Jump to content

Cloudflare Ip Leak


whitehat
 Share

Recommended Posts

Over the past few months I've noticed every 14 year old on the Internet has a booter with a CloudFlare resolver. I would like to keep my domain safe from DDOS.

When I type in my domain name at www.cloudflareresolver.com however, it does show my real IP on the mail and FTP lines. I've noticed many other CloudFlare sites do not leak their IP in this way though.

How do I configure it such that my IP will not be leaked? I do use the server for mail, I hope I won't have to lose that functionality.

Link to comment
Share on other sites

Depends on your host provider, but if your host uses different servers for mail than your main site(they would then have different DNS servers), then you need to have the DNS switched over for the mail servers too, not just the main domain. Speak with your hosting company on how to change it or Cloudflare might have instructions on their site on how to do it, but check with your host provider on how to make the switch.

Link to comment
Share on other sites

Thanks DigiP. I went ahead and contacted the host right after you said that. I just heard back. My host is totally cool and he said he's happy to help in any way, but basically has no clue what to do : /

I can try contacting CloudFlare, but as a free member I doubt if that will pan out. I'm kind of wondering if the trick is simply to disable Mail and FTP. I use those 2 things and those are the 2 that are leaking the IP, but I don't use the other 6-7 things that could have (but did not) leak my server's IP.

I just don't want that to be answer, becuse I pretty much have to keep using mail, if not mail + ftp.

Edited by whitehat
Link to comment
Share on other sites

Do you have access to the DNS settings for your host? If so, you might be able to put in a records or cname records or such to make it point to cloudflare for the setup, but if its one of those one click all in one type deals, you would probably need to step up to the paid version of cloudflare to use them exclusively as your DNS host I'm guessing. There is probably some confiuguration on the cloudflare side to make it work too, which might require paid support to make everything all happy snappy.

The main thing cloudflare is good for though, is protecting your site from DDoS, and caching more than anything else. For FTP, if you host has the options, disable standard FTP, and enable only SFTP and SSH/SCP capabilities. FTP sends everything in plain text, so I wouldn't use FTP anymore if you don't have to anyway, sftp, scp and ssh are the way to go on that end. Check with your host or the control panel for your site if it can be changed. After doing so, you'll need an sftp/sftp compliant client, and the port will change from 21/20 to port 22 and runs over SSH for encrypted file transfers ;)

In most cases the IP for the domain tends to differ from the mail and ftp servers, but in your case, they might actually be the same, so I can see how it could make you nervous. My guess is they aren't the same IP though, if changing to cloudflare only masks your domain, and not the mail and ftp side, I'm assuming the file servers on the back end use different IP's, but doesn't always have to be the case.

I'm not the best with DNS stuff, but you also might try changing DNS registrars, which might help. You should be able to keep the same hosting company, but change DNS registrars, and your hosting company would have to change the name servers to your new registrar, which might even be able to do directly through cloudflare. I've yet to make the switch to cloudflare so not 100% sure how their stuff works.

Anyone else using cloudflare want to chime in, have advice on how to fix?

Edited by digip
Link to comment
Share on other sites

Thank you. I will share some of that with the host and see what he says.

Unfortunately, it is the same IP for everything. I've disabled FTP and it's no longer an issue, but the mail is still there and I have to keep that working.

My nameservers are CloudFlare nameservers, so that part is all good.

Edited by whitehat
Link to comment
Share on other sites

what is the name of your website and what is the name of your mailserver. They may share the same IP, but have say, different domain names, or subdomains, like www.yoursite.com and mail.yoursite.com, which means you need to have a DNS record put in to change mail.yoursite.com to point at the cloudflare dns servers(is my guess), so however your host does the change to make cloudflare resolve the main domain name, the same thing needs to be put in place for the mail server, so it resolves through cloudflare.

Link to comment
Share on other sites

what is the name of your website and what is the name of your mailserver. They may share the same IP, but have say, different domain names, or subdomains, like www.yoursite.com and mail.yoursite.com, which means you need to have a DNS record put in to change mail.yoursite.com to point at the cloudflare dns servers(is my guess), so

It's currently like you said:

www.yoursite.com

and

mail.yoursite.com

If you want the actual domain name I'd prefer to give it to you privately or offsite, for security (yes, I'm paranoid LOL).

I asked the host about making it something like 234234234q2jknk.yoursite.com for the mail server to see if that would trick the CloudFlare resolvers, but I haven't heard back. I think either he's busy or it's the language barrier. Sigh...

however your host does the change to make cloudflare resolve the main domain name, the same thing needs to be put in place for the mail server, so it resolves through cloudflare.

The host wasn't really involved with CloudFlare. CloudFlare has free accounts and I knew of them from the SEO and other forums, so I just signed up an account there for my site, independent of the host. WordPress also has a CloudFlare plugin, but it doesn't really do anything beyond signing you up.

What CloudFlare does is simply to change your nameservers to CloudFlare nameservers. They have nice, big, strong, DDOS-protected servers. Additionally, they can scan browsers accessing your site to screen out suspicious traffic, blacklisted IP's, proxies, etc. Someone trying to get your IP either sees no IP or a CloudFlare IP. If someone gets your real IP, such as if they already had it before you got CloudFlare or they have a resolver, then if you have a Pro subscription they will launch a cached version of your site while you are down.

It doesn't help protect the mail, FTP, or other stuff though. I actually went out and found a teenager who runs a booter service and asked about this. He said that his understanding is that the mail packets contain the IP (even though it's encrypted?) so there's basically no way to beat the resolver that he knows of, other than to stop having a mail server. Presumably the same thing applies to FTP.

That's really speculation though, as I supposed we'd need to see the source of the resolver to know for sure how it works and thus how to get around it. I'm just trying to think if there are any potential solutions that I could give a try, other than the subdomain name change that's pending...

Edited by whitehat
Link to comment
Share on other sites

Well, on the surface, you can get all services to resolve through cloudflare, and I know it can be done, just not how. I think you need to have your host change your "a" records or cname records for things liek mail.server.com and ftp.server.com to resolve, in the same manner they do for the main www server. As for mail bouncing, it might be possible you can get your real mail servers IP passed through cloudflare with an attack such as, say your site is www.widgets.com and its on cloudflare, and your true email is say bob@widgets.com(this is assuming you get the mail service working with cloudflare of course). Sending email to bob, might get cleaned and stripped to use cloudflares service as the IP resolver. However, try sending an email to say asajshajshajkshakj@widets.com on purpose, to a non working address, and wait for the mailer daemon on your mail server to kick in, which will send back an rfc error about the address not found, something like a 500 error email attachment, and send back a text attachment like delivery report.dat or such, depending on the mail server at your host, and open that puppy up, and chances are, the true email servers domain name or IP will be in the MTA response. (most likely the name itself)

You can try this with just about any host, even for ones that when you do DNS lookups like nslookup for mx records and they deny results or show none, sending a mail message to a non working address at the same domain, can yield mailer daemon replies with the true email servers address, unless cloudflare 1, filters it, or 2, you setup a catch all mail address for any unknown recipients, to keep people from receiving the message, like say setup a mailbox called junk@widgets.com as your catch all, and email rules that any mail caught or received at junk@widgets.com, just gets deleted, instead of sending back messages.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...