Reputation: 615
Cloudflare wildcard DNS entry - still Protected If target IS a CloudFlare Worker?
I see that in CloudFlare’s DNS FAQs they say this about wildcard DNS entries:
Non-enterprise customers can create but not proxy wildcard records.
If you create wildcard records, these wildcard subdomains are served directly without any Cloudflare performance, security, or apps. As a result, Wildcard domains get no cloud (orange or grey) in the Cloudflare DNS app. If you are adding a * CNAME or A Record, make sure the record is grey clouded in order for the record to be created.
What I’m wondering is if one would still get the benefits of CloudFlares infrastructure of the target of the wildcard CNAME record IS a Cloudflare Worker, like my-app.my-zone.workers.dev? I imagine that since this is a Cloudflare controlled resource, it would still be protected for DDoS for example. Or is it that much of the Cloudflare security and performance happening at this initial DNS stage that will be lost even if the target is a Cloudflare worker?
Also posted to CloudFlare support: https://community.cloudflare.com/t/wildcard-dns-entry-protection-if-target-is-cloudflare-worker/359763
Upvotes: 1
Views: 450
Answers (1)
Reputation: 1103
I believe you are correct that there will be some basic level of Cloudflare services in front of workers, but I don't think you'll be able to configure them at all if accessing the worker directly (e.g. a grey-cloud CNAME record pointed at it). Documentation here is a little fuzzy on the Cloudflare side of things however.
They did add functionality a little while back to show the order of operations of their services, and Workers seem to be towards the end (meaning everything sits in front). However, I would think this only applies if you bind it to a route that is covered under a Cloudflare-enabled DNS entry.
https://blog.cloudflare.com/traffic-sequence-which-product-runs-first/
The good news is you should be able to test this fairly easily. For example, you can:
- Setup a worker with a test route
- Point a DNS-only (grey cloud) record at it
- Confirm you can make a request to worker
- Add a firewall rule to block the rest route
- See if you can still make the request to worker
This will at least give you an answer on whether your zone settings apply when accessing a worker (even through a grey cloud / wildcard DNS entry). Although it will not answer what kind of built-in / non-configurable services there are in front of workers.
Upvotes: 0
Related Questions
- Cloudflare Worker fetch() global does not respect Cloudflare worker routes
- Cloudflare Worker redirect stripping auth headers
- Cloudflare workers security and visibility
- cloudflare worker rewrite Host Header
- How can I have a CloudFlare worker respond to incoming HTTP requests from users?
- Cloudflare worker redirections
- Cloudflare worker to redirect to new URL doesn’t work
- Use Cloudflare to access AWS S3 with wildcard record subdomain
- Control cloudflare origin server using workers
- Request to Cloudflare DNS from Cloudflare worker not returning the DNS result