This check assesses Cloudflare DNS records for proxy configuration: it verifies that A, AAAA, and CNAME records are proxied through Cloudflare so that they benefit from DDoS protection, WAF, and caching capabilities.
Risk
Unproxied DNS records expose origin server IP addresses directly to the internet.
- Confidentiality: origin IP exposure enables targeted reconnaissance and attacks
- Integrity: direct access to origin bypasses WAF and security controls
- Availability: origin is exposed to DDoS attacks without Cloudflare protection
Run this check with Prowler CLI
prowler cloudflare --checks dns_record_proxied
Recommendation
Enable the Cloudflare proxy (orange cloud) for DNS records that should be protected.
- Proxied records benefit from DDoS protection, WAF, and caching
- Origin server IP addresses are hidden from public DNS queries
- Apply defense in depth by combining proxy protection with origin hardening
- Some record types (MX, TXT) cannot be proxied by design
Remediation
Terraform
Other
- Log in to the Cloudflare dashboard and select your account and domain
- Go to DNS > Records
- For each A, AAAA, or CNAME record that should be protected
- Click Edit and toggle Proxy status to Proxied (orange cloud)
- Save the changes and verify traffic flows through Cloudflare
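To confirm the result after remediation, the check's logic can be applied to an export of the zone's records. This is an added example, not Prowler's source code: the function names are hypothetical, the sample data is constructed, and the records are assumed to be shaped like Cloudflare API DNS record objects (`type`, `name`, `content`, `proxied`). It goes one step beyond the check by also listing proxied names whose address is still published by a DNS-only record.

```python
PROXYABLE_TYPES = {"A", "AAAA", "CNAME"}  # record types the check evaluates


def audit_records(records):
    """Return (status, type, name, content) for every A/AAAA/CNAME record."""
    findings = []
    for rec in records:
        rtype = str(rec.get("type", "")).upper()
        if rtype not in PROXYABLE_TYPES:
            continue  # MX, TXT and similar cannot be proxied by design
        # Treat a missing "proxied" field as unproxied so gaps fail closed.
        status = "PASS" if rec.get("proxied") is True else "FAIL"
        findings.append((status, rtype, rec.get("name", ""), rec.get("content", "")))
    return findings


def shadowed_origins(records):
    """Proxied names whose target is also published by an unproxied record.

    Proxying www does not hide the origin if another DNS-only record in the
    zone still resolves to the same address.
    """
    findings = audit_records(records)
    exposed = {content for status, _, _, content in findings if status == "FAIL"}
    return sorted(name for status, _, name, content in findings
                  if status == "PASS" and content in exposed)


# Constructed sample in the shape of Cloudflare API DNS record objects.
SAMPLE_RECORDS = [
    {"type": "A", "name": "www.example.com", "content": "192.0.2.10", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "192.0.2.10", "proxied": False},
    {"type": "AAAA", "name": "api.example.com", "content": "2001:db8::20", "proxied": True},
    {"type": "CNAME", "name": "shop.example.com", "content": "store.example.net", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 -all"},
]

if __name__ == "__main__":
    for status, rtype, name, content in audit_records(SAMPLE_RECORDS):
        print(f"{status} {rtype:5} {name} -> {content}")
    print("proxied but still exposed:", shadowed_origins(SAMPLE_RECORDS))
```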
Resource Type
DNSRecord