Routing traffic through a DDoS scrubbing proxy via DNS is the right architecture. But it has one critical dependency: your origin server's IP address must never appear in public records. If an attacker discovers your real IP, they can target it directly — completely bypassing the proxy.
Common IP Leak Vectors
- Historical DNS records: tools like SecurityTrails show every IP your domain has ever pointed to. If you set up your proxy after your server was live, your old IP is in the database.
- Subdomains: mail.yourdomain.com, dev.yourdomain.com, ftp.yourdomain.com often resolve directly to origin.
- Email headers: an SMTP server running on your origin puts the origin IP in the headers of the mail it sends. Check your SPF/MX records.
- TLS certificates: old certs issued before the proxy might appear in Certificate Transparency logs showing your origin IP.
- Third-party trackers and analytics: some services resolve and log the IPs of servers they interact with.
- Application errors: stack traces, debug logs, or error pages that expose server metadata.
The IP Rotation Solution
The most reliable solution after moving to a proxy is to change your origin server's IP address. Contact your hosting provider for a new IP. Then ensure the new IP never appears in any public DNS record, ever.
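One way to check a zone export for the subdomain and SPF/MX leaks listed above, and to confirm that a rotated IP stays out of DNS. This is an added example, not Akarguard's tooling; the function name, the record tuple format and the sample zone (documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress

# Constructed zone export: (name, type, value). 203.0.113.10 plays the origin,
# 198.51.100.7 the scrubbing proxy (both are documentation-range addresses).
SAMPLE_ZONE = [
    ("example.test", "A", "198.51.100.7"),
    ("www.example.test", "A", "198.51.100.7"),
    ("dev.example.test", "A", "203.0.113.10"),
    ("mail.example.test", "A", "203.0.113.10"),
    ("example.test", "MX", "10 mail.example.test."),
    ("example.test", "TXT", "v=spf1 ip4:203.0.113.0/28 include:_spf.example.net -all"),
]

def find_origin_leaks(origin_ip, zone):
    """Return sorted (name, type, reason) tuples for records that reveal origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    leaks, direct = set(), set()
    # Pass 1: hostnames whose A/AAAA record is the origin itself.
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA") and ipaddress.ip_address(value) == origin:
            direct.add(name.rstrip(".").lower())
            leaks.add((name, rtype, "resolves directly to origin"))
    # Pass 2: records that reveal the origin indirectly.
    for name, rtype, value in zone:
        if rtype == "MX":
            # "10 mail.example.test." -> exchanger host; a leak if it sits on origin.
            target = value.split()[-1].rstrip(".").lower()
            if target in direct:
                leaks.add((name, rtype, f"mail exchanger {target} is on origin"))
        elif rtype == "TXT" and value.lower().startswith("v=spf1"):
            # SPF ip4:/ip6: mechanisms publish sender addresses or whole ranges.
            for term in value.split()[1:]:
                mech = term.lstrip("+-~?").lower()
                if mech.startswith(("ip4:", "ip6:")):
                    net = ipaddress.ip_network(mech[4:], strict=False)
                    if origin.version == net.version and origin in net:
                        leaks.add((name, rtype, f"SPF {mech} covers origin"))
    return sorted(leaks)

if __name__ == "__main__":
    for leak in find_origin_leaks("203.0.113.10", SAMPLE_ZONE):
        print(*leak, sep="\t")
```

An empty result for the new address only covers the records in the export; it says nothing about DNS history databases or CT logs.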
Akarguard's Onboarding Checklist
Every new Akarguard customer gets an origin IP audit as part of onboarding. We scan for your IP across DNS history databases, CT logs, MX records, and common subdomain patterns — and tell you exactly where you're leaking before attackers find it.