GitBook bypassing Cloudflare DNS to route traffic to their domain

GitBook CEO, here.<p>We use Cloudflare to serve HTTPS traffic for all custom hostnames configured by our users.<p>When a user configures a custom hostname, they point their DNS via CNAME to one of our domains (which, at the end of the chain points to Cloudflare). We then request Cloudflare (using their Cloudflare for SaaS product) to generate an SSL certificate for this hostname and serve the traffic properly.<p>When users move away from GitBook, they often don&#x27;t remove their content from GitBook and only change the DNS on their side. We don&#x27;t request to remove the hostname from Cloudflare for SaaS until the content is deleted from GitBook, as the goal is to avoid breaking links for URLs that are still pointing to GitBook.<p>We&#x27;d expect Cloudflare to always use the DNS setup of the domain as the primary factor for deciding where to route the traffic.<p>We don&#x27;t know the rationale behind why Cloudflare routing continues internally routing the traffic to GitBook when the domain is no longer pointing to the GitBook hostname. But it is not us doing that intentionally.<p>Our support can help unblock this situation by manually removing this domain from our Cloudflare for SaaS. You can reach out at support@gitbook.com.

Seriously Cloudflare? A delayed generic signup modal on a forum while I&#x27;m trying to read a post?<p><a href="https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;QDEjlQ3" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;QDEjlQ3</a><p>My reasons to dislike CF keep growing.

I had the same issue migrating an app off of Render (they also use Cloudflare for app routing).<p>Cloudflare would refuse to route to my new IP for hours on end. Incredibly frustrating and I almost pulled my DNS off of CF as a result.<p>I was able to work around it by disabling the orange cloud for the domain for a couple hours, then turning it back on, which must have reset some sort of cache on CF&#x27;s end.<p>Ultimately, it&#x27;s not a DNS issue, it&#x27;s an internal CF routing issue - it only happens with CDN (orange cloud) on. It seems CF&#x27;s just caching the orange cloud&#x27;s original route (via the SaaS provider) way too long internally somewhere and it&#x27;s not being cleared when the route is changed off of the SaaS.

I experienced this today when migrating away from GitBook and I thought I was going crazy.<p>I had changed the CNAME pointing to GitBook to my new service, and dig etc was reporting that it had propagated correctly. BUT the URL was still resolving to GitBook.<p>I was pulling my hair out and questioning my entire understanding of how DNS works.<p>From what I can tell Cloudflare &quot;partners&quot; can introduce redirect rules that are prioritized over our own Cloudflare DNS rules. This sounds completely insane to me, there&#x27;s no way SaaS providers should be able to hijack control of DNS like this.

This seems to have zero to do with DNS and everything to do with how Cloudflare routes traffic inside their network.<p>I&#x27;m sure if you change the destination to somewhere outside Cloudflare, your traffic will hit the intended target.

&gt; The old SaaS provider should remove your configuration when you are no longer a customer of theirs. If they have not, you should contact them and ask them to do so.<p>The point of moving DNS records are precisely NOT needing to do this.

This seems wild to me.<p>So reading this, their SaaS SSL solution basically takes over your hostname if configured with a SaaS provider?<p>Does Cloudflare require any verification before hand?

Cloudflare is turning Internet into a giant Minitel and it&#x27;s beautiful.

&gt; The old SaaS provider should remove your configuration when you are no longer a customer of theirs.<p>Could someone explain why this is necessary? Simple terms if possible, I don&#x27;t know DNS or CloudFlare very well.

I recently helped a small site migrate from cloudflare to IPFS with dnslink using Fleek. I understand how certain types of customers might need cloudflare’s scale and tools. But for a small, static html+js it’s completely overkill and introduces a ton of complexity. Plus the uptime and speed benefits of having the site on IPFS are great for anyone who’s using a browser extension that supports it are a big plus.

(I work at Cloudflare)<p>We are going to change the way this works so that the authoritative DNS dictates the behaviour, rather than the internal state where we currently require SSL for SaaS providers to manage off-boarding of their own customers. This work has been planned for some time and we&#x27;re very pleased it will be done soon!<p>Current ETA for this is December.