
Cloudflare Error 1000: DNS Points to Prohibited IP

A proxied Cloudflare record points back at a Cloudflare IP or stacks a second proxy, creating a loop.

What you see

Error 1000
DNS points to prohibited IP
You've requested a page on a website that is part of the Cloudflare network. The host is configured as a CNAME / A record pointing to a Cloudflare IP...

What’s actually happening

Cloudflare returns a 1000 error page rather than reaching your origin. The orange-clouded DNS record resolves to an IP Cloudflare itself owns, so a request would loop back into Cloudflare instead of hitting a real server. This typically appears when someone pastes a Cloudflare edge IP into an A record, or chains a CNAME through another proxy that ultimately lands on Cloudflare space.

Common causes

  • A proxied A record points at a Cloudflare-owned IP range (104.16.0.0/13, 172.64.0.0/13, 198.41.128.0/17, etc.) instead of the real origin
  • A CNAME (orange cloud) targets a hostname that itself resolves to a Cloudflare IP, stacking Cloudflare in front of Cloudflare
  • A second reverse proxy or CDN sits in front of Cloudflare and forwards traffic back into Cloudflare's network
  • Someone copied the resolved (proxied) IP of the domain and pasted it back into the A record, pointing the zone at its own edge
  • An origin that is itself behind Cloudflare is used as the backend for another Cloudflare-proxied hostname

How to fix it

  1. Point the A record at the real origin IP
     In Cloudflare DNS, replace the A record value with your server's actual public IP (the one your host/VPS/load balancer gives you), not a 104.x / 172.64.x / 198.41.x address. Keep the orange cloud on; Cloudflare proxies to the true origin and the loop is gone.
  2. Fix CNAMEs that resolve into Cloudflare
     Run 'dig +short yourdomain.com' through a non-Cloudflare resolver to see where the record really lands. If a CNAME target resolves to Cloudflare space, repoint it at a non-Cloudflare origin or grey-cloud it.
  3. Remove the duplicate proxy layer
     If another CDN/proxy fronts Cloudflare and points back at it, collapse the chain: terminate at one proxy, and have the backend be your actual origin, not Cloudflare again.
  4. For Cloudflare for SaaS, use the right target
     SaaS custom hostnames should CNAME to the fallback origin or the value the provider specifies, never to a generic Cloudflare edge IP. Set it to the documented target.
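
An added example, not from the original page: a Python check for steps 1 and 2 that takes 'dig +short' output for a record's target and reports any address inside the Cloudflare ranges listed under Common causes. The function names and sample hostnames are assumptions, and the range list holds only the three ranges this page names.

```python
import ipaddress

# Cloudflare ranges named on this page. The page's "etc." means the list is
# incomplete; extend it from Cloudflare's published IP list before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in
                     ("104.16.0.0/13", "172.64.0.0/13", "198.41.128.0/17")]


def parse_dig_short(output):
    """Split `dig +short` output into (cname_hops, addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments/warnings
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            cnames.append(line.rstrip("."))  # CNAME hop, printed with a trailing dot
    return cnames, addrs


def prohibited_targets(output):
    """Return the resolved addresses that fall inside a listed Cloudflare range."""
    _, addrs = parse_dig_short(output)
    return [str(a) for a in addrs if any(a in n for n in CLOUDFLARE_RANGES)]


def check_target(output):
    """Describe what happens if this target backs a proxied (orange-cloud) record."""
    cnames, addrs = parse_dig_short(output)
    if not addrs:
        return "no address resolved"
    bad = prohibited_targets(output)
    if bad:
        via = " via " + " -> ".join(cnames) if cnames else ""
        return "loops into Cloudflare%s: %s" % (via, ", ".join(bad))
    return "ok"


# Constructed samples: a CNAME target that lands on Cloudflare space, and an
# origin on a documentation-range address (203.0.113.0/24).
SAMPLE_LOOP = "app.saas-provider.example.\n104.18.32.7\n104.18.33.7\n"
SAMPLE_OK = "203.0.113.10\n"

if __name__ == "__main__":
    print(check_target(SAMPLE_LOOP))
    print(check_target(SAMPLE_OK))
```

Feed it the output of 'dig +short' for the value you are about to save as the A record or CNAME target, not for the proxied hostname itself, which always resolves to Cloudflare's edge.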

Stop it recurring

Always put your origin server's real IP in the A record — never the proxied IP that resolving the domain returns.
