Skip to main content
Lumos Gate Docs

DNS Setup

Configure DNS A and CNAME records to route traffic through your Lumos Gate shield server. Keep your origin IP hidden from attackers.

Overview

For Lumos Gate to protect your origin servers, all incoming traffic must flow through your shield VPS first. This means your domain's DNS records need to point to the shield VPS IP address -- not to your origin server. Once DNS is configured correctly, all traffic hits the shield VPS where HAProxy proxies it, the WAF filters it, and clean traffic is forwarded to your origin.

DNS setup is a critical step that must be completed before enabling SSL/TLS certificates. Without correct DNS, the ACME HTTP-01 challenge cannot reach your shield server, and certificate provisioning will fail.

Required DNS Records

Root Domain

Create an A record pointing your root domain to your shield VPS IP address:

Type: A
Name: @
Value: 203.0.113.10    (replace with your shield VPS IP)
TTL: 300

You can find your shield VPS IP address in Dashboard -> Servers -- it is displayed on the server detail page.

WWW Subdomain

For the www subdomain, you have two options:

Option A: CNAME record (recommended)

A CNAME avoids duplication -- if you change the shield VPS IP later, you only need to update the root A record.

Type: CNAME
Name: www
Value: yourdomain.com
TTL: 300

Option B: A record

Use this if your DNS provider does not support CNAME on www or if you want explicit control.

Type: A
Name: www
Value: 203.0.113.10    (replace with your shield VPS IP)
TTL: 300

Other Subdomains

For any subdomain you want to protect through Lumos Gate (e.g., api.yourdomain.com, app.yourdomain.com, staging.yourdomain.com), create an A record pointing to the shield VPS:

Type: A
Name: api
Value: 203.0.113.10    (replace with your shield VPS IP)
TTL: 300

Important: Each subdomain you want to route through Lumos Gate must also be added as a separate domain in the dashboard. Adding DNS records alone is not enough -- the domain must exist in your Lumos configuration so HAProxy knows how to route traffic for it. If HAProxy receives a request for a domain it does not know about, the request will be dropped.

Wildcard Domains

Lumos Gate does not currently support wildcard domain certificates or wildcard HAProxy routing. Each subdomain must be:

  1. Added as a separate DNS record pointing to the shield VPS
  2. Added as a separate domain in the Lumos dashboard

TTL Settings

Set a low TTL (Time To Live) on your DNS records:

ScenarioRecommended TTLReason
Initial setup60 secondsAllows you to quickly fix misconfigurations without waiting for DNS cache to expire
Normal operation300 seconds (5 min)Good balance between DNS caching performance and failover responsiveness
Stable, no failover600 seconds (10 min)Slightly better caching if you do not use DNS failover

Why low TTL matters for failover: If you use DNS failover, the TTL determines how quickly clients switch to the secondary server when the primary goes down. A 300-second TTL means clients will take at most 5 minutes to reach the healthy server after a failover event. A 3600-second (1 hour) TTL would mean up to 1 hour of downtime.

Tip: Start with a 60-second TTL during initial setup. Once you have verified everything works correctly (DNS resolves to shield VPS, SSL provisions successfully, traffic flows through the proxy), increase it to 300 seconds.

Cloudflare Users

If you manage your DNS through Cloudflare, there is an important setting you must change:

Warning: You MUST disable the Cloudflare proxy (orange cloud icon) for domains routed through Lumos Gate. Lumos Gate IS your proxy -- running traffic through two proxies causes SSL provisioning failures, WebSocket connection issues, and adds unnecessary latency.

How to Disable the Cloudflare Proxy

  1. Log in to your Cloudflare dashboard.
  2. Select your domain.
  3. Go to DNS -> Records.
  4. Find the A record for your domain.
  5. Click the orange cloud icon to turn it grey (DNS only).
  6. Click Save.

Your DNS record should show a grey cloud icon, meaning Cloudflare only provides DNS resolution without proxying traffic:

Type: A    Name: @    Content: 203.0.113.10    Proxy status: DNS only (grey cloud)

Why This Matters

IssueCause
SSL provisioning failsCloudflare proxy intercepts the ACME HTTP-01 challenge, preventing it from reaching the Lumos agent on your shield VPS
Double latencyTraffic goes User -> Cloudflare -> Shield VPS -> Origin instead of User -> Shield VPS -> Origin
Broken headersDouble-proxying can cause unexpected behavior with X-Forwarded-For, X-Real-IP, and other proxy headers
WebSocket issuesCloudflare may interfere with the WebSocket connections used between the dashboard and agents
Redundant featuresLumos Gate already provides WAF, DDoS protection (via your VPS provider), and SSL -- Cloudflare's proxy features are redundant

Note: You can still use Cloudflare as your DNS provider. Just make sure the proxy is disabled (grey cloud) for all domains routed through Lumos Gate. Cloudflare's DNS-only mode is fast, reliable, and free.

DNS Propagation

After updating your DNS records, propagation times vary:

ScenarioTypical Time
Low TTL (60-300s), same DNS provider1-5 minutes
Standard TTL (300-600s)5-30 minutes
High TTL (3600s+) or provider change30-60 minutes
Worst case (globally cached with high TTL)Up to 48 hours

Verifying Propagation

Use dig or nslookup to confirm your DNS records point to the shield VPS.

Check from your local machine:

dig +short yourdomain.com
# Expected output: your shield VPS IP
# Example:
203.0.113.10

Check with nslookup (works on all platforms including Windows):

nslookup yourdomain.com
# Look for "Address: 203.0.113.10" in the output

Check from Google's DNS (to verify global propagation):

dig @8.8.8.8 yourdomain.com +short
# Should return the same shield VPS IP
203.0.113.10

Check from Cloudflare's DNS:

dig @1.1.1.1 yourdomain.com +short
203.0.113.10

Verify HTTP connectivity through the shield:

curl -I http://yourdomain.com
# Should return a response from HAProxy (even if it is a 503 or redirect)
# If it times out or refuses connection, DNS may not have propagated yet

Important: Do not enable SSL in the Lumos dashboard until DNS propagation is complete. The ACME HTTP-01 challenge requires Let's Encrypt to reach your shield VPS via the domain name. If DNS still points elsewhere, the challenge will fail. Verify with dig before toggling SSL.

Step-by-Step Setup

Here is the complete setup flow from start to finish:

1. Find Your Shield VPS IP

Go to Dashboard -> Servers and note the IP address of your shield server. This is the IP you will use in your DNS records.

2. Log In to Your DNS Provider

Access your DNS management panel. Common providers:

  • Cloudflare -- dash.cloudflare.com (remember to disable proxy)
  • GoDaddy -- dcc.godaddy.com -> DNS Management
  • Namecheap -- ap.www.namecheap.com -> Domain List -> Manage -> Advanced DNS
  • Route 53 -- AWS Console -> Route 53 -> Hosted Zones

3. Update or Create DNS Records

Create or update the following records:

Type: A     Name: @      Value: <shield-vps-ip>    TTL: 60
Type: CNAME Name: www    Value: yourdomain.com      TTL: 60

If you have additional subdomains to protect, add A records for each:

Type: A     Name: api    Value: <shield-vps-ip>    TTL: 60
Type: A     Name: app    Value: <shield-vps-ip>    TTL: 60

4. Wait for Propagation

Verify with dig:

dig +short yourdomain.com
# Must return your shield VPS IP before proceeding

If the output still shows the old IP, wait a few more minutes and try again. With a 60-second TTL, propagation should complete within 1-5 minutes.

5. Add the Domain in Lumos

Go to Dashboard -> Domains -> Add Domain and configure:

  • Domain: yourdomain.com
  • Origin IP: Your origin server's IP (e.g., 10.0.0.5 if using WireGuard, or the public IP)
  • Origin Port: The port your origin listens on (e.g., 80, 8080)
  • Server: Select your shield server

6. Enable SSL

Once DNS is confirmed (step 4), toggle SSL on for the domain. The agent will automatically provision a Let's Encrypt certificate. See SSL/TLS for the full provisioning lifecycle and troubleshooting.

7. Verify End-to-End

# Verify HTTPS works
curl -I https://yourdomain.com
# Should return HTTP/2 200 (or your application's response)

# Verify HTTP redirects to HTTPS
curl -I http://yourdomain.com
# Should return HTTP/1.1 301 with Location: https://yourdomain.com/

8. Lock Down the Origin

After verifying traffic flows correctly through the shield, configure your origin firewall to only accept connections from the shield VPS IP. See Origin Firewall for instructions. This prevents attackers from bypassing the shield by connecting directly to your origin.

9. Increase TTL

Once everything is stable, increase your DNS TTL to 300 seconds for normal operation:

Type: A     Name: @      Value: <shield-vps-ip>    TTL: 300

Multiple Shield Servers

If you have multiple shield servers for redundancy, your DNS configuration depends on your failover strategy:

Manual Failover

Point the A record to your primary shield VPS. If the primary goes down, manually update the DNS record to point to the secondary. This approach is simple but requires manual intervention and is limited by DNS TTL propagation time.

Type: A    Name: @    Value: 203.0.113.10    (primary shield)

DNS Round-Robin

Create multiple A records pointing to different shield VPS IPs. Traffic is distributed roughly evenly across all servers by DNS resolvers, but failed servers are not automatically removed from rotation.

Type: A    Name: @    Value: 203.0.113.10    (shield 1)
Type: A    Name: @    Value: 198.51.100.20   (shield 2)

Limitation: DNS round-robin does not detect server health. If one shield goes down, some users will still be sent to the failed server until the record is manually removed.

Use a single A record and let Lumos Gate's DNS failover system automatically update the record when a shield server goes down. The WebSocket server runs health checks every 5 minutes. When a primary server is detected as down, the DNS record is automatically switched to the secondary server. When the primary recovers, DNS is switched back.

This approach requires:

  • A supported DNS provider with API access (currently Cloudflare)
  • DNS provider credentials configured in the Lumos dashboard
  • At least two shield servers assigned to the domain
  • Failover configured in the domain settings
Type: A    Name: @    Value: 203.0.113.10    (managed automatically by Lumos)
TTL: 300

See the Failover documentation for full setup instructions.

DNS Records to Avoid

After setting up Lumos Gate, audit all your DNS records to make sure none of them expose your origin server IP. The entire purpose of Lumos Gate is to hide the origin -- any DNS record that reveals it defeats that purpose.

Records That May Leak Your Origin IP

Record TypeRiskAction
A record for originDirect IP exposureRemove or update to point to shield VPS
MX recordIf your origin also handles email, the MX record reveals the IPUse a separate mail server (Google Workspace, Proton Mail, etc.)
SPF/TXT recordMay contain ip4: directives with origin IPRemove origin IP from SPF, use the mail server IP instead
Direct-access subdomaine.g., direct.yourdomain.com or server.yourdomain.com pointing to originDelete these records
Historical DNSOld records cached in DNS history databases (SecurityTrails, ViewDNS.info)Cannot be removed, but rotating your origin IP mitigates the risk

Audit Checklist

# Check all DNS records for your domain
dig yourdomain.com ANY +noall +answer

# Check common subdomains that might leak the origin
for sub in direct server origin mail ftp cpanel webmail; do
  echo -n "$sub.yourdomain.com -> "
  dig +short $sub.yourdomain.com
done

# Check MX records
dig MX yourdomain.com +short

# Check SPF record for IP leaks
dig TXT yourdomain.com +short | grep spf

Tip: After completing your DNS audit, consider checking historical DNS databases like SecurityTrails or ViewDNS.info to see if your origin IP was previously exposed. If it was, consider migrating your origin to a new IP address for maximum security. See the Origin Firewall guide for additional origin protection strategies.

Provider-Specific Notes

AWS Route 53

Route 53 supports all needed record types. You can use Alias records for the root domain if needed. Set the TTL to 300 seconds. If using Route 53 for failover, note that Lumos currently only supports Cloudflare for automatic DNS failover management.

GoDaddy / Namecheap

Both providers support standard DNS records. The minimum TTL on some Namecheap plans is 60 seconds, which is ideal for initial setup. GoDaddy's minimum may vary by plan.

Next Steps

  • Domain Management -- Add domains to Lumos after configuring DNS
  • SSL/TLS -- Enable automatic HTTPS (requires DNS to be configured first)
  • Failover -- Set up automatic DNS failover for high availability
  • Multiple Servers -- Assign domains to multiple shield servers
  • Origin Firewall -- Lock down your origin after verifying the proxy works
  • WireGuard -- Encrypt shield-to-origin traffic over a private tunnel
  • Servers -- Manage your shield servers and find their IP addresses
  • Troubleshooting -- Common DNS and connectivity issues

On this page

Overview
Required DNS Records
Root Domain
WWW Subdomain
Other Subdomains
Wildcard Domains
TTL Settings
Cloudflare Users
How to Disable the Cloudflare Proxy
Why This Matters
DNS Propagation
Verifying Propagation
Step-by-Step Setup
1. Find Your Shield VPS IP
2. Log In to Your DNS Provider
3. Update or Create DNS Records
4. Wait for Propagation
5. Add the Domain in Lumos
6. Enable SSL
7. Verify End-to-End
8. Lock Down the Origin
9. Increase TTL
Multiple Shield Servers
Manual Failover
DNS Round-Robin
Automatic Failover (Recommended)
DNS Records to Avoid
Records That May Leak Your Origin IP
Audit Checklist
Provider-Specific Notes
AWS Route 53
GoDaddy / Namecheap
Next Steps