Bug Fix: Cloudflare Trace IP Detection Returning Proxy IP
Problem
Some users reported that the Cloudflare trace-based IP detection was returning Cloudflare proxy IPs instead of their actual public address. This affected both IPv4 and IPv6 detection.
Root Cause
The primary trace URLs were connecting to Cloudflare's DNS resolver IPs (1.0.0.1 and [2606:4700:4700::1001]) rather than the Cloudflare CDN endpoint. This caused two issues:
- TLS SNI mismatch — Connecting to a raw IP address over HTTPS produces no valid SNI (Server Name Indication), while the
Hostheader was overridden toone.one.one.one. This mismatch caused Cloudflare's edge to route requests through an unexpected path, resulting in a proxy IP appearing in theip=field of the trace response. - Wrong service endpoint — The
/cdn-cgi/traceendpoint on the 1.1.1.1 DNS resolver infrastructure behaves differently than on the Cloudflare CDN, particularly for users behind Cloudflare WARP, Zero Trust, or certain ISP transparent proxies.
Fix
Replaced the primary trace URL with https://cloudflare.com/cdn-cgi/trace, matching the officially recommended method (curl -4 https://cloudflare.com/cdn-cgi/trace). The existing build_split_client mechanism — which binds to 0.0.0.0 (IPv4) or [::] (IPv6) — already guarantees the correct address family at the socket level, so literal IPs were never necessary. The Host header override has been removed since SNI and Host now match naturally.
The fallback URL (https://api.cloudflare.com/cdn-cgi/trace) remains unchanged for environments where cloudflare.com is intercepted (e.g. Cloudflare WARP/Zero Trust).
Affected Provider
cloudflare.trace(the default IP detection provider)