Pointing DNS Directly vs. Reverse Proxy
When launching a new website, is it best to point DNS directly to your web host, or use a reverse proxy?
That will depend on multiple factors, including how quickly your new site goes live, whether the same URL is used for sites and applications on multiple hosts, and the requirements of your company’s IT department.
But first, let’s start with the basics.
Pointing DNS directly vs. using a reverse proxy
Both pointing DNS directly and a reverse proxy can route traffic to your website, but each option has ideal use cases.
What is DNS?
DNS stands for Domain Name System. Each website has two addresses:
- The text address that people use (e.g., example.com)
- The numerical address that web browsers and networks understand (e.g., 126.96.36.199)
DNS ties those two addresses together. When someone types “example.com” into a browser, the browser knows which numerical location to send them to—rather than having to connect websites via strings of numbers (like in the early days of the internet).
DNS directs traffic for all websites, but sometimes a reverse proxy layer sits between web visitors and the web host.
What is a reverse proxy?
A reverse proxy acts as an intermediary “hall monitor” for web traffic. It’s a server that sits in front of the web servers that host your site. Instead of pointing your DNS directly to your web host, you would point it to your proxy service, which would then direct your website’s visitors to your web host.
Should you point DNS directly or use a reverse proxy?
A reverse proxy can handle more complicated routing than DNS. For example, if you want visitors to example.com to go to a site on one particular web host, but visitors to example.com/blog (a subdirectory) to go to a site on a different host, you need a reverse proxy.
Note: subdomains (e.g. subsite.example.com) can be handled with DNS pointed directly.
Reverse proxies can offer security, performance, and stability improvements beyond what most web hosts offer, but they are more complex to set up than pointing DNS directly. This table is a high-level comparison to help inform a conversation with your company’s IT team about which option is best for your website(s).
|Point DNS directly if…|Use a reverse proxy if…|
|---|---|
|You’re hosting all your content on one web host, and/or only using root domains (example.com) or subdomains (subdomain.example.com).|Your main website lives on one web host but your blog lives on another, and the blog is a subdirectory of your main website URL (e.g., example.com/blog).|
|You need to migrate your site quickly and don’t have time or resources to configure and test a proxy setup before launch.|You have plenty of time to test and launch a proxy setup.|
|You don’t have specific security or performance concerns because you’re migrating to a very secure, scalable, performant host (e.g., WordPress VIP).|Your web host does not provide adequate security, performance, or scalability.|
|All the traffic for your website URL goes to the same place.|Your site and mobile app both use the same URL and you need something to direct traffic accordingly.|
|Your host has a built-in CDN (like WordPress VIP).|You want to use a content delivery network (CDN), but your current web host doesn’t provide a built-in CDN.|
Preparing to point DNS for a site migration
If you’re migrating your website to a new host, part of your launch plan will involve pointing DNS or your reverse proxy to the new host. Pointing DNS is almost always easier than pointing a proxy, which requires extra steps.
Note: Work closely with your systems administrator early in the website migration process to determine the exact requirements for pointing your domain to the new host. Check back near launch day to ensure your resources are aligned to point the DNS or proxy at the correct time.
If you’re pointing DNS directly, note these two things before launch:
- In the past, most DNS pointed using an “A Record,” where the A stands for Address. If you’re using an A Record, find out the IP address for your new site as soon as possible, so your systems administrator is prepared for launch day.
- Depending on your DNS registrar, you may have options beyond the A Record for pointing DNS, like ALIAS, ANAME, or CNAME. These types of records point to a text URL your web host owns, instead of an IP address. This is often a better, more permanent way to point DNS than an A Record, because your web host’s IP addresses may change over time.
Preparing to point a reverse proxy for a site migration
Reverse proxies tend to be one of those “single points of failure” that can turn a smooth launch into a rocky one, so build in plenty of testing time—ideally a few weeks before launch.
What kind of configuration does a reverse proxy need?
Prior to launch, your development team and systems administrator need to configure several things. Depending on your site and proxy’s unique setup, your configuration steps may include:
- Setting the origin where the reverse proxy should direct traffic to (ensuring people get to your site). This is usually a text-based link visible only to the web hosting company.
- Setting the request headers your web host requires: the Host HTTP header, the True-Client-IP HTTP header, and X-Proxy-Verification.
- Forwarding the domain’s .well-known/acme-challenge/* route, or installing a custom TLS certificate for the domain.
- Allowing access to the site for the support techs at your web host.
- Setting DNS for public-facing URLs.
- Documenting the details of the reverse proxy for your team and your web host.
Learn more about reverse proxy configuration for WordPress VIP.
How to test a reverse proxy
Test your proxy configuration thoroughly before launching your website to confirm traffic will arrive at your new site successfully. This is typically done with a testing URL and a non-production environment on your web host.
Run a cURL command
If you want details about where traffic ends up, so you can diagnose proxy configuration issues, run a cURL (client for URLs) command. This can be done in your Terminal (Mac), Windows Command Prompt (PC) or Command Line (Linux).
The command looks something like:
curl -I https://example.com/blog/
The response to that command should include headers sent by your host, alongside the headers sent by the proxy server.
Update hosts file
Another testing approach is to update your hosts file. A hosts file is a text file on your computer that lists IP addresses and URLs.
Update the hosts file to tell your computer to look for a website somewhere other than where DNS is pointing. By updating the hosts file with the site’s URL and the IP address of your web host, you can determine if the site is showing as expected when the reverse proxy is bypassed. If it is, then the issue is at the proxy level, not at your web host’s level.
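The cURL header check and the hosts-file bypass described above can be combined in one script. This is an added example, not part of the original article; the header names, function names and sample response are assumptions, and `--resolve` is curl's per-request alternative to editing the hosts file.

```shell
#!/bin/sh
# Added example. PROXY_HDR / ORIGIN_HDR are assumptions: substitute one header
# your proxy adds and one your web host adds to every response.
PROXY_HDR="via"
ORIGIN_HDR="x-origin-host"   # hypothetical header name

# has_header NAME: read raw response headers on stdin, succeed if NAME is present.
has_header() {
  grep -i "^$1:" >/dev/null
}

# classify: read `curl -sI` output on stdin and report which layers answered.
classify() {
  hdrs=$(cat); p=no; o=no
  printf '%s\n' "$hdrs" | has_header "$PROXY_HDR" && p=yes
  printf '%s\n' "$hdrs" | has_header "$ORIGIN_HDR" && o=yes
  case "$p$o" in
    yesyes) echo ok ;;            # proxy and origin both answered
    yesno)  echo proxy-only ;;    # proxy answered, origin headers missing
    noyes)  echo origin-only ;;   # response never passed through the proxy
    *)      echo neither ;;
  esac
}

# locate_fault VIA_DNS DIRECT: apply the hosts-file reasoning. If the origin
# answers correctly when the proxy is bypassed, the problem is at the proxy.
locate_fault() {
  case "$1/$2" in
    ok/*)          echo none ;;
    */origin-only) echo proxy ;;
    *)             echo origin ;;
  esac
}

# check_site URL ORIGIN_IP: live run (needs network). --resolve pins the
# hostname to ORIGIN_IP for one request, like a temporary hosts-file entry.
check_site() {
  host=${1#*://}; host=${host%%/*}
  via_dns=$(curl -sI "$1" | classify)
  direct=$(curl -sI --resolve "$host:443:$2" "$1" | classify)
  echo "via DNS: $via_dns, direct: $direct, fault: $(locate_fault "$via_dns" "$direct")"
}

# Constructed sample of a healthy proxied response, for an offline dry run.
SAMPLE_OK='HTTP/2 200
via: 1.1 edge-proxy
x-origin-host: origin.example.net'
printf '%s\n' "$SAMPLE_OK" | classify
```

Because `--resolve` applies to a single command, it leaves no hosts-file entry behind to forget about after testing.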
Ultimately, your website’s unique needs will determine the best way to direct traffic when your site launches. Start those conversations with your systems administrator early in the website development process so you can effectively plan configuration requirements and testing time.
If you’re migrating to WordPress VIP, check with your technical account manager for recommendations.
Learn more about DNS and reverse proxy in WordPress VIP’s extensive documentation library.