omni-network / omni

Monorepo for Omni node, contracts and other related tools
https://omni.network
GNU General Public License v3.0
75 stars 42 forks

DNS proxy for P2P ports #1495

Closed fabtreb closed 1 month ago

fabtreb commented 1 month ago

We turned off DNS proxy for seed node DNS records as CloudFlare does not support proxying TCP/UDP traffic using the standard "cloudflare_record" Terraform resource.

A quick look around suggested Cloudflare Spectrum as the solution to this requirement. We still want DDoS protection on our public endpoints, so either this or another solution would be desirable to achieve the same masking/protection.

Our P2P ports are still open to the world, so we should lock our IP ranges to Cloudflare to have 100% confidence in this.
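As an added illustration of the "lock our IP ranges to Cloudflare" check (this is not code from the omni repository or from the issue author), the script below audits a set of firewall ingress rules and reports any rule that exposes a P2P port to a source range not fully contained in the proxy provider's published ranges. The rule shape mimics GCP VPC firewall rules, the port 30303 is assumed to be geth's default P2P port, the firewall rules are constructed sample data, and the Cloudflare ranges are an illustrative snapshot that should be refreshed from the provider's published list rather than hard-coded.

```python
"""Audit firewall ingress rules so P2P ports only admit the proxy provider's ranges.

Added example; the rules below are constructed and the provider ranges are a
snapshot for illustration only.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumption: geth's default P2P port. Add halo's P2P port here once it is fixed.
P2P_PORTS = {30303}

# Illustrative snapshot of a few Cloudflare IPv4 ranges. In a real deployment
# pull the current list from Cloudflare's published ranges at apply time.
CLOUDFLARE_IPV4 = [
    ipaddress.ip_network(c)
    for c in ("173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "104.16.0.0/13")
]

# Constructed sample rules shaped like GCP VPC firewall rules (names and ranges invented).
FIREWALL_RULES: List[Dict] = [
    {
        "name": "allow-p2p-cloudflare",
        "direction": "INGRESS",
        "sourceRanges": ["173.245.48.0/20", "103.21.244.0/22"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["30303"]},
                    {"IPProtocol": "udp", "ports": ["30303"]}],
    },
    {   # Typical leftover from bring-up: P2P open to the whole internet.
        "name": "allow-p2p-world",
        "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["30303"]}],
    },
    {   # Not a P2P port, so it is out of scope for this audit.
        "name": "allow-ssh-office",
        "direction": "INGRESS",
        "sourceRanges": ["203.0.113.0/24"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    },
    {   # Port range covers 30303 and the /16 is wider than any provider /20.
        "name": "allow-p2p-range-partial",
        "direction": "INGRESS",
        "sourceRanges": ["173.245.0.0/16"],
        "allowed": [{"IPProtocol": "udp", "ports": ["30300-30310"]}],
    },
    {   # Egress rules are ignored; only inbound exposure matters here.
        "name": "allow-egress-all",
        "direction": "EGRESS",
        "destinationRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "all"}],
    },
]


def _port_matches(spec: str, port: int) -> bool:
    """Match a single port or an inclusive 'lo-hi' range against one port."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_exposes_port(rule: Dict, port: int) -> bool:
    """True if an ingress rule allows TCP/UDP traffic to the given port."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "udp", "all"):
            continue
        ports = allowed.get("ports")
        # An absent 'ports' list means every port of that protocol.
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False


def uncovered_sources(sources: Iterable[str],
                      allow_ranges: Iterable[ipaddress._BaseNetwork]) -> List[str]:
    """Return source CIDRs that are not a subnet of any permitted range."""
    allow = list(allow_ranges)
    bad = []
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        covered = any(net.version == a.version and net.subnet_of(a) for a in allow)
        if not covered:
            bad.append(src)
    return bad


def audit_p2p_exposure(rules: List[Dict], ports: Iterable[int],
                       allow_ranges: Iterable[ipaddress._BaseNetwork]) -> List[Tuple[str, str]]:
    """List (rule name, offending CIDR) for every P2P exposure outside allow_ranges."""
    ports = set(ports)
    allow = list(allow_ranges)
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if not any(rule_exposes_port(rule, p) for p in ports):
            continue
        for src in uncovered_sources(rule.get("sourceRanges", []), allow):
            findings.append((rule["name"], src))
    return findings


if __name__ == "__main__":
    for name, cidr in audit_p2p_exposure(FIREWALL_RULES, P2P_PORTS, CLOUDFLARE_IPV4):
        print(f"{name}: {cidr} is not within the proxy provider's ranges")
```

Run against live rules by replacing `FIREWALL_RULES` with the output of your cloud provider's firewall listing; a clean run returns an empty list, and any finding means the node's P2P port is still reachable without going through the proxy.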

corverroos commented 1 month ago

One additional requirement is that geth (and possibly halo) needs to be configured with an "advertising IP". This has to be the IP address of the LB/proxy. And since LBs and proxies have multiple dynamic IPs in general, I'm not sure how we would do that. Maybe it isn't required and one can run without an advertising IP (for seed nodes at least), but I don't think this would work for fullnode P2P for example, since the seed node would share the fullnode IP with the node trying to connect, so it has to be correct.

brid commented 1 month ago

You can run geth without that I know for sure, since we do that for RPC. It's not very "P2P" as you get a lot of outgoing (and return) connections but no incoming ones. This is in a scenario where you run behind a NAT or on a private IP range but behind a load balancer etc.

Probably not what we want when trying to bootstrap our own network, but easier on a huge network.

brid commented 1 month ago

Looks like GCP has something similar to AWS Shield, where it offers another level of DDoS protection you can configure for instances with public IPs:

https://cloud.google.com/armor/docs/advanced-network-ddos