To do Cloudflare the nostr way:

Services (behind a firewall) can pay public servers to give them a tunnel to a public IP address. They could do that to several servers at once, where the provider's sole business could be fending off spam. If one of 'em causes too much spam you could just cut it off.
An interesting thought I'm having now is you could selectively reveal some of your IP addresses to your WoT, so your service always stays up for them, even if you're under attack through the publicly known IPs.
I did a half-assed experiment named 'NoPorts' that would provide such a service. Anyone that likes to further explore this concept should join nostr:nprofile1qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcqyzpanxdpfp39c0fthqv67vrycrm2ztta4z8k3vkxjgsl8f6xzuw3jddlvze in March next year!
PS: The local DNS part of this image is nice, but not necessary.
nostr:nevent1qvzqqqqqqypzq96n3hp2vfmf6z2y8uvvxl97xk86kkalnqghx4p25lzl79c76a7yqqsfkpmfx9562ng08f0ftn2g5n3r0mqmcc9hz3c3tdksapkvcc9vwyg6h62vh
https://gitworkshop.dev/npub1hw6amg8p24ne08c9gdq8hhpqx0t0pwanpae9z25crn7m9uy7yarse465gr/relay.ngit.dev/noports
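
A toy model of the two ideas in this note (several rented tunnels with the spammy ones cut off, and some addresses revealed only to your WoT), added here as an illustration. It is not NoPorts code; the provider names, pubkeys, addresses and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    provider: str            # public server renting out the tunnel (hypothetical name)
    public_ip: str           # constructed documentation-range address
    wot_only: bool = False   # True: address is revealed only to the web of trust
    total: int = 0           # requests seen through this tunnel
    spam: int = 0            # of which were classified as spam
    active: bool = True


@dataclass
class Service:
    trusted: set                       # pubkeys in the operator's WoT
    tunnels: list = field(default_factory=list)
    max_spam_ratio: float = 0.8        # assumed cut-off threshold
    min_samples: int = 100             # do not judge a tunnel on too little traffic

    def record(self, provider, requests, spam):
        """Account traffic seen through one tunnel; cut it off if it is mostly spam."""
        t = next(t for t in self.tunnels if t.provider == provider)
        t.total += requests
        t.spam += spam
        if t.total >= self.min_samples and t.spam / t.total > self.max_spam_ratio:
            t.active = False
        return t.active

    def addresses_for(self, pubkey=None):
        """Addresses to hand to a client: strangers only ever see public tunnels."""
        in_wot = pubkey in self.trusted
        return [t.public_ip for t in self.tunnels
                if t.active and (in_wot or not t.wot_only)]


def demo():
    svc = Service(trusted={"npub_alice"})
    svc.tunnels = [Tunnel("relay-a", "192.0.2.10"),
                   Tunnel("relay-b", "198.51.100.20"),
                   Tunnel("relay-c", "203.0.113.30", wot_only=True)]
    svc.record("relay-a", 1000, 950)   # both publicly known tunnels get flooded
    svc.record("relay-b", 1000, 990)
    svc.record("relay-c", 40, 0)       # the WoT-only tunnel stays quiet
    return svc.addresses_for(), svc.addresses_for("npub_alice")


if __name__ == "__main__":
    print(demo())
```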