I've used Cloudflare and it's great. But in this specific case we control the server IP address but we don't own the domain, so we can't use Cloudflare, unfortunately, because the domain owner isn't ready to migrate his DNS to Cloudflare. I would really love to have WAF+DDoS protection without changing DNS servers; is that possible? Just to be clear, the end result should be a reverse proxy (protected) IP address that the domain owner will put in the A DNS record, achieving the same as what Cloudflare offers but without migrating DNS servers.
Cloudflare has a bring-your-own-IP option, similar to other filtering-as-a-service providers. Note that you need to manage your own prefix and announce it to the internet, then authorize the service provider to advertise it.
Previously, enabling a network security proxy with only DNS was possible because you were using their IPs providing their name-based shared hosting. Using your own IPs requires a bit of network design.