LSN 04/10 ▸DNS 12 MIN TIER FREE
DNS, the part you'll touch daily
Record types, the orange cloud, CNAME flattening, and the configs that catch people out.
Before this: 03 Putting your domain on Cloudflare
The DNS dashboard is where you will spend most of your time on Cloudflare in the first few months. It is also the source of most self-inflicted outages, so it pays to understand exactly what each record does.
Record types
A short reference for the ones that come up constantly:
- A. Maps a hostname to an IPv4 address. Example: `@ → 203.0.113.5`.
- AAAA. Same as A, but IPv6. Add one alongside the A if your origin has an IPv6 address.
- CNAME. Alias one hostname to another. Example: `www → yoursite.com`. The target's A/AAAA is looked up next.
- TXT. Arbitrary string. Used for SPF, DKIM, DMARC, domain verification, and ACME challenges.
- MX. Mail exchanger. Where mail for `@yoursite.com` is delivered. Has a priority number; lower is preferred.
- NS. Nameserver delegation. You normally only see these at the apex (set by the registrar) or when delegating a subdomain to another DNS provider.
- SRV. Service location. Specifies host and port for a named service. Used by some protocols (Matrix, XMPP, Minecraft).
- CAA. Restricts which certificate authorities are allowed to issue certs for the domain. Cloudflare handles this automatically for proxied records.
Cloudflare also supports a few proprietary record types under the hood, like the LOC record and the SVCB/HTTPS records for protocol hints, but you can ignore those until you need them.
The orange cloud
Every A, AAAA, and CNAME record in Cloudflare DNS has a little cloud icon next to it. Orange means proxied: requests for that hostname go through Cloudflare’s network before reaching the IP. Grey means DNS-only: Cloudflare just answers the lookup and the visitor connects directly to the IP.
The implications are large.
When a record is proxied:
- The IP visitors see in `nslookup` is a Cloudflare anycast IP, not your origin. Your origin IP is hidden, which helps against direct DDoS attacks.
- HTTPS is terminated at the Cloudflare edge, using their certificate for your domain. They re-encrypt to your origin if you have a certificate there, or connect over HTTP (less secure) if you do not.
- Cache, WAF, Workers, Page Rules, Cache Rules, Bot Fight Mode all apply.
- Only ports 80, 443, and a handful of others are proxied. Custom ports go around Cloudflare even if the record is orange.
When a record is DNS-only:
- Cloudflare is purely a name lookup. The visitor connects directly to your IP.
- None of the proxy features apply.
- Use this for anything that is not HTTP/HTTPS, or for cases where you need the unfiltered connection.
Apex records and CNAME flattening
Standard DNS has a rule: you cannot put a CNAME on the apex (the root domain). The apex must resolve to an IP via an A or AAAA record. This is awkward when your hosting provider only gives you a hostname like `yoursite.pages.dev`, not a stable IP.
Cloudflare solves this with CNAME flattening. You can put a CNAME on the apex in the dashboard. When a resolver asks Cloudflare for the apex’s A record, Cloudflare follows the CNAME chain itself and returns the final IP. The resolver sees an A record; everyone is happy.
This is why Pages projects can have custom apex domains. Without flattening, you would need a service like ALIAS records (not standard) or a static IP.
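To see what flattening actually changes on the wire, here is an added example (not code from the lesson or from Cloudflare): a toy authoritative server answering from a constructed zone. The hostnames are placeholders and the IPs are documentation ranges; `classic_answer` behaves like a standard server (hands back the CNAME and lets the resolver chase it), while `flattened_answer` follows the chain itself and returns the final A/AAAA under the queried name, with a hop limit so a looping misconfiguration fails loudly instead of spinning.

```python
# Added example (not from the lesson): a toy authoritative server showing
# what CNAME flattening changes. The zone data is constructed; the names
# are placeholders and the IPs come from documentation ranges.
from typing import Dict, List, Tuple

# name -> list of (type, value); names are fully qualified with a trailing dot
Zone = Dict[str, List[Tuple[str, str]]]

ZONE: Zone = {
    "yoursite.com.": [("CNAME", "yoursite.pages.dev.")],        # apex CNAME, legal only with flattening
    "www.yoursite.com.": [("CNAME", "yoursite.com.")],          # two hops before an IP appears
    "yoursite.pages.dev.": [("A", "203.0.113.5"), ("AAAA", "2001:db8::5")],
    "loop1.yoursite.com.": [("CNAME", "loop2.yoursite.com.")],  # deliberate misconfiguration
    "loop2.yoursite.com.": [("CNAME", "loop1.yoursite.com.")],
}

MAX_HOPS = 8  # bound the chase so a CNAME loop cannot spin forever


def classic_answer(zone: Zone, name: str, qtype: str) -> Tuple[str, List[str]]:
    """What a standard authoritative server returns for an A/AAAA query:
    the matching records if present, otherwise the CNAME itself, leaving
    the recursive resolver to chase it."""
    rrs = zone.get(name, [])
    direct = [v for t, v in rrs if t == qtype]
    if direct:
        return qtype, direct
    return "CNAME", [v for t, v in rrs if t == "CNAME"]


def flattened_answer(zone: Zone, name: str, qtype: str) -> Tuple[str, List[str]]:
    """Flattening: follow the CNAME chain inside the zone and hand back the
    final A/AAAA values under the queried name, so the resolver never sees
    a CNAME at the apex."""
    visited: List[str] = []
    current = name
    for _ in range(MAX_HOPS):
        rtype, values = classic_answer(zone, current, qtype)
        if rtype == qtype:
            return qtype, values
        if not values:
            return qtype, []  # dangling CNAME or no such record: empty answer
        visited.append(current)
        current = values[0]
        if current in visited:
            raise ValueError("CNAME loop: " + " -> ".join(visited + [current]))
    raise ValueError(f"CNAME chain longer than {MAX_HOPS} hops starting at {name}")


if __name__ == "__main__":
    print("classic   :", classic_answer(ZONE, "yoursite.com.", "A"))
    print("flattened :", flattened_answer(ZONE, "yoursite.com.", "A"))
    print("www AAAA  :", flattened_answer(ZONE, "www.yoursite.com.", "AAAA"))
```

The flattened answer carries the queried name rather than a CNAME, which is exactly why it sidesteps the rule that a CNAME cannot share a name with the SOA, NS and MX records that always live at the apex.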
Email records
Mail does not go over HTTP, so MX records cannot be proxied. They must be grey-cloud. Same for the supporting TXT records:
- SPF in a TXT record at the apex, e.g. `v=spf1 include:_spf.google.com ~all`
- DKIM in TXT records at provider-specified subdomains
- DMARC in a TXT at `_dmarc`
When you import a domain into Cloudflare, the email TXTs and MX usually come through correctly. The thing to double-check is that they stayed grey-cloud and that nothing got accidentally proxied.
TTL
For proxied records, TTL is set to Auto and Cloudflare manages it. For DNS-only records, you can pick a TTL (60s up to a day). The default of Auto is fine.
When planning a move (changing origin IP, switching mail provider), lower the TTL on the affected records to 60 seconds 24 hours before the change. Resolvers will pick up the new TTL on their next refresh, then the change itself propagates within a minute. Bump the TTL back up afterward.
A realistic config
For a site with a static deploy on Cloudflare Pages, mail on Fastmail, and a status page on a separate VPS, the DNS often looks like:
| Type | Name | Content | Priority | Cloud | Note |
|------|------|---------|----------|-------|------|
| A | @ | 192.0.2.10 | | DNS-only | status page IP (or use a CNAME for status) |
| CNAME | www | yoursite.pages.dev | | Proxied | |
| CNAME | blog | yoursite.pages.dev | | Proxied | |
| CNAME | status | status-vps | | DNS-only | |
| MX | @ | in1-smtp.messagingengine.com | 10 | DNS-only | |
| MX | @ | in2-smtp.messagingengine.com | 20 | DNS-only | |
| TXT | @ | v=spf1 include:spf.messagingengine.com ?all | | | |
| TXT | fm1._domainkey | k=rsa; p=... | | | DKIM |
| TXT | _dmarc | v=DMARC1; p=quarantine; rua=mailto:dmarc@yoursite.com | | | |
Each line is one record. The cloud column drives proxy behavior; the priority column applies only to MX.
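The mistakes this lesson warns about (a mail host left orange so the MX points at a Cloudflare IP, a duplicated SPF record, a forgotten DMARC, a CNAME sharing a name with other records) are all visible in the record set itself, so they can be caught before saving. The linter below is an added example, not code from the lesson or from Cloudflare; it covers the orange-cloud rules and the email-record rules from the sections above. The record set is constructed to mirror the table, with the DKIM key body and the status VPS hostname replaced by placeholders, and `lint` simply returns a list of problems.

```python
# Added example, not from the lesson: a small linter for a Cloudflare-style
# record set. Records are constructed to mirror the table; hostnames are
# placeholders and the DKIM public key is a stand-in.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    rtype: str                      # A, AAAA, CNAME, MX, TXT, ...
    name: str                       # "@" for the apex, otherwise the label relative to the zone
    content: str
    proxied: bool = False           # the orange cloud
    priority: Optional[int] = None  # MX only


PROXIABLE = {"A", "AAAA", "CNAME"}  # the only types that even have a cloud icon


def lint(records: List[Record], zone: str) -> List[str]:
    """Return human-readable problems; an empty list means the set looks sane."""
    problems: List[str] = []
    by_name: Dict[str, List[Record]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    for r in records:
        if r.proxied and r.rtype not in PROXIABLE:
            problems.append(f"{r.rtype} {r.name}: only A/AAAA/CNAME records can be proxied")
        if r.rtype == "MX" and r.priority is None:
            problems.append(f"MX {r.name}: missing priority")

    # An MX target inside this zone must be grey-cloud: SMTP is not proxied,
    # so mail sent to a Cloudflare anycast IP never reaches the origin.
    for r in records:
        if r.rtype != "MX":
            continue
        target = r.content.rstrip(".")
        if target == zone:
            label = "@"
        elif target.endswith("." + zone):
            label = target[: -len(zone) - 1]
        else:
            continue  # external mail host (e.g. the provider's), nothing to check here
        if any(t.proxied for t in by_name.get(label, [])):
            problems.append(f"MX {r.name} -> {target}: target is proxied, mail will not connect")

    # A CNAME must be alone at its name; the apex is the exception (CNAME flattening).
    for name, rs in by_name.items():
        if name != "@" and any(x.rtype == "CNAME" for x in rs) and len(rs) > 1:
            problems.append(f"{name}: CNAME cannot coexist with other records")

    apex_txt = [x for x in by_name.get("@", []) if x.rtype == "TXT"]
    spf = [x for x in apex_txt if x.content.startswith("v=spf1")]
    if not spf:
        problems.append("@: no SPF record")
    elif len(spf) > 1:
        problems.append("@: more than one SPF record (receivers treat this as a permanent error)")

    dmarc = [x for x in by_name.get("_dmarc", [])
             if x.rtype == "TXT" and x.content.startswith("v=DMARC1")]
    if not dmarc:
        problems.append("_dmarc: no DMARC record")
    return problems


# Constructed record set mirroring the table (placeholders for the VPS host and DKIM key).
GOOD = [
    Record("A", "@", "192.0.2.10"),
    Record("CNAME", "www", "yoursite.pages.dev", proxied=True),
    Record("CNAME", "blog", "yoursite.pages.dev", proxied=True),
    Record("CNAME", "status", "status-vps.example.net"),
    Record("MX", "@", "in1-smtp.messagingengine.com", priority=10),
    Record("MX", "@", "in2-smtp.messagingengine.com", priority=20),
    Record("TXT", "@", "v=spf1 include:spf.messagingengine.com ?all"),
    Record("TXT", "fm1._domainkey", "k=rsa; p=PLACEHOLDER_PUBLIC_KEY"),
    Record("TXT", "_dmarc", "v=DMARC1; p=quarantine; rua=mailto:dmarc@yoursite.com"),
]

# The same zone with three of the mistakes the lesson warns about (constructed).
BAD = [
    Record("A", "mail", "192.0.2.20", proxied=True),     # self-hosted mail host, accidentally orange
    Record("MX", "@", "mail.yoursite.com", priority=10),  # ...and the MX points at it
    Record("TXT", "@", "v=spf1 include:spf.messagingengine.com ?all"),
    Record("TXT", "@", "v=spf1 ip4:192.0.2.20 -all"),     # second SPF record at the apex
    # no _dmarc record at all
]

if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("bad", BAD)):
        print(label, lint(recs, "yoursite.com") or "no problems")
```

The MX check only looks at targets inside the zone, because that is the only case where the orange cloud can get in the way; a provider's own mail hosts are outside Cloudflare's control entirely.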
DNS is fiddly. When in doubt, check `dig +short <type> <hostname>` and trace the chain manually. The Cloudflare dashboard's debug section also shows what each record resolves to live.