Cloudflare DNS Setup Guide
Cloudflare is one of the most popular DNS providers in the world, offering fast global resolution via Anycast DNS infrastructure, a free tier, and a suite of security and performance features. Migrating to Cloudflare DNS typically takes 15–30 minutes, and many sites see measurable performance improvements from the reduced DNS lookup latency alone.
## Step 1: Add Your Site to Cloudflare
1. Log in at [dash.cloudflare.com](https://dash.cloudflare.com)
2. Click **Add a Site**, enter your domain name, and choose a plan (Free works for most use cases)
3. Cloudflare scans your existing DNS records and imports them
The auto-import catches most records (A, CNAME, MX, TXT), but always review the results carefully. Common misses include:
- CAA records
- SRV records
- Subdomain records at deeper levels
- Legacy records the scanner could not resolve
Add any missing records manually before proceeding.
## Step 2: Update Nameservers at Your Registrar
Cloudflare assigns you two nameservers — unique per account, in the format `xxx.ns.cloudflare.com`. Go to your registrar and replace the current NS records with Cloudflare's.
Each registrar is different:
- **Namecheap:** Domain List > Manage > Nameservers > Custom DNS
- **GoDaddy:** My Products > DNS > Nameservers > Change > Custom
- **Google Domains / Squarespace:** DNS > Name Servers > Use custom name servers
- **Porkbun:** Domain Management > Authoritative Nameservers
Save the changes and wait. NS record changes propagate on the registrar's schedule — usually within minutes to a few hours, but up to 48 hours in some cases.
## Step 3: Verify Nameserver Delegation
Cloudflare's dashboard shows "Pending Nameserver Update" until it detects your NS records pointing to their nameservers. You can manually verify:
```bash
dig example.com NS
```
When the output shows `xxx.ns.cloudflare.com`, Cloudflare is active for your domain.
## Proxy Mode vs DNS-Only Mode
This is Cloudflare's most distinctive feature. Each DNS record can be either **proxied** (orange cloud) or **DNS-only** (grey cloud).
**Proxied (orange cloud):**
- Traffic flows through Cloudflare's edge network before reaching your server
- Your origin server's IP is hidden — visitors see Cloudflare's IPs
- Enables CDN caching, DDoS protection, Web Application Firewall, SSL termination, and other Cloudflare features
- Available for A, AAAA, and CNAME records pointing to web services
- Forces HTTPS between Cloudflare and users (with SSL configured)
**DNS-only (grey cloud):**
- Cloudflare simply resolves the IP; traffic goes directly to your server
- Origin IP is visible to the public
- No CDN or security features
- Required for MX targets, mail servers, FTP, SSH, and non-HTTP services
**What to proxy:** Your main website's A/CNAME records (root domain, `www`).
**What NOT to proxy:** MX targets, mail servers, API servers that require IP-based access controls, anything using non-HTTP protocols.
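An added example, not from this guide, that audits a zone's records for the proxy-mode mistakes listed above: a proxied MX target, a proxied non-HTTP host, and a DNS-only A/AAAA record that shares the address of a proxied origin (which undoes the IP hiding the orange cloud provides). The `Record` class and the zone data are constructed for the demo.

```python
from dataclasses import dataclass

PROXIABLE = {"A", "AAAA", "CNAME"}          # only these types can be orange-clouded
NON_HTTP_HOSTS = ("mail", "smtp", "imap", "ftp", "ssh")  # hostnames that imply non-HTTP traffic

@dataclass
class Record:
    name: str        # fully qualified host name
    type: str
    content: str     # IP address, CNAME target, or MX target
    proxied: bool = False

def audit_zone(records):
    """Return (host, finding) pairs for records whose proxy mode is wrong or leaky."""
    findings = []
    mx_targets = {r.content.rstrip(".") for r in records if r.type == "MX"}
    # addresses the orange cloud is supposed to hide
    hidden_ips = {r.content for r in records if r.proxied and r.type in ("A", "AAAA")}
    for r in records:
        host = r.name.rstrip(".")
        if r.proxied and r.type not in PROXIABLE:
            findings.append((host, f"{r.type} record cannot be proxied"))
        elif r.proxied and host in mx_targets:
            findings.append((host, "MX target is proxied: inbound mail will fail"))
        elif r.proxied and host.split(".")[0] in NON_HTTP_HOSTS:
            findings.append((host, "non-HTTP service is proxied: only HTTP(S) passes the proxy"))
        elif not r.proxied and r.type in ("A", "AAAA") and r.content in hidden_ips:
            findings.append((host, f"DNS-only record exposes origin IP {r.content}"))
    return findings

# Constructed zone: root and www are correctly proxied, mail is wrongly proxied,
# and ftp is DNS-only but shares the proxied origin's address.
SAMPLE_ZONE = [
    Record("example.com", "A", "203.0.113.10", proxied=True),
    Record("www.example.com", "CNAME", "example.com", proxied=True),
    Record("example.com", "MX", "mail.example.com"),
    Record("mail.example.com", "A", "203.0.113.10", proxied=True),
    Record("ftp.example.com", "A", "203.0.113.10"),
]

if __name__ == "__main__":
    for host, finding in audit_zone(SAMPLE_ZONE):
        print(f"{host}: {finding}")
```

The fix for the last finding is to host non-HTTP services on a different address from the proxied web origin, or to accept that the origin IP is public.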
## Configuring DNS Records in Cloudflare
The Cloudflare DNS dashboard is straightforward:
1. Click **DNS** in the left sidebar
2. Click **Add record**
3. Select type, enter name and value, set proxy mode and TTL
For proxied records, Cloudflare sets the TTL to "Auto" (300 seconds). For DNS-only records you can set any TTL down to a minimum of 60 seconds on the free plan or 30 seconds on paid plans.
## SSL/TLS Mode
After enabling Cloudflare, configure SSL mode under **SSL/TLS > Overview**:
| Mode | Description |
|------|-------------|
| Off | HTTP only — never use |
| Flexible | HTTPS to users, HTTP to origin — not recommended |
| Full | HTTPS to users, HTTPS to origin (any cert) |
| Full (Strict) | HTTPS to users, valid cert required at origin |
**Always use Full or Full (Strict).** Flexible mode creates a false sense of security — traffic between Cloudflare and your origin is unencrypted. Full (Strict) requires a valid certificate at your origin (Let's Encrypt works).
## DNSSEC
Cloudflare supports DNSSEC with one-click setup:
1. Go to **DNS > Settings > DNSSEC**
2. Click **Enable DNSSEC**
3. Cloudflare generates a DS record for you
4. Add that DS record at your registrar
After adding the DS record, DNSSEC validation is active — DNS responses for your domain are cryptographically signed and resolvers can verify they have not been tampered with.
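An added example, not from this guide, covering both checks the guide asks for: that the NS answer from Step 3 contains only Cloudflare nameservers, and that the parent zone publishes a well-formed DS record once DNSSEC is enabled. The parsing functions take `dig +short` output as text so they run offline on the constructed samples below; `live_check` is the same logic wired to a real `dig` call and is an assumption about your environment (it needs the binary and network access).

```python
import re
import subprocess

CF_NS = re.compile(r"^[a-z0-9-]+\.ns\.cloudflare\.com\.?$")
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")

def parse_short(output):
    """Split `dig +short` output into non-empty answer lines."""
    return [line.strip() for line in output.splitlines() if line.strip()]

def delegation_status(ns_output):
    """True only when every NS in the answer is a Cloudflare nameserver."""
    ns = parse_short(ns_output)
    return bool(ns) and all(CF_NS.match(n) for n in ns)

def ds_status(ds_output):
    """Return (ok, reason) for the DS records the parent zone publishes."""
    ds = parse_short(ds_output)
    if not ds:
        return False, "no DS record at parent: DNSSEC not active"
    for line in ds:
        parts = line.split()
        if len(parts) < 4 or not all(p.isdigit() for p in parts[:3]):
            return False, f"malformed DS: {line}"
        digest_type, digest = parts[2], "".join(parts[3:])  # dig may split long digests
        # Cloudflare's DS normally uses algorithm 13 with digest type 2 (SHA-256)
        if digest_type == "2" and not SHA256_HEX.match(digest):
            return False, "digest type 2 requires a 64 hex character SHA-256 digest"
    return True, "DS present and well-formed"

def live_check(domain):
    """Query the live DNS; needs `dig` and network access (not used in the demo)."""
    ns = subprocess.run(["dig", "+short", domain, "NS"], capture_output=True, text=True).stdout
    ds = subprocess.run(["dig", "+short", domain, "DS"], capture_output=True, text=True).stdout
    return delegation_status(ns), ds_status(ds)

# Constructed samples: the placeholder nameserver names follow the xxx.ns.cloudflare.com
# format from the guide, and the DS digest is a dummy 64 hex character string.
SAMPLE_NS = "xxx.ns.cloudflare.com.\nyyy.ns.cloudflare.com.\n"
SAMPLE_DS = "2371 13 2 " + "ab" * 32 + "\n"

if __name__ == "__main__":
    print("delegated to Cloudflare:", delegation_status(SAMPLE_NS))
    print("DS:", ds_status(SAMPLE_DS))
```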
## DNS over HTTPS and DNS over TLS
Cloudflare operates public DNS over HTTPS (DoH) and DNS over TLS (DoT) resolvers at `1.1.1.1` and `1.0.0.1`. These are separate from your authoritative DNS setup — they are resolvers users can configure on their devices or routers to encrypt DNS queries.
## Useful Cloudflare Features
**Always Use HTTPS:** Redirect HTTP to HTTPS automatically (SSL/TLS > Edge Certificates).
**Automatic HTTPS Rewrites:** Fix mixed-content warnings by rewriting HTTP URLs in HTML responses.
**HSTS:** Enable HTTP Strict Transport Security headers (SSL/TLS > Edge Certificates > HSTS).
**Page Rules / Transform Rules:** Redirect specific URLs, rewrite headers, or apply custom cache settings.
**Bot Management:** (Pro+) Block or challenge known bot traffic before it reaches your server.
## After Setup Checklist
- [ ] All DNS records imported correctly (especially MX and TXT)
- [ ] SSL mode set to Full or Full (Strict)
- [ ] Proxied records show orange cloud for the intended records
- [ ] Mail server records (MX targets, mail subdomain A records) are DNS-only
- [ ] DNSSEC enabled and DS record added at registrar
- [ ] Test email sending and receiving
- [ ] Test website loads correctly over HTTPS
## Next Steps
- DNS During Domain Migration — manage TTLs and plan the full migration
- DNS TTL: Choosing the Right Value — understand Cloudflare's TTL behavior
- DNS Troubleshooting Guide — fix issues after migration