CNAME setup is a manual process available only to paid Cloudflare plans at the Business or Enterprise level.
With CNAME setup, authoritative DNS remains elsewhere, and one or more CNAMEs are delegated to Cloudflare for acceleration and security.
Interested in CNAME setup?
First, contact Cloudflare with the domain you would like to set up via CNAME.
Use the subject line "CNAME setup <domain>" for faster review.
Allowing for CNAME setup is entirely at the discretion of Cloudflare. We're always curious to learn how we can improve our DNS to meet your needs.
If approved for CNAME setup - per our review process and policies - the process is described below.
1) Create a Cloudflare account and start adding your website, following the normal process.
2) STOP at Step 4 of the setup, where the website instructions ask you to change your nameservers. Do not change your nameservers.
3) Respond to your Cloudflare ticket with the domain name and the account email address. The Business and Enterprise plans offer custom cert upload, but you'll also have a Cloudflare-issued wildcard cert, which may need an extra verification step for CNAME setup.
4) A unique TXT record will be emailed to you by your Cloudflare contact.
5) Add the TXT record to your authoritative DNS on the root record, with the subdomain host cloudflare-verify.example.com (replace example.com, of course). The TXT record value will be a number (e.g. 856172357-3825555). Leave this TXT record in place.
6) Cloudflare will verify the presence of the TXT record automatically and email you confirmation of completion. (This may take a few hours.)
7) Add CNAME(s) to your authoritative DNS provider following the format provided (more detail below).
8) You're done!
All requests accelerated and protected by Cloudflare will come from the Cloudflare IP addresses. Please make sure to whitelist all of Cloudflare's IPs. If you throttle or rate-limit these requests, your website will appear to be offline.
In Step 2 of adding your website, toggle the clouds to orange for the subdomain(s) you want Cloudflare enabled for. For the other subdomains, mark them as gray.
Limitations of CNAME setup
Domains using CNAME setup have two limitations:
- The DDoS protection for attacks against DNS infrastructure is only available for the delegated records.
- Cloudflare's security and acceleration benefits are only available on delegated subdomains, such as www.example.com. The root domain, such as example.com, cannot be protected or accelerated via Cloudflare. This is due to DNS RFCs.
To send root domain traffic to Cloudflare, you may add a redirect on your webserver (.htaccess file or similar) to forward traffic to the subdomains proxied by Cloudflare.
When you reach Step 7 above, after verification of your TXT record is complete, use these formats.
The edit to make to the CNAME in your authoritative DNS editor (not in Cloudflare's DNS settings) is to append .cdn.cloudflare.net to the entire hostname. The format of the CNAME record will be like this:
www.domain.com CNAME www.domain.com.cdn.cloudflare.net
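The record format above, together with the TXT verification record and the root-domain limitation, can be checked against an export of your authoritative records before you rely on the setup. This is an added example, not Cloudflare tooling; the function names and the sample records are constructed for illustration, using example.com and the example TXT value quoted earlier.

```python
SUFFIX = ".cdn.cloudflare.net"

def norm(name):
    """Lowercase a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def parse_records(text):
    """Parse 'name TYPE value' lines; ignore blank lines and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        records.append((norm(name), rtype.upper(), value.strip().strip('"')))
    return records

def check_cname_setup(zone, records, delegated):
    """Return a list of problems; an empty list means the records match."""
    zone = norm(zone)
    problems = []
    verify = "cloudflare-verify." + zone
    if not any(t == "TXT" and n == verify for n, t, _ in records):
        problems.append("missing TXT record at " + verify)
    cnames = {n: norm(v) for n, t, v in records if t == "CNAME"}
    for host in map(norm, delegated):
        if host == zone:
            # The page's limitation: the root domain cannot be delegated.
            problems.append(host + ": root domain cannot be delegated by CNAME")
            continue
        target = cnames.get(host)
        if target is None:
            problems.append(host + ": no CNAME record")
        elif target != host + SUFFIX:
            problems.append(host + ": CNAME is " + target + ", expected " + host + SUFFIX)
    return problems

# Constructed sample export of authoritative records.
SAMPLE = """
cloudflare-verify.example.com.  TXT    "856172357-3825555"
www.example.com.                CNAME  www.example.com.cdn.cloudflare.net.
shop.example.com.               CNAME  shop.cdn.cloudflare.net.  ; hostname not kept
"""

if __name__ == "__main__":
    wanted = ["www.example.com", "shop.example.com", "example.com"]
    for problem in check_cname_setup("example.com", parse_records(SAMPLE), wanted):
        print(problem)
```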
You can add as many CNAMEs as you like to your authoritative DNS. Make sure there is a corresponding record in the Cloudflare DNS Settings that is marked with an orange cloud. Make sure the record(s) you want are enabled by toggling the clouds to orange. Replace EXAMPLE.COM with your domain in the URLs below.
The logical flow of a CNAME lookup is shown in the diagram below:
Decide on your Cloudflare Settings. The defaults are fine, but you can start to get a feel for the options. Replace EXAMPLE.COM with your domain in the URL below.
More on SSL
If you need the Cloudflare-issued SSL with CNAME setup, you must always have CNAME verification records in place to verify the domain. You can use this Cloudflare API call to obtain the SSL verification CNAME records that trigger the certificate to be issued.
You may also upload your custom SSL certificate as a Business or Enterprise customer.
Turning Cloudflare Off
Once the record is live, you'll have two ways to disable Cloudflare, if you ever need to.
1) On the Cloudflare DNS Settings page, disable the proxy (click the cloud to gray). You'll still use Cloudflare DNS for that record, if your authoritative DNS doesn't change, but it will be DNS only: you will receive no security or acceleration benefits from using Cloudflare.
2) Remove the CNAME record pointing to Cloudflare from your authoritative DNS.