How to set up Virtual DNS:
First of all, welcome to Virtual DNS! Here are the steps for how to get started.
Before you begin, you may want to change the IP addresses of your nameservers to brand new IP addresses. The reason to do that is to prevent any attacker from circumventing Virtual DNS and targeting your nameservers directly. You want to make sure all of your traffic has to go through Virtual DNS to reach your nameservers.
The next thing you will want to do is log in to the Virtual DNS management panel, available in the CloudFlare dashboard. Your account team at CloudFlare will have enabled that for your account when you signed up for Virtual DNS.
To log in, go to cloudflare.com/login. Next, find your user email or username in the top right corner, and click on that. That will bring up a menu of accounts you are a part of.
Click on the account you use Virtual DNS in. It may be in “My Settings” if Virtual DNS is in your personal account, or it may be under an organization’s settings if you use Virtual DNS for an organization.
Now click on the Virtual DNS tab in your account settings.
Virtual DNS works on a “cluster” basis. A cluster is a group of nameservers that all store the same DNS zone data.
To add your first DNS cluster, click the “Add Virtual DNS Cluster” button.
A modal will pop up with a form you will need to fill in. The first field you will need to enter is a name for the DNS cluster. The name will appear inside your Virtual DNS management panel for you as reference.
Next, enter your nameserver IP addresses. This tells CloudFlare where to find your nameservers to fetch DNS answers from.
Next, set the minimum and maximum cache TTL that Virtual DNS should respect on any DNS record it proxies from your nameservers. Virtual DNS will respect any TTL on the DNS records within the boundaries you set. We recommend a minimum of 30 seconds and a maximum of 1 hour.
Then, choose whether you want Virtual DNS to answer ANY queries. If the ANY Query toggle is set to “off”, Virtual DNS will refuse ANY queries and instead respond to ANY with an HINFO record like this:
cloudflare.com. 3788 IN HINFO "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any"
This is in accordance with the IETF Internet Draft, “Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY”.
Once you are done, click “Continue”.
On the following page, you will see the new Virtual DNS IP Addresses that CloudFlare has assigned to your nameservers. They will take one hour to take effect worldwide.
After you wait one hour, you can test that the addresses work by doing DNS lookups against them for domains on your nameservers and making sure you are getting correct responses.
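As an added example (not CloudFlare's own tooling), the script below automates that verification step and also reports how the new address handles ANY queries: it queries each record type for a name against both the Virtual DNS IP and your origin nameserver, compares the answer sections with TTLs stripped (Virtual DNS may rewrite TTLs within the bounds you configured, and round-robin answers may come back in a different order), and checks whether an ANY query gets the minimal HINFO reply shown above. It assumes `dig` is installed; the server addresses and names are supplied on the command line, and the record-type list in `RTYPES` is a constructed default.

```shell
#!/bin/sh
# Added example: verify a new Virtual DNS address against the origin nameserver
# before switching your nameservers over. Not CloudFlare's code; assumes `dig`.

# Canonicalise a `dig +noall +answer` answer section: drop the TTL column
# (field 2), rejoin the remaining fields with single spaces, and sort so that
# rotated round-robin answers still compare equal.
normalize_answers() {
    awk 'NF == 0 { next }
         { out = $1; for (i = 3; i <= NF; i++) out = out " " $i; print out }' | sort
}

# Return 0 when two answer sections are equivalent after normalisation.
answers_match() {  # answers_match <answers-a> <answers-b>
    na=$(printf '%s\n' "$1" | normalize_answers)
    nb=$(printf '%s\n' "$2" | normalize_answers)
    [ "$na" = "$nb" ]
}

# Return 0 when an answer to an ANY query is the minimal HINFO reply from
# draft-ietf-dnsop-refuse-any, i.e. HINFO records and nothing else.
any_refused() {  # any_refused <dig-answer-text>
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        $4 == "HINFO" { seen = 1; next }
        { other = 1 }
        END { exit ((seen && !other) ? 0 : 1) }'
}

# Ask one server for one name/type and print only the answer section.
query() {  # query <server-ip> <name> <type>
    dig +noall +answer +norecurse @"$1" "$2" "$3"
}

# Compare every record type in RTYPES for one name on both servers.
# Exit status: 0 if all match, 1 if any differ.
check_name() {  # check_name <vdns-ip> <origin-ip> <name>
    rc=0
    for t in ${RTYPES:-A AAAA MX NS SOA TXT}; do  # constructed default list
        vdns=$(query "$1" "$3" "$t")
        origin=$(query "$2" "$3" "$t")
        if answers_match "$vdns" "$origin"; then
            echo "OK       $3 $t"
        else
            echo "MISMATCH $3 $t"
            printf '  virtual dns: %s\n  origin:      %s\n' "$vdns" "$origin"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh vdns-check.sh <vdns-ip> <origin-ip> <name> [<name> ...]
if [ "$#" -ge 3 ]; then
    vdns_ip=$1; origin_ip=$2; shift 2
    status=0
    for name in "$@"; do
        check_name "$vdns_ip" "$origin_ip" "$name" || status=1
        if any_refused "$(query "$vdns_ip" "$name" ANY)"; then
            echo "INFO     $name ANY refused with HINFO (ANY Query toggle off)"
        else
            echo "INFO     $name ANY answered in full (ANY Query toggle on)"
        fi
    done
    exit $status
fi
```

Run it against each new Virtual DNS IP in turn, with the origin nameserver it fronts, for a handful of names from each zone. A MISMATCH on SOA or NS right after cluster creation usually just means the one-hour propagation window has not elapsed yet; repeat the check before cutting over.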
Once you have verified that the IPs are working, you may switch your nameservers to use these new IP addresses. This will start your DNS traffic flowing through Virtual DNS.
That’s it! Welcome to Virtual DNS.
How can I add multiple members of my team to manage Virtual DNS?
The Virtual DNS dashboard supports multi-user access. To get multi-user enabled for your account, reach out to your account team at CloudFlare and they can enable it for you.
Once Virtual DNS is enabled for your account, you can add members of your team to manage Virtual DNS together.
To do so, log in to the CloudFlare dashboard at cloudflare.com/login. Click on your user email or username in the upper right corner, and select the multi-user organization you use for Virtual DNS.
Now that you are in that organization’s settings, click on the “Members” tab.
You can add members to your team by typing in their email addresses and clicking “invite”.
Members need DNS Administrator or Super Administrator permission to be able to see and manage Virtual DNS.
If you would like to additionally require two-factor authentication for all users in that organization, click on the “Organization” tab, and click “Require Two-Factor”.