Get help with common issues related to the Cloudflare DNS app.
- Where can I learn more about DNS?
- Is Cloudflare a free DNS (domain nameserver) provider?
- Does Cloudflare charge for or limit DNS queries?
- Where do I change my nameservers to point to Cloudflare?
- Can I use Cloudflare without changing my nameservers to Cloudflare?
- Does Cloudflare limit number of DNS records a domain can have?
- Which record types does Cloudflare not proxy?
- Can I CNAME a domain not on Cloudflare to a domain that is on Cloudflare?
- Does Cloudflare support wildcard DNS entries?
- How long does it take for a DNS change I made to push out?
- Does Cloudflare offer domain masking?
- Why can't I make ANY queries to Cloudflare DNS servers?
- Why do I have to remove my DS record when signing up for Cloudflare?
- What happens when I remove the DS record?
- Does Cloudflare support EDNS0 (extension mechanisms for DNS)?
- What should I do if I change my server IP address or hosting provider?
- Where can I find my Cloudflare name servers?
- Should the cloud icon beside my DNS record be orange or gray?
- Can subdomains be added directly to Cloudflare?
- What is CNAME Flattening?
- Cloudflare Name server Assignment
- 403 Authentication error when creating DNS records using Terraform
Where can I learn more about DNS?
Please visit the Cloudflare Learning Center DNS guides.
Is Cloudflare a free DNS (domain nameserver) provider?
Yes. Cloudflare offers free DNS services to customers in all plans. Note that:
- You do not need to change your hosting provider to use Cloudflare.
- You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers.
As of October 2018, you can transfer your domain to Cloudflare Registrar.
Does Cloudflare charge for or limit DNS queries?
Cloudflare never limits or caps DNS queries, but the pricing depends on your plan level.
For customers on Free, Pro, or Business plans, Cloudflare does not charge for DNS queries.
For customers on Enterprise plans, Cloudflare uses the number of monthly DNS queries as a pricing input to generate a custom quote. Any overages will not be charged.
Where do I change my nameservers to point to Cloudflare?
Make the change at your registrar, which may or may not be your hosting provider. If you don't know who your registrar is for the domain, you can find this by doing a WHOis search. Follow the instructions in change nameservers to Cloudflare.
Can I use Cloudflare without changing my nameservers to Cloudflare?
Yes. If you can't change to our nameservers — which is what allows us to proxy your site traffic — you have two options:
Does Cloudflare limit number of DNS records a domain can have?
Yes. Currently Free, Pro, and Business customers have a limit on the number of DNS records they can create.
If you are an Enterprise customer you can contact your Account team if you require more DNS records.
Which record types does Cloudflare not proxy?
Cloudflare does not proxy the following record types:
Can I CNAME a domain not on Cloudflare to a domain that is on Cloudflare?
No. If you would like to do a redirect for a site not on Cloudflare, then set up a traditional 301 or 302 redirect on your origin web server.
Redirecting non-Cloudflare sites via CNAME records would cause a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the CNAME redirect for the domain (not on Cloudflare) wouldn't know where to send the traffic to.
Does Cloudflare support wildcard DNS entries?
Yes. Cloudflare supports the wildcard '*' record for DNS management in all customer plans.
Free, Pro, and Business plans
Non-enterprise customers can create but not proxy wildcard records.
If you create wildcard records, these wildcard subdomains are served directly without any Cloudflare performance, security, or apps. As a result, Wildcard domains get no cloud (orange or grey) in the Cloudflare DNS app. If you are adding a `*` CNAME or A Record, make sure the record is grey clouded in order for the record to be created.
To get Cloudflare protection on a wildcard subdomain (for example: www), define that record explicitly in your Cloudflare DNS settings. First, log into your Cloudflare account and click the DNS app. In this example, you would add "www" as its own CNAME record on your Cloudflare DNS settings and toggle the cloud to orange so the Cloudflare's proxy is enabled.
Wildcards are only valid in the left-most subdomain label. For example, it's not possible to add sub.*.example.com, but it's possible to add *.sub.example.com.
Enterprise customers can create and proxy wildcard records. To learn more about the Enterprise plan, contact us.
How long does it take for a DNS change I made to push out?
By default, any changes or additions you make to your Cloudflare zone file will push out in 5 minutes or less. Your local DNS cache may take longer to update; as such, propagation everywhere might take longer than 5 minutes.
This setting is controlled by the Time-to-Live (TTL) value on a DNS record. Proxied records update within 300 seconds (Auto), but the TTL for unproxied records can be customized.
Does Cloudflare offer domain masking?
No. Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). We only offer URL forwarding through Page Rules.
Why can't I make ANY queries to Cloudflare DNS servers?
ANY queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging.
Because of Cloudflare's many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to ANY queries. For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time.
ANY is rarely used in production, but is often used in DNS reflection attacks, taking advantage of the lengthy answer returned by ANY.
Instead of using ANY queries to list records, Cloudflare customers can get a better overview of their DNS records by logging in and checking their DNS app settings.
The decision to block ANY queries was implemented for all Authoritative DNS customers in September 2015, and does not affect Virtual DNS customers.
Read Deprecating the DNS ANY meta-query type in the Cloudflare blog.
Why do I have to remove my DS record when signing up for Cloudflare?
Cloudflare supports DNSSEC. If a DS record is present at your registrar while using Cloudflare, you will run into connectivity errors such as SERVFAIL when using a validating resolver like Google and noErrror from non-validating ones.
Here is an example of what an error would look like: ╰─➤ dig dnssec-failed.org @22.214.171.124 <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org @126.96.36.199 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5531 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;dnssec-failed.org. IN AWith DNSSEC support, Cloudflare provides the DS record that must be uploaded to your parent when you enable DNSSEC for your domain.
What happens when I remove the DS record?
When you remove your DS record, an invalidation process begins which results in the unsigning of your domain’s DNS records. This will allow your authoritative nameservers to be changed. If you are an existing customer, this will not affect your ability to use Cloudflare. New customers will need to complete this step before Cloudflare can be used successfully.
Does Cloudflare support EDNS0 (extension mechanisms for DNS)?
Yes, Cloudflare DNS supports EDNS0. EDNS0 is enabled for all Cloudflare customers. It is a building block for modern DNS implementations that adds support for signaling if the DNS Resolver (recursive DNS provider) supports larger message sizes and DNSSEC.
What should I do if I change my server IP address or hosting provider?
After switching hosting providers or server IP addresses, update the IP addresses in your Cloudflare DNS app. Your new hosting provider will provide the new IP addresses that your DNS should use. To modify DNS record content in the DNS app, click on the IP address, and enter the new IP address.
Where can I find my Cloudflare name servers?
Under the DNS app of your Cloudflare account, review the Cloudflare Nameservers.
The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online such as whatsmydns.net:
dig kate.ns.cloudflare.com kate.ns.cloudflare.com. 68675 IN A 188.8.131.52.
Should the cloud icon beside my DNS record be orange or gray?
By default, only A and CNAME records that handle web traffic (HTTP and HTTPs) can be proxied to Cloudflare. All other DNS records should be toggled to a gray cloud. For further details, see our support guide.
Can subdomains be added directly to Cloudflare?
Only Enterprise customers can add subdomains directly to Cloudflare via Subdomain Support.
What is CNAME Flattening?
We needed a method to allow CNAME records for the root of the domain, but still follow the RFC and return an IP address for any query for the root record. To accomplish this, we extended our authoritative DNS infrastructure to, in certain cases, act as a kind of DNS resolver. What happens is that, if there's a CNAME at the root, rather than returning that record directly we recurse through the CNAME chain ourselves until we find an A Record. At that point, we return the IP address associated with the A Record. This, effectively, "flattens" the CNAME chain. For more details on this please see our blog post.
Cloudflare Name server Assignment
We don't guarantee the same name servers assigned to all zones within an Organization account. Cloudflare domains on Business or Enterprise plans can set Custom Nameservers at Cloudflare. Please follow these instructions to get started.
403 Authentication error when creating DNS records using Terraform
Error: failed to create DNS record: HTTP status 403: Authentication error (10000) is returned when using Terraform with Cloudflare API.
Error seems to be misleading, as the error was found to be in customer code syntax, specifically: zone_id = data.cloudflare_zones.example_com.id
Make sure the argument
zone_id = data.cloudflare_zones.example_com.zones.id. A more detailed use case can be found in this Github thread.