This article describes the purpose, benefits, and limitations of enabling a CNAME setup for a Cloudflare domain.
A CNAME setup allows a customer to maintain authoritative DNS outside of Cloudflare. It allows individual subdomains to benefit from Cloudflare's services without requiring updates for a domain's registration to point to Cloudflare's nameservers for DNS resolution.
The logical flow of a DNS lookup for a domain on a CNAME setup is shown in the diagram below:
Activating CNAME setup for a domain
1. Review our guide that explains the benefits and limitations of a CNAME setup.
2. Upgrade the domain to a Business plan or higher as needed.
4. In Advanced Actions, select Convert to CNAME DNS Setup.
5. Select Convert.
6. Once you finish, add the new TXT record to your authoritative DNS.
7. After a few hours, Cloudflare will have verified the TXT record and sent a confirmation email.
8. Provision Universal SSL for the domain.
(Optional) Provision Cloudflare Universal SSL for CNAME setup
Cloudflare's Universal SSL certificate will be deployed once:
- A domain is activated on the CNAME setup
- Proper Domain Control Validation (DCV) records have been added to authoritative DNS. To change your DCV method, see Change DCV Method.
To provision a Universal SSL certificate, follow the instructions in our developer documentation.
Adding DNS records to a CNAME setup
Once a CNAME setup is enabled, DNS records must be updated in both Cloudflare's DNS app and your authoritative DNS:
1. Add an A or CNAME record in the Cloudflare DNS app for the subdomain.
2. Edit the corresponding CNAME record in your authoritative DNS to append .cdn.cloudflare.net to the hostname.
For example, when configuring www.example.com on a CNAME setup with Cloudflare, the CNAME record in authoritative DNS would need to point to www.example.com.cdn.cloudflare.net:
www.example.com CNAME www.example.com.cdn.cloudflare.net
CNAME records can be added to your authoritative DNS for each subdomain to be proxied to Cloudflare.
The CNAME setup has two limitations:
- DDoS protection for attacks against DNS infrastructure is only available for the delegated subdomain records.
- Only subdomains, not the root domain, can use Cloudflare's services. This limitation is imposed by Internet DNS specifications.
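The record rule from "Adding DNS records to a CNAME setup" and the root-domain limitation can be checked mechanically against an export of your authoritative records before a change goes live. The following Python sketch is an added example, not Cloudflare tooling; the function names, status labels and sample records are constructed for illustration, and it assumes one record per line with fully qualified names, as in the www.example.com example above.

```python
SUFFIX = ".cdn.cloudflare.net"  # suffix the article says to append to the hostname

def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def classify(owner, target, zone):
    """Compare one CNAME record with the rules stated in the article."""
    owner, target, zone = norm(owner), norm(target), norm(zone)
    if not target.endswith(SUFFIX):
        return "not-cloudflare"        # CNAME to some other service
    if owner == zone:
        return "apex-not-supported"    # only subdomains can use a CNAME setup
    if target == owner + SUFFIX:
        return "ok"                    # <hostname>.cdn.cloudflare.net
    return "hostname-mismatch"         # suffix present, but for another hostname

def audit(zone_text, zone):
    """Return {owner: status} for every CNAME line in zone_text."""
    results = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop ';' comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:           # need an owner before, a target after
            continue
        i = types.index("CNAME", 1)
        results[norm(fields[0])] = classify(fields[0], fields[i + 1], zone)
    return results

# Constructed sample records (not taken from a real zone).
SAMPLE_ZONE = """\
; authoritative records for example.com
www.example.com          CNAME www.example.com.cdn.cloudflare.net
shop.example.com 300 IN  CNAME www.example.com.cdn.cloudflare.net.
blog.example.com         CNAME blog.example.com.cdn.cloudflare.net.
docs.example.com         CNAME docs.hosting-provider.example
example.com              CNAME example.com.cdn.cloudflare.net
mail.example.com         A     192.0.2.10
"""

if __name__ == "__main__":
    for owner, status in audit(SAMPLE_ZONE, "example.com").items():
        print(f"{owner:20} {status}")
```

A "hostname-mismatch" result means the target carries the suffix but does not follow the hostname-plus-suffix form the article gives, so that record is worth reviewing by hand.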