English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

Understanding Secondary DNS Override

  • Updated

Learn how Secondary DNS Override allows proxying for Secondary DNS records transferred to Cloudflare.

Overview

Secondary Override allows customers to have Cloudflare as their Secondary DNS provider while proxying traffic to benefit from Cloudflare's security and performance features.  Additionally, it allows:  

  • Proxied (orange-clouded) secondary DNS records (A, AAAA, CNAME), and
  • CNAME record at the root domain.

With traditional secondary DNS, DNS records are transferred from your authoritative DNS provider to Cloudflare in a read-only manner. Customers that want Cloudflare to act as a proxy for select hostnames can orange-cloud Secondary DNS records. Additionally, customers that are unable to set a CNAME record at the root of their zone due to either RFC restrictions or inability of their DNS provider to export ALIAS or ANAME records, can do so via Secondary Override.

Set up Secondary DNS Override

If you're currently on a partial setup and want to use secondary DNS, contact your Cloudflare Account Team.

Prerequisites

  1. Add a Secondary DNS zone to Cloudflare and verify that DNS records are transferred.
  2. Request your Account Team to enable Secondary Override. 
  3. (Highly recommended) Only list Cloudflare’s nameservers at your domain’s registrar to ensure that DNS queries to different nameservers don't yield varying responses.  

Proxy Secondary DNS records

Use the DNS records API to proxy (orange cloud) a DNS record.  Ensure the record you add has the same name as the transferred record that you are orange clouding. Cloudflare only looks at the name and the proxy status, so the content does not matter.  

After proxying (orange clouding) a Secondary DNS record, any additional records added under that hostname through the authoritative DNS provider are automatically proxied. This applies to all A and AAAA records under that domain.  Directly proxy records from the list of DNS records in the Cloudflare DNS app by toggling the proxied cloud icon to an orange cloud. 

Verify that a record is orange clouded 

Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns.  Records proxied by Cloudflare return Cloudflare IPs

Without a hidden primary, a DNS query does not return Cloudflare IPs for proxied hostnames when the query is served by the authoritative DNS provider's nameservers.

 

Add a CNAME record at the apex for Secondary Zone Override

  1. Log into your Cloudflare Account.
  2. Select the appropriate domain.
  3. Click on the DNS app.
  4. Click Add CNAME Record in the top-right corner of the DNS record table.
  5. Fill in the appropriate fields. Customers can only add a record with Type CNAME and at the apex. Once the override record is added, it appears at the top of the DNS table.
The Cloudflare API only allows a CNAME record uploaded to the root domain for Secondary DNS. For other records added to Secondary DNS, the API may show the record as successfully uploaded, but Cloudflare will not serve that record.

Once a Secondary Override CNAME at the apex record is added, existing A or AAAA records at the root are deactivated and customers can view those deactivated records by checking the View Inactive Records box. To re-activate the A or AAAA records at the root, remove the CNAME record.

Related resources

 

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Ask the Community Submit a request