Learn how Secondary DNS Override allows proxying for Secondary DNS records transferred to Cloudflare.
Overview
Secondary Override allows customers to have Cloudflare as their Secondary DNS provider while proxying traffic to benefit from Cloudflare's security and performance features. Additionally, it allows:
- Proxied (orange-clouded) secondary DNS records (A, AAAA, CNAME), and
- CNAME record at the root domain.
With traditional secondary DNS, DNS records are transferred from your authoritative DNS provider to Cloudflare in a read-only manner. Customers who want Cloudflare to act as a proxy for select hostnames can orange-cloud Secondary DNS records. Additionally, customers who are unable to set a CNAME record at the root of their zone, either because of RFC restrictions or because their DNS provider cannot export ALIAS or ANAME records, can do so via Secondary Override.
Set up Secondary DNS Override
Prerequisites
- Add a Secondary DNS zone to Cloudflare and verify that DNS records are transferred.
- Request your Account Team to enable Secondary Override.
- (Highly recommended) Only list Cloudflare’s nameservers at your domain’s registrar to ensure that DNS queries to different nameservers don't yield varying responses.
Proxy Secondary DNS records
Use the DNS records API to proxy (orange-cloud) a DNS record. Ensure the record you add has the same name as the transferred record that you are orange-clouding. Cloudflare only looks at the name and the proxy status, so the content does not matter.
After proxying (orange-clouding) a Secondary DNS record, any additional records added under that hostname through the authoritative DNS provider are automatically proxied. This applies to all A and AAAA records under that domain. You can also proxy records directly from the list of DNS records in the Cloudflare DNS app by toggling the proxied cloud icon to an orange cloud.
Verify that a record is orange clouded
Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return Cloudflare IPs.
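An added example (not Cloudflare's own tooling) of the check above: it runs `dig` against the assigned Cloudflare nameserver supplied by the caller and classifies every A answer against a snapshot of Cloudflare's published IPv4 ranges. The snapshot is embedded here for an offline run; refresh it from https://www.cloudflare.com/ips-v4 (and add the IPv6 list from https://www.cloudflare.com/ips-v6 if you query AAAA) before relying on the result.

```python
"""Confirm that a Secondary DNS hostname answers with Cloudflare IPs.

Added example. `query_a` needs `dig` on the PATH and network access; the
classification helpers work on any list of addresses.
"""
import ipaddress
import subprocess

# Snapshot of Cloudflare's published IPv4 ranges (www.cloudflare.com/ips-v4).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if the address falls inside one of the snapshot ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def classify(answers: list[str]) -> str:
    """Summarise a set of A answers.

    'proxied'   - every answer is a Cloudflare IP (record is orange-clouded)
    'dns-only'  - no answer is a Cloudflare IP (record is grey-clouded)
    'mixed'     - a split, which indicates a misconfiguration worth checking
    'no-answer' - nothing came back
    """
    if not answers:
        return "no-answer"
    flags = [is_cloudflare_ip(a) for a in answers]
    if all(flags):
        return "proxied"
    if not any(flags):
        return "dns-only"
    return "mixed"


def query_a(name: str, nameserver: str) -> list[str]:
    """Run `dig +short @nameserver name A` and keep only the lines that are IPs.

    dig +short may also print CNAME targets; those are dropped so that only
    addresses reach classify().
    """
    out = subprocess.run(
        ["dig", "+short", f"@{nameserver}", name, "A"],
        capture_output=True, text=True, check=True,
    ).stdout
    answers = []
    for line in out.split():
        try:
            ipaddress.ip_address(line)
            answers.append(line)
        except ValueError:
            continue
    return answers


if __name__ == "__main__":
    import sys
    host, ns = sys.argv[1], sys.argv[2]  # e.g. www.example.com <assigned nameserver>
    found = query_a(host, ns)
    print(host, "->", found, ":", classify(found))
```

Invoke it as `python check_proxy.py www.example.com <your assigned Cloudflare nameserver>`; a correctly orange-clouded record reports `proxied`, while a transferred record that is still grey-clouded reports `dns-only` with the origin address.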
Add a CNAME record at the apex for Secondary Zone Override
- Log into your Cloudflare Account.
- Select the appropriate domain.
- Click on the DNS app.
- Click Add CNAME Record in the top-right corner of the DNS record table.
- Fill in the appropriate fields. Customers can only add a record with Type CNAME and at the apex. Once the override record is added, it appears at the top of the DNS table.
Once a Secondary Override CNAME record at the apex is added, existing A or AAAA records at the root are deactivated; customers can view those deactivated records by checking the View Inactive Records box. To re-activate the A or AAAA records at the root, remove the CNAME record.