General FAQ
Yes. Cloudflare offers free DNS services ↗ to customers in all plans. Note that:
- You do not need to change your hosting provider to use Cloudflare.
- You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers.
Cloudflare never limits or caps DNS queries, but the pricing depends on your plan level.
For customers on Free, Pro, or Business plans, Cloudflare does not charge for DNS queries.
For customers on Enterprise plans, Cloudflare uses the number of monthly DNS queries as a pricing input to generate a custom quote.
Make the change at your registrar, which may or may not be your hosting provider. If you don’t know who your registrar is for the domain, you can find this by doing a WHOis search. You can use ICANN Lookup ↗, for example.
Once you identify your registrar, follow the instructions in change nameservers to Cloudflare.
Yes. All customers have a limit on the number of DNS records they can create.
- Free zones created before
2024-09-01 00:00:00 UTC: 1,000 - Free zones created on or after
2024-09-01 00:00:00 UTC: 200 - Pro: 3,500
- Business: 3,500
- Enterprise: 3,500
Cloudflare does not proxy the following record types:
LOCMXNSSPFTXTSRVCAA
No. If you would like to do a redirect for a site not on Cloudflare, then set up a traditional 301 or 302 redirect on your origin web server.
Redirecting non-Cloudflare sites via CNAME records would cause a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the CNAME redirect for the domain (not on Cloudflare) would not know where to send the traffic to.
Cloudflare supports proxying wildcard ’*’ record for DNS management in all customer plans.
By default, any changes or additions you make to your Cloudflare zone file will push out in 5 minutes or less. Your local DNS cache may take longer to update; as such, propagation everywhere might take longer than 5 minutes.
This setting is controlled by the Time-to-Live (TTL) value on a DNS record. Proxied records update within 300 seconds (Auto), but the TTL for unproxied records can be customized.
No. Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). However, we do offer URL forwarding through Bulk Redirects.
ANY queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging.
Because of Cloudflare’s many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to ANY queries. For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time.
ANY is rarely used in production, but is often used in DNS reflection attacks, taking advantage of the lengthy answer returned by ANY.
Instead of using ANY queries to list records, Cloudflare customers can get a better overview of their DNS records by logging in and checking their DNS app settings.
The decision to block ANY queries was implemented for all Authoritative DNS customers in September 2015, and does not affect Virtual DNS customers.
Read Deprecating the DNS ANY meta-query type ↗ in the Cloudflare blog.
Provider-specific instructions
This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:
For more help, refer to Enabling DNSSEC in Cloudflare.
When you remove your DS record, an invalidation process begins which results in the unsigning of your domain’s DNS records. This will allow your authoritative nameservers to be changed. If you are an existing customer, this will not affect your ability to use Cloudflare. New customers will need to complete this step before Cloudflare can be used successfully.
Yes, Cloudflare DNS supports EDNS0. EDNS0 is enabled for all Cloudflare customers. It is a building block for modern DNS implementations that adds support for signaling if the DNS Resolver (recursive DNS provider) supports larger message sizes and DNSSEC.
EDNS0 is the first approved set of mechanisms for DNS extensions ↗, originally published as RFC 2671 ↗.
After switching hosting providers or server IP addresses, update the IP addresses in your Cloudflare DNS app. Your new hosting provider will provide the new IP addresses that your DNS should use. To modify DNS record content in the DNS app, click on the IP address, and enter the new IP address.
Under the DNS app of your Cloudflare account, review the Cloudflare Nameservers.
The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online such as whatsmydns.net ↗:
dig kate.ns.cloudflare.comkate.ns.cloudflare.com. 68675 IN A 173.245.58.124.For DNS records proxied to Cloudflare, Cloudflare’s IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website.
By default, only A and CNAME records that handle web traffic (HTTP and HTTPS) can be proxied to Cloudflare. All other DNS records should be toggled to a gray cloud. For further details, refer to our support guide.
Only Enterprise customers can add subdomains directly to Cloudflare via Subdomain Support.
Problem Description
Error: failed to create DNS record: HTTP status 403: Authentication error (10000) is returned when using Terraform with Cloudflare API.
Root Cause
Error seems to be misleading, as the error was found to be in customer code syntax, specifically: zone_id = data.cloudflare_zones.example_com.id
Solution
Make sure the argument zone_id = data.cloudflare_zones.example_com.zones[0].id. A more detailed use case can be found in this ↗ GitHub thread.
This can happen when you had a wildcard * record configured at your previous authoritative DNS. You can remove these records in bulk using the API.
You can also:
- Remove your domain from Cloudflare.
- Delete the wildcard record from your authoritative DNS.
- Re-add the domain.
In the case a placeholder address is needed for “originless” setups, use the IPv6 reserved address 100:: or the IPv4 reserved address 192.0.2.0 in your Cloudflare DNS to create a proxied DNS record that can use Cloudflare Redirect Rules, Page Rules, or Cloudflare Workers.
Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. In this circumstance, purge your public DNS cache via these methods:
- Purging your DNS cache at OpenDNS ↗
- Purging your DNS cache at Google ↗
- Purging your DNS cache locally ↗
No A, AAAA or CNAME record found means the Cloudflare DNS app lacks proper records for DNS resolution.
Add the missing DNS records to your domain.
For domains where Cloudflare hosts the DNS, Cloudflare continuously checks whether the domain uses Cloudflare’s nameservers for DNS resolution. If Cloudflare’s nameservers are not used, the domain status is updated from Active to Moved in the Cloudflare Overview app and an email is sent to the customer.
This is important because - if a domain is in a Moved state for a long enough period of time - it will be deleted from Cloudflare.
To recover a deleted domain, re-add it in Cloudflare just like you would for a new domain.
The DNS API cannot be used for domains with .cf, .ga, .gq, .ml, or .tk TLDs. Use the Cloudflare Dashboard for managing such TLDs.
Enterprise customer can contact Cloudflare Support to remove this limitation.
You can create CNAME records pointing to cdn.cloudflare.net in your local DNS to locally resolve hostnames through Cloudflare.
For example, if you need to resolve example.com through Cloudflare in your local DNS server, you need to create a CNAME record such as:
example.com CNAME example.com.cdn.cloudflare.net