Setup

If you want to use Cloudflare as your primary DNS provider and manage your DNS records on Cloudflare, your domain should be using a full setup.

This means that you are using Cloudflare for your authoritative DNS nameservers.

Before you begin

Before you update your domain nameservers, make sure that you:

• Already own a domain name (such as example.com or cloudflare.com).

Note

If you do not already have a domain name ↗, get one at-cost through Cloudflare Registrar ↗.

All domains purchased through Cloudflare Registrar automatically use Cloudflare for authoritative DNS, which means you can skip the rest of this tutorial.

• Have previously created a Cloudflare account.
• Disabled DNSSEC at your registrar (where you bought your domain name).

Provider-specific instructions

This is not an exhaustive list of how to update DS records in other providers, but the following links may be helpful:

• DNSimple ↗
• Domaindiscount24 ↗
• DreamHost ↗
• Dynadot ↗
• Enom ↗
• Gandi ↗
• GoDaddy ↗
• Hostinger ↗
• Hover ↗
• InMotion Hosting ↗
• INWX ↗
• Joker.com ↗
• Name.com ↗
• Namecheap ↗
• NameISP ↗
• Namesilo ↗
• OVH ↗
• Squarespace ↗
• Registro.br ↗
• Porkbun ↗ (do not fill out keyData)
• TransIP ↗

Note

If your previous provider allows you to add DNSKEY records on the zone apex and use these records in responses to DNS queries, refer to this migration tutorial to learn how to migrate a zone with DNSSEC enabled.

Add site to Cloudflare

In the Cloudflare dashboard, add your domain.

If Cloudflare is unable to identify your domain as a registered domain, make sure you are using an existing top-level domain ↗ (.com, .net, .biz, or others).

Cloudflare requires your apex domain to be one level below a valid TLD defined in the Public Suffix List (PSL) ↗. Enterprise customers can onboard lower-level subdomains using Subdomain setup.

Review DNS records

When you start using Cloudflare’s nameservers for authoritative DNS and your zone is in a full setup, Cloudflare will become your primary DNS provider. This means that your DNS records in Cloudflare need to be accurate for your domain to work properly.

When you add a new site to Cloudflare, Cloudflare automatically scans for common records and adds them to the DNS zone. The records show up under the respective zone DNS > Records page.

Note

The DNS records quick scan is not automatically invoked in the following cases:

• If you choose Enterprise plan and, instead of the Quick Scan, choose to upload a DNS zone file or add records manually.
• If you add a zone via the API.

You can manually invoke the quick scan via API with the Scan DNS Records endpoint.

Note that the quick scan is a best effort attempt based on a predefined list of commonly used record names and types. You can read more about this in the reference page.

Since this scan is not guaranteed to find all existing DNS records, you need to review your records, paying special attention to the following record types:

• Zone apex records (example.com)
• Subdomain records (www.example.com or blog.example.com)
• Email records

Note

If you activate your domain on Cloudflare without setting up the correct DNS records for your domain and subdomain, your visitors may experience DNS_PROBE_FINISHED_NXDOMAIN errors.

Update your nameservers

Once you have added a domain (also known as a zone) to Cloudflare, that domain will receive two assigned authoritative nameservers.

Warning

If your domain is particularly sensitive to downtime, review our suggestions to minimize downtime.

Get nameserver names

1. Log in to the Cloudflare dashboard ↗ and select your account and domain.

2. On Overview, locate the nameserver names in 2. Replace with Cloudflare’s nameservers.

   

3. Keep this window open while you perform the next step.

Note

Cloudflare automatically assigns nameservers to a domain and these assignments cannot be changed. For more details, refer to Nameserver assignments.

Update your registrar

1. Log in to the admin account for your domain registrar. If you do not know your provider, use ICANN Lookup ↗.

Note

Depending on your use case, you may have to perform this step on the DNS records management of your domain parent zone, or at a domain reseller, instead. Refer to Nameservers for details.

2. Remove your existing authoritative nameservers.

3. Add the nameservers provided by Cloudflare. If their names are not copied exactly, your DNS will not resolve correctly.

Provider-specific instructions

This is not an exhaustive list of provider-specific instructions, but the following links may be helpful:

• Ionos ↗
• 101Domain ↗
• Amazon ↗
• Blacknight ↗
• BlueHost ↗
• DirectNIC ↗
• DNSMadeEasy ↗
• Domain.com ↗
• Dotster ↗
• DreamHost ↗
• EasyDNS ↗
• Enom ↗
• Fast Domain ↗
• FlokiNET ↗
• Gandi ↗
• GoDaddy ↗
• HostGator ↗
• Hostico ↗
• HostMonster ↗
• Hover ↗
• Internetdbs ↗
• iPage ↗
• MelbourneIT ↗
• Moniker ↗
• Name.com ↗
• Namecheap ↗
• Network Solutions ↗
• OVH ↗
• Porkbun ↗
• Rackspace ↗
• Register ↗
• Squarespace ↗
• Site5 ↗
• Softlayer ↗
• Yola ↗

Note

To avoid common issues, refer to our Nameserver replacement checklist.

Verify changes

Wait up to 24 hours while your registrar updates your nameservers.

When your domain is Active:

• You will receive an email from Cloudflare.
• Your domain will have a status of Active on the Websites page of your account.
• Online tools such as https://www.whatsmydns.net/ ↗ will show your Cloudflare-assigned nameservers (most of these tools use cached query results, so it may take longer for them to show the updated nameservers).
• CLI commands will show your Cloudflare-assigned nameservers

*Linux/Unix*
dig <DOMAIN_NAME> +trace @1.1.1.1
dig <DOMAIN_NAME> +trace @8.8.8.8

*Windows*
nslookup <DOMAIN_NAME> 1.1.1.1
nslookup <DOMAIN_NAME> 8.8.8.8

Note

If you see unexpected results, refer to our troubleshooting suggestions and check with your domain registrar.

Re-enable DNSSEC

When you updated your nameservers, you should have also disabled DNSSEC at your registrar.

You should now enable DNSSEC to protect from domain spoofing.