How Cloudflare works
The Cloudflare global network can improve the security, performance, reliability, and privacy of anything connected to the Internet, such as your website, SaaS application, or corporate network.
To optimize your website or web application, Cloudflare acts as a DNS provider for your domain, and a reverse proxy for your web traffic.
We support a few different setups for using Cloudflare as a DNS provider. A full DNS setup is the most common, where Cloudflare becomes the primary authoritative DNS provider for your domain, after you connect your domain to Cloudflare. This means we respond to DNS queries for your domain, and you manage its DNS records via the Cloudflare dashboard or API.
When Cloudflare receives a DNS query for your domain, our response is determined by the configuration set in your DNS table, including the value of the record, the record’s proxy eligibility, and its proxy status.
If the domain’s status is active and the queried DNS record is set to proxied, then Cloudflare responds with an anycast IP address, instead of the value defined in your DNS table. This effectively re-routes the HTTP/HTTPS requests to the Cloudflare network, instead of directly reaching the targeted origin server.
In contrast, if the queried DNS record is set to DNS only, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means HTTP/HTTPS requests route directly to the origin server and are not processed or protected by Cloudflare.
All DNS records in your DNS table have a proxy status, indicating whether or not HTTP/HTTPS traffic for that record will route through Cloudflare on its way between the client and the origin server. If the domain’s status is active, all HTTP/HTTPS requests for proxied DNS records route through Cloudflare.
As these requests pass through our network, they are processed according to your configuration. Subsequently, legitimate requests are forwarded to the origin server.
Refer to our Load Balancing reference architecture to learn more about advanced ways to forward traffic to your origins (or other endpoints), as well as our CDN reference architecture to learn more about how Cloudflare processes and optimizes your web traffic.
In the Cloudflare dashboard, find out which DNS records are proxied by selecting your domain and navigating to the DNS records tab.
Type | Name | Content | Proxy status | TTL | Actions |
---|---|---|---|---|---|
A | blog | 192.0.2.1 | Proxied | Auto | Edit |
A | shop | 192.0.2.2 | DNS only | Auto | Edit |
In the example DNS table above, there are two DNS records. The record with the name blog has the proxy on, while the record named shop has the proxy off (that is, DNS only).
When the browser initiates an HTTP/HTTPS request to blog.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates an HTTP/HTTPS request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. Cloudflare forwards it to the configured origin server, which is 192.0.2.1.
When the browser initiates an HTTP/HTTPS request to shop.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, DNS only), Cloudflare will answer with 192.0.2.2. Finally, the browser initiates an HTTP/HTTPS request to the server hosted at 192.0.2.2.
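The decision described above can be turned into a configuration audit. The following is an added example, not Cloudflare code: it parses a DNS table in the layout shown earlier and reports, per record, what a DNS query is answered with and whether HTTP/HTTPS traffic bypasses Cloudflare. The `api` row, the function names, and the finding labels are constructed for illustration.

```python
"""Audit a DNS table for records whose HTTP/HTTPS traffic bypasses the proxy."""

# Constructed sample in the page's table layout; the "api" row is an added,
# hypothetical record that reuses the origin address of the proxied "blog".
SAMPLE_TABLE = """\
Type | Name | Content | Proxy status | TTL | Actions |
---|---|---|---|---|---|
A | blog | 192.0.2.1 | Proxied | Auto | Edit |
A | shop | 192.0.2.2 | DNS only | Auto | Edit |
A | api | 192.0.2.1 | DNS only | Auto | Edit |
"""


def parse_table(text):
    """Turn the pipe-separated table into a list of dicts keyed by header."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    # Drop the ---|--- separator row (cells made only of dashes or colons).
    body = [r for r in body if not all(set(c) <= set("-:") for c in r)]
    return [dict(zip(header, r)) for r in body]


def audit(records, domain_active=True):
    """Return (name, dns_answer, finding) for each record."""
    proxied_origins = {r["Content"] for r in records
                       if r["Proxy status"] == "Proxied"}
    results = []
    for r in records:
        name, content = r["Name"], r["Content"]
        if r["Proxy status"] == "Proxied":
            if domain_active:
                # Answer is an anycast IP; requests pass through Cloudflare.
                results.append((name, "anycast", "proxied"))
            else:
                # The page only describes the active case; do not assume.
                results.append((name, None, "unverified"))
        elif content in proxied_origins:
            # DNS only: the table value is returned as-is, which publishes
            # the same origin address a proxied record forwards to.
            results.append((name, content, "origin-exposed"))
        else:
            # DNS only: requests go straight to the origin server.
            results.append((name, content, "direct"))
    return results


if __name__ == "__main__":
    for row in audit(parse_table(SAMPLE_TABLE)):
        print(*row, sep="\t")
```

The `origin-exposed` finding goes one step beyond the text: because a DNS only record is answered with the value in the DNS table, any proxied record forwarding to that same address has its origin visible through DNS as well.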