From 30c6e5368aa08b0544f9287407bdba5c87658430 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 22 Jan 2026 15:32:59 +0000 Subject: [PATCH 01/17] Review original FAQ and recreate top-level and more focused --- src/content/docs/dns/faq.mdx | 116 +++++++++++++++++ src/content/docs/dns/troubleshooting/faq.mdx | 128 +------------------ 2 files changed, 118 insertions(+), 126 deletions(-) create mode 100644 src/content/docs/dns/faq.mdx diff --git a/src/content/docs/dns/faq.mdx b/src/content/docs/dns/faq.mdx new file mode 100644 index 00000000000000..7951e3c2849eb5 --- /dev/null +++ b/src/content/docs/dns/faq.mdx 
@@ -0,0 +1,116 @@ +--- +pcx_content_type: faq +title: FAQ +sidebar: + order: 21 +--- + +import { Render } from "~/components"; + +Refer to the sections bellow for frequently asked questions and their answers regarding Cloudflare authoritative DNS. + +--- + +## Cloudflare offerings + +### Is Cloudflare a free DNS (domain nameserver) provider? + +Yes. Cloudflare offers [free DNS services](https://www.cloudflare.com/dns) to customers on all plans. Note that: + +- You do not need to change your hosting provider to use Cloudflare. +- You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers. + +### Does Cloudflare charge for or limit DNS queries? + +Cloudflare never limits or caps DNS queries, but the pricing depends on your plan level. + +For customers on Free, Pro, or Business plans, Cloudflare does not charge for DNS queries.For customers on Enterprise plans, Cloudflare uses the number of monthly DNS queries as a pricing input to generate a custom quote. + +### Does Cloudflare offer domain masking? + +No. Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). However, we do offer URL forwarding through [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). + +### Can subdomains be added directly to Cloudflare? + +Yes. Enterprise customers can add subdomains directly to Cloudflare via [subdomain support](/dns/zone-setups/subdomain-setup/). + +--- + +## Nameservers + +### Where can I find my Cloudflare nameservers? + +Under the **DNS** app of your Cloudflare account, review the **Cloudflare Nameservers**. + +The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online such as [whatsmydns.net](https://www.whatsmydns.net/): + +```sh +dig kate.ns.cloudflare.com +``` + +```sh output +kate.ns.cloudflare.com. 68675 IN A 173.245.58.124. 
+``` + +### Where do I change my nameservers to point to Cloudflare? + +Make the change at your registrar, which is where you registered your domain. This may or may not be your hosting provider. If you don't know who your registrar is for the domain, you can find this by doing a WHOIS search. You can use [ICANN Lookup](https://lookup.icann.org/), for example. + +:::caution + +Some country code TLDs may not be supported by ICANN Lookup. If that is the case, use a different WHOIS search tool. +::: + +Once you identify your registrar, follow the instructions in [change nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/#update-your-nameservers). + +### Why have I received an email: Your Name Servers have Changed? + +For domains where Cloudflare hosts the DNS, Cloudflare continuously checks whether the domain uses Cloudflare's nameservers for DNS resolution. If Cloudflare's nameservers are not used, the [domain status](/dns/zone-setups/reference/domain-status/) is updated from *Active* to *Moved* in the Cloudflare **Overview** app and an email is sent to the customer. + +This is important because, if a domain is in a _Moved_ state for a [long enough period of time](/dns/zone-setups/reference/domain-status/), it will be deleted from Cloudflare. + + + +--- + +## DNS records + +### Does Cloudflare limit the number of DNS records a domain can have? + +Yes. All customers have a limit on the number of DNS records they can create. + +- Free: 200 +- Pro: 3,500 +- Business: 3,500 +- Enterprise: 3,500 + +Free zones created before 2024-09-01 00:00:00 UTC have an increased limit of 1,000. + +:::note[For more DNS records] +If you are an Enterprise customer and require more DNS records, contact your account team. Cloudflare can support millions of DNS records on a single zone. +::: + +### How long does it take for a DNS change I made to push out? 
+ +By default, any changes or additions you make to your Cloudflare zone file will take effect globally within 5 minutes, usually much less. + +Depending on the Time-to-Live (TTL) set on the previous [DNS record](/dns/manage-dns-records/how-to/create-dns-records/), old data may still remain cached until the TTL expires. Proxied records expire after 5 minutes ("Automatic"), but the TTL for unproxied records can be customized. + +If changes to records with large TTLs are anticipated, it may make sense to reduce the TTL ahead of time so that the change takes effect as quickly as possible. + +### Why can't I make ANY queries to Cloudflare DNS servers? + +`ANY` queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging. + +Because of Cloudflare's many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to `ANY` queries. For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time. + +Refer to [Deprecating the DNS ANY meta-query type](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/) for details. The decision to block `ANY` does not affect DNS Firewall customers. + + +### How do I add ANAME records on Cloudflare? + + + +### Why are Cloudflare's A or AAAA records / IP addresses for my domain's DNS responses appearing? + +For DNS records proxied to Cloudflare, Cloudflare's IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website. \ No newline at end of file diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index 61fd39e352f6ed..42cdb2d4515df3 100644 
--- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx 
@@ -8,56 +8,6 @@ sidebar: import { Render, GlossaryTooltip } from "~/components"; -## Is Cloudflare a free DNS (domain nameserver) provider? - -Yes. Cloudflare offers [free DNS services](https://www.cloudflare.com/dns) to customers on all plans. Note that: - -1. You do not need to change your hosting provider to use Cloudflare. -2. You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers. - ---- - -## Does Cloudflare charge for or limit DNS queries? - -Cloudflare never limits or caps DNS queries, but the pricing depends on your plan level. - -For customers on Free, Pro, or Business plans, Cloudflare does not charge for DNS queries. - -For customers on Enterprise plans, Cloudflare uses the number of monthly DNS queries as a pricing input to generate a custom quote. - ---- - -## Where do I change my nameservers to point to Cloudflare? - -Make the change at your registrar, which is where you registered your domain. This may or may not be your hosting provider. If you don't know who your registrar is for the domain, you can find this by doing a WHOIS search. You can use [ICANN Lookup](https://lookup.icann.org/), for example. - -:::caution - -Some country code TLDs may not be supported by ICANN Lookup. If that is the case, use a different WHOIS search tool. -::: - -Once you identify your registrar, follow the instructions in [change nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/#update-your-nameservers). - ---- - -## Does Cloudflare limit the number of DNS records a domain can have? - -Yes. All customers have a limit on the number of DNS records they can create. - -- Free: 200 -- Pro: 3,500 -- Business: 3,500 -- Enterprise: 3,500 - -Free zones created before 2024-09-01 00:00:00 UTC have an increased limit of 1,000. - -:::note[For more DNS records] - -If you are an Enterprise customer and require more DNS records, contact your account team. 
Cloudflare can support millions of DNS records on a single zone. - -::: - ---- ## Which record types can Cloudflare proxy? @@ -65,9 +15,9 @@ Only `A`, `AAAA`, and `CNAME` records can be proxied. Cloudflare will not proxy --- -## How do I add ANAME records on Cloudflare? +## Does Cloudflare support wildcard DNS entries? - +Cloudflare supports wildcard '\*' DNS records, both proxied and unproxied, on all plans. --- 
@@ -77,43 +27,6 @@ No. If you would like to do a redirect for a site not on Cloudflare, then set up Redirecting non-Cloudflare sites via `CNAME` records would cause a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the `CNAME` redirect for the domain (not on Cloudflare) would not know where to send the traffic to. ---- - -## Does Cloudflare support wildcard DNS entries? - -Cloudflare supports wildcard '\*' DNS records, both proxied and unproxied, on all plans. - ---- - -## How long does it take for a DNS change I made to push out? - -By default, any changes or additions you make to your Cloudflare zone file will take effect globally within 5 minutes, usually much less. - -Depending on the Time-to-Live (TTL) set on the previous [DNS record](/dns/manage-dns-records/how-to/create-dns-records/), old data may still remain cached until the TTL expires. Proxied records expire after 5 minutes ("Automatic"), but the TTL for unproxied records can be customized. - -If changes to records with large TTLs are anticipated, it may make sense to reduce the TTL ahead of time so that the change takes effect as quickly as possible. - ---- - -## Does Cloudflare offer domain masking? - -No. Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). However, we do offer URL forwarding through [Bulk Redirects](/rules/url-forwarding/bulk-redirects/). - ---- - -## Why can't I make ANY queries to Cloudflare DNS servers? - -`ANY` queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging. - -Because of Cloudflare's many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to `ANY` queries. 
For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time. - -`ANY` is rarely used in production, but is often used in DNS reflection attacks, taking advantage of the lengthy answer returned by `ANY`. - -Instead of using `ANY` queries to list records, Cloudflare customers can get a better overview of their DNS records by logging in and checking their DNS app settings. - -The decision to block `ANY` queries was implemented for all Authoritative DNS customers in September 2015, and does not affect DNS Firewall customers. - -Read [Deprecating the DNS ANY meta-query type](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/) on the Cloudflare blog. --- @@ -145,33 +58,6 @@ After switching hosting providers or server IP addresses, update the IP addresse --- -## Where can I find my Cloudflare nameservers? - -Under the **DNS** app of your Cloudflare account, review the **Cloudflare Nameservers**. - -The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online such as [whatsmydns.net](https://www.whatsmydns.net/): - -```sh -dig kate.ns.cloudflare.com -``` - -```sh output -kate.ns.cloudflare.com. 68675 IN A 173.245.58.124. -``` - ---- - -## Why are Cloudflare's A or AAAA records / IP addresses for my domain's DNS responses appearing? - -For DNS records proxied to Cloudflare, Cloudflare's IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website. - ---- - -## Can subdomains be added directly to Cloudflare? - -Only Enterprise customers can add subdomains directly to Cloudflare via [Subdomain Support](/dns/zone-setups/subdomain-setup/). - ---- ## 403 Authentication error when creating DNS records using Terraform 
@@ -217,16 +103,6 @@ Third-party tools can sometimes fail to return correct DNS results if a recursiv --- -## Why have I received an email: Your Name Servers have Changed? - -For domains where Cloudflare hosts the DNS, Cloudflare continuously checks whether the domain uses Cloudflare’s nameservers for DNS resolution. If Cloudflare's nameservers are not used, the [domain status](/dns/zone-setups/reference/domain-status/) is updated from *Active* to *Moved* in the Cloudflare **Overview** app and an email is sent to the customer. - -This is important because, if a domain is in a _Moved_ state for a [long enough period of time](/dns/zone-setups/reference/domain-status/), it will be deleted from Cloudflare. - - - ---- - ## Why am I getting a warning for hostname not covered even if I have a custom certificate? If the [custom certificate](/ssl/edge-certificates/custom-certificates/) has been in place before our new certificate management pipeline, the following warning is displayed but can be discarded. From 55c3e8470ced1a671309fb22bf828f1c6401e802 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 22 Jan 2026 15:57:14 +0000 Subject: [PATCH 02/17] AI-assisted: replace Details component with h2 --- src/content/docs/dns/dns-firewall/faq.mdx | 28 ++++++++--------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/src/content/docs/dns/dns-firewall/faq.mdx b/src/content/docs/dns/dns-firewall/faq.mdx index f408cf77c05778..d56b707ea253b0 100644 --- a/src/content/docs/dns/dns-firewall/faq.mdx +++ b/src/content/docs/dns/dns-firewall/faq.mdx @@ -9,29 +9,25 @@ head: content: FAQs — DNS Firewall --- -import { Details, GlossaryTooltip } from "~/components"; +import { GlossaryTooltip } from "~/components"; -
+Consider the answers for frequently asked questions about Cloudflare DNS Firewall. -DNS Firewall alternates between a customer's nameservers, using an algorithm is more likely to send queries to the faster upstream nameservers than slower nameservers. +## How does DNS Firewall choose a backend nameserver to query upstream? -
+DNS Firewall alternates between a customer's nameservers, using an algorithm is more likely to send queries to the faster upstream nameservers than slower nameservers. -
+## How long does DNS Firewall cache a stale object? DNS Firewall sets cache longevity according to allocated memory. As long as there is enough allocated memory, Cloudflare does not clear items from the cache forcefully, even when the TTL expires. This feature allows Cloudflare to serve stale objects from cache if your nameservers are offline. -
- -
+## Does the DNS Firewall cache SERVFAIL? Yes. `SERVFAIL` is treated like any other negative answer for caching purposes. The default TTL is 30 seconds. You can use the [API](/api/resources/dns_firewall/methods/edit/) to set a different `negative_cache_ttl`. -
- -
+## Does DNS Firewall support EDNS Client Subnet (ECS)? Yes. Often, DNS providers want to see a client's IP via EDNS Client Subnet (ECS) ([RFC 7871](https://www.rfc-editor.org/rfc/rfc7871.html)) because they serve geographically specific DNS answers based on the client's IP. With EDNS Client Subnet enabled, the DNS Firewall will forward the client's IP subnet along with the DNS query to the upstream nameserver. @@ -50,19 +46,13 @@ EDNS limits the effectiveness of the DNS cache. Some resolvers might not be sending any EDNS data. When you set the `ecs_fallback` parameter to `true` via the [API](/api/resources/dns_firewall/methods/edit/), DNS Firewall will forward the IP subnet of the resolver instead only if there is no EDNS data present in incoming the DNS query. -
- -
+## Does DNS Firewall cache negative answers? Yes. The default TTL is 30 seconds. You can set `negative_cache_ttl` via the [API](/api/resources/dns_firewall/methods/edit/). This will affect the TTL of responses with status `REFUSED`, `NXDOMAIN`, or `SERVFAIL`. -
- -
+## How can I set PTR records for nameserver hostnames? To set up PTR records for the DNS Firewall cluster IPs that point to your nameserver hostnames, use the following API endpoints: - [Show DNS Firewall Cluster Reverse DNS](/api/resources/dns_firewall/subresources/reverse_dns/methods/get/) - [Update DNS Firewall Cluster Reverse DNS](/api/resources/dns_firewall/subresources/reverse_dns/methods/edit/) - -
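Review bot: In PATCH 01/17, the new `src/content/docs/dns/faq.mdx` answer under "Why can't I make ANY queries to Cloudflare DNS servers?" loses the security rationale that the removed troubleshooting entry carried: the sentence that `ANY` "is often used in DNS reflection attacks, taking advantage of the lengthy answer returned by `ANY`", and the pointer to the DNS app as the supported way to list records. Without them the answer only says that correct answers are hard to produce; consider keeping both sentences. Two text nits in the same hunk: "sections bellow" should be "sections below", and "does not charge for DNS queries.For customers on Enterprise plans" has lost the paragraph break that the original entry had.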
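Review bot: In PATCH 02/17, first hunk of `dns-firewall/faq.mdx`, the re-added line "using an algorithm is more likely to send queries" is missing "that" ("using an algorithm that is more likely ..."); the line is being moved anyway, so fix it in this commit. The new intro "Consider the answers for frequently asked questions" would also read more naturally as "Find answers to frequently asked questions about Cloudflare DNS Firewall."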
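Review bot: With the `Details` wrappers replaced by h2 headings in PATCH 02/17, "Does the DNS Firewall cache SERVFAIL?" and "Does DNS Firewall cache negative answers?" become two top-level sections that both state the 30 second default and `negative_cache_ttl`. Merge them into the negative-answers section, which already lists `REFUSED`, `NXDOMAIN`, and `SERVFAIL`, and settle on either "DNS Firewall" or "the DNS Firewall" across the headings.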
From 2504880e0a79526e7957d1acb95c7b22592ba4b6 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 22 Jan 2026 16:04:56 +0000 Subject: [PATCH 03/17] Add description and link DNS Firewall from auth DNS FAQ --- src/content/docs/dns/dns-firewall/faq.mdx | 3 ++- src/content/docs/dns/faq.mdx | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/content/docs/dns/dns-firewall/faq.mdx b/src/content/docs/dns/dns-firewall/faq.mdx index d56b707ea253b0..037c7a734b6a8e 100644 --- a/src/content/docs/dns/dns-firewall/faq.mdx +++ b/src/content/docs/dns/dns-firewall/faq.mdx @@ -1,9 +1,10 @@ --- -title: FAQ +title: DNS Firewall FAQ pcx_content_type: faq description: Find answers to common questions about Cloudflare's DNS Firewall, including cache behavior, EDNS support, and setting PTR records. sidebar: order: 4 + label: FAQ head: - tag: title content: FAQs — DNS Firewall diff --git a/src/content/docs/dns/faq.mdx b/src/content/docs/dns/faq.mdx index 7951e3c2849eb5..dd6c25e68e26a6 100644 --- a/src/content/docs/dns/faq.mdx +++ b/src/content/docs/dns/faq.mdx @@ -1,13 +1,14 @@ --- pcx_content_type: faq title: FAQ +description: Find answers to common questions about Cloudflare's authoritative DNS. sidebar: order: 21 --- import { Render } from "~/components"; -Refer to the sections bellow for frequently asked questions and their answers regarding Cloudflare authoritative DNS. +The sections bellow cover frequently asked questions about Cloudflare authoritative DNS. For DNS Firewall, refer to [DNS Firewall FAQ](/dns/dns-firewall/faq/). --- From 24f881efc72fe08c6f60bec94e7681c86888248f Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 22 Jan 2026 17:48:40 +0000 Subject: [PATCH 04/17] Delete questions already covered elsewhere in the docs --- src/content/docs/dns/troubleshooting/faq.mdx | 28 -------------------- 1 file changed, 28 deletions(-) 
diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index 42cdb2d4515df3..17b1d45e2315b7 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx @@ -9,16 +9,6 @@ sidebar: import { Render, GlossaryTooltip } from "~/components"; -## Which record types can Cloudflare proxy? - -Only `A`, `AAAA`, and `CNAME` records can be proxied. Cloudflare will not proxy any other [DNS record types](/dns/manage-dns-records/reference/dns-record-types/). - ---- - -## Does Cloudflare support wildcard DNS entries? - -Cloudflare supports wildcard '\*' DNS records, both proxied and unproxied, on all plans. - --- ## Can I CNAME a domain not on Cloudflare to a domain that is on Cloudflare? @@ -28,14 +18,6 @@ No. If you would like to do a redirect for a site not on Cloudflare, then set up Redirecting non-Cloudflare sites via `CNAME` records would cause a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the `CNAME` redirect for the domain (not on Cloudflare) would not know where to send the traffic to. ---- - -## Why do I have to remove my `DS` record when signing up for Cloudflare? - - - -For more help, refer to [Enabling DNSSEC in Cloudflare](/dns/dnssec/). - --- ## What happens when I remove the `DS` record? 
@@ -101,16 +83,6 @@ Third-party tools can sometimes fail to return correct DNS results if a recursiv - [Purging your DNS cache at Google](https://developers.google.com/speed/public-dns/cache) - [Purging your DNS cache locally](https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/) ---- - -## Why am I getting a warning for hostname not covered even if I have a custom certificate? - -If the [custom certificate](/ssl/edge-certificates/custom-certificates/) has been in place before our new certificate management pipeline, the following warning is displayed but can be discarded. -`This hostname is not covered by a certificate.` - -The warning will be gone when you upload a new custom certificate, or start using another type of certificate for this hostname. - - --- ## I've updated my CNAME to a new SaaS provider, but I still see content from the old provider From 45b07d1b9eac0d3ed5714ea9a462dfa2b5a2be13 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 22 Jan 2026 18:26:53 +0000 Subject: [PATCH 05/17] AI-assisted: integrate questions as info into existing topics --- src/content/docs/dns/dnssec/index.mdx | 2 + .../how-to/create-dns-records.mdx | 6 +++ .../reference/dns-record-types.mdx | 4 ++ .../dns/manage-dns-records/reference/ttl.mdx | 4 ++ src/content/docs/dns/proxy-status/index.mdx | 8 ++- src/content/docs/dns/troubleshooting/faq.mdx | 50 ------------------- .../docs/dns/zone-setups/full-setup/setup.mdx | 6 +++ 7 files changed, 28 insertions(+), 52 deletions(-) diff --git a/src/content/docs/dns/dnssec/index.mdx b/src/content/docs/dns/dnssec/index.mdx index b7926b4e79dbe7..a47c4d468d1e90 100644 --- a/src/content/docs/dns/dnssec/index.mdx +++ b/src/content/docs/dns/dnssec/index.mdx 
@@ -18,6 +18,8 @@ import { Render } from "~/components" +Removing the DS record at your registrar starts a DNSSEC unsigning process. This is expected when you are moving authoritative DNS providers, because it allows you to update your authoritative nameservers without DNSSEC validation failures. + *** ## Enable DNSSEC diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx index f28ccbbe9af308..e22f6ea221de73 100644 --- a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx +++ b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx @@ -67,6 +67,12 @@ To update part of a record with the API, use a [PATCH request](/api/resources/dn +### Update an origin IP address + +If your hosting provider changes or your origin IP address changes, update the **Content** value of the relevant DNS records (usually `A` or `AAAA` records). + +If you are not sure which IP address to use, refer to your hosting provider's documentation. + --- ## Delete DNS records diff --git a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx index 9560bdcb862f55..6b23dd72f5e871 100644 --- a/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx 
@@ -112,6 +112,10 @@ These records include the following fields: - If the **Proxy Status** is **DNS Only**, you can customize the value. - **Proxy status**: For more details, refer to [Proxied DNS records](/dns/proxy-status/). +:::note +A CNAME record does not perform an HTTP redirect. If you need to redirect visitors (for example, from one hostname to another), configure a redirect on your origin or use Cloudflare redirect features. Refer to [Redirect one domain to another](/fundamentals/manage-domains/redirect-domain/). +::: + #### Proxied CNAME records Observe the following aspects, especially before changing a CNAME record from proxied to DNS-only or vice versa: diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx index b7f0589bd85d8e..f2d9cde1ccdeef 100644 --- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx @@ -12,6 +12,10 @@ import { GlossaryTooltip } from "~/components"; Longer TTLs speed up [DNS lookups](https://www.cloudflare.com/learning/dns/what-is-dns/) by increasing the chance of cached results, but a longer TTL also means that updates to your records take longer to go into effect. +:::note +DNS results can look inconsistent across tools because recursive resolvers cache answers for the duration of the TTL. If you recently changed a record, wait for the TTL to expire or query your authoritative nameservers directly. +::: + ## Proxied records By default, all proxied records have a TTL of **Auto**, which is set to 300 seconds. This value cannot be edited. diff --git a/src/content/docs/dns/proxy-status/index.mdx b/src/content/docs/dns/proxy-status/index.mdx index a48e568ba92168..2f7ad3c08a5153 100644 --- a/src/content/docs/dns/proxy-status/index.mdx +++ b/src/content/docs/dns/proxy-status/index.mdx 
@@ -4,8 +4,6 @@ title: Proxy status sidebar: order: 7 label: Overview - group: - label: Proxy status --- import { Render, Example, Details, GlossaryTooltip } from "~/components"; @@ -59,6 +57,12 @@ Since only [records used for IP address resolution](/dns/manage-dns-records/refe It may take longer than five minutes for you to actually experience record changes, as your local DNS cache may take longer to update. ::: +### Originless and redirect-only setups + +If you need a placeholder address for an originless setup, you can use the reserved IPv6 address `100::` or the reserved IPv4 address `192.0.2.0` in a proxied DNS record. + +This allows you to route requests using products such as [Redirect Rules](/rules/url-forwarding/), [Page Rules](/rules/page-rules/), or [Workers](/workers/). + ### Mix proxied and unproxied If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied. diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index 17b1d45e2315b7..05e83d321b41fe 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx 
@@ -9,22 +9,6 @@ sidebar: import { Render, GlossaryTooltip } from "~/components"; ---- - -## Can I CNAME a domain not on Cloudflare to a domain that is on Cloudflare? - -No. If you would like to do a redirect for a site not on Cloudflare, then set up a traditional `301` or `302` redirect on your origin web server. - -Redirecting non-Cloudflare sites via `CNAME` records would cause a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the `CNAME` redirect for the domain (not on Cloudflare) would not know where to send the traffic to. - - ---- - -## What happens when I remove the `DS` record? - -When you remove your DS record, an invalidation process begins which results in the unsigning of your domain’s DNS records. This will allow your authoritative nameservers to be changed. If you are an existing customer, this will not affect your ability to use Cloudflare. New customers will need to complete this step before Cloudflare can be used successfully. - ---- ## Does Cloudflare support EDNS0 (extension mechanisms for DNS)? @@ -34,12 +18,6 @@ EDNS0 is the first approved set of mechanisms for [DNS extensions](http://en.wi --- -## What should I do if I change my server IP address or hosting provider? - -After switching hosting providers or server IP addresses, update the IP addresses in your Cloudflare **DNS** app. Your new hosting provider will provide the new IP addresses that your DNS should use.  To modify DNS record content in the **DNS** app, click on the IP address, and enter the new IP address. - ---- - ## 403 Authentication error when creating DNS records using Terraform 
@@ -57,34 +35,6 @@ Make sure the argument `zone_id = data.cloudflare_zones.example_com.zones[0].id` --- -## Why am I getting hundreds of random DNS records after adding my domain? - -This can happen when you had a wildcard `*` record configured at your previous authoritative DNS, and for some reason the wildcard record wasn't detected. You can remove these records in bulk [using the API](/api/resources/dns/subresources/records/methods/delete/). - -Alternatively, you can also: - -1. [Remove your domain](/fundamentals/manage-domains/remove-domain/) from Cloudflare. -2. Delete the wildcard record from your authoritative DNS. -3. [Re-add](/fundamentals/manage-domains/add-site/) the domain. - ---- - -## What IP should I use for parked domain / redirect-only / originless setup? - -In the case a placeholder address is needed for “originless” setups, use the IPv6 reserved address `100::` or the IPv4 reserved address `192.0.2.0` in your Cloudflare DNS to create a [proxied DNS record](/dns/proxy-status/) that can use Cloudflare [Redirect Rules](/rules/url-forwarding/), [Page Rules](/rules/page-rules/), or [Cloudflare Workers](/workers/). - ---- - -## Why are DNS queries returning incorrect results? - -Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. 
In this circumstance, purge your public DNS cache via these methods: - -- [Purging your DNS cache at OpenDNS](http://www.opendns.com/support/cache/) -- [Purging your DNS cache at Google](https://developers.google.com/speed/public-dns/cache) -- [Purging your DNS cache locally](https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/) - ---- - ## I've updated my CNAME to a new SaaS provider, but I still see content from the old provider When a SaaS provider is leveraging our [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) solution, they create a [Custom Hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) on their Cloudflare zone. diff --git a/src/content/docs/dns/zone-setups/full-setup/setup.mdx b/src/content/docs/dns/zone-setups/full-setup/setup.mdx index ea36a57ab8206a..73ff1d1b578e99 100644 --- a/src/content/docs/dns/zone-setups/full-setup/setup.mdx +++ b/src/content/docs/dns/zone-setups/full-setup/setup.mdx @@ -73,6 +73,12 @@ When you start using Cloudflare's nameservers for authoritative DNS and your zon +### Unexpected DNS records after import + +If you see many unexpected DNS records after adding your domain, a wildcard (`*`) record at your previous authoritative DNS provider may have been imported into Cloudflare in a way that creates additional records. + +Review your imported records and remove any records that you do not need. For more background on wildcard behavior, refer to [Wildcard DNS records](/dns/manage-dns-records/reference/wildcard-dns-records/). + ## Update your nameservers From 87f62075f4272817b9df3baa9fe41929dd80dd36 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 10:20:21 +0000 Subject: [PATCH 06/17] Remove redundancy from dnssec and add note to before-you-begin --- src/content/docs/dns/dnssec/index.mdx | 2 -- src/content/partials/registrar/before-you-begin.mdx | 4 +++- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/dns/dnssec/index.mdx b/src/content/docs/dns/dnssec/index.mdx index a47c4d468d1e90..b7926b4e79dbe7 100644 --- a/src/content/docs/dns/dnssec/index.mdx +++ b/src/content/docs/dns/dnssec/index.mdx @@ -18,8 +18,6 @@ import { Render } from "~/components" -Removing the DS record at your registrar starts a DNSSEC unsigning process. This is expected when you are moving authoritative DNS providers, because it allows you to update your authoritative nameservers without DNSSEC validation failures. - *** ## Enable DNSSEC diff --git a/src/content/partials/registrar/before-you-begin.mdx b/src/content/partials/registrar/before-you-begin.mdx index 72dec09f95e1d5..99c90e6696e537 100644 --- a/src/content/partials/registrar/before-you-begin.mdx +++ b/src/content/partials/registrar/before-you-begin.mdx @@ -23,7 +23,7 @@ import { Render, Details, GlossaryTooltip } from "~/components" If you are onboarding an existing domain to Cloudflare, make sure DNSSEC **is disabled** at your registrar. Otherwise, your domain will experience connectivity errors when you change your nameservers. 1. Take note of the TTL value for the DS record at your current registrar. -2. Remove DS records at your current registrar. +2. Remove DS records at your current registrar[^1]. 3. Wait at least the time corresponding to the DS record TTL. It is usually 24 hours, but refer to the value you got in step 1. 4. Follow the steps to [transfer your domain](/registrar/get-started/transfer-domain-to-cloudflare/#set-up-a-domain-transfer) to Cloudflare Registrar. @@ -32,3 +32,5 @@ If you are onboarding an existing domain to Cloudflare, make sure DNSSEC **is di
+ +[^1]: Removing the DS record at your registrar starts a DNSSEC unsigning process. This is expected when you are moving authoritative DNS providers, because it allows you to update your authoritative nameservers without DNSSEC validation failures. \ No newline at end of file From b3c040103f58a91f65ee191e7e09b126d264fe21 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 10:41:22 +0000 Subject: [PATCH 07/17] Group originless and update-origin-address in new how-to section --- .../how-to/create-dns-records.mdx | 42 ++++++++++++------- src/content/docs/dns/proxy-status/index.mdx | 6 --- 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx index e22f6ea221de73..bf8d374e63c046 100644 --- a/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx +++ b/src/content/docs/dns/manage-dns-records/how-to/create-dns-records.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { GlossaryTooltip, Render, TabItem, Tabs, Details, DashButton } from "~/components"; +import { GlossaryTooltip, Render, TabItem, Tabs, Details, DashButton, DirectoryListing } from "~/components"; Consider the sections below for step-by-step instructions on managing DNS records at Cloudflare. @@ -15,7 +15,11 @@ To better understand what DNS records are, refer to [Overview](/dns/manage-dns-r If your domain is added to Cloudflare by a hosting partner, manage your DNS records via the hosting partner. ::: -## Create DNS records +--- + +## Basic operations + +### Create DNS records @@ -43,9 +47,7 @@ For specific API examples, refer to [DNS record types](/dns/manage-dns-records/r ---- - -## Edit DNS records +### Edit DNS records 
@@ -67,15 +69,7 @@ To update part of a record with the API, use a [PATCH request](/api/resources/dn -### Update an origin IP address - -If your hosting provider changes or your origin IP address changes, update the **Content** value of the relevant DNS records (usually `A` or `AAAA` records). - -If you are not sure which IP address to use, refer to your hosting provider's documentation. - ---- - -## Delete DNS records +### Delete DNS records @@ -99,6 +93,22 @@ To delete records with the API, use a [DELETE request](/api/resources/dns/subres --- -## Batch record changes +## Use cases + +### Update an origin IP address + +If your hosting provider changes or your origin IP address changes, update the **Content** value of the relevant DNS records (usually `A` or `AAAA` records). + +If you are not sure which IP address to use, refer to your hosting provider's documentation. + +### Originless setups + +If you need a placeholder address for an originless setup (also referred to as parked domain or redirect-only), you can use the reserved IPv6 address `100::` or the reserved IPv4 address `192.0.2.0` in a proxied DNS record. + +This allows you to route requests using products such as [Redirect Rules](/rules/url-forwarding/), [Page Rules](/rules/page-rules/), or [Workers](/workers/). + +--- + +## Further guidance -For guidance on how to apply several changes to your zone records in just one action, refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/). \ No newline at end of file + \ No newline at end of file diff --git a/src/content/docs/dns/proxy-status/index.mdx b/src/content/docs/dns/proxy-status/index.mdx index 2f7ad3c08a5153..cb7a6855ab6ff4 100644 --- a/src/content/docs/dns/proxy-status/index.mdx +++ b/src/content/docs/dns/proxy-status/index.mdx 
@@ -57,12 +57,6 @@ Since only [records used for IP address resolution](/dns/manage-dns-records/refe It may take longer than five minutes for you to actually experience record changes, as your local DNS cache may take longer to update. ::: -### Originless and redirect-only setups - -If you need a placeholder address for an originless setup, you can use the reserved IPv6 address `100::` or the reserved IPv4 address `192.0.2.0` in a proxied DNS record. - -This allows you to route requests using products such as [Redirect Rules](/rules/url-forwarding/), [Page Rules](/rules/page-rules/), or [Workers](/workers/). - ### Mix proxied and unproxied If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied. From 2fce56066b5c46154fd07dd9b18ca62a61b14c98 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 11:01:19 +0000 Subject: [PATCH 08/17] Restore #why-are-dns-queries-returning-incorrect-results --- src/content/docs/dns/troubleshooting/faq.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index 05e83d321b41fe..11c61212fc078e 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx 
@@ -46,3 +46,12 @@ In this case there are 2 ways forward: - (*Recommended*) Ask the new SaaS provider to provision a specific custom hostname for you instead of the wildcard (`mystore.example.com` instead of `*.example.com`). - Ask the Super Administrator of your account to contact [Cloudflare Support](/support/contacting-cloudflare-support/) to request an update of the SaaS configuration. +--- + +## Why are DNS queries returning incorrect results? + +Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. In this circumstance, purge your public DNS cache via these methods: + +- [Purging your DNS cache at OpenDNS](http://www.opendns.com/support/cache/) +- [Purging your DNS cache at Google](https://developers.google.com/speed/public-dns/cache) +- [Purging your DNS cache locally](https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/) \ No newline at end of file From 3700e98e15be9c50a620a7a22ef89f1d7bc59f78 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 11:02:06 +0000 Subject: [PATCH 09/17] Remove note from ttl.mdx --- src/content/docs/dns/manage-dns-records/reference/ttl.mdx | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx index f2d9cde1ccdeef..b7f0589bd85d8e 100644 --- a/src/content/docs/dns/manage-dns-records/reference/ttl.mdx +++ b/src/content/docs/dns/manage-dns-records/reference/ttl.mdx 
@@ -12,10 +12,6 @@ import { GlossaryTooltip } from "~/components"; Longer TTLs speed up [DNS lookups](https://www.cloudflare.com/learning/dns/what-is-dns/) by increasing the chance of cached results, but a longer TTL also means that updates to your records take longer to go into effect. -:::note -DNS results can look inconsistent across tools because recursive resolvers cache answers for the duration of the TTL. If you recently changed a record, wait for the TTL to expire or query your authoritative nameservers directly. -::: - ## Proxied records By default, all proxied records have a TTL of **Auto**, which is set to 300 seconds. This value cannot be edited. From 295b1b2671bacd1ef5f75b388ba51f0f8d28c2fa Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 11:26:32 +0000 Subject: [PATCH 10/17] Integrate extra records question as troubleshooting topic --- public/__redirects | 1 + ...-record.mdx => unexpected-dns-records.mdx} | 32 ++++++++++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) rename src/content/docs/dns/manage-dns-records/troubleshooting/{acme-challenge-txt-record.mdx => unexpected-dns-records.mdx} (66%) diff --git a/public/__redirects b/public/__redirects index ab887a6116f041..67f62c3129e43d 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -499,6 +499,7 @@ /dns/manage-dns-records/how-to/dns-load-balancing/ /dns/manage-dns-records/how-to/round-robin-dns/ 301 /dns/manage-dns-records/how-to/create-root-domain/ /dns/manage-dns-records/how-to/create-zone-apex/ 301 /dns/manage-dns-records/reference/proxied-dns-records/ /dns/proxy-status/ 301 +/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record/ /dns/manage-dns-records/troubleshooting/unexpected-dns-records/#acme_challenge-txt-records 301 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301 /dns/zone-setups/partial-setup/convert-partial-to-full/ /dns/zone-setups/conversions/convert-partial-to-full/ 301 /dns/zone-setups/partial-setup/convert-partial-to-secondary/ /dns/zone-setups/conversions/convert-partial-to-secondary/ 301 diff --git a/src/content/docs/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record.mdx b/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx similarity index 66% rename from src/content/docs/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record.mdx rename to src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx index aea592732498c4..f8571539aa0dba 100644 --- a/src/content/docs/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record.mdx +++ b/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx 
@@ -1,20 +1,44 @@ --- -title: Unexpected _acme-challenge TXT records +title: Unexpected DNS records pcx_content_type: troubleshooting sidebar: order: 11 - label: Unexpected TXT records + label: Unexpected DNS records --- import { GlossaryTooltip } from "~/components" +## Additional records after import + +You find several unexpected DNS records after adding your domain to Cloudflare. + +### Cause + +A wildcard (`*`) record at your previous authoritative DNS provider may have been imported into Cloudflare in a way that creates additional records. + +### Solution + +To solve this issue, you can do one of the following: + +- [Delete records in bulk](/dns/manage-dns-records/how-to/batch-record-changes/#delete-records-in-bulk). + +- Remove and re-add your domain: + + 1. [Remove your domain](/fundamentals/manage-domains/remove-domain/) from Cloudflare. + 2. Delete the wildcard record from your authoritative DNS. + 3. [Re-add](/fundamentals/manage-domains/add-site/) the domain. + +--- + +## acme_challenge TXT records + You might notice TXT records like `_acme-challenge.` are returned by your domain but cannot be found on the DNS tab of your Cloudflare dashboard. -## Causes +### Cause These records are automatically created to allow Cloudflare edge certificates ([universal](/ssl/edge-certificates/universal-ssl/), [advanced](/ssl/edge-certificates/advanced-certificate-manager/), and [backup](/ssl/edge-certificates/backup-certificates/)) to be provisioned. `_acme-challenge` records are required by certificate authorities (CAs) so that they can verify your domain ownership before issuing the SSL/TLS certificate. For details, refer to [Domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/). -## Solution +### Solution As these records are tied to the certificates, they cannot be deleted from the DNS tab of your Cloudflare dashboard. From 2f84d0138dcea8d819bf5ffa5d22097e0e46bafa Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 11:28:42 +0000 Subject: [PATCH 11/17] Remove additional unexpected behavior from setup guide --- src/content/docs/dns/zone-setups/full-setup/setup.mdx | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/content/docs/dns/zone-setups/full-setup/setup.mdx b/src/content/docs/dns/zone-setups/full-setup/setup.mdx index 73ff1d1b578e99..ea36a57ab8206a 100644 --- a/src/content/docs/dns/zone-setups/full-setup/setup.mdx +++ b/src/content/docs/dns/zone-setups/full-setup/setup.mdx @@ -73,12 +73,6 @@ When you start using Cloudflare's nameservers for authoritative DNS and your zon -### Unexpected DNS records after import - -If you see many unexpected DNS records after adding your domain, a wildcard (`*`) record at your previous authoritative DNS provider may have been imported into Cloudflare in a way that creates additional records. - -Review your imported records and remove any records that you do not need. For more background on wildcard behavior, refer to [Wildcard DNS records](/dns/manage-dns-records/reference/wildcard-dns-records/). - ## Update your nameservers From b46ba72193b4deaacc9035539eb339f4f0c181ae Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 13:23:20 +0000 Subject: [PATCH 12/17] Add purge public DNS cache info to troubleshooting --- .../troubleshooting/unexpected-dns-records.mdx | 16 ++++++++++++++++ src/content/docs/dns/troubleshooting/faq.mdx | 12 +----------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx b/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx index f8571539aa0dba..26f358720f6af5 100644 --- a/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx +++ b/src/content/docs/dns/manage-dns-records/troubleshooting/unexpected-dns-records.mdx 
@@ -49,4 +49,20 @@ If you want to remove these records: * [Disable Universal SSL](/ssl/edge-certificates/universal-ssl/disable-universal-ssl/) to remove the records related to universal and backup certificates. * [Delete advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#delete-a-certificate) to remove the records related to advanced certificates. +--- + +## Incorrect results for DNS queries + +You notice DNS queries returning incorrect results even after you waited for the [TTL](/dns/manage-dns-records/reference/ttl/) to expire. + +### Cause + +Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. + +### Solution + +In this circumstance, purge your public DNS cache via these methods: +- [Purge your DNS cache at OpenDNS](http://www.opendns.com/support/cache/) +- [Purge your DNS cache at Google](https://developers.google.com/speed/public-dns/cache) +- [Purge your DNS cache locally](https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/) \ No newline at end of file diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index 11c61212fc078e..c52398f6bd3044 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx 
@@ -44,14 +44,4 @@ This is expected as per the [Certificate and hostname priority](https://develope In this case there are 2 ways forward: - (*Recommended*) Ask the new SaaS provider to provision a specific custom hostname for you instead of the wildcard (`mystore.example.com` instead of `*.example.com`). -- Ask the Super Administrator of your account to contact [Cloudflare Support](/support/contacting-cloudflare-support/) to request an update of the SaaS configuration. - ---- - -## Why are DNS queries returning incorrect results? - -Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. In this circumstance, purge your public DNS cache via these methods: - -- [Purging your DNS cache at OpenDNS](http://www.opendns.com/support/cache/) -- [Purging your DNS cache at Google](https://developers.google.com/speed/public-dns/cache) -- [Purging your DNS cache locally](https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/) \ No newline at end of file +- Ask the Super Administrator of your account to contact [Cloudflare Support](/support/contacting-cloudflare-support/) to request an update of the SaaS configuration. \ No newline at end of file From 24f4fb4a657b5b715db5949cde1bb18134a385dc Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 13:31:07 +0000 Subject: [PATCH 13/17] Move EDNS0 into new FAQ page --- src/content/docs/dns/faq.mdx | 6 ++++++ src/content/docs/dns/troubleshooting/faq.mdx | 7 ------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/content/docs/dns/faq.mdx b/src/content/docs/dns/faq.mdx index dd6c25e68e26a6..c09dbc81c49bd2 100644 --- a/src/content/docs/dns/faq.mdx +++ b/src/content/docs/dns/faq.mdx 
@@ -35,6 +35,12 @@ No. Cloudflare does not offer domain masking or DNS redirect services (your host Yes. Enterprise customers can add subdomains directly to Cloudflare via [subdomain support](/dns/zone-setups/subdomain-setup/). +### Does Cloudflare support EDNS0 (extension mechanisms for DNS)? + +Yes, EDNS0 is a building block for modern DNS implementations and is enabled for all Cloudflare customers. EDNS0 adds support for signaling if the DNS Resolver (recursive DNS provider) supports larger message sizes and DNSSEC. + +EDNS0 is the first approved set of mechanisms for [DNS extensions](http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS), originally published as [RFC 2671](https://www.rfc-editor.org/rfc/rfc2671.html). + --- ## Nameservers diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index c52398f6bd3044..ec24b1eafc5fc1 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx @@ -9,13 +9,6 @@ sidebar: import { Render, GlossaryTooltip } from "~/components"; - -## Does Cloudflare support EDNS0 (extension mechanisms for DNS)? - -Yes, Cloudflare DNS supports EDNS0. EDNS0 is enabled for all Cloudflare customers. It is a building block for modern DNS implementations that adds support for signaling if the DNS Resolver (recursive DNS provider) supports larger message sizes and DNSSEC. - -EDNS0 is the first approved set of mechanisms for [DNS extensions](http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS), originally published as [RFC 2671](https://datatracker.ietf.org/doc/html/rfc2671). - --- From 7cabe7b59e8052991e6d10d0b276bb733890ac6b Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 13:44:51 +0000 Subject: [PATCH 14/17] Move SaaS provider question into CF4SaaS troubleshooting --- .../reference/troubleshooting.mdx | 11 +++++++++++ src/content/docs/dns/troubleshooting/faq.mdx | 15 +-------------- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx index ee25ba619d2a65..45b86736845e63 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx @@ -42,6 +42,17 @@ If you encounter other 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX Er --- +## Old SaaS provider content after updating a CNAME + +When switching SaaS providers, an older configuration can take precedence if the old provider provisioned a specific custom hostname and the new provider provisioned a wildcard custom hostname. This is expected as per the [certificate and hostname priority](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/#hostname-priority). + +In this case there are two ways forward: + +- (Recommended) Ask the new SaaS provider to provision a specific custom hostname for you instead of the wildcard - `mystore.example.com` instead of `*.example.com`. +- Ask the Super Administrator of your account to contact [Cloudflare Support](/support/contacting-cloudflare-support/) to request an update of the SaaS configuration. + +--- + ## Custom hostname in Moved status To move a custom hostname back to an Active status, send a [PATCH request](/api/resources/custom_hostnames/methods/edit/) to restart the hostname validation. A Custom Hostname in a Moved status is deleted after 7 days. 
diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index ec24b1eafc5fc1..e884f394cfd04d 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx 
@@ -24,17 +24,4 @@ Error seems to be misleading, as the error was found to be in customer code synt **Solution** -Make sure the argument `zone_id = data.cloudflare_zones.example_com.zones[0].id`. A more detailed use case can be found in [this](https://github.com/cloudflare/terraform-provider-cloudflare/issues/913) GitHub thread. - ---- - -## I've updated my CNAME to a new SaaS provider, but I still see content from the old provider - -When a SaaS provider is leveraging our [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) solution, they create a [Custom Hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) on their Cloudflare zone. -Then a [CNAME record needs to be created](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/how-it-works/) on the client zone, to point to the SaaS provider service. -When changing SaaS providers, if the old SaaS provider provisioned a specific custom hostname for the record (`mystore.example.com`) and the new SaaS provider provisioned a wildcard custom hostname (`*.example.com`), the old custom hostname will still take precedence. -This is expected as per the [Certificate and hostname priority](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/#hostname-priority). - -In this case there are 2 ways forward: -- (*Recommended*) Ask the new SaaS provider to provision a specific custom hostname for you instead of the wildcard (`mystore.example.com` instead of `*.example.com`). -- Ask the Super Administrator of your account to contact [Cloudflare Support](/support/contacting-cloudflare-support/) to request an update of the SaaS configuration. \ No newline at end of file +Make sure the argument `zone_id = data.cloudflare_zones.example_com.zones[0].id`. A more detailed use case can be found in [this](https://github.com/cloudflare/terraform-provider-cloudflare/issues/913) GitHub thread. \ No newline at end of file 
From d93f3137340a1589ae4173c4bdb109d7be37dc23 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 13:49:04 +0000 Subject: [PATCH 15/17] Remove seemingly outdated Terraform FAQ entry --- src/content/docs/dns/troubleshooting/faq.mdx | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx index e884f394cfd04d..02699fff99af56 100644 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ b/src/content/docs/dns/troubleshooting/faq.mdx @@ -10,18 +10,3 @@ import { Render, GlossaryTooltip } from "~/components"; --- - - -## 403 Authentication error when creating DNS records using Terraform - -**Problem Description** - -`Error: failed to create DNS record: HTTP status 403: Authentication error (10000)` is returned when using Terraform with Cloudflare API. - -**Root Cause** - -Error seems to be misleading, as the error was found to be in customer code syntax, specifically: zone_id = data.cloudflare_zones.example_com.id - -**Solution** - -Make sure the argument `zone_id = data.cloudflare_zones.example_com.zones[0].id`. A more detailed use case can be found in [this](https://github.com/cloudflare/terraform-provider-cloudflare/issues/913) GitHub thread. \ No newline at end of file From 8557fad10ef328563dad473e28c43c6a255f6895 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 13:53:20 +0000 Subject: [PATCH 16/17] Remove old FAQ page and redirect to new one --- public/__redirects | 1 + src/content/docs/dns/troubleshooting/faq.mdx | 12 ------------ 2 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 src/content/docs/dns/troubleshooting/faq.mdx diff --git a/public/__redirects b/public/__redirects index 67f62c3129e43d..2b04c18251609d 100644 --- a/public/__redirects +++ b/public/__redirects 
@@ -501,6 +501,7 @@ /dns/manage-dns-records/reference/proxied-dns-records/ /dns/proxy-status/ 301 /dns/manage-dns-records/troubleshooting/acme-challenge-txt-record/ /dns/manage-dns-records/troubleshooting/unexpected-dns-records/#acme_challenge-txt-records 301 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301 +/dns/troubleshooting/faq/ /dns/faq/ 301 /dns/zone-setups/partial-setup/convert-partial-to-full/ /dns/zone-setups/conversions/convert-partial-to-full/ 301 /dns/zone-setups/partial-setup/convert-partial-to-secondary/ /dns/zone-setups/conversions/convert-partial-to-secondary/ 301 /dns/zone-setups/reference/nameserver-assignment/ /dns/nameservers/nameserver-options/#assignment-method 301 diff --git a/src/content/docs/dns/troubleshooting/faq.mdx b/src/content/docs/dns/troubleshooting/faq.mdx deleted file mode 100644 index 02699fff99af56..00000000000000 --- a/src/content/docs/dns/troubleshooting/faq.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -pcx_content_type: faq -source: https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ -title: General FAQ -sidebar: - order: 1 ---- - -import { Render, GlossaryTooltip } from "~/components"; - - ---- From 516a157b3caa9d2c7aede3ae7f7f619be8f9d47e Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 23 Jan 2026 14:46:03 +0000 Subject: [PATCH 17/17] Fix broken links --- .../start/advanced-settings/worker-as-origin.mdx | 2 +- src/content/docs/fundamentals/reference/troubleshooting.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin.mdx index 0a4ce6c34a4356..8dfaa57ee0fd59 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin.mdx 
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin.mdx @@ -32,7 +32,7 @@ You do not need to add individual Worker routes for each custom hostname. The wi ## Set up a Worker as your fallback origin -1. In your SaaS zone, [create and set a fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin). Ensure the fallback origin only has an [originless DNS record](/dns/troubleshooting/faq/#what-ip-should-i-use-for-parked-domain--redirect-only--originless-setup): +1. In your SaaS zone, [create and set a fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin). Ensure the fallback origin only has an [originless DNS record](/dns/manage-dns-records/how-to/create-dns-records/#originless-setups): - **Example**: `service.example.com AAAA 100::` 2. In that same zone, navigate to **Workers Routes**. diff --git a/src/content/docs/fundamentals/reference/troubleshooting.mdx b/src/content/docs/fundamentals/reference/troubleshooting.mdx index b69e7b6493eac1..5a1623f508b4e9 100644 --- a/src/content/docs/fundamentals/reference/troubleshooting.mdx +++ b/src/content/docs/fundamentals/reference/troubleshooting.mdx @@ -40,7 +40,7 @@ When you [set up Cloudflare](/fundamentals/account/), you may experience the fol ## General resources -* [DNS FAQ](/dns/troubleshooting/faq/) +* [DNS FAQ](/dns/faq/) * [SSL/TLS FAQ](/ssl/troubleshooting/faq/) ## Is Cloudflare attacking me
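
Review bot: PATCH 07/17 removes the heading `### Originless and redirect-only setups` from `src/content/docs/dns/proxy-status/index.mdx` without repointing links that target that section. Search the docs for links to the `/dns/proxy-status/` originless section and point them at `/dns/manage-dns-records/how-to/create-dns-records/#originless-setups`, the target PATCH 17/17 already uses. In the moved text, "also referred to as parked domain or redirect-only" would read better as "also referred to as a parked domain or redirect-only setup".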
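
Review bot: Removing the `:::note` from `src/content/docs/dns/manage-dns-records/reference/ttl.mdx` in PATCH 09/17 drops the advice to "query your authoritative nameservers directly", and nothing in the series restores it. The "Incorrect results for DNS queries" section added in PATCH 12/17 only covers purging resolver caches. Keep the authoritative-query step, for example in that section's Solution, because comparing the authoritative answer with the resolver's answer is how a reader tells a stale cache from a wrong record.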
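
Review bot: In the renamed `unexpected-dns-records.mdx` (PATCH 10/17), the new heading `## acme_challenge TXT records` does not match the record label `_acme-challenge` used in the body and in the old page title. Rename the heading to the real label and update the fragment `#acme_challenge-txt-records` in the `public/__redirects` line added by the same patch so the 301 still lands on the section. In "Remove and re-add your domain", step 2 says "your authoritative DNS" while the Cause says "your previous authoritative DNS provider"; use the same wording so it is clear the wildcard is deleted at the old provider.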
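
Review bot: In the "Incorrect results for DNS queries" section added to `unexpected-dns-records.mdx` (PATCH 12/17), the OpenDNS link is `http://www.opendns.com/support/cache/` while the other two purge links use `https://`; use HTTPS here as well if the target serves it. The list also starts on the line directly after "via these methods:" with no blank line, unlike the version removed from `troubleshooting/faq.mdx`, and the file still ends without a trailing newline.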
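
Review bot: The EDNS0 entry added to `src/content/docs/dns/faq.mdx` (PATCH 13/17) carries over the plain-HTTP link `http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS`, even though the RFC 2671 link in the same paragraph was changed to `https://www.rfc-editor.org/rfc/rfc2671.html`. Change the Wikipedia link to `https://` in the same edit.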
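
Review bot: In the section added to `cloudflare-for-saas/reference/troubleshooting.mdx` (PATCH 14/17), the hostname priority link is the absolute `https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/#hostname-priority`, while the Cloudflare Support link two lines below is root-relative. Use `/ssl/reference/certificate-and-hostname-priority/#hostname-priority` so the link follows the same convention as the rest of the file.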
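
Review bot: The redirect `/dns/troubleshooting/faq/ /dns/faq/ 301` added to `public/__redirects` (PATCH 16/17) sends every old deep link to the new FAQ page, but the entries those links pointed at were moved elsewhere: the incorrect-results question to `unexpected-dns-records.mdx` (PATCH 12/17) and the SaaS provider question to the Cloudflare for SaaS troubleshooting page (PATCH 14/17). PATCH 17/17 fixes two in-repo links; for external bookmarks, consider a short pointer from `/dns/faq/` to the new locations of the moved questions.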