31 changes: 11 additions & 20 deletions src/content/docs/dns/dns-firewall/faq.mdx
@@ -1,37 +1,34 @@
---
title: FAQ
title: DNS Firewall FAQ
pcx_content_type: faq
description: Find answers to common questions about Cloudflare's DNS Firewall, including cache behavior, EDNS support, and setting PTR records.
sidebar:
order: 4
label: FAQ
head:
- tag: title
content: FAQs — DNS Firewall
---

import { Details, GlossaryTooltip } from "~/components";
import { GlossaryTooltip } from "~/components";

<Details header="How does DNS Firewall choose a backend nameserver to query upstream?">
Consider the answers for frequently asked questions about Cloudflare DNS Firewall.

DNS Firewall alternates between a customer's nameservers, using an algorithm is more likely to send queries to the faster upstream nameservers than slower nameservers.
## How does DNS Firewall choose a backend nameserver to query upstream?

</Details>
DNS Firewall alternates between a customer's nameservers, using an algorithm is more likely to send queries to the faster upstream nameservers than slower nameservers.

<Details header="How long does DNS Firewall cache a stale object?">
## How long does DNS Firewall cache a stale object?

DNS Firewall sets cache longevity according to allocated memory.

As long as there is enough allocated memory, Cloudflare does not clear items from the cache forcefully, even when the TTL expires. This feature allows Cloudflare to serve stale objects from cache if your nameservers are offline.

</Details>

<Details header="Does the DNS Firewall cache SERVFAIL?">
## Does the DNS Firewall cache SERVFAIL?

Yes. `SERVFAIL` is treated like any other negative answer for caching purposes. The default TTL is 30 seconds. You can use the [API](/api/resources/dns_firewall/methods/edit/) to set a different `negative_cache_ttl`.

</Details>

<Details header="Does DNS Firewall support EDNS Client Subnet (ECS)?">
## Does DNS Firewall support EDNS Client Subnet (ECS)?

Yes. Often, DNS providers want to see a client's IP via <GlossaryTooltip term="EDNS Client Subnet (ECS)">EDNS Client Subnet (ECS)</GlossaryTooltip> ([RFC 7871](https://www.rfc-editor.org/rfc/rfc7871.html)) because they serve geographically specific DNS answers based on the client's IP. With EDNS Client Subnet enabled, the DNS Firewall will forward the client's IP subnet along with the DNS query to the upstream nameserver.

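Review bot: the answer kept under the new "## How does DNS Firewall choose a backend nameserver to query upstream?" heading is still ungrammatical: "using an algorithm is more likely to send queries to the faster upstream nameservers than slower nameservers" is missing the relative pronoun. Since this hunk already rewrites the block, suggest "using an algorithm that is more likely to send queries to faster upstream nameservers than to slower ones." Dropping the unused `Details` import while keeping `GlossaryTooltip` (still used in the ECS answer) is correct.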
@@ -50,19 +47,13 @@ EDNS limits the effectiveness of the DNS cache.

Some resolvers might not be sending any EDNS data. When you set the `ecs_fallback` parameter to `true` via the [API](/api/resources/dns_firewall/methods/edit/), DNS Firewall will forward the IP subnet of the resolver instead only if there is no EDNS data present in incoming the DNS query.

</Details>

<Details header="Does DNS Firewall cache negative answers?">
## Does DNS Firewall cache negative answers?

Yes. The default TTL is 30 seconds. You can set `negative_cache_ttl` via the [API](/api/resources/dns_firewall/methods/edit/). This will affect the TTL of responses with status `REFUSED`, `NXDOMAIN`, or `SERVFAIL`.

</Details>

<Details header="How can I set PTR records for nameserver hostnames?">
## How can I set PTR records for nameserver hostnames?

To set up PTR records for the DNS Firewall cluster IPs that point to your nameserver hostnames, use the following API endpoints:

- [Show DNS Firewall Cluster Reverse DNS](/api/resources/dns_firewall/subresources/reverse_dns/methods/get/)
- [Update DNS Firewall Cluster Reverse DNS](/api/resources/dns_firewall/subresources/reverse_dns/methods/edit/)

</Details>
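Review bot: the `ecs_fallback` sentence carried into this hunk has a word-order slip, "present in incoming the DNS query"; it should read "present in the incoming DNS query". Also, with the `Details` wrappers gone, "Does the DNS Firewall cache SERVFAIL?" and "Does DNS Firewall cache negative answers?" now sit as sibling headings that both state the 30-second default and the same `negative_cache_ttl` setting; consider folding the SERVFAIL entry into the negative-answers entry so the two values cannot drift apart in future edits.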
2 changes: 2 additions & 0 deletions src/content/docs/dns/dnssec/index.mdx
@@ -18,6 +18,8 @@ import { Render } from "~/components"

<Render file="dnssec-enabled-migration" product="dns" />

Removing the DS record at your registrar starts a DNSSEC unsigning process. This is expected when you are moving authoritative DNS providers, because it allows you to update your authoritative nameservers without DNSSEC validation failures.

***

## Enable DNSSEC
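Review bot: the new DS-removal sentence should spell out the ordering, because getting it wrong causes resolution failures rather than avoiding them: the DS record must be removed at the registrar and that removal must propagate (the parent zone's TTL on the old DS) before the nameservers are switched. Validating resolvers that still see the old DS will look for a matching DNSKEY at the new provider, not find one, and return SERVFAIL. Suggest adding a line such as "Wait until the DS record removal has propagated before updating your nameservers."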
117 changes: 117 additions & 0 deletions src/content/docs/dns/faq.mdx
@@ -0,0 +1,117 @@
---
pcx_content_type: faq
title: FAQ
description: Find answers to common questions about Cloudflare's authoritative DNS.
sidebar:
order: 21
---

import { Render } from "~/components";

The sections bellow cover frequently asked questions about Cloudflare authoritative DNS. For DNS Firewall, refer to [DNS Firewall FAQ](/dns/dns-firewall/faq/).

---

## Cloudflare offerings

### Is Cloudflare a free DNS (domain nameserver) provider?

Yes. Cloudflare offers [free DNS services](https://www.cloudflare.com/dns) to customers on all plans. Note that:

- You do not need to change your hosting provider to use Cloudflare.
- You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers.

### Does Cloudflare charge for or limit DNS queries?

Cloudflare never limits or caps DNS queries, but the pricing depends on your plan level.

For customers on Free, Pro, or Business plans, Cloudflare does not charge for DNS queries.For customers on Enterprise plans, Cloudflare uses the number of monthly DNS queries as a pricing input to generate a custom quote.

### Does Cloudflare offer domain masking?

No. Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). However, we do offer URL forwarding through [Bulk Redirects](/rules/url-forwarding/bulk-redirects/).

### Can subdomains be added directly to Cloudflare?

Yes. Enterprise customers can add subdomains directly to Cloudflare via [subdomain support](/dns/zone-setups/subdomain-setup/).

---

## Nameservers

### Where can I find my Cloudflare nameservers?

Under the **DNS** app of your Cloudflare account, review the **Cloudflare Nameservers**.

The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online such as [whatsmydns.net](https://www.whatsmydns.net/):

```sh
dig kate.ns.cloudflare.com
```

```sh output
kate.ns.cloudflare.com. 68675 IN A 173.245.58.124.
```

### Where do I change my nameservers to point to Cloudflare?

Make the change at your registrar, which is where you registered your domain. This may or may not be your hosting provider. If you don't know who your registrar is for the domain, you can find this by doing a WHOIS search. You can use [ICANN Lookup](https://lookup.icann.org/), for example.

:::caution

Some country code TLDs may not be supported by ICANN Lookup. If that is the case, use a different WHOIS search tool.
:::

Once you identify your registrar, follow the instructions in [change nameservers to Cloudflare](/dns/zone-setups/full-setup/setup/#update-your-nameservers).

### Why have I received an email: Your Name Servers have Changed?

For domains where Cloudflare hosts the DNS, Cloudflare continuously checks whether the domain uses Cloudflare's nameservers for DNS resolution. If Cloudflare's nameservers are not used, the [domain status](/dns/zone-setups/reference/domain-status/) is updated from *Active* to *Moved* in the Cloudflare **Overview** app and an email is sent to the customer.

This is important because, if a domain is in a _Moved_ state for a [long enough period of time](/dns/zone-setups/reference/domain-status/), it will be deleted from Cloudflare.

<Render file="recover-deleted-domain" product="dns" />

---

## DNS records

### Does Cloudflare limit the number of DNS records a domain can have?

Yes. All customers have a limit on the number of DNS records they can create.

- Free: 200
- Pro: 3,500
- Business: 3,500
- Enterprise: 3,500

Free zones created before 2024-09-01 00:00:00 UTC have an increased limit of 1,000.

:::note[For more DNS records]
If you are an Enterprise customer and require more DNS records, contact your account team. Cloudflare can support millions of DNS records on a single zone.
:::

### How long does it take for a DNS change I made to push out?

By default, any changes or additions you make to your Cloudflare zone file will take effect globally within 5 minutes, usually much less.

Depending on the Time-to-Live (TTL) set on the previous [DNS record](/dns/manage-dns-records/how-to/create-dns-records/), old data may still remain cached until the TTL expires. Proxied records expire after 5 minutes ("Automatic"), but the TTL for unproxied records can be customized.

If changes to records with large TTLs are anticipated, it may make sense to reduce the TTL ahead of time so that the change takes effect as quickly as possible.

### Why can't I make ANY queries to Cloudflare DNS servers?

`ANY` queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging.

Because of Cloudflare's many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to `ANY` queries. For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time.

Refer to [Deprecating the DNS ANY meta-query type](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/) for details. The decision to block `ANY` does not affect DNS Firewall customers.


### How do I add ANAME records on Cloudflare?

<Render file="aname-alias-callout" product="dns" />

### Why are Cloudflare's A or AAAA records / IP addresses for my domain's DNS responses appearing?

For DNS records proxied to Cloudflare, Cloudflare's IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website.
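Review bot: a few copy issues in the new faq.mdx: "The sections bellow" should be "below"; "DNS queries.For customers" is missing a space after the period; the sample `dig` output shows the address as `173.245.58.124.` with a trailing dot, which dig prints on the owner name but not on an A record's address; and there is a double blank line before "### How do I add ANAME records on Cloudflare?". The heading "Why are Cloudflare's A or AAAA records / IP addresses for my domain's DNS responses appearing?" also reads awkwardly; something like "Why do my domain's DNS responses return Cloudflare's IP addresses?" would match the answer that follows it.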
@@ -67,6 +67,12 @@ To update part of a record with the API, use a [PATCH request](/api/resources/dn

</TabItem> </Tabs>

### Update an origin IP address

If your hosting provider changes or your origin IP address changes, update the **Content** value of the relevant DNS records (usually `A` or `AAAA` records).

If you are not sure which IP address to use, refer to your hosting provider's documentation.

---

## Delete DNS records
@@ -112,6 +112,10 @@ These records include the following fields:
- If the **Proxy Status** is **DNS Only**, you can customize the value.
- **Proxy status**: For more details, refer to [Proxied DNS records](/dns/proxy-status/).

:::note
A CNAME record does not perform an HTTP redirect. If you need to redirect visitors (for example, from one hostname to another), configure a redirect on your origin or use Cloudflare redirect features. Refer to [Redirect one domain to another](/fundamentals/manage-domains/redirect-domain/).
:::

#### Proxied CNAME records

Observe the following aspects, especially before changing a CNAME record from <GlossaryTooltip term="proxy status" link="/dns/proxy-status/">proxied</GlossaryTooltip> to DNS-only or vice versa:
4 changes: 4 additions & 0 deletions src/content/docs/dns/manage-dns-records/reference/ttl.mdx
@@ -12,6 +12,10 @@ import { GlossaryTooltip } from "~/components";

Longer TTLs speed up [DNS lookups](https://www.cloudflare.com/learning/dns/what-is-dns/) by increasing the chance of cached results, but a longer TTL also means that updates to your records take longer to go into effect.

:::note
DNS results can look inconsistent across tools because recursive resolvers cache answers for the duration of the TTL. If you recently changed a record, wait for the TTL to expire or query your authoritative nameservers directly.
:::

## Proxied records

By default, all <GlossaryTooltip term="proxy status" link="/dns/proxy-status/">proxied records</GlossaryTooltip> have a TTL of **Auto**, which is set to 300 seconds. This value cannot be edited.
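Review bot: "query your authoritative nameservers directly" in the new note would be more actionable with the command form, since the FAQ page added in this same PR already shows `dig`; for example `dig example.com @kate.ns.cloudflare.com` (with `example.com` as a placeholder for the record being checked) bypasses recursive-resolver caches and shows what the authoritative server currently serves, which is the quickest way to tell a stale cache apart from an unsaved change.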
8 changes: 6 additions & 2 deletions src/content/docs/dns/proxy-status/index.mdx
@@ -4,8 +4,6 @@ title: Proxy status
sidebar:
order: 7
label: Overview
group:
label: Proxy status
---

import { Render, Example, Details, GlossaryTooltip } from "~/components";
@@ -59,6 +57,12 @@ Since only [records used for IP address resolution](/dns/manage-dns-records/refe
It may take longer than five minutes for you to actually experience record changes, as your local DNS cache may take longer to update.
:::

### Originless and redirect-only setups

If you need a placeholder address for an originless setup, you can use the reserved IPv6 address `100::` or the reserved IPv4 address `192.0.2.0` in a proxied DNS record.

This allows you to route requests using products such as [Redirect Rules](/rules/url-forwarding/), [Page Rules](/rules/page-rules/), or [Workers](/workers/).

### Mix proxied and unproxied

If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied.
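Review bot: the "Originless and redirect-only setups" section should state that `100::` (the RFC 6666 discard prefix) and `192.0.2.0` (RFC 5737 TEST-NET-1) are non-routable and only work because the record is proxied: if someone later switches that record to DNS Only, resolvers hand clients an address that goes nowhere and the hostname goes dark. Suggest a short caution that these placeholder records must remain proxied, and a pointer to the "Mix proxied and unproxied" section directly below, since it explains how other A or AAAA records on the same name are treated.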