Complete Cloudflare DNS setup guide with step-by-step instructions. Configure A, CNAME, MX, and TXT records for your domain correctly.
Cloudflare is not just a DNS host — it is also a global CDN, DDoS mitigation platform, and application firewall. This makes Cloudflare DNS configuration unique: every A, AAAA, and CNAME record has a proxy toggle that no other major DNS provider offers. When you enable the proxy (orange cloud), traffic routes through Cloudflare's global edge network before reaching your server. When disabled (grey cloud / DNS only), Cloudflare functions as a standard authoritative nameserver and returns your server's real IP to all queries.
Cloudflare operates over 300 data centre locations worldwide using anycast routing. DNS changes you make in the Cloudflare dashboard typically propagate to all Cloudflare edge nodes within 1 to 5 minutes — far faster than most DNS providers. External resolvers still cache results for the duration of the TTL, but Cloudflare's end of propagation is near-instant.
When you add a domain to Cloudflare, the platform assigns two unique nameservers to your account — for example, alice.ns.cloudflare.com and bob.ns.cloudflare.com. These nameservers are specific to your Cloudflare account, not shared globally. To activate Cloudflare, log into your domain registrar (GoDaddy, Namecheap, Google Domains, etc.), navigate to Nameservers or DNS Settings, and replace the existing nameservers with Cloudflare's assigned pair. Nameserver changes take 24-48 hours to propagate globally. The Cloudflare dashboard shows your domain status as Pending Nameserver Update until propagation completes, then switches to Active.
The proxy toggle (the cloud icon next to each record) is the most important and Cloudflare-specific decision you make for each record:
Only A, AAAA, and CNAME records can be toggled. MX, TXT, NS, and SOA records are always DNS Only — there is no proxy option for those record types.
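A zone-level check for the proxy toggle described above, as an added example that is not part of the original guide: it flags DNS-only A/AAAA records that publish the same address a proxied record hides, and DNS-only CNAME or MX records that point at such a name. The record dictionaries, their keys, and the example.com data are constructed for illustration.

```python
# Added example: audit a zone's proxy toggles for origin-IP disclosure.
# ZONE is constructed sample data; the dict keys are an assumed export shape.
ZONE = [
    {"type": "A",     "name": "example.com",      "content": "203.0.113.10", "proxied": True},
    {"type": "A",     "name": "www.example.com",  "content": "203.0.113.10", "proxied": True},
    {"type": "A",     "name": "mail.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A",     "name": "vpn.example.com",  "content": "198.51.100.7", "proxied": False},
    {"type": "CNAME", "name": "ftp.example.com",  "content": "Mail.Example.com.", "proxied": False},
    {"type": "MX",    "name": "example.com",      "content": "mail.example.com", "proxied": False},
]

PROXYABLE = {"A", "AAAA", "CNAME"}   # only these types have the cloud toggle
ADDRESS = {"A", "AAAA"}


def norm(host):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()


def audit_zone(records):
    """Return (finding, record, detail) tuples for risky proxy settings."""
    findings = []
    for r in records:
        if r["proxied"] and r["type"] not in PROXYABLE:
            findings.append(("cannot-be-proxied", f'{r["type"]} {r["name"]}', ""))
    # Addresses the orange cloud is supposed to keep out of public answers.
    hidden = {r["content"] for r in records
              if r["proxied"] and r["type"] in ADDRESS}
    # DNS-only address records that publish one of those addresses anyway.
    exposed = {}
    for r in records:
        if not r["proxied"] and r["type"] in ADDRESS and r["content"] in hidden:
            exposed[norm(r["name"])] = r["content"]
            findings.append(("origin-exposed", f'{r["type"]} {r["name"]}', r["content"]))
    # DNS-only CNAME/MX records that lead resolvers to an exposed name.
    for r in records:
        if (not r["proxied"] and r["type"] in {"CNAME", "MX"}
                and norm(r["content"]) in exposed):
            findings.append(("leads-to-exposed", f'{r["type"]} {r["name"]}',
                             exposed[norm(r["content"])]))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(ZONE):
        print(*finding)
```

A mail host that must stay DNS-only is the usual source of an `origin-exposed` finding; giving it an address that no proxied record uses clears the finding.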
Adding an A record (website): In the DNS tab, click Add record, set Type to A, enter @ for the root domain or a subdomain name such as www, enter your server's IPv4 address, set TTL to Auto, and enable the orange proxy cloud. Click Save. The record appears immediately in your zone and propagates to Cloudflare's edge within 5 minutes.
Adding a CNAME at the root domain (CNAME Flattening): Standard DNS prohibits CNAME records at the zone apex, but Cloudflare resolves the target hostname to an IP at query time and returns an A record to clients. To use it, add a CNAME record with Name set to @ and Target pointing to a hostname like your-app.netlify.app or your-project.vercel.app. This CNAME Flattening feature is unique to Cloudflare and not available on providers like GoDaddy or Namecheap without manual IP resolution.
Adding MX records for email: Set Type to MX, Name to @, Mail server to your email provider's hostname (e.g., aspmx.l.google.com for Google Workspace or mail.protection.outlook.com for Microsoft 365), and Priority to the value your provider specifies. For multiple MX records, use priorities 1, 5, 10 as Google requires. MX records cannot be proxied — Cloudflare hides the proxy toggle for MX records automatically.
Adding TXT records for email authentication: Set Type to TXT, Name to @ for SPF and DMARC, enter the full TXT value in quotes (e.g., v=spf1 include:_spf.google.com ~all), and set TTL to Auto. DKIM records use a selector subdomain like google._domainkey as the Name. Verify all three using the TXT record checker after propagation.
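One way to check an SPF value like the one above before saving it, as an added example that is not part of the original guide: it applies the RFC 7208 rules that most often break SPF (more than one v=spf1 record at a name, a permissive or missing all, and more than 10 DNS-lookup terms). The function names and sample values are constructed for illustration, and the lookup count covers only the record's own terms, not those inside included records.

```python
import re

# Added example: lint the TXT values published at one name before saving an SPF
# record in the dashboard. Rules follow RFC 7208; sample inputs are constructed.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:/=].*)?$", re.I)


def unquote(value):
    """Join the quoted strings of one TXT value, as resolvers do."""
    parts = re.findall(r'"([^"]*)"', value)
    return "".join(parts) if parts else value.strip()


def lint_spf(txt_values):
    """Return a list of problems with the SPF policy among txt_values."""
    values = [unquote(v) for v in txt_values]
    spf = [v for v in values if v.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 record"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers treat this as permerror"]
    problems, lookups, has_redirect = [], 0, False
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, rest = m.group(1), m.group(2).lower(), m.group(3) or ""
        if rest.startswith("="):                 # modifier, e.g. redirect=
            has_redirect |= name == "redirect"
            lookups += name == "redirect"
        elif name in LOOKUP_MECHANISMS:
            lookups += 1                         # costs the receiver a DNS query
        elif name == "all":
            if qualifier in ("", "+"):
                problems.append("+all authorises every sender")
            if any("=" not in t for t in terms[pos + 1:]):
                problems.append("mechanisms after 'all' are never evaluated")
    if not has_redirect and not any(t.lstrip("+-~?").lower() == "all" for t in terms):
        problems.append("no 'all' mechanism or redirect: result defaults to neutral")
    if lookups > 10:                             # counts this record's own terms only
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems
```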
Error 1001 — DNS Resolution Error: The CNAME target configured in your Cloudflare zone cannot be resolved. This happens when you CNAME to a hostname that has been deleted or renamed — for example, an old Netlify deployment URL. Fix: update the CNAME to the new valid target hostname. Verify the target resolves with dig CNAME www.yourdomain.com or the DNS propagation checker.
Error 1014 — CNAME Cross-User Banned: A CNAME in your zone points to a Cloudflare-proxied hostname belonging to a different Cloudflare account. Cloudflare blocks cross-account CNAME chains to prevent abuse. Fix: switch the CNAME target to an unproxied hostname, or use an A record pointing directly to the destination server's IP address.
Error 522 — Connection Timed Out: Cloudflare reached your origin server but it did not respond in time. This is an origin server problem, not a DNS problem. Check that your server is running and that its firewall allows inbound traffic from Cloudflare's IP ranges. Your server must accept connections from Cloudflare's edge — not from end users directly — when the record is proxied.
Error 525 — SSL Handshake Failed: Cloudflare cannot establish a TLS connection to your origin server. This occurs when the SSL/TLS mode is set to Full or Full (Strict) but your origin has an invalid or expired certificate. Temporary fix: change the SSL/TLS mode in the Cloudflare dashboard to Flexible. Flexible mode sends traffic between Cloudflare and your origin over unencrypted HTTP, so use it only for as long as the certificate problem lasts. Permanent fix: install a valid certificate on your origin, then switch back to Full (Strict) mode.
SSL pending after adding a proxied record: After adding a new proxied domain or subdomain, Cloudflare issues a Universal SSL certificate. Certificate generation takes up to 24 hours for new domains and 15 minutes to several hours for new subdomains on existing domains. If SSL is still pending after 24 hours, verify the record is proxied (orange cloud) and check the SSL/TLS section in the Cloudflare dashboard for specific error messages about certificate issuance.
For proxied records, Cloudflare uses TTL 300 (5 minutes) and serves the value from its own distributed cache to external resolvers. For DNS-only records, the TTL you set in the dashboard controls how long external resolvers cache the result. Setting TTL to Auto on a DNS-only record applies 300 seconds when the record is actively being modified and 1 hour otherwise.
After making a change, use the DNS propagation checker to see which global servers have your latest records. For proxied records, the checker returns Cloudflare's anycast IP addresses rather than your server's real IP — this is correct and expected. For DNS-only records, the checker returns your actual server IP. Compare your Cloudflare setup to GoDaddy DNS or Namecheap DNS to understand the workflow differences when switching providers.
After updating your nameservers at your registrar, verify activation with dig NS yourdomain.com. The response should show Cloudflare's two nameservers assigned to your account. The Cloudflare dashboard also changes the domain status from Pending to Active once propagation is confirmed. Once active, manage all DNS records exclusively in the Cloudflare dashboard. Do not add or edit records at your registrar — the registrar only controls which nameservers handle your domain, not the records themselves. See How to Find Your Nameservers for verification steps and Nameservers vs DNS Records for a full explanation of this relationship.