Cloudflare DNS Cheatsheet and Local Record Checker

Routes supported web records through Cloudflare so visitors see Cloudflare edge addresses instead of your origin.

Use it for HTTP or HTTPS traffic on A, AAAA, and CNAME records when you want CDN, WAF, cache, Workers, redirects, or DDoS protection. Do not use it for mail or arbitrary TCP service discovery records.

A  www  203.0.113.10  Proxied  Auto

Publishes the DNS answer directly without sending traffic through Cloudflare.

Keep MX, TXT, CAA, SRV, NS, SOA, and most verification records DNS-only. Also use DNS-only temporarily when debugging origin reachability or protocol issues that Cloudflare proxying can mask.

MX  @  10 mail.example.com  DNS-only  300

Lets Cloudflare manage cache duration, especially for proxied records whose public answer is Cloudflare edge infrastructure.

For proxied records, Auto TTL is the normal daily setting. For DNS-only cutovers, set a short explicit TTL before the migration so resolvers stop caching the old target quickly.

CNAME  www  example.pages.dev  Proxied  Auto

Cloudflare can accept a CNAME-like target at the zone apex and answer clients with address records.

This is provider behavior, not portable zone-file syntax. It is useful for SaaS targets at example.com, but exports and imports still deserve review because another DNS provider may reject the same shape.

CNAME  @  my-site.hosting.example  Proxied  Auto

Point a hostname to IPv4 or IPv6 addresses; these are the most common Cloudflare proxy candidates.

Use A for IPv4 and AAAA for IPv6. If the record is proxied, Cloudflare hides the origin address from normal DNS answers; if DNS-only, the address is published directly.

A  api  203.0.113.20  Proxied  Auto

Alias a subdomain to another hostname, commonly for SaaS, Pages, load balancers, and CDNs.

A CNAME name normally cannot also have TXT, MX, A, or AAAA records at the same name. Move verification TXT to the exact name the vendor asks for, or use a different subdomain.

CNAME  docs  cname.vercel-dns.com  Proxied  Auto

A record such as *.example.com catches otherwise undefined first-level subdomains.

Wildcards do not override an exact record. Use them carefully with proxying because a broad wildcard can accidentally expose preview apps or route unknown hostnames to the wrong origin.

CNAME  *  fallback.example.net  Proxied  Auto

MX routes inbound mail and points to mail exchanger hostnames, not Cloudflare proxied web origins.

Never orange-cloud MX. The MX target should be a hostname with address records, and mail setup should be paired with SPF, DKIM, and DMARC TXT records.

MX  @  10 aspmx.l.google.com  DNS-only  3600

SPF is a TXT value starting with v=spf1; publishing two policies on the same name causes receiver-side errors.

When adding a sender, merge include mechanisms into the existing SPF record instead of creating a second TXT. Also watch the SPF 10-DNS-lookup limit as vendors pile up.

TXT  @  "v=spf1 include:_spf.google.com include:sendgrid.net ~all"  DNS-only  300

DKIM stores public keys on selector names, while DMARC publishes policy at _dmarc.

Keep both DNS-only. Start DMARC with p=none while collecting reports, then move gradually toward quarantine or reject after every sender aligns.

TXT  _dmarc  "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  DNS-only  300

CAA tells certificate authorities which issuers may create certificates for the domain.

Use CAA when you want tighter certificate issuance control. Include the CA used by Cloudflare Universal SSL and any external CA your team actually uses, or renewals can fail.

CAA  @  0 issue "letsencrypt.org"  DNS-only  3600

DNSSEC signs DNS answers; Cloudflare can host signed zones, but the registrar DS record must match.

Turn it on after delegation is stable, then copy the DS record to the registrar. Mismatched or stale DS records cause validation failures that look like the domain vanished.

Registrar DS must match the Cloudflare DNSSEC panel

Cloudflare becomes authoritative only after the registrar points the domain to the assigned Cloudflare nameservers.

Do not invent nameserver hostnames or reuse names from another zone. Copy the exact two assigned nameservers, and keep the previous DNS provider unchanged until delegation is observed globally.

Registrar NS: ada.ns.cloudflare.com, max.ns.cloudflare.com

Cloudflare can import common zone-file syntax, but provider-specific pseudo records deserve manual review.

Review apex aliases, flattened CNAMEs, provider verification TXT, and records with unusual quoting. After import, compare record counts and inspect every mail-related row before changing nameservers.

www  300  IN  CNAME  example.pages.dev.

Lower DNS-only TTL before a migration, verify the new target, then raise it again after the change is stable.

A TTL of 300 seconds is a common operating value before cutover. Very long TTLs on DNS-only A, AAAA, CNAME, or MX records make rollback and traffic shifts slower than expected.

A  @  203.0.113.10  DNS-only  300

A proxied hostname can still leak the origin through sibling DNS records, old history, mail records, or direct hostnames.

Use separate origins when possible, lock origin firewall rules to Cloudflare egress ranges, and avoid publishing origin-only hostnames like origin.example.com unless access is restricted.

Do not leave origin.example.com as DNS-only if it points to the same protected host

When a change looks wrong, compare Cloudflare authoritative answers with public recursive resolver answers.

Authoritative answers show what Cloudflare is serving now; recursive answers show what users may still receive from cache. Mismatches are expected until TTLs expire.

dig @ada.ns.cloudflare.com www.example.com A +short