Skip to content

Commit f671ba2

Browse files
[DNS] Proxy status use cases (#29789)
* Automated first pass * AI-assited: create dedicated page for common-scenarios * Automated: cross-check and add from CSUP Gdoc * Bring reference to common-scenarios higher on the page * Automated: prompted to correct limitation vs behavior by design * Manual: remove orange-to-orange and clarify expected behaviors intro * Move size and connection timeouts and refer to Fudamentals source * Re-ord headings to keep proxy and DNS-only cases more even * Defer to specify time limit and link to new _dc-mx content * Apply monospace to port number and error Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --------- Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com>
1 parent 7265f1b commit f671ba2

3 files changed

Lines changed: 129 additions & 6 deletions

File tree

src/content/docs/dns/proxy-status/index.mdx

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -137,6 +137,14 @@ For proxied records, if your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimi
137137
Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling [Universal SSL](/ssl/edge-certificates/universal-ssl/), for example, could impact this behavior.
138138
:::
139139

140+
### Request and response size limits
141+
142+
Cloudflare enforces size limits on proxied requests. These limits vary by plan and cannot be bypassed while traffic is proxied. For the full list of connection and request limits, refer to [Connection limits](/fundamentals/reference/connection-limits/).
143+
144+
### Connection timeouts
145+
146+
Cloudflare enforces a default [Proxy Read Timeout](/fundamentals/reference/connection-limits/) between Cloudflare and your origin server. If your origin does not send an HTTP response within the defined time limit, Cloudflare returns a [`524` error](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524/). Enterprise customers can [increase the timeout value](/cache/how-to/cache-rules/settings/#proxy-read-timeout-enterprise-only).
147+
140148
---
141149

142150
## DNS-only records
@@ -146,3 +154,9 @@ When an A, AAAA, or CNAME record is **DNS-only** — shown as a gray cloud icon
146154
**DNS-only** is only recommended for records that do not serve web traffic, such as records used for email routing or third-party domain verification. For records that serve web traffic, **DNS-only** means your origin IP addresses are visible to anyone who queries the record, potentially exposing your server to bad actors and [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/). Cloudflare also cannot [optimize, cache, and protect](/fundamentals/concepts/how-cloudflare-works/) those requests or provide HTTP/HTTPS analytics on them.
147155

148156
<Render file="mix-proxied-and-unproxied" product="dns" />
157+
158+
### When to use DNS-only
159+
160+
Certain DNS records should be DNS-only because the services they support are not compatible with Cloudflare's HTTP proxy. Common examples include email records, domain verification records, SaaS-hosted websites, and non-HTTP services.
161+
162+
For a detailed list of scenarios, refer to [Use cases](/dns/proxy-status/use-cases/). For hard constraints on proxying, refer to [Proxying limitations](/dns/proxy-status/limitations/).

src/content/docs/dns/proxy-status/limitations.mdx

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -13,25 +13,27 @@ tags:
1313

1414
import { Render, GlossaryTooltip, Details } from "~/components";
1515

16-
This page describes expected limitations when <GlossaryTooltip term="proxy status">proxying DNS records</GlossaryTooltip>. For further information about proxying, refer to [How Cloudflare works](/fundamentals/concepts/how-cloudflare-works/).
16+
This page describes expected limitations when <GlossaryTooltip term="proxy status">proxying DNS records</GlossaryTooltip>. For further information about proxying, refer to [How Cloudflare DNS works](/fundamentals/concepts/how-cloudflare-works/).
17+
18+
For guidance on when to proxy records and when to use DNS only, refer to [Use cases](/dns/proxy-status/use-cases/).
1719

1820
## Proxy eligibility
1921

20-
Only A, AAAA, and CNAME DNS records that serve HTTP or HTTPS traffic can be proxied. Other record types cannot be proxied.
22+
Only A, AAAA, and CNAME records that serve HTTP or HTTPS traffic can be proxied. Other DNS record types cannot be proxied.
2123

2224
If you encounter a [CNAME record](/dns/manage-dns-records/reference/dns-record-types/#cname) that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration.
2325

2426
<Details header="Non-proxiable targets">
2527

2628
- Exact match:
27-
- `dkim2.mcsv.net` ([Mailchimp documentation](https://mailchimp.com/help/set-up-email-domain-authentication/))
29+
- `dkim2.mcsv.net` ([Mailchimp documentation](https://mailchimp.com/help/set-up-email-domain-authentication/))
2830
- `dkim3.mcsv.net` ([Mailchimp documentation](https://mailchimp.com/help/set-up-email-domain-authentication/))
2931
- `zmverify.zoho.com` ([Zoho documentation](https://www.zoho.com/mail/help/adminconsole/domain-verification.html))
3032
- `dkim.infusionmail.com` ([Keap documentation](https://help.keap.com/help/dmarc))
3133
- Exact match or subdomain of:
32-
- `dkim.amazonses.com` ([Amazon SES documentation](https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html#just-verify-domain-proc))
34+
- `dkim.amazonses.com` ([Amazon SES documentation](https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html#just-verify-domain-proc))
3335
- Subdomain of:
34-
- `onmicrosoft.com` ([Microsoft documentation](https://learn.microsoft.com/defender-office-365/email-authentication-dkim-configure))
36+
- `onmicrosoft.com` ([Microsoft documentation](https://learn.microsoft.com/defender-office-365/email-authentication-dkim-configure))
3537
- `dkim.intercom.io` ([Intercom documentation](https://www.intercom.com/help/articles/9744849-connect-your-email-support-channel))
3638
- `acm-validations.aws` ([AWS certificate manager documentation](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html))
3739

@@ -57,4 +59,4 @@ For enhanced security, we recommend rolling your origin IP addresses at your hos
5759

5860
## Windows authentication
5961

60-
Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records.
62+
Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records. NTLM authenticates at the TCP connection level (Layer 4), and Cloudflare does not guarantee that consecutive requests from the same client reuse the same TCP connection to the origin. This can cause repeated authentication prompts or authentication loops.
Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
---
2+
pcx_content_type: reference
3+
title: Use cases
4+
sidebar:
5+
order: 1
6+
---
7+
8+
import { GlossaryTooltip, Details } from "~/components";
9+
10+
This page lists common scenarios where DNS records should be <GlossaryTooltip term="proxy status">proxied</GlossaryTooltip> or set to DNS only, and describes aspects to keep in mind depending on your configuration. For background on how proxy status works, refer to [Proxy status](/dns/proxy-status/).
11+
12+
## Proxied records
13+
14+
You should proxy all A, AAAA, and CNAME records that serve HTTP or HTTPS web traffic. This includes records for:
15+
16+
- Your website or web application (for example, `example.com`, `www.example.com`)
17+
- Subdomains that serve web content (for example, `blog.example.com`, `app.example.com`)
18+
- API endpoints that accept HTTP/HTTPS requests and do not require origin IP validation
19+
20+
Proxied records benefit from [DDoS protection](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/), [caching](/cache/), [WAF](/waf/), and other Cloudflare security and performance features.
21+
22+
When traffic is proxied through Cloudflare, the following behaviors apply. You may need to adjust your origin configuration, depending on your use case.
23+
24+
### Source IP changes
25+
26+
Your origin server sees Cloudflare IP addresses as the source of all requests instead of the end-user's IP address. Applications that rely on the source IP for authentication, rate limiting, or geolocation will not function as expected without additional configuration.
27+
28+
Cloudflare includes the original visitor IP address in the [`CF-Connecting-IP`](/fundamentals/reference/http-headers/) and `X-Forwarded-For` request headers. Configure your origin server to read the visitor IP from these headers. For more information, refer to [Restoring original visitor IPs](/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/).
29+
30+
### Client certificate (mTLS) validation
31+
32+
When a record is proxied, TLS terminates at Cloudflare's global network. Cloudflare establishes a separate TLS connection to your origin server. This means the origin never receives the end-user's client certificate during the TLS handshake. You can achieve mTLS through the following:
33+
34+
- [Client certificates (mTLS)](/ssl/client-certificates/): validate client certificates between your end-users and Cloudflare.
35+
- [Authenticated Origin Pulls](/ssl/origin-configuration/authenticated-origin-pull/): Verify that traffic reaching your origin comes from Cloudflare.
36+
- [Forward a client certificate](/ssl/client-certificates/forward-a-client-certificate/): Forward client certificate details to your origin via HTTP headers.
37+
38+
### Header modifications
39+
40+
Cloudflare adds and modifies HTTP request headers when proxying traffic, including headers for [visitor IP identification](/fundamentals/reference/http-headers/), diagnostics, and connection management. Applications that expect a fixed number of headers or parse headers by position instead of by name may experience errors.
41+
42+
For a full list of headers that Cloudflare adds or modifies, refer to [HTTP request headers](/fundamentals/reference/http-headers/).
43+
44+
## DNS only
45+
46+
The following records should be set to DNS-only because the services they support are not compatible with Cloudflare's HTTP proxy. Proxying these records causes the associated service to break.
47+
48+
### Email
49+
50+
MX records cannot be proxied. If an A or AAAA record is used exclusively for email (for example, `mail.example.com`), it should also be set to DNS-only.
51+
52+
Cloudflare does not proxy SMTP traffic on port `25` by default. Proxying a record that handles email traffic causes mail servers to connect to Cloudflare's IP addresses instead of your mail server. This prevents email delivery.
53+
54+
Use a dedicated hostname for email that is separate from your proxied web traffic hostname. If your MX record points to the same hostname as your website, Cloudflare [dynamically prepends](/dns/manage-dns-records/troubleshooting/unexpected-dns-records/#_dc-mx-and-dc--subdomains) `_dc-mx` to the hostname in the response for the MX record. This ensures that mail or service traffic bypasses the Cloudflare proxy and reaches your server directly.
55+
56+
:::note
57+
You can proxy SMTP traffic if you have [Cloudflare Spectrum](/spectrum/) configured for [SMTP](/spectrum/reference/configuration-options/#smtp).
58+
:::
59+
60+
### Domain verification
61+
62+
Third-party services often require CNAME or TXT records to verify domain ownership. Proxying a verification CNAME record returns Cloudflare IP addresses instead of the expected verification target. The third-party service cannot match the response and verification fails.
63+
64+
Common services that require DNS-only verification records:
65+
66+
- Google Workspace
67+
- AWS Certificate Manager (`acm-validations.aws`)
68+
- Squarespace (`verify.squarespace.com`)
69+
- Amazon Amplify
70+
71+
Set domain verification records to **DNS Only** until verification completes. Some services require the record to be DNS-only permanently.
72+
73+
### SaaS-hosted websites
74+
75+
If your site is hosted on a SaaS platform (for example, [Wix](/dns/manage-dns-records/reference/vendor-specific-records/#wix), Squarespace, Webflow), the platform serves your site from its own infrastructure. Proxying the DNS record pointing to a SaaS platform causes one or more of the following issues:
76+
77+
- **SSL errors**: Both Cloudflare and the SaaS platform attempt to terminate SSL, which causes certificate mismatches or handshake failures.
78+
- **Redirect loops**: Both services try to redirect HTTP to HTTPS, which creates an infinite loop.
79+
- **Broken pages or assets**: The platform rejects requests that do not come directly from the expected DNS resolution.
80+
81+
If your SaaS platform does not explicitly support Cloudflare's proxy, set the record to **DNS-only**. Refer to [vendor-specific DNS records](/dns/manage-dns-records/reference/vendor-specific-records/) for platform-specific guidance.
82+
83+
:::note
84+
Some SaaS platforms are integrated with Cloudflare through [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/). For example, Shopify uses [O2O](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/shopify/), which allows proxied records to work correctly.
85+
:::
86+
87+
### Non-HTTP services
88+
89+
Records used for FTP, SSH, RDP, game servers, or other non-HTTP protocols must be DNS-only. Cloudflare's proxy only handles HTTP and HTTPS traffic. Proxying these records routes the traffic to Cloudflare, which drops the non-HTTP connection.
90+
91+
To proxy non-HTTP protocols, use [Cloudflare Spectrum](/spectrum/).
92+
93+
### Other CDN or proxy providers
94+
95+
If a CNAME record points to another CDN or proxy provider (for example, AWS CloudFront, Akamai, Fastly), proxying it through Cloudflare can cause conflicts between the two proxies:
96+
97+
- **SSL negotiation failures**: Both proxies attempt to terminate TLS, which creates certificate chain errors.
98+
- **Routing loops**: Each proxy forwards requests back to the other.
99+
- **Connectivity errors**: The upstream CDN rejects requests from Cloudflare's IP addresses.
100+
101+
Cloudflare automatically [prevents proxying](/dns/proxy-status/limitations/#proxy-eligibility) for some known targets. For targets that are not automatically blocked, set the record to **DNS-only** if you experience connectivity issues.
102+
103+
### API and webhook origin validation
104+
105+
Some third-party services validate the origin IP address of incoming API calls or webhook deliveries. When you proxy the DNS record for an endpoint that sends outbound requests or receives webhooks, the remote service sees Cloudflare's IP addresses instead of your server's IP address. This causes the validation to fail.
106+
107+
If a third-party service requires IP-based validation and does not accept [Cloudflare's IP ranges](https://www.cloudflare.com/ips/), set the record for that service to **DNS-only**.

0 commit comments

Comments
 (0)