Afraid to hand over DNS

I have used CloudFlare in the past on low-traffic sites, but we’re investigating using it on a site that needs incredible reliability. We’ve been running our DNS on Amazon’s Route 53 for years, and I’m hesitant to hand it over to CloudFlare, given that it’s such a big change.

I’m aware there’s a CNAME setup, but we have most of our web traffic going to root domain, not a subdomain, so I’m assuming that won’t work here.

How can I ensure that CloudFlare doesn’t immediately have unintended consequences as soon as we start pointing DNS? Since DNS can take up to 48 hours to propagate, I worry that there’s no way to simply undo this in the event of something unforeseen.

Are all Cloudflare features able to be disabled to start, so that we can slowly turn on over time? How do most people mitigate this risk?

You can move over just the DNS without turning on any Cloudflare features. Meaning you would not be using the CDN at all, you would just be using the DNS features (DNS nameservers) that Cloudflare runs and provides to all sites by default.

You can check reliability here: https://www.dnsperf.com/#!dns-providers,World,uptime and https://www.dnsperf.com/dns-provider/cloudflare. The uptime numbers since Oct 16 seem a bit suspect, but I’ll let someone in the know comment on them. Edit: Something seems to be going on with DNSPerf, as NameCheap has also suffered from the same Oct 16 hit/bug: https://www.dnsperf.com/dns-provider/namecheap. And yet, DigitalOcean (which uses Cloudflare in front of it for all its DNS) hasn’t suffered the same way: https://www.dnsperf.com/dns-provider/digitalocean. :shrug:

Note also that Cloudflare doesn’t allow you to use multiple DNS providers at the same time (which you’d undoubtedly want to use if you need “incredible reliability”) unless you are on an Enterprise Plan iirc. With any other provider, like Route 53, you can have nameservers from multiple providers configured, giving your site that incredible reliability you’re looking for.

More broadly, if you aren’t looking at Cloudflare for DDoS protection and/or can’t afford the Enterprise plan, then there are better DNS providers out there. Route 53 isn’t/wasn’t one of them last time I checked, FYI. :slight_smile:


Thanks so much for the quick response. When I highlighted needing reliability, I wasn’t questioning Cloudflare’s reputation, I was questioning my ability to transition to Cloudflare without hiccups.

You can move over just the DNS without turning on any Cloudflare features

Can you elaborate on how I do this? Is it simply by disabling the ‘proxy’ option in the DNS settings for each entry?

It looks like there’s some stuff in a few of the features (such as firewall/DDoS protection) that’s already enabled.

Ah, I misunderstood. My bad.

:orange: and :grey: are your best friends. Only with :orange: will any CDN features turn on. If you have :grey: on all your DNS records, then no Cloudflare features will be used for your account. Alternatively, if you are afraid (like, really afraid), you can hit “Pause Cloudflare on Site” at the bottom of the Dashboard for your domain. This will ensure that only the DNS is functional, and nothing else. Even if there are any :orange: DNS records, the pause will make sure they are not used.

Other than that, it is a very simple copy/transfer of zone records. You can export from Route 53, import into Cloudflare, then check them line by line (don’t skip this last step, I’m telling you). Once you’re happy, make sure all your records are :grey:, then and only then change your nameservers at your registrar. It’s really as simple as that…

(Note also that changes can take up to a week to fully propagate to the nether regions of the internet, no matter what your TTLs are. You won’t lose sleep over that, however, as it’s just what is…
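
As an added example for the “check them line by line” step above (this is not code from the thread or from Cloudflare), a small Python script that diffs a Route 53 zone export against the zone re-exported from Cloudflare after import: it ignores TTLs and SOA/NS (which change by design), reports records missing or unexpected on the Cloudflare side, and lists any name still tagged as proxied (:orange:) so you can confirm everything is :grey: before touching the registrar. The two zone texts are constructed samples, and the trailing `; cf_tags=cf-proxied:...` comment is an assumption about Cloudflare’s export format.

```python
# Added example (not from the thread or Cloudflare); sample zones are constructed. Names
# are assumed fully qualified; the "; cf_tags=cf-proxied:..." comment is an assumed format.
def split_comment(line):
    """Split at the first ';' outside double quotes (TXT data may contain ';')."""
    in_quotes = False
    for idx, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:idx], line[idx + 1:]
    return line, ""

def parse_zone(text):
    """Return ({(name, type, rdata)}, {names tagged proxied}); TTL and class ignored."""
    records, proxied = set(), set()
    for raw in text.splitlines():
        data, comment = split_comment(raw)
        parts = data.split()
        if len(parts) < 4 or parts[0].startswith("$"):
            continue  # blank, $ORIGIN/$TTL or malformed line
        name = parts[0].lower().rstrip(".")
        i = 1
        while i < len(parts) - 1 and (parts[i].isdigit() or parts[i].upper() == "IN"):
            i += 1  # skip optional TTL and class tokens
        rtype, rdata = parts[i].upper(), " ".join(parts[i + 1:])
        if rtype in ("SOA", "NS"):
            continue  # change by design when nameservers move
        if rtype in ("CNAME", "MX"):
            rdata = rdata.lower().rstrip(".")  # target names: case/dot-insensitive
        records.add((name, rtype, rdata))
        if "cf-proxied:true" in comment:
            proxied.add(name)
    return records, proxied

def compare_zones(source, target):
    """Records missing from / unexpected in target, plus names still proxied (:orange:)."""
    src, _ = parse_zone(source)
    dst, proxied = parse_zone(target)
    return {"missing": sorted(src - dst), "unexpected": sorted(dst - src),
            "proxied": sorted(proxied)}
ROUTE53_EXPORT = """\
example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN CNAME example.com.
example.com. 300 IN MX 10 mail.example.com.
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=reject"
"""
CLOUDFLARE_EXPORT = """\
example.com. 1 IN A 192.0.2.10 ; cf_tags=cf-proxied:true
example.com. 1 IN MX 10 MAIL.example.com.
_dmarc.example.com. 1 IN TXT "v=DMARC1; p=reject"
"""
```

Running `compare_zones(ROUTE53_EXPORT, CLOUDFLARE_EXPORT)` on the samples reports the www CNAME as missing and the root A record as still proxied, the two things you would want to fix before changing nameservers.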

This is wonderful, thank you macktoy! Your advice, and knowing there is a “Pause Cloudflare on Site” option, gives me the confidence to move forward.

Much appreciated!

Yw.

Since you’re afraid of the Cloudflare firewall/DDoS protection for some reason, I will mention (for completeness) that Cloudflare DNS probably has some DDoS measures in place … but these are not configurable at the customer level. Route 53 has these too. As do all other providers. They are less sensitive than regular server firewalls though as DNS servers generally remain performant even in the worst of circumstances and need less coddling.
