DNS Settings - dns only or proxied

DNS & Network
#1

Hi guys

I was wondering which records should be set up as DNS Only and which records should be Proxied.
At the moment my website www.savesmart.be and cname subdomain https://mijn.savesmart.be is not reachable.

I appreciate your help.

Cloudfare3
Cloudfare3684×808 152 KB

Regards

Kristof

#2

Greetings,

Thank you for asking.

Kindly, edit your post and mask/hide (redact) the IP addresses on the shared screenshot due to the privacy concern. Thank you in advance.

Furthermore, may I suggest:

  1. A & AAAA smtp → switch them to :grey: (DNS-only)
  2. A & AAAA pop → switch them to :grey: (DNS-only)

Works fine from my end right now (I assume it’s set to :grey: (DNS-only) now?) → over HTTPS:

mijn CNAME:

Screenshot 2022-02-09 at 19-26-33 Mijn SaveSmart - Makelaars Adviseurs - Login
Screenshot 2022-02-09 at 19-26-33 Mijn SaveSmart - Makelaars Adviseurs - Login1920×1056 78.3 KB

www website (redirection from www to non-www works fine):

Screenshot 2022-02-09 at 19-32-52 SaveSmart
Screenshot 2022-02-09 at 19-32-52 SaveSmart1920×1065 141 KB

Might be some DNS cache at your local ISP provider (maybe you need to flush your DNS or restart router).

I see you have got the TLSA record added … but seems like the DNSSEC is not enabled at Cloudflare dashboard and no DS record found (yet) at the domain registrar? (if you are trying to accomplish DANE obviously)

Have you tried accessing it using a different Web browser, or a VPN connection, or even mobile data (4G LTE, cellular)?

May I ask do you get any error when you proxy and switch to :orange: the mijn hostname? Should be fine with proxy :orange:

savesmart.be, www and mijn can be proxied and set to :orange:, while email related hostnames (DNS records) should be set to :grey: (DNS-only).

#3

Hi Fritex

Thanks for the help and lookup.
I’ve switched all mail related records to DNS-only.

I have flushed my DNS en reregistered it but it still doesn’t work at Chrome or Edge.
But it is resolving on my mobiles 4G data. So I guess it will resolve after a couple of hours?

For mijn. that’s pointing to suitedash. In their manual they explicit ask to not set Proxied in Cloudfare but to use DNS only. That’s why i’ve set it to dns only ;-).

I took the TLSA records from the standard dns settings of my hosting provider. But there isn’t a DS record there. So is it ok to remove those TLSA records on Cloudfare?

#4

Another thing, what’s your current encryption mode?

#5

It’s set to Full

#6

So I thought :wink:

That should be Full Strict

#7

Are you sure that will work out?
I tried that before and it all broke down :slight_smile:

So this are the settings now (removes those tlsa records)

Cloudfare3
Cloudfare3658×814 36.1 KB

#8

Whether it will work depends on your setup of course, but as far as I remember you had a setup which was not properly configured and never fixed that. Hence the question.

Right now it is as if you had no SSL in the first place because it’s not verified. You really want to fix that.

#9

I’ve set it to Full strict now :wink: Hope it works fine.

#10

The two TLSA records I see are associated with hostnames that are :orange:. Unless you are using Custom Certificates (i.e. certs that you obtained for a CA, and uploaded to Cloudflare, and that cover those two hostnames) you need to delete the TLSA records.

TLSA records are to validate that the certificate presented by a server match the TLSA record. Unless you control the certificate being presented to users you really cannot use TLSA. Eventually the Cloudflare managed certificate will change, and your site will be broken until you update the TLSA records. (Just FYI, it will not really break. No browser that I am aware of will check TLSA records!)

You should make the ftp records :grey:

The three NS records can be deleted, they are not doing anything in your own zone.

You have a few multiple level hostnames like www.mijn.savesmart.be. The Cloudflare universal certificates only cover one level of subdomain. If those hostnames are used with HTTPS traffic you will need to subscribe to the Advanced Certificate Manager product, or make them :grey: also.

#11

The two TLSA records I see are associated with hostnames that are :orange:. Unless you are using Custom Certificates (i.e. certs that you obtained for a CA, and uploaded to Cloudflare, and that cover those two hostnames) you need to delete the TLSA records.

Done that

You should make the ftp records :grey:

These were :grey:, so should be ok now.

The three NS records can be deleted, they are not doing anything in your own zone.

I removed them.

You have a few multiple level hostnames like www.mijn.savesmart.be . The Cloudflare universal certificates only cover one level of subdomain. If those hostnames are used with HTTPS traffic you will need to subscribe to the Advanced Certificate Manager product, or make them :grey: also.

I’ve set them to :grey:

Thanks all for the help, I think it’s solved now.

#12

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.