Global SSL config impacts even DNS-only records

Today I noticed that when creating a CNAME DNS-only record, it behaves kind of as if it were proxied.

You have a domain1 newly connected to Cloudflare; the default SSL setting is Flexible. You create a CNAME record pointing to a domain2 where your web runs and generate a Let's Encrypt certificate for domain1, but then, instead of working normally, visiting domain1 in a browser results in an http->https->http->https loop. Going back to the Cloudflare dashboard and changing the SSL to full/none, the web suddenly starts working.

To my knowledge, the SSL settings should only impact DNS records that are proxied, thus all the traffic is going through Cloudflare, and DNS-only records, as the name says, should be only normal DNS records. Right? Or is there something I am missing? I think this might be a new thing; I don’t think DNS-only records have behaved like this in the past.

If I am wrong, please correct me.

Is domain2 proxied? In that case, the record for domain1 would automatically be proxied as well, even if it shows DNS-only.

1 Like

Yes, domain2 is proxied, but using full-ssl. However, according to your message, if the proxy were to be inherited from the parent, it should automatically also be full-ssl, instead of the default flexible-ssl. Right?

There is no “inheritance”.

If a hostname is proxied, DNS lookups for it will return a {CF-IP} instead of your origin’s address. Domain2 is proxied, so it returns {CF-IP}.

Now, if domain1 was proxied, it would return {CF-IP}. But if it is DNS-only, it will instead have the same IP as domain2, which is also {CF-IP} in this case.

As you can see, the proxy mode of domain1 does not matter if it points to a proxied domain; the result is always the same. Requests for domain1 are now sent to {CF-IP}, and CF will use the settings of domain1 to handle these requests.


It is best to not use that mode. It is unsafe and tends to cause unpredictable problems.


And just as a quick addition before I forget it again:

If you want to use the settings of domain2, you could add a subdomain as a Cloudflare for SaaS domain. You would keep whatever settings you want for domain1, except for the specific subdomain that you point to domain2.

1 Like
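The behaviour explained in the replies above, modelled as an added example that is not part of any post in this thread. The hostnames, both IP addresses (documentation ranges standing in for {CF-IP} and the origin) and the origin's "redirect plain HTTP to HTTPS" rule are assumptions constructed for the illustration.

```python
# Constructed model of the thread's setup; all names and addresses are sample values.
EDGE_IP = "203.0.113.10"     # stands in for {CF-IP}
ORIGIN_IP = "198.51.100.20"  # stands in for the real origin address

RECORDS = {
    "domain1.example": {"type": "CNAME", "value": "domain2.example", "proxied": False},
    "domain2.example": {"type": "A", "value": ORIGIN_IP, "proxied": True},
}
SSL_MODE = {"domain1.example": "flexible", "domain2.example": "full"}


def resolve(name, records=RECORDS, depth=0):
    """Return the address a public resolver would hand out for `name`."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rec = records[name]
    if rec["proxied"]:
        return EDGE_IP                      # proxied names answer with an edge address
    if rec["type"] == "CNAME":
        return resolve(rec["value"], records, depth + 1)  # DNS-only: follow the target
    return rec["value"]


def effectively_proxied(name, records=RECORDS):
    """True when traffic for `name` reaches the edge, whatever its own toggle says."""
    return resolve(name, records) == EDGE_IP


def origin_scheme(host, ssl_mode=SSL_MODE):
    """Scheme the edge uses towards the origin; chosen by the requested host's settings."""
    mode = ssl_mode[host]
    if mode == "flexible":
        return "http"                       # Flexible: edge-to-origin leg is plain HTTP
    if mode == "full":
        return "https"
    raise ValueError(f"mode {mode!r} is not modelled here")


def visit(host, records=RECORDS, ssl_mode=SSL_MODE, max_hops=5):
    """Simulate a browser opening https://host; return 'ok' or 'redirect loop'."""
    if not effectively_proxied(host, records):
        return "ok"                         # browser speaks TLS to the origin directly
    for _ in range(max_hops):
        # Assumed origin rule: answer HTTPS requests, redirect plain HTTP to HTTPS.
        if origin_scheme(host, ssl_mode) == "https":
            return "ok"
        # The browser follows the 301 to https://host and lands on the edge again.
    return "redirect loop"
```
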
