Today I noticed that when creating a CNAME DNS-only record, it behaves kind of as if it was proxied.
Example:
You have a newly connected domain1 on Cloudflare; the default SSL setting is flexible. You create a CNAME record pointing to a domain2 where your web runs, generate a Let's Encrypt certificate for domain1, but then, instead of working normally, visiting domain1 in a browser results in an http->https->http->https loop. Going back to the Cloudflare dashboard and changing the SSL to full/none, the web suddenly starts working.
To my knowledge, the SSL settings should only impact DNS records that are proxied, thus all the traffic is going through Cloudflare, and DNS-only records, as the name itself says, should be only normal DNS records. Right? Or is there something I am missing? I think this might be a new thing, I don’t think DNS-only records have behaved like this in the past.
Yes, domain2 is proxied, but using full-ssl. However, according to your message, if the proxy were to be inherited from the parent, it should be automatically also full-ssl, instead of the default flexible-ssl. Right?
If a hostname is proxied, DNS lookups for it will return a {CF-IP} instead of your origin’s address. Domain2 is proxied, so it returns {CF-IP}.
Now, if domain1 was proxied, it would return {CF-IP}. But if it is DNS-only, it will instead have the same IP as domain2, which is also {CF-IP} in this case.
As you can see, the proxy mode of domain1 does not matter if it points to a proxied domain, the result is always the same. Requests for domain1 are now sent to {CF-IP}, and CF will use the settings of domain1 to handle these requests.
And just as a quick addition before I forget it again:
If you want to use the settings of domain2, you could add a subdomain as a Cloudflare for SaaS domain. You would keep whatever settings you want for domain1, except for the specific subdomain that you point to domain2.
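The resolution behaviour described in the answer above, as an added example that is not part of the original thread: a small model of CNAME resolution that flags DNS-only hostnames whose traffic still lands on Cloudflare's edge. The `.example` hostnames, the record table, the stand-in edge address and the partial range list are assumptions made for illustration.

```python
import ipaddress

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: refresh
# from Cloudflare's official list before relying on this check).
CF_RANGES = [ipaddress.ip_network(n) for n in
             ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17")]

CF_EDGE_IP = "104.16.0.1"  # constructed stand-in for the thread's {CF-IP}

def make_zone(domain1_proxied):
    # Constructed records: name -> (type, target, proxied)
    return {
        "domain1.example": ("CNAME", "domain2.example", domain1_proxied),
        "domain2.example": ("A", "203.0.113.10", True),    # proxied origin
        "direct.example": ("CNAME", "origin.example", False),
        "origin.example": ("A", "203.0.113.10", False),    # unproxied origin
    }

def resolve(zone, name, max_hops=8):
    """Return the address a client receives when looking up name."""
    for _ in range(max_hops):
        rtype, target, proxied = zone[name]
        if proxied:
            return CF_EDGE_IP      # proxied names answer with an edge address
        if rtype == "A":
            return target          # DNS-only A record: the real origin address
        name = target              # DNS-only CNAME: follow the chain
    raise RuntimeError("CNAME chain too long or looping")

def lands_on_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_RANGES)

def audit(zone):
    """List DNS-only names whose traffic still reaches Cloudflare's edge."""
    return sorted(name for name, (_, _, proxied) in zone.items()
                  if not proxied and lands_on_cloudflare(resolve(zone, name)))

if __name__ == "__main__":
    for proxied in (False, True):
        zone = make_zone(proxied)
        print("domain1 proxied:", proxied,
              "| resolves to:", resolve(zone, "domain1.example"),
              "| DNS-only but on edge:", audit(zone))
```

Any name reported by `audit` is handled by Cloudflare under that hostname's own zone settings, so its SSL mode needs reviewing even though the record is marked DNS-only.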