Cross-Domain Restriction Issue with Cloudflare Nameservers
We’re experiencing some issues related to the CF cross-domain restriction between two domains with Cloudflare Nameservers. Here’s a brief outline of our setup and the problem:
We have two independent Cloudflare company accounts and “sites”. The first account and site belong to Company A. Company A’s key domain points to both its own Website and also its customer websites to Company A’s CNAME record, as their websites are hosted by Company A on a platform that points from Company A’s Cloudflare site to external servers. Therefore, we’re hiding Company A’s IP address for security reasons by requiring and mandating only CNAME records can be used by our customers.
Company B, a customer of Company A, has a CF account for its DNS records using CF nameservers and a site domain. Company B’s domain is hosted with GoDaddy (though this is irrelevant to the issue at hand).
We’re unable to point Company B’s domain root record either A or use a CNAME to flatten in order to redirect its root domain record to its www subdomain, because we get the following error:
CNAME Cross-User Banned
Based on some documentation we’ve read, we think we need the cross-domain “restriction” lifted by Cloudflare. This is not something Company B can request on their Free account, nor configure in their account. However, the account Company B is pointing its www subdomain record to successfully (but not its root domain) is to Company A’s site using a CNAME record and who does have a Business Cloudflare account.
Assuming the restriction can be lifted and will solve the problem, is it Company A or Company B that needs to request the cross-domain restriction to be lifted? And how do we do this?
What is the process for lifting this restriction for each additional customer’s root domain record for their websites?
We would ideally like the restriction lifted from the Business Primary account so that any customer can host their domain with Cloudflare and get CNAME flattening for their root domain and it will work with their www subdomain pointing to our environment via our CF nameservers.
We believe this answer is needed from CF direct. We appreciate your assistance.
Welcome to the Cloudflare Community.
You don’t need that restriction lifted. You need Cloudflare for SaaS. It is designed specifically for the use case that you described.
We have that (Cloudflare for SaaS subscription) for Company A, but we don’t have it for Company B (the Customer). Which Company / account is required to have the Cloudflare for SaaS subscription? And is there some setting that needs turning on to prevent the cross-domain restriction? If so, where/what is it?
It would seem odd, and wrong, if it was Company B given Company A is the SaaS provider and has the subscription.
The SaaS provider uses Cloudflare for SaaS on their Cloudflare account.
Do you have any customers working with your Cloudflare for SaaS using their custom hostnames in their own domain?
Are you following all of the steps in the guide in my second link?
So, you have a CNAME record from customer-b.company-a.com that is working. Do I understand this correctly?
Then, you have a CNAME record for www.company-b.com which is showing the mentioned error.
This is probably because Apex proxying is only available on Enterprise Plans. However, you stated that Company A only has a business plan.
You could probably solve this by adding a redirect rule from
After reading through the documentation again, I’m actually not sure if I was correct. I was probably wrong.
Company A probably just has to add the apex domain as its own custom hostname, not just the www subdomain.
We’ve managed to resolve the issue for Company A (which only has a Business Plan, not an Enterprise plan), and Company B (which doesn’t require more than a Free Plan). We accomplished this without needing an Enterprise plan, Apex domain, or extensive modifications. Here are the key steps we took:
Root Domain Configuration: For Company B, we set the root domain’s @ record to be a CNAME record pointing to its subdomain (Example: www.domainname.co.uk). It’s important to note that the proxy status feature was kept turned off.
Avoiding Double Proxy: To prevent a double proxy situation (since both Company A’s and Company B’s records are managed by Cloudflare), we ensured that the proxy status was also turned off for the subdomain’s CNAME record for the
SSL Certificate Setup: To make the root domain operational for Company B, we configured Company B’s root hostname in Company A’s Cloudflare account and added an SSL certificate. This step was successful, and we didn’t need an Enterprise plan or Apex domain.
Stay tuned for further updates and confirmation on this issue resolution within a couple of days.
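The record layout described in the post above, written as a check over exported records (an added example, not part of the original thread). The hostnames, the target saas.company-a.example and the sample records are constructed, and the field names assume the shape of Cloudflare API DNS-record and custom-hostname objects.

```python
# Constructed sample data; company-b.example and saas.company-a.example
# are placeholder names, not values from the thread.
CUSTOMER_ZONE = "company-b.example"
PROVIDER_TARGET = "saas.company-a.example"

customer_dns = [  # Company B's zone: apex -> www -> Company A, both DNS only
    {"type": "CNAME", "name": "company-b.example",
     "content": "www.company-b.example", "proxied": False},
    {"type": "CNAME", "name": "www.company-b.example",
     "content": "saas.company-a.example", "proxied": False},
]
provider_custom_hostnames = [  # Company A's account (Cloudflare for SaaS)
    {"hostname": "www.company-b.example", "ssl": {"status": "active"}},
    {"hostname": "company-b.example", "ssl": {"status": "active"}},
]


def _norm(host):
    return host.lower().rstrip(".")


def check_setup(zone, target, dns_records, custom_hostnames):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    www = f"www.{zone}"
    cnames = {_norm(r["name"]): r for r in dns_records if r["type"] == "CNAME"}
    # Customer side: the apex points at www, www points at the provider.
    for name, want in ((zone, www), (www, target)):
        rec = cnames.get(name)
        if rec is None:
            findings.append(f"{name}: no CNAME record")
            continue
        if _norm(rec["content"]) != want:
            findings.append(f"{name}: points to {rec['content']}, expected {want}")
        if rec.get("proxied"):
            findings.append(f"{name}: proxy status is on (double proxy)")
    # Provider side: both hostnames need a custom hostname with a certificate.
    active = {_norm(h["hostname"]) for h in custom_hostnames
              if (h.get("ssl") or {}).get("status") == "active"}
    for name in (zone, www):
        if name not in active:
            findings.append(f"{name}: no custom hostname with an active certificate")
    return findings


if __name__ == "__main__":
    print(check_setup(CUSTOMER_ZONE, PROVIDER_TARGET,
                      customer_dns, provider_custom_hostnames) or "layout matches")
```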
The articles do not cover this scenario sufficiently.
I would favor redirecting the apex to the www hostname and keeping it out of the Cloudflare for SaaS account altogether, but I’m glad you were able to identify conditions that made it work for you. Thanks for returning to share what worked.