I have a bunch of newbie questions for just domain reg and dns hosting

I am new here.  Looking for using Cloudflare for their inexpensive domain registration and maybe free level of DNS services.  I take care of small business windows networks and m365 services like email and onedrive.  Very few, if any of the domains I have / deal with have any website beyond a static home page with their contact info.

I get the impression from my ignorance that cloudflare is aimed at enterprises?  I am crawling along the bottom of their offerings - domains at their cost?  Free DNS?  At the same time, the dashboard has loads of things I don't understand.

Is there a cliff notes / common english explanations of what I can do at this low level / just pay for the domains? And / or add things that are really important and nominally priced?  And what doesn't apply for just domain registration and DNS hosting?

For example, going down the dashboard:

In the setup wizard - 
     convert from P to ps (the website isn't letting me include links... typing htt before the p and ps is my workaround?!)   I am used to setting that on the website. Not DNS.
     and when would someone like me ever use the other 9 config rules?
    The other wizard offerings - brotli compression, etc.  Are all these for when you host websites on CF?

Also on analytics (and log) page, there's no logs. Is that a paid option?

In an FAQ page, I saw something saying I have to use cloudflare's DNS servers.  I thought I saw the custom / vanity name server option, but that's a paid level.  AND 'The custom nameservers can only be created as subdomains of [this domain]'   So I can't use Microsoft's DNS servers when I register a domain with CF?  And I have been using name servers on my domain for each client's domain.  Can't do that either?

Email routing? I can use that with an MX pointing to Microsoft?

SSL / TLS - all that encryption they talk about is for websites hosted by CF?
It says there were 3 that went via TLS 1.2 and 30 that went via TLS 1.3, while 529 were not secure (the setting for this page is Flexible. That's a free level?).  I set up a static page a few days ago.  There's that much traffic going to that static page already!?

Security - WAF - ignore this? I'm not using CF for hosting.

DNSSEC - Is there a downside to enabling it?  Do some browsers / OSes not know how to decrypt?  The help page has a link to dnsviz.net. I ran it for my domain, but I'm not sure how to know if the results are good or bad?

That's just a few of the things I am wondering about.   Any advice?

Cloudflare has a lot of extra products and services. You can use it as a free Authoritative Nameserver/DNS Host, but many also use it for its free pull-CDN offering.

I’ll try to answer your questions in order.

Cloudflare has enterprise offerings, but it also has a very generous free plan that you can use, even if you are a business. It is common that you may find the free plan has enough for your needs.

Cloudflare does offer a registrar service, where you can register domains without any markup, but please note you cannot change the nameservers to anything but Cloudflare. That is, you have to use Cloudflare as your DNS Host/nameserver.

A lot of what you will see in the dashboard refers to Cloudflare’s use as a pull CDN.

When you create a DNS Record within Cloudflare, you can proxy it (:orange:). When you do so, all traffic flows through Cloudflare first:
Browser → Cloudflare → Origin Web Server (the target of your DNS Record). Cloudflare terminates the SSL/TLS connection at their edge, allowing them to do things like redirect all requests from HTTP to HTTPS, use config rules, Brotli compression, cache at Cloudflare’s edge, etc. Then, if the request is not handled by Cloudflare (cache, redirect rules, etc.), it will flow to your configured origin web server. You can get all of these benefits while still keeping your normal web server, by just turning the proxy on.

For more information on how CDNs work:
https://www.cloudflare.com/learning/cdn/what-is-a-cdn/

The logs page, for log push, is paid only. Specifically, if you are using Cloudflare Workers, and you have Cloudflare Workers Paid, you can use the Workers Trace Event dataset. For everything else, you need Enterprise. If you are using a normal origin web server, you have your own nginx logs and such as well as Cloudflare’s other analytics they offer you.

If you register a domain through Cloudflare’s registrar, you have to use Cloudflare nameservers.
Vanity nameservers let you have your own nameservers name / have your nameservers be on your own domain via glue records, but it just changes how they look, not how they operate.
You can delegate a subdomain of your domain to another nameserver via DNS NS Record as normal, but not your entire domain.

Email routing is a service Cloudflare offers to forward mail to a destination address, allowing you to have “custom” or “vanity” addresses. It doesn’t handle sending (can’t send back out), and forwarding can be a bit spotty with spam filters. It’s not used for protecting a mail server; it’s a specific service that can be used to forward mail on its own. You can use your Microsoft hosted mail as normal with any other DNS Host with just the plain old MX Records.

If your DNS record is proxied :orange:, then that changes the SSL/TLS Mode that Cloudflare uses to connect to your origin. Use Full (Strict), and have a properly configured certificate on your origin (as you most likely already do), and you’ll be set. Don’t use Flexible; it’s pseudo-SSL. Flexible allows clients to connect to Cloudflare over HTTPS, but connections to your origin go over HTTP:
Browser ← HTTPS → Cloudflare ← HTTP → Origin Web Server
The only settings you should really be using are Off or Full (Strict).

That amount of traffic isn’t that high; there are a lot of scrapers and crawlers these days. When you added your site to Cloudflare, Cloudflare issued you a Universal SSL Certificate (a cert covering *.yourdomain.com and yourdomain.com), so that it can operate as a reverse proxy and terminate SSL/TLS Connections. When new SSL/TLS Certs are issued, they go into what’s called the Certificate Transparency Log (CT Logs), which a lot of bots and crawlers will watch, and then immediately go & scan the hosts specified in the certificate.

As explained above, Cloudflare sits between your visitors and your origin while proxied, so it can scan requests and block any of them. Within the WAF Panel, you can create Firewall rules, rate limiting rules, allow & block specific IPs & User Agents, and more. There are also Managed Rulesets, but on free you only have a limited free ruleset covering common vulnerabilities, which you cannot manage.

You have to set it up at your registrar. If your registrar is Cloudflare, it’ll do it automatically for you when you turn it on.
It’s not a browser thing to support; recursive resolvers (like 1.1.1.1, 8.8.8.8) use it to verify records and prevent MITM attacks. It’s something that is nice to have on, but not really critical; a fair number of resolvers don’t verify them either. It won’t break anything if you configure it correctly. However, if you ever switch DNS Hosts/Authoritative Nameservers (move away from Cloudflare), you’ve gotta disable it, move, and then re-enable it with the new DNS Host’s DNSSEC information (if they support it).

Your dnsviz result is good if none of the records are marked “BOGUS”. If you don’t have it (DNSSEC) enabled, it’ll just show your domain as insecure.

I understand that is a lot of information, and really Cloudflare’s ecosystem is rather large at this point.
Cloudflare has a lot of resources you can use, if you have the time.

For general knowledge, Cloudflare has a learning center, some of the articles are quite helpful.
https://www.cloudflare.com/learning/
Cloudflare also has a learning path for getting started

Among other documentation

To include one tip of my own, if your sites are fully static, consider Cloudflare Pages.

Cloudflare Pages works great with static sites and its free plan has no requests/bandwidth limits. You can hook it up to a Github/Gitlab Repo or just Direct Upload, and they take care of the infrastructure and other stuff for you. That is one of Cloudflare’s hosting options. When you get a bit more familiar with Cloudflare and how it works, perhaps look into it.

If you have any specific questions or if I missed something, let me know. There are a lot of other friendly people in this community and also in Cloudflare’s Discord if you need help. Just to clarify again, you don’t need to use Cloudflare’s CDN/Proxy service, you can just have your records as DNS Only (:grey:), and Cloudflare will act as a normal DNS Host, for free, unlimited DNS queries.
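The answer above describes three settings that decide whether a proxied record is actually safe: the SSL/TLS mode (Flexible leaves the Cloudflare-to-origin hop in plain HTTP), the rule that a Cloudflare-registered domain cannot delegate its apex to other nameservers (only subdomains via NS records), and DNSSEC. The following is an added example, not Cloudflare's code or API: it models a small zone with constructed sample records (the `Record`/`Zone` classes, the `ssl_mode` names and the finding codes are this example's own naming, loosely following the dashboard labels) and prints the traffic path for each proxied record plus a list of findings, so you can see why "Full (Strict)" is the recommended mode.

```python
"""Audit a small Cloudflare-style zone configuration (added example, constructed data)."""
from dataclasses import dataclass, field

# Mode names are this example's own; they mirror the dashboard's Off / Flexible /
# Full / Full (Strict) choices but are not the Cloudflare API schema.
SSL_MODES = {"off", "flexible", "full", "full_strict"}


@dataclass
class Record:
    name: str            # "@" means the zone apex
    rtype: str           # A, AAAA, CNAME, MX, NS, TXT, ...
    value: str
    proxied: bool = False  # True = orange cloud (via Cloudflare), False = grey cloud (DNS only)


@dataclass
class Zone:
    domain: str
    registrar_is_cloudflare: bool
    ssl_mode: str
    dnssec_enabled: bool
    records: list = field(default_factory=list)


def traffic_path(record, ssl_mode):
    """Describe the hops a browser request takes for one record, as the answer sketches them."""
    if not record.proxied:
        return ["Browser -> Origin (direct; Cloudflare only answers DNS)"]
    if ssl_mode == "off":
        return ["Browser -HTTP-> Cloudflare", "Cloudflare -HTTP-> Origin"]
    if ssl_mode == "flexible":
        # Client sees a padlock, but the second hop is plaintext.
        return ["Browser -HTTPS-> Cloudflare", "Cloudflare -HTTP-> Origin"]
    if ssl_mode == "full":
        # Encrypted, but Cloudflare does not verify the origin certificate.
        return ["Browser -HTTPS-> Cloudflare", "Cloudflare -HTTPS-> Origin (cert not verified)"]
    return ["Browser -HTTPS-> Cloudflare", "Cloudflare -HTTPS-> Origin (cert verified)"]


def audit_zone(zone):
    """Return (code, message) findings for settings the answer warns about."""
    if zone.ssl_mode not in SSL_MODES:
        raise ValueError(f"unknown ssl_mode {zone.ssl_mode!r}")
    findings = []
    proxied_web = [r for r in zone.records if r.proxied and r.rtype in ("A", "AAAA", "CNAME")]

    if proxied_web and zone.ssl_mode == "flexible":
        findings.append(("FLEXIBLE_PLAINTEXT_ORIGIN",
                         "Flexible mode: Cloudflare reaches the origin over HTTP; use Full (Strict)"))
    elif proxied_web and zone.ssl_mode == "full":
        findings.append(("FULL_UNVERIFIED_ORIGIN",
                         "Full mode: origin certificate is not validated; use Full (Strict)"))

    for r in zone.records:
        # Apex delegation is blocked when Cloudflare is the registrar; subdomain NS is fine.
        if r.rtype == "NS" and r.name == "@" and zone.registrar_is_cloudflare:
            findings.append(("APEX_DELEGATION_BLOCKED",
                             f"NS {r.value} at apex: a Cloudflare-registered domain must use "
                             "Cloudflare nameservers; delegate a subdomain instead"))

    if not zone.dnssec_enabled:
        findings.append(("DNSSEC_DISABLED",
                         "DNSSEC is off; optional, but the registrar enables it in one step"))
    return findings


if __name__ == "__main__":
    # Constructed sample zone: documentation addresses, not real hosts.
    zone = Zone("example.com", registrar_is_cloudflare=True, ssl_mode="flexible",
                dnssec_enabled=False,
                records=[Record("@", "A", "192.0.2.10", proxied=True),
                         Record("@", "MX", "example-com.mail.protection.outlook.com."),
                         Record("@", "NS", "ns1.elsewhere.example."),
                         Record("client1", "NS", "ns.client1.example.")])
    for r in zone.records:
        if r.proxied:
            print(r.name, r.rtype, " | ".join(traffic_path(r, zone.ssl_mode)))
    for code, msg in audit_zone(zone):
        print(f"[{code}] {msg}")
```

Switching the sample zone to `ssl_mode="full_strict"`, dropping the apex NS record and enabling DNSSEC makes `audit_zone` return an empty list; the MX record toward Microsoft is untouched by any of this, which is the point the answer makes about mail.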
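For the DNSSEC part of the answer (validation is done by recursive resolvers such as 1.1.1.1, and dnsviz reports a problem as "BOGUS"), here is an added example of the usual command-line check, which is not from the original post or from Cloudflare: query a validating resolver with `dig +dnssec` once normally and once with `+cd` (checking disabled). A NOERROR answer carrying the `ad` flag is validated; SERVFAIL that turns into NOERROR under `+cd` is the classic bogus signature; NOERROR without `ad` means the zone is unsigned, has no DS at the parent, or the resolver does not validate. The `dig` transcripts below are constructed sample text for the example (documentation domain and address, fake signature), so it runs offline; on a real domain you would feed it the output of the two `dig` commands.

```python
"""Classify DNSSEC status from a pair of dig transcripts (added example, constructed samples)."""
import re

# Constructed sample outputs, modelled on dig's header layout; not real captures.
SECURE_DIG = """\
; <<>> DiG 9.18 <<>> @1.1.1.1 example.com A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20250101000000 20241201000000 12345 example.com. c29tZS1zaWc=
"""

BOGUS_DIG = """\
; <<>> DiG 9.18 <<>> @1.1.1.1 example.com A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

BOGUS_DIG_CD = """\
; <<>> DiG 9.18 <<>> @1.1.1.1 example.com A +dnssec +cd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
example.com.\t300\tIN\tRRSIG\tA 13 2 300 20250101000000 20241201000000 12345 example.com. c29tZS1zaWc=
"""

INSECURE_DIG = """\
; <<>> DiG 9.18 <<>> @1.1.1.1 example.com A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t300\tIN\tA\t192.0.2.10
"""

# Signed answer that the resolver did not mark "ad" (no DS at the parent, or a
# non-validating resolver): same body as SECURE_DIG, different flags.
UNVALIDATED_DIG = SECURE_DIG.replace("qr rd ra ad;", "qr rd ra;")


def parse_dig(text):
    """Pull status, header flags and RRSIG presence out of a dig transcript."""
    status_match = re.search(r"status: ([A-Z]+)", text)
    if not status_match:
        raise ValueError("no dig header found")
    flags_match = re.search(r";; flags: ([a-z ]*);", text)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    has_rrsig = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", text, re.M) is not None
    return status_match.group(1), flags, has_rrsig


def classify_dnssec(normal_output, cd_output):
    """Return 'secure', 'bogus', 'unvalidated', 'insecure' or 'error'."""
    status, flags, has_rrsig = parse_dig(normal_output)
    cd_status, _, _ = parse_dig(cd_output)
    if status == "NOERROR" and "ad" in flags:
        return "secure"          # resolver validated the chain of trust
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"           # answer exists but its signatures fail validation
    if status == "NOERROR" and has_rrsig:
        return "unvalidated"     # signed, but no DS at parent or resolver does not validate
    if status == "NOERROR":
        return "insecure"        # unsigned zone: what dnsviz shows when DNSSEC is off
    return "error"


if __name__ == "__main__":
    print("secure sample:     ", classify_dnssec(SECURE_DIG, SECURE_DIG))
    print("bogus sample:      ", classify_dnssec(BOGUS_DIG, BOGUS_DIG_CD))
    print("unvalidated sample:", classify_dnssec(UNVALIDATED_DIG, UNVALIDATED_DIG))
    print("insecure sample:   ", classify_dnssec(INSECURE_DIG, INSECURE_DIG))
```

The "bogus" branch is the one that matters when you move a domain between DNS hosts: the old DS record at the registrar keeps pointing at keys the new host does not have, and validating resolvers SERVFAIL until the DS is removed or replaced, which is exactly why the answer says to disable DNSSEC before migrating and re-enable it afterwards.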
