Browsed the forums - This post seems to be very relevant (but doesn’t fully allay my concerns about timelines).
Spoke with: WPEngine (new host), current Registrar “Network Solutions” (I can’t change this at this time, managed by parent non-profit), and Cloudflare briefly (they directed me to project Galileo, to which we applied, but we’d like to move fast and assume the free plan would work for us in the interim).
Main Question (but I’m open to not knowing exactly what to ask):
It seems that there are two comments by @sdayman that fill my mind with questions about timelines and the best way forward.
First, this comment seems to suggest I could just set up a free account at Cloudflare, place the records I pull from a site like this for our domain, and everything just starts working (without downtime!)? Even though there’s another account purporting to direct these records?
How much of the above is true?
I’m assuming we’d at least have to update the Nameservers at our Registrar (if they changed; e.g. XXX.NS.CLOUDFLARE.com)
What am I missing here?
Second, this post seems to suggest that I should perhaps just restore the DNS to the Registrar (something they indicated might take 24-48 hours). Am I understanding this correctly? (Or, if not, what would I need to look into to learn more?)
At any rate, appreciate your willingness to read this long post. Hopefully it’s descriptive of what I’m trying to achieve and has enough details to help me understand the best next steps.
To start with, have you tried using the forgot email tool, entering the domain and seeing if your email logs show anything coming to an address controlled by the org? That would be the easiest way to regain access to the account and get everything sorted. You could then still move to the new account but could easily export the DNS records or just stick with it where it currently is. dash.cloudflare.com/forgot-email
If that doesn’t work and you cannot regain access then you can open a new account, yes. The main issue you would run into here is making sure that every DNS record is present in the new account to avoid any unforeseen issues.
In principle, yes this would work as described as long as the records are all correct. You set up the domain in your account, go to the registrar and switch the nameservers and your account then controls that domain.
This was because the Registrar in question hid the required DNS records once the nameservers were changed and is not usually necessary.
Hopefully that helps a bit, what you are trying to achieve is definitely possible and should not be too difficult, the issue you may run into is getting all the DNS records correct. Cloudflare will attempt to scan for common records but may end up missing some or importing the wrong IPs if the domain is proxied in its current account. As you’re changing hosting at the same time this should not be a big issue (as a lot of the records would probably change anyway), you just need to be aware of any other services (like the email) being used on that domain and ensure their records are added and correct to avoid downtime.
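The reply above stresses that the risk in moving to a new account is a record that is missing or wrong in the new zone. The following script is an added example, not code from the thread or from Cloudflare: it parses two record lists in a simple "name TYPE value" format (the old lookup and the new zone), and reports records that are missing, records whose values changed, and changes that were expected (the website A record after a host move). All names, IPs and hostnames are constructed placeholders.

```python
"""Added example (not from the thread): compare the DNS records exported
from the old zone with the records in the newly created zone and report
anything missing or changed.  Record lines are constructed sample data
in a simple "name TYPE value" format; the names, IPs and hosts below
are placeholders."""

from collections import defaultdict

# Constructed sample: what a DNS lookup site showed for the old zone.
OLD_ZONE = """
example.org        A     203.0.113.10
www.example.org    CNAME example.org
example.org        MX    0 example-org.mail.protection.outlook.com
example.org        TXT   "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"
autodiscover.example.org CNAME autodiscover.outlook.com
_sip._tls.example.org SRV 100 1 443 sipdir.online.lync.com
"""

# Constructed sample: what the new zone contains after the automatic scan
# plus hand-added records.  The web host changed, so the A record is
# expected to differ; the SRV record and the sendgrid include were lost.
NEW_ZONE = """
example.org        A     198.51.100.7
www.example.org    CNAME example.org
example.org        MX    0 example-org.mail.protection.outlook.com
example.org        TXT   "v=spf1 include:spf.protection.outlook.com -all"
autodiscover.example.org CNAME autodiscover.outlook.com
"""


def parse_zone(text):
    """Return {(name, type): set(values)} from 'name TYPE value' lines."""
    records = defaultdict(set)
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        # DNS names and types are case-insensitive; normalise so that
        # "WWW.Example.org" and "www.example.org" compare equal.
        records[(name.lower().rstrip("."), rtype.upper())].add(value.strip())
    return records


def diff_zones(old_text, new_text, expected_to_change=()):
    """Compare two zones.  Returns a dict with four lists of (name, type):
    'missing'  - present in old but absent from new,
    'changed'  - present in both with different values,
    'expected' - changed, but listed in expected_to_change,
    'ok'       - identical in both."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    expected = {(n.lower(), t.upper()) for n, t in expected_to_change}
    result = {"missing": [], "changed": [], "expected": [], "ok": []}
    for key in sorted(old):
        if key not in new:
            result["missing"].append(key)
        elif old[key] != new[key]:
            bucket = "expected" if key in expected else "changed"
            result[bucket].append(key)
        else:
            result["ok"].append(key)
    return result


if __name__ == "__main__":
    report = diff_zones(OLD_ZONE, NEW_ZONE,
                        expected_to_change=[("example.org", "A")])
    for bucket, keys in report.items():
        for name, rtype in keys:
            print(f"{bucket:9s} {rtype:6s} {name}")
```

Run it before switching the nameservers: anything under "missing" or "changed" is a record to add or correct in the new zone, while "expected" entries (here only the website A record) are the deliberate changes that come with the new host.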
Thanks so much for your response. We did first check using the forget email tool and nothing showed up there (I think this was set up a while ago, possibly by a 3rd party, and there’s been lots of staff changes in that time).
The only things I’m aware of are the Site itself and MX records for an office365 outlook account for email. When I pull from a DNS search site like this I get basically the following:
This more or less matches my mental model of the things we’d need in there for the site and the email to remain consistent. To your point about the “records being correct” – is there any reason to believe that they wouldn’t be (given the output above – would anything be obviously missing) or that it wouldn’t be quickly amended (it seems Cloudflare provides most of that info, and I believe I can work with someone on my end to get the MX records from our office365 account (seemingly here or here).
On the 2nd post (about restoring to the registrar), am I understanding correctly that there’s likely no downtime at all in my case to “restore”? I will note that the registrar has “greyed out” our ability to see and/or edit the “advanced” dns records (e.g. A, CNAME), but we do see the XXX.CLOUDFLARE.NET DNS records and appear to be able to change them.
At any rate, thanks very much for your answers! If I’m misunderstanding something still please do let me know!
Only if there were any subdomains in use, if it is just a simple setup with a single website and email then it should just be an easy transfer. Be aware that O365 may have some CNAMEs and other records on subdomains but, as you said, those will all be listed there and should be simple to add.
Are these in the form domain.tld.cdn.cloudflare.net or do you just have the two name.ns.cloudflare.com nameservers?
I’m not aware of any subdomains (though as I randomly checked a couple just now it appears whoever managed this in the past used a *.site.com to I guess test out other clients’ sites, and it’s live – so we won’t be needing that record and probably don’t have any subdomains). Should be a basic Wordpress site with separate email at Office365.
What I can see via the NetworkSolutions registrar is basically:
And then under “Advanced DNS Records” I have a greyed out “Manage” button, beneath which it reads:
“Edits on A(4), CNAME(6), MX(1), SRV(2), TXT(2)”
Not all of that matches up with my chart below, but if Office365 has a number of CNAME changes that might be fine? I still don’t fully understand why we can’t see all the records from the Registrar itself. Anything concerning or jumping out at you with the Nameserver format or the number of edits on “advanced DNS”?
I did get access to the records regarding Office365. There are 5 CNAME records (related to outlook, lync, and other MS things); some SRV records (_sip and _sipfederationtls); along with a TXT record that differs in the MS portal from what I pulled from the site checker (which had “include:sendgrid.net” included in the TXT record (v=spf1 …)). Is sendgrid something I need to be concerned about? It’s not something I’ve used before.
Going through the Cloudflare setup seems pretty easy. I’m assuming it’s alright to use the proxy setup (even for MX and MSOffice) to change the main DNS nameservers on the registrar to the updated Cloudflare ones, right? Does this generally just ensure things work while propagating?
I’m not sure how familiar you are with this so I’ll explain it from scratch but apologies if I’m stating the obvious here and you already know how this works. This is SPF which defines what providers/servers are allowed to send email for the domain. If a provider tries to send email from your domain and is not on that list, it may be rejected or put into spam depending on the policy. This means that if it’s possible that Sendgrid is used anywhere to send mail (automated emails, newsletters or something perhaps?) then they need to be included in that record. Microsoft will just show you the record they need but I would recommend sticking with the one currently showing on the lookup if you’re unsure as it could cause issues with outbound email.
Good question, you should only use the proxy for web traffic so anything like email or some other service should be DNS only, including those MSOffice records. It’s probably safest to set anything that’s not the website itself to DNS only to begin with at least.
Once that’s all done, I would recommend checking your SSL/TLS configuration as that’s the other thing that could cause an issue, do you know what certificate you have on the server? Hopefully it’s a publicly valid cert like Let’s Encrypt or something your host provides, in which case make sure your SSL/TLS mode on Cloudflare is Full (Strict) and you should be good to go. If there is no certificate then hopefully your host lets you install one and you can use a Cloudflare Origin Certificate. https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
If you don’t want to deal with this potential issue at the moment then you could just set all the records to DNS only so they only use Cloudflare for DNS and rely on the server’s SSL setup. Then once you’ve changed the nameservers and made sure everything is working enable the proxy on the website again. This may be the safest option to avoid any possible downtime.
Sorry for all the information thrown at you here, trying to cover all the possible edge cases that could cause issues before you make the switch.
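The reply above makes two points worth checking mechanically before the switch: the SPF record currently in DNS may authorise a sender (sendgrid) that the mail portal's suggested record silently drops, and only the website's own records should be proxied while mail and other service records stay DNS only. The script below is an added example, not code from the thread or from Cloudflare or Microsoft. It parses SPF terms, lists the senders that would lose authorisation if the portal's record replaced the current one, and assigns a proxied or DNS-only status to each record; the SPF strings, hostnames and the `WEB_HOSTS` set are constructed placeholders for example.org.

```python
"""Added example (not from the thread): two pre-migration checks.
1. Parse the SPF TXT record and compare the one currently published
   with the one a provider portal suggests, so that a sender (here the
   sendgrid include) is not dropped silently.
2. Decide per record whether it should be proxied or DNS only: only the
   website's own A/AAAA/CNAME records are proxied, everything for mail
   or other services stays DNS only.
All record values are constructed sample data; example.org is a
placeholder domain."""

# Constructed sample: SPF currently in DNS vs. what the mail portal shows.
CURRENT_SPF = "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"
PORTAL_SPF = "v=spf1 include:spf.protection.outlook.com -all"


def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    Raises ValueError if the record does not start with 'v=spf1'."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # e.g. include:sendgrid.net
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def authorized_senders(txt):
    """Return the mechanisms the record permits to send, i.e. every term
    with a '+' (pass) qualifier other than the trailing 'all'."""
    return {f"{m}:{a}" if a else m
            for q, m, a in parse_spf(txt) if q == "+" and m != "all"}


def senders_dropped(current_txt, proposed_txt):
    """Senders allowed by the current record but not by the proposed one."""
    return authorized_senders(current_txt) - authorized_senders(proposed_txt)


# Hostnames that belong to the website and may sit behind the proxy
# (constructed for the example; the real list depends on the site).
WEB_HOSTS = {"example.org", "www.example.org"}


def proxy_recommendation(name, rtype):
    """'proxied' for the site's own A/AAAA/CNAME records, 'dns only' for
    everything else (MX, SRV, TXT, and any mail/service CNAMEs)."""
    if rtype.upper() in {"A", "AAAA", "CNAME"} and name.lower() in WEB_HOSTS:
        return "proxied"
    return "dns only"


def plan(records):
    """Annotate (name, type) pairs with the recommended proxy status."""
    return [(n, t, proxy_recommendation(n, t)) for n, t in records]


if __name__ == "__main__":
    print("senders lost if portal record is used:",
          senders_dropped(CURRENT_SPF, PORTAL_SPF))
    sample = [("example.org", "A"), ("www.example.org", "CNAME"),
              ("example.org", "MX"), ("autodiscover.example.org", "CNAME"),
              ("_sip._tls.example.org", "SRV"), ("example.org", "TXT")]
    for name, rtype, status in plan(sample):
        print(f"{status:8s} {rtype:5s} {name}")
```

On the sample data the SPF comparison reports `include:sendgrid.net` as the only sender that would lose authorisation, which is exactly the case to resolve with whoever owns the domain's mail before adopting the portal's record. The proxy plan marks only the two website hostnames as proxied and leaves the Office 365 CNAME, SRV, MX and TXT records DNS only.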