New guy: 1 server, 1 tunnel, 4 domains, for some reason they must use CNAME @ -> all to the first domain root

Again, new guy, please be gentle.

I am loving this tunnel. I do not need to port forward from my gateway IP to my web server, and the local IP doesn’t even matter! I still isolate the web server from the rest of the network through separate VLAN tagging, but it feels like it is pretty safe with Cloudflare as essentially the front-end proxy.

But, I ran into an issue getting all sites up and running that is making me scratch my head.

Scenario:
I am running several test websites on 4 domains on a box.

Sites:
domain1.tld
www.domain1.tld // yeah, rewrite to the same site

domain2.tld
www.domain2.tld // rewrite to the same site
sub2.domain2.tld // these are different sites
sub3.domain2.tld // these are different sites

domain3.tld
www.domain3.tld // rewrite to the same site
sub2.domain3.tld // these are actually redirectors to 3rd party sites, like LinkedIn
sub3.domain3.tld
sub4.domain3.tld
sub5.domain3.tld

domain4.tld
www.domain4.tld // rewrite to the same site

I created a tunnel from the machine: first tunnel login, then tunnel create. I do recall that the Zero Trust page required me to select a zone, “zone” translating to: pick one of the domains I had previously provisioned for DNS. So I picked the first, domain1.tld.

Boom, tunnel created.

In that first domain’s DNS I created a CNAME: @:The_Tunnel_ID.cfargotunnel.com. Easy enough. Works fine.

From the other domains I tried doing the exact same thing, but no joy, DNS queries result in no record returned.

BUT… for the other domains I can create a CNAME @:domain1.tld (to the first domain’s root entry). And then all of the sub. entries are CNAMEs to their own domain’s root entry, as expected.

So yeah, they all work, as DNS queries simply resolve to some 172 Cloudflare address, and I locally manage the tunnel, so my local Cloudflare instance decides what to do with the request.

My question is threefold:

I have looked everywhere and I cannot find where this tunnel is somehow locked to only the first domain for DNS CNAME flattening. Where is that specified?

The second part is: can a single tunnel be used in multiple domains’ CNAMEs?

And I guess a third, is there any risk in solving it the way that I did?
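As an added example that is not part of the original post: once a request reaches the tunnel, it is the local cloudflared ingress rules that decide where it goes, keyed on the request’s hostname rather than on the zone the tunnel was created in. Below is a config.yml covering the hostnames listed above, ending with a 404 catch-all so that any hostname that merely resolves to the tunnel (for instance through the CNAME chain to domain1.tld) is not silently served the first site. The tunnel ID, credentials path and local ports are placeholders and assumptions, not values from the post.

```yaml
# Added example, not the original poster's config. Tunnel ID, credentials
# path and local service ports are assumed placeholders.
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json

ingress:
  # domain1.tld: apex and www serve the same local site
  - hostname: domain1.tld
    service: http://localhost:8081
  - hostname: www.domain1.tld
    service: http://localhost:8081

  # domain2.tld: apex/www share one site; sub2 and sub3 are separate sites
  - hostname: domain2.tld
    service: http://localhost:8082
  - hostname: www.domain2.tld
    service: http://localhost:8082
  - hostname: sub2.domain2.tld
    service: http://localhost:8092
  - hostname: sub3.domain2.tld
    service: http://localhost:8093

  # domain3.tld: apex/www share one site; sub2..sub5 go to a small
  # redirector app (assumed to live on port 8090) that bounces to 3rd parties
  - hostname: domain3.tld
    service: http://localhost:8083
  - hostname: www.domain3.tld
    service: http://localhost:8083
  - hostname: sub2.domain3.tld
    service: http://localhost:8090
  - hostname: sub3.domain3.tld
    service: http://localhost:8090
  - hostname: sub4.domain3.tld
    service: http://localhost:8090
  - hostname: sub5.domain3.tld
    service: http://localhost:8090

  # domain4.tld: apex and www serve the same local site
  - hostname: domain4.tld
    service: http://localhost:8084
  - hostname: www.domain4.tld
    service: http://localhost:8084

  # Required final rule with no hostname. Returning 404 here means a hostname
  # that resolves to the tunnel but is not listed above gets nothing, instead
  # of falling through to whichever site happens to be first.
  - service: http_status:404
```

Rules are matched top to bottom on the hostname, so each name in the DNS chain above needs its own entry here; the chain of CNAMEs only gets the request to the tunnel, it does not pick the site.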