Newbie here! Proxy’ed records break 1 of several sites

Noob here with noob questions about name servers / using Cloudflare for name server services.

I didn’t think much about DNS / name servers other than response time to inquiries and that the name servers will be up.

Didn’t realize / don’t understand all the things that cloudflare includes. On their home page they list loads of things under products.

But then pricing has free, pro, business, enterprise.

All the products are in at least some of those 4 levels? Or are (some of) the products on the home page the add ons?

How many domains can you have under the free and pro levels? (is that anywhere that I didn’t see?).

Is there a simple page that explains the different features? Like even at the free level - what does global contact delivery network mean?

and DDoS attack mitigation - if loads of requests come in for your domain, it slows down the response? Does that have to be configured? Seems they’d know better than me how to set things up.

And with Pro - lossless image optimization? Mobile optimization? Cache analytics? All those relate to DNS name server tasks?

THANKS!

Hi @feetsdr,

You can see a comparison of features by plan on this page, if you click on ‘Compare all plans and features’.

There are some products that you pay separately for or are billed based on usage, but most of the core features are included on the plans.

The pricing is per domain, so you can have as many domains on the free plan as you want, but you would pay $20/month for each domain you wanted to upgrade to the pro plan, for example. If you are looking at the Enterprise level, you may get discounts based on how many domains you add, but would need to discuss this with sales.

You can just use Cloudflare for DNS on the free plan if you don’t want any of the additional features. When your DNS records are scanned and imported, you will see an icon to the right of most of them. :orange: means it is ‘proxied’ and therefore Cloudflare’s features are enabled. :grey: means ‘DNS Only’ so Cloudflare will provide your DNS, but not enable the other features. If you set them all to :grey: you will just be using Cloudflare as your DNS provider.

As for the other features you specifically mentioned, if you have your DNS records set to :orange::

Cloudflare have a network of datacentres in over 200 cities around the world. By default, when a static resource (such as an image) is requested on your site, they will keep a copy in the datacentre to speed up the response for the next time someone requests it. If your site is low traffic, this may be dropped quickly, but it can help speed up your site a lot.
More info at: https://www.cloudflare.com/learning/cdn/what-is-a-cdn/

You can configure basic things like the security level of your site and Cloudflare will challenge/block what it thinks to be malicious traffic. If you are under attack, you can also enable settings to help mitigate it. You can also build custom firewall rules and on paid plans (Pro, Business or Enterprise), you get a Web Application Firewall with a large number of already created rules.

These are all settings that can help speed up your site by optimising images etc.

No, if you just want DNS, set your records to :grey: - these are additional features that Cloudflare offer if you set them to :orange:.

I hope that helps, please just let us know if you have any further questions!

I am new here. Looking for using Cloudflare for their inexpensive domain registration and maybe free level of DNS services. I take care of small business windows networks and m365 services like email and onedrive. Very few, if any of the domains I have / deal with have any website beyond a static home page with their contact info.

I get the impression from my ignorance that cloudflare is aimed at enterprises? I am crawling along the bottom of their offerings - domains at their cost? Free DNS? At the same time, the dashboard has loads of things I don’t understand.

Is there a cliff notes / common english explanations of what I can do at this low level / just pay for the domains? And / or add things that are really important and nominally priced? And what doesn’t apply for just domain registration and DNS hosting?

For example, going down the dashboard:

In the setup wizard -
convert from P to ps (the website isn’t letting me include links… typing htt before the p and ps is my work around?!) I am used to setting that on the website. Not DNS.
and when would someone like me ever use the other 9 config rules?
The other wizard offerings - brotli compression, etc. Are all these for when you host websites on CF?

Also on analytics (and log) page, there’s no logs. Is that a paid option?

In an FAQ page, I saw something saying I have to use cloudflare’s DNS servers. I thought I saw the custom / vanity name server option, but that’s a paid level. AND ‘The custom nameservers can only be created as subdomains of [this domain]’ So I can’t use Microsoft’s DNS servers when I register a domain with CF? And I have been using name servers on my domain for each client’s domain. Can’t do that either?

Email routing? I can use that with an MX pointing to Microsoft?

SSL / TLS - all that encryption they talk about is for websites hosted by CF?
It says there were 3 that went via TLS 1.2 and 30 that went via TLS 1.3, while 529 were not secure (the setting for this page is Flexible; that’s a free level?). I set up a static page a few days ago. There’s that much traffic going to that static page already!?

Security - WAF - ignore this? I’m not using CF for hosting.

DNSSEC - Is there a downside to enabling it? Do some browsers / OS not know how to decrypt? The help page has a link to dnsviz.net, I ran it for my domain, but not sure how to know if the results are good or bad?

That’s just a few of the things I am wondering about. Any advice?

Cloudflare has a lot of extra products and services. You can use it as a free Authoritative Nameserver/DNS Host, but many also use it for its free pull-CDN offering.

I’ll try to answer your questions in order.

Cloudflare has enterprise offerings, but it also has a very generous free plan that you can use, even if you are a business. It is common that you may find the free plan has enough for your needs.

Cloudflare does offer a registrar service, where you can register domains without any markup, but please note you cannot change the nameservers to anything but Cloudflare. That is, you have to use Cloudflare as your DNS Host/nameserver.

A lot of what you will see in the dashboard refers to Cloudflare’s use as a pull CDN.

When you create a DNS Record within Cloudflare, you can proxy it (:orange:). When you do so, all traffic flows through Cloudflare first:
Browser → Cloudflare → Origin Web Server (the target of your DNS Record). Cloudflare terminates the SSL/TLS connection at their edge, allowing them to do things like redirect all requests from HTTP to HTTPS, use config rules, Brotli compression, cache at Cloudflare’s edge, etc. Then if the request is not handled by Cloudflare (cache, redirect rules, etc.), it will flow to your configured origin web server. You can get all of these benefits while still keeping your normal web server, by just turning the proxy on.

For more information on how CDN’s work:
https://www.cloudflare.com/learning/cdn/what-is-a-cdn/

The logs page, for log push, is paid only. Specifically, if you are using Cloudflare Workers, and you have Cloudflare Workers Paid, you can use the Workers Trace Event dataset. For everything else, you need Enterprise. If you are using a normal origin web server, you have your own nginx logs and such as well as Cloudflare’s other analytics they offer you.

If you register a domain through Cloudflare’s registrar, you have to use Cloudflare nameservers.
Vanity nameservers let you have your own nameserver names / have your nameservers be on your own domain via glue records, but it just changes how they look, not how they operate.
You can delegate a subdomain of your domain to another nameserver via DNS NS Record as normal, but not your entire domain.

Email routing is a service Cloudflare offers to forward mail to a destination address, allowing you to have “custom” or “vanity” addresses. It doesn’t handle sending (can’t send back out), and forwarding can be a bit spotty with spam filters. It’s not used for protecting a mail server, it’s a specific service that can be used to forward mail on its own. You can use your Microsoft hosted mail as normal with any other DNS Host with just the plain old MX Records.

If your DNS record is proxied (:orange:), then that changes the SSL/TLS Mode that Cloudflare uses to connect to your origin. Use Full (Strict), and have a properly configured certificate on your origin (as you most likely already do), and you’ll be set. Don’t use Flexible; it’s pseudo-SSL. Flexible allows clients to connect to Cloudflare over HTTPS, but connects to your origin over HTTP:
Browser ← HTTPS → Cloudflare ← HTTP → Origin Web Server
The only settings you should really be using are Off or Full (Strict).

That amount of traffic isn’t that high, there are a lot of scrapers and crawlers these days. When you added your site to Cloudflare, Cloudflare issued you a Universal SSL Certificate (a cert covering *.yourdomain.com and yourdomain.com), so that it can operate as a reverse proxy and terminate SSL/TLS Connections. When new SSL/TLS Certs are issued, they go into what’s called the Certificate Transparency Log (CT Logs), which a lot of bots and crawlers will watch, and then immediately go & scan the hosts specified in the certificate.

As explained above, Cloudflare sits between your visitors and your origin while proxied, so it can scan requests and block any. Within the WAF Panel, you can create Firewall rules, rate limiting rules, allow & block specific IPs & User Agents, and more. There are also Managed Rulesets, but on free you only have a limited free ruleset covering common vulnerabilities, that you cannot manage.

You have to set it up at your registrar. If your registrar is Cloudflare, it’ll do it automatically for you when you turn it on.
It’s not a browser thing to support; recursive resolvers (like 1.1.1.1, 8.8.8.8) use it to verify records and prevent MITM attacks. It’s something that is nice to have on, but not really critical; a fair number of resolvers don’t verify them either. It won’t break anything if you configure it correctly. However, if you ever switch DNS Hosts/Authoritative Nameservers (move away from Cloudflare), you’ve gotta disable it, move, and then re-enable it with the new DNS Host’s DNSSEC information (if they support it).

Your dnsviz result is good if none of the records are marked “BOGUS”. If you don’t have it (DNSSEC) enabled, it’ll just show your domain as insecure.

I understand that is a lot of information, and really Cloudflare’s ecosystem is rather large at this point.
Cloudflare has a lot of resources you can use, if you have the time.

For general knowledge, Cloudflare has a learning center, some of the articles are quite helpful.
https://www.cloudflare.com/learning/
Cloudflare also has a learning path for getting started

Among other documentation

To include one tip of my own, if your sites are fully static, consider Cloudflare Pages.

Cloudflare Pages works great with static sites and its free plan has no requests/bandwidth limits. You can hook it up to a Github/Gitlab Repo or just Direct Upload, and they take care of the infrastructure and other stuff for you. That is one of Cloudflare’s hosting options. When you get a bit more familiar with Cloudflare and how it works, perhaps look into it.

If you have any specific questions or if I missed something, let me know. There are a lot of other friendly people in this community and also in Cloudflare’s Discord if you need help. Just to clarify again, you don’t need to use Cloudflare’s CDN/Proxy service, you can just have your records as DNS Only (:grey:), and Cloudflare will act as a normal DNS Host, for free, unlimited DNS queries.

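The reply above says to run Full (Strict) and to have a properly configured certificate on the origin. The following script is an added example (not from the original thread and not a Cloudflare tool) that checks exactly that prerequisite: it bypasses the proxy, connects straight to the origin address with the site hostname as SNI, and validates the certificate the way a strict client would. The hostname `www.example.com` and the origin address `203.0.113.10` are placeholders you replace with your own.

```python
"""Origin readiness check for Cloudflare's Full (Strict) SSL/TLS mode.

Full (Strict) only works if the certificate on your origin web server is
trusted by a public CA and matches the hostname; otherwise the
Cloudflare -> origin leg cannot be completed.  This script bypasses the proxy
and connects straight to the origin IP with the site hostname as SNI, then
does the same validation a strict client would.  Added illustration; the
hostname, origin IP and port are assumptions you replace.
"""
import socket
import ssl
from datetime import datetime, timezone


def classify_failure(exc: BaseException) -> str:
    """Translate a failed connection into what it means for Full (Strict)."""
    # SSLCertVerificationError is a subclass of SSLError, so test it first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "origin certificate failed validation: Full (Strict) would break"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: origin may not be serving TLS on this port"
    if isinstance(exc, ConnectionRefusedError):
        return "origin refused the connection: nothing is listening on this port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "origin did not answer: host down or firewalled"
    return f"unexpected error: {exc!r}"


def verify_origin_cert(hostname: str, origin_ip: str, port: int = 443,
                       timeout: float = 5.0) -> dict:
    """Connect to origin_ip directly, present `hostname` via SNI and validate.

    Returns {"ok": True, ...certificate details...} when a strict client would
    accept the certificate, or {"ok": False, "reason": ...} otherwise.
    """
    ctx = ssl.create_default_context()   # system trust store + hostname check
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except Exception as exc:   # any failure means Full (Strict) is not ready
        return {"ok": False, "reason": classify_failure(exc)}

    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    days_left = (expires - datetime.now(timezone.utc)).days
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "ok": True,
        "tls_version": version,
        "issuer": dict(pair[0] for pair in cert["issuer"]).get("organizationName"),
        "san": san,
        "days_left": days_left,
        # a certificate close to expiry will soon start failing Full (Strict)
        "renew_soon": days_left < 14,
    }


if __name__ == "__main__":
    # Assumed placeholder values: use your hostname and your origin's real
    # address (not the Cloudflare-proxied address the public sees).
    print(verify_origin_cert("www.example.com", "203.0.113.10"))
```

A result with `"ok": False` and a certificate-validation reason is the signal that switching to Full (Strict) would take the site down; the fix is on the origin (install a trusted certificate that covers the hostname), not a fallback to Flexible.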
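The DNSSEC part of the reply above gives two practical signals: validating resolvers such as 1.1.1.1 and 8.8.8.8 verify the chain, and a dnsviz result is good unless something is marked BOGUS. The script below is an added example (not from the thread) that reads those same signals out of `dig` output: whether the parent publishes a DS record, whether the resolver set the AD (authenticated data) flag, and whether it answered SERVFAIL, which is how a validating resolver reports a broken chain such as a stale DS left behind after moving DNS hosts. The sample `dig` outputs are constructed for illustration; `example.com` and the digest values are placeholders, and running `dig` live is optional.

```python
"""Judge a zone's DNSSEC state from what a validating resolver returns.

Two signals matter: the parent zone must publish a DS record for the domain,
and a validating resolver sets the AD flag on answers it could verify.  A
broken chain makes such a resolver answer SERVFAIL instead of returning bad
data.  The parser works on captured `dig` output; the samples at the bottom
are constructed, not captured from a real zone.
"""
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class DnssecStatus:
    status: str                 # rcode of the A query: NOERROR, SERVFAIL, ...
    authenticated: bool         # AD flag set on the A query
    ds_records: list = field(default_factory=list)   # DS RRs seen at the parent

    def verdict(self) -> str:
        if self.status == "SERVFAIL":
            return "BOGUS: validating resolver rejects the zone; DS and DNSKEY disagree"
        if self.ds_records and self.authenticated:
            return "SECURE: DS published and chain validated"
        if self.ds_records:
            return "UNVERIFIED: DS published but this resolver did not validate"
        return "INSECURE: no DS at the parent, DNSSEC is not enabled"


def parse_status(dig_output: str) -> str:
    m = re.search(r"status: (\w+)", dig_output)
    return m.group(1) if m else "UNKNOWN"


def parse_flags(dig_output: str) -> set:
    m = re.search(r"flags: ([a-z ]+);", dig_output)
    return set(m.group(1).split()) if m else set()


def parse_ds(dig_output: str) -> list:
    # answer line shape: "example.com.  3600  IN  DS  <keytag> <alg> <digesttype> <digest>"
    return re.findall(r"^\S+\s+\d+\s+IN\s+DS\s+(.+?)\s*$", dig_output, re.MULTILINE)


def assess(ds_output: str, a_output: str) -> DnssecStatus:
    """Combine a DS query (is it published?) with an A query (was it validated?)."""
    return DnssecStatus(status=parse_status(a_output),
                        authenticated="ad" in parse_flags(a_output),
                        ds_records=parse_ds(ds_output))


def dig(domain: str, rtype: str, resolver: str = "1.1.1.1") -> str:
    """Run dig against a validating resolver (needs dig installed and network)."""
    cmd = ["dig", f"@{resolver}", "+dnssec", domain, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def assess_live(domain: str, resolver: str = "1.1.1.1") -> DnssecStatus:
    return assess(dig(domain, "DS", resolver), dig(domain, "A", resolver))


# Constructed samples, trimmed to the lines the parser reads.
SAMPLE_DS_PRESENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com.\t3600\tIN\tDS\t2371 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
SAMPLE_DS_ABSENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
"""
SAMPLE_A_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com.\t300\tIN\tA\t203.0.113.10
"""
SAMPLE_A_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.\t300\tIN\tA\t203.0.113.10
"""
SAMPLE_A_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, ds, a in [("secure", SAMPLE_DS_PRESENT, SAMPLE_A_VALIDATED),
                         ("insecure", SAMPLE_DS_ABSENT, SAMPLE_A_UNSIGNED),
                         ("bogus", SAMPLE_DS_PRESENT, SAMPLE_A_SERVFAIL)]:
        print(f"{label}: {assess(ds, a).verdict()}")
```

The BOGUS case is the one to watch for during a nameserver move: until the old DS is removed at the registrar, every validating resolver will SERVFAIL the whole zone even though the new host is answering correctly.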

Newbie here.

Moving several domains from different nameservers and have registrar transfers in the works if that matters.

With 1 domain, several days after changing nameservers to CF, I noticed that the autodiscover cname record isn’t working (it points to m365 - he uses m365 for email)

I found out that CF won’t proxy a non CF administered domain like outlook com. Turned off proxy on that record

(A bit disappointed that CF doesn’t warn you or just skip proxying but instead just doesn’t resolve it?! Am I mistaken?)

Now I see the website is down. Checking dns, the (cached) a record for domain com resolves to Cloudflare servers. Same for www cname.

I turn off proxy on those records, dns resolves to the web server.

Any idea why proxy isn’t working?

Is there any CF system to check / alert you of dns / caching not working as intended?

Either ‘cause I didn’t know proxy doesn’t work for domains like outlook com or even the same domain?

Thanks
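The post above asks whether there is a way to check that records are proxied or DNS-only as intended. Seen from the outside, a proxied record never resolves to the origin: the public answer is a Cloudflare edge address, exactly what the poster saw when the cached A record resolved to Cloudflare servers. That makes a self-check simple: write down the intended state of each record and compare it with what public DNS returns. The script below is an added example (not a Cloudflare feature) that does this. The hostnames and addresses in it are constructed placeholders, and the CIDR list is a snapshot of Cloudflare's published IPv4 ranges; refresh it from https://www.cloudflare.com/ips-v4 before relying on it.

```python
"""Audit which hostnames are actually proxied by comparing public DNS answers
against the intended state of each record.

A proxied record resolves to Cloudflare IP space; a DNS-only record resolves
to the real target.  Comparing that observation against intent catches both
surprises from the post above: a record meant to stay DNS-only (autodiscover
pointing at a third-party mail service) that is still proxied, and a site
record that does not show the state you expected.  Added illustration; names
and addresses are constructed, and the CIDR list is a snapshot of the list
published at https://www.cloudflare.com/ips-v4.
"""
import ipaddress
import socket
import urllib.request

CLOUDFLARE_IPV4_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]


def load_ranges(cidrs=CLOUDFLARE_IPV4_SNAPSHOT):
    return [ipaddress.ip_network(c) for c in cidrs]


def fetch_current_ranges():
    """Optional: pull the live list instead of the snapshot (network required)."""
    with urllib.request.urlopen("https://www.cloudflare.com/ips-v4", timeout=10) as r:
        return load_ranges(r.read().decode().split())


def is_cloudflare_ip(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def observed_state(addresses, ranges):
    """'proxied' if every answer is Cloudflare space, 'dns-only' if none, else 'mixed'."""
    if not addresses:
        return "unresolved"
    hits = [is_cloudflare_ip(a, ranges) for a in addresses]
    if all(hits):
        return "proxied"
    if not any(hits):
        return "dns-only"
    return "mixed"


def audit(intent, observed, ranges):
    """intent: {name: True if it should be proxied}; observed: {name: [ipv4, ...]}.

    Returns one finding per name whose public state differs from the intent.
    """
    findings = []
    for name, want_proxy in intent.items():
        answers = observed.get(name, [])
        state = observed_state(answers, ranges)
        expected = "proxied" if want_proxy else "dns-only"
        if state != expected:
            findings.append(f"{name}: expected {expected}, observed {state} "
                            f"({', '.join(answers) or 'no answer'})")
    return findings


def resolve_ipv4(name):
    """Live lookup through the system resolver (optional; needs network)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed sample modelled on the post: autodiscover must stay DNS-only
# (it targets Microsoft 365), the site records are meant to be proxied.
INTENT = {
    "example.com": True,
    "www.example.com": True,
    "autodiscover.example.com": False,
}
OBSERVED = {
    "example.com": ["104.16.1.1", "104.16.2.1"],    # Cloudflare edge: proxied
    "www.example.com": ["203.0.113.10"],            # origin answered directly
    "autodiscover.example.com": ["104.16.3.1"],     # still proxied: mismatch
}

if __name__ == "__main__":
    ranges = load_ranges()
    for line in audit(INTENT, OBSERVED, ranges) or ["no mismatches"]:
        print(line)
```

To run it against real zones, replace `OBSERVED` with `{name: resolve_ipv4(name) for name in INTENT}` and use `fetch_current_ranges()` instead of the snapshot; querying from outside your own network (or through a public resolver) avoids being fooled by local cache.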

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.