We have a few domains already hosted on Cloudflare DNS under the free account and some that were not yet moved onto Cloudflare. One of these domains has a subdomain hosted by a SAAS provider who includes the Cloudflare WAF as part of their solution under their account. We migrated the domain using the service provider’s Cloudflare WAF and now their config can’t verify the TXT code. Is this a limitation by design or a bug that support might be able to fix?
Just so I have this correct, you use a SAAS application with a vanity domain like saas.example.com which is a CNAME for example.customers.saasprovider.com. At some point, your SaaS provider asked you to create a TXT record in your DNS for saas.example.com with a random string like ca3-1234567890abcdef. Everything has worked fine so far, and your SaaS provider has a certificate on their Cloudflare account for saas.example.com, and is using the SSL for SaaS product from Cloudflare.
You now want to add the entire domain example.com to Cloudflare.
I don’t understand what you mean by:
Can you explain?
There should be no issue with you having a free account for your domain, while having a CNAME to an SSL for SaaS provider for one or more of your subdomains.
Sorry, my sentences didn’t come out right on that one.
I’m not sure yet what product the SAAS provider is using, but maybe it’s easier to describe with a comparison of before/after:
Before:
- example.com DNS hosted on 3rd party - verify txt record in example.com DNS on 3rd party
- saas.example.com running through Cloudflare WAF - not configured by us so we have no visibility
Now:
- example.com DNS hosted in Cloudflare on our account, separate from any config SAAS provider has done - verify record in DNS on Cloudflare
- saas provider says their config says our site is moved, wants us to verify the txt record exists.
- dnschecker.org query shows that the txt record is resolving globally with the correct value
For anyone who comes across this, working with the saas vendor, we found the solution.
This vendor ended up standing up a separate account using the standard plan offerings, instead of the SAAS offerings. This caused a conflict when we moved our DNS into Cloudflare that we couldn’t have the same TLD in two different accounts.
We merged the configuration into a single account to solve the issue.