Subdelegation of DNS A records



Question: our non-profit ( has multiple web sites on multiple subdomains running on different servers. For a new separate web site we are creating, we have an ‘A’ record that identifies the new subdomain and it points to the server where the new web site is (currently under construction).

With respect to Cloudflare, is it possible to use Cloudflare’s DNS and CDN services by pointing just the ‘A’ record for this new subdomain at the Cloudflare name server (I believe that this is referred to as subdelegation) and then in the configuration panel pointing Cloudflare at the website’s server ip address (I assume that there is such an option)?

OR must we turn over complete control of all our DNS for the domain name to Cloudflare?

Thanks in advance, Jim


Yes you can use sub-zones.

Create a new NS record:
your-sub. -> DNS name for your name server
(let’s call it nameserver.)

Create a new A record:
nameserver. -> your name server’s IP.

I may be wrong, but you’ll lose all advantages of CloudFlare, as they are simply forwarding your request to your own NS which provides the origin IP of your-sub.


Hi Mark, Thanks for the response but I’m not sure I follow.

When you say “create a new NS record” I assume that you mean create it on our existing (Not Cloudflare) DNS server. Is that correct?

You then say to create an ‘A’ record. Again I assume that you mean create it on our existing (Not Cloudflare) DNS server. Is that correct? If so, our DNS person has already done this and that ‘A’ record currently points to the IP address of our website server.

On the Cloudflare DNS tab, the corresponding ‘A’ record shows up, as do a number of other ‘A’ records. My questions are:

  1. Is it sufficient to have our existing nameserver point the ‘A’ record at the Cloudflare nameserver(s) that have been assigned to our account?

  2. Can we then within Cloudflare point Cloudflare to the IP address of our website’s server?

We are also getting an MX record not found error and a message that says email won’t go through - but we don’t want Cloudflare to have anything to do with our email. We really want the CDN service at this time for just one of our websites- which has nothing to do with our email system since that is managed separately by Google Apps.

I’ve opened a support ticket on this but do not yet have an answer.

I was hoping that someone here had experience with this particular sort of scenario.


No. I mean here @ CloudFlare. To delegate a sub-zone you first need to add a NameServer record:

Then CF needs to know the IP of your private name server:

The sub domain (sub zone) will be delegated to your private name server and is totally under control of this server(s). Adding any other records for your sub domain here at Cloudflare is useless since all DNS requests for it will be forwarded to your “external” name server. You must add the desired records there: A, MX, CNAME and so on.

As all DNS requests for will be answered by your private DNS with the origin IP Address, Cloud Flare can’t proxy it.

Short hint regarding MX records:
Don’t use CNAMEs on the “root” level. Name servers may ignore MX records if there is a CNAME set. -> CNAME
would be ok -> CNAME
might not be ok and MX records for your-sub may be ignored.

Adding NS Records Clarification Requested
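
The pitfalls raised in the reply above (records left in the parent zone for a delegated sub-zone are never served, the delegated name server needs its own address record, and a CNAME must not share a name with MX records) can be checked mechanically. The following is an added example, not part of the original thread or any Cloudflare tooling; `example.org`, `example.net`, the 192.0.2.x addresses and the function names are constructed placeholders.

```python
# Constructed sample data: example.org, example.net and 192.0.2.x are placeholders.
ZONE = "example.org."
RECORDS = [
    ("example.org.", "MX", "mx.example.net."),
    ("your-sub.example.org.", "NS", "nameserver.example.org."),
    ("nameserver.example.org.", "A", "192.0.2.53"),
    ("your-sub.example.org.", "A", "192.0.2.10"),
    ("www.your-sub.example.org.", "A", "192.0.2.10"),
    ("other-sub.example.org.", "NS", "ns.other-sub.example.org."),
    ("shop.example.org.", "CNAME", "host.example.net."),
    ("shop.example.org.", "MX", "mx.example.net."),
]


def is_under(name, parent):
    """True if name equals parent or is a descendant of it."""
    return name == parent or name.endswith("." + parent)


def lint_zone(zone, records):
    """Return sorted (code, owner name) findings for (name, type, value) records."""
    records = [(n.lower(), t.upper(), v.lower()) for n, t, v in records]
    types = {}
    for name, rtype, _ in records:
        types.setdefault(name, set()).add(rtype)
    # A zone cut is any name below the apex that carries NS records.
    cuts = {n for n, t in types.items() if "NS" in t and n != zone}
    ns_targets = {v for n, t, v in records if t == "NS" and n in cuts}
    findings = set()
    for name, rtype, value in records:
        # A CNAME may not share its owner name with any other record type.
        if rtype == "CNAME" and types[name] != {"CNAME"}:
            findings.add(("cname-conflict", name))
        cut = next((c for c in cuts if is_under(name, c)), None)
        is_glue = rtype in ("A", "AAAA") and name in ns_targets
        at_cut_ok = name == cut and rtype in ("NS", "DS")
        # Anything else at or below a cut is answered by the child's servers.
        if cut and not is_glue and not at_cut_ok:
            findings.add(("occluded", name))
        # An in-zone name server needs an address record here to be reachable.
        if rtype == "NS" and name in cuts and is_under(value, zone):
            if not types.get(value, set()) & {"A", "AAAA"}:
                findings.add(("ns-without-address", name))
    return sorted(findings)


if __name__ == "__main__":
    for code, name in lint_zone(ZONE, RECORDS):
        print(f"{code:20} {name}")
```

An `occluded` finding matters operationally because the stale record still appears in the parent zone's dashboard while resolvers only ever see what the delegated server returns.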

Hi Mark,
So the bottom line seems to be that Cloudflare is non-functional unless it is actually the manager of ALL DNS records pertaining to a domain name, in this case

I can understand the need to be the resolver for the domain url associated with a specific web site for which it is providing CDN services but I don’t understand the need to turn over ALL control to Cloudflare.

Is this standard? Do all CDN providers insist on controlling all aspects of DNS management?


Basically yes.

To cache static content it must be routed through their network. I can’t imagine that CF acts as a client for your sub-zone and presents their own IPs to the visitor.

A way around could be to serve the static content in a different way:

For example: is handled by your own DNS.

Create new subdomain here at CloudFlare: and point it to the server where the static content is located. It could even be the same server as starlight. You just need to ensure that all static content is included with an absolute link to and not relative in your code.

I’d prefer a separated content server instead of using the same origin, as direct access to possibly would serve the whole page as well.

Maybe there’s another way to handle sub-zones. But I am not aware of one. And to be honest, I am a bit too lazy to set up a DNS and try it out. :joy:

@cscharff may confirm, or correct things


Hi Mark,
I just got a formal answer from a Cloudflare person. Following is the message I received:

"In order to use Cloudflare, we need to be your authoritative DNS provider for your entire domain, which means you need to migrate all your DNS records across to our dashboard and move to our nameservers."

I really needed to be certain of this because we are currently doing our DNS “in house” and there is some resistance to turning it over.

Mark: Thanks for taking the time to respond to my inquiries.

Best regards, Jim


Hi Jim,

thanks for letting me know.

Makes sense since you asked to only serve one sub domain via CloudFlare. You can’t delegate a sub-zone to CloudFlare, that’s right.
But vice versa… delegate sub-zones from CF should work. It’s a bit more administrative work to do.

May I ask what’s the reason for the resistance? :thinking: it’s “just” DNS. where it isn’t possible to dig into the records with ANY. It is rejected by CloudFlare. Security :wink:



I’d like to chime in here with some clarification as it is possible to delegate a subdomain to use Cloudflare using a CNAME record under our CNAME setup, available to customers on the Business and Enterprise plans:

With CNAME setup, authoritative DNS remains elsewhere, and one or more subdomains are delegated to use Cloudflare using CNAME DNS record(s). You do not need to use this if you’ve already changed nameservers to Cloudflare and want us to be your authoritative DNS provider.


Hi Mark, Re resistance, the person currently providing DNS services has been donating those services.


Hey :slight_smile:

That’s comprehensible. I thought there was some technical reason.

Good luck :slight_smile:

I’ll hang around on your pages from time to time. Quite interesting.
