Traffic hits workers with proxying turned off

When I turn off Proxying on the CNAME record the traffic still hits my workers. Shouldn’t it just go straight to the destination of the CNAME record? Is there any way to quickly turn off traffic to my workers and direct it straight to the origin?

When traffic hits the Cloudflare network, regardless if the :orange: proxy is on/off, it will go through all* the Traffic Sequence steps in your zone, including Worker Routes.

When the :orange: Proxy is turned off, that record is just a regular CNAME served by the Cloudflare DNS.

Although you’ve turned off the :orange: Proxy for your CNAME record, the traffic won’t immediately be redirected straight to your CNAME because the devices which have previously connected to, and any upstream DNS resolvers will still remember the IP associated with that CNAME as being Cloudflares.

After turning off the :orange: Proxy, it will take time for the propagation on DNS outside Cloudflare’s network, most of the time it takes less than an hour for all traffic to be going to the right place.

There is 1 big caveat here, that is if the CNAME your record points to is also on Cloudflare.

For example if you create a CNAME that points to any website on Cloudflare, for example itself, even if your CNAME record has the :orange: off, it will still trigger the Worker Routes because the traffic is still hitting the Cloudflare network which finds your zone and goes through all* the Traffic Sequence steps in your zone.

Go to this website DNS Checker - DNS Check Propagation Tool and search the A record for what IP’s are associated with the CNAME your trying. Are those IP’s on Cloudflare’s network?

Depends if its the 1st or 2nd scenario I detailed above. If it’s the 1st, then no quick option, you have to wait for TTL to expire. If its the 2nd then yes, just update your Worker Routes.


Excellent answer, thank you for clarifying. This is what my understanding was too but when doing a dig on the CNAME it was showing the records updating correctly but the old address must’ve been cached somewhere on my machine because both the browser and a curl command were still hitting the worker. This morning when I try it looks like the TTL expired and now I am bypassing the worker as expected.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.