Trying to understand fallback origin in custom hostnames

What is the name of the domain?

example.com

What is the issue you’re encountering

Custom hostnames don’t follow fallback origin rules!

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

I run a SaaS where customers use their own domains by CNAME-ing to domains.example.com. In our DNS, domains.example.com has proxy disabled. To activate their custom hostname, I set a fallback origin fallback.example.com with proxy enabled.

Now, custom hostnames are active even when CNAMEd to domains.example.com. I expected activated custom hostnames to follow fallback.example.com, but they still resolve to domains.example.com which is proxy disabled. Why is this happening?

If the CNAME target isn’t proxied, you aren’t using Cloudflare Custom Hostnames at all, and none of the settings on Cloudflare will have any effect whatsoever.


So what’s the point of fallback.example.com ?

It’s where requests are routed if you use Custom Hostnames.

What happens if we enable the proxy on the CNAME domains.example.com and then a host points to that CNAME without having an active custom hostname in our zone for them? Will the CNAME routing happen for them even without a custom hostname?

They will get an error message.

We initially asked our customers to point their domains to domains.example.com. Now, we want to enable Cloudflare proxy to take advantage of its features. However, some customers have CAA records that block pki.goog from issuing certificates, preventing their custom hostnames from becoming Active. As a result, some custom hostnames are Active, while others are not.

We don’t want to disrupt their service, and while we’ve asked them to update their CAA records, it may take time.

Is there a way to allow hostnames without a custom hostname in our zone to bypass Cloudflare (acting as if domains.example.com is not proxied) while ensuring that the rest function as expected under Cloudflare’s proxy?

No. Only if they use different CNAME targets.

You can always create CAA records for domains.example.com to override the CAA records your customers are using.

As your domain is the CNAME target of your customers’ subdomain, you are in control of all DNS records for that subdomain, including CAA records.

This would work for all subdomains your customers point to you, though not for apex domains, which would not appear as CNAME records in DNS.

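To illustrate the CAA point in that reply, here is an added example (written for this edit, not code from the thread or from Cloudflare) that models the RFC 8659 CAA lookup over constructed records; it assumes the names domains.example.com, old.example.com and example.net plus sample CA identifiers, and it shows why the owner of a CNAME target decides which CAs may issue for subdomains aliased to it, while an apex name keeps the customer's own CAA policy.

```python
# Added example, not from the thread: a model of RFC 8659 CAA lookup over a
# constructed zone. The CNAME target's owner controls CAA for names aliased to
# it; names without a CNAME (e.g. an apex) fall back to their own tree.
# All names, records and CA identifiers below are constructed sample data.

# Constructed records: name -> {"CNAME": target} or {"CAA": [(flags, tag, value)]}
RECORDS = {
    # SaaS zone: CAA published on the CNAME target, as the reply suggests.
    "domains.example.com": {"CAA": [(0, "issue", "pki.goog"),
                                    (0, "issue", "letsencrypt.org")]},
    # A second target that publishes no CAA of its own.
    "old.example.com": {},
    # Customer zone: apex CAA that does not list pki.goog.
    "example.net": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "app.example.net": {"CNAME": "domains.example.com"},
    "legacy.example.net": {"CNAME": "old.example.com"},
}
MAX_CNAME_HOPS = 8  # guard against CNAME loops


def caa_rrset(name):
    """R(X) in RFC 8659: the answer to a CAA query, which follows any CNAME chain."""
    for _ in range(MAX_CNAME_HOPS):
        rr = RECORDS.get(name, {})
        if "CNAME" not in rr:
            return rr.get("CAA", [])
        name = rr["CNAME"]
    return []  # a loop or an over-long chain is treated as an empty answer


def relevant_caa(name):
    """CAA(X): R(X) if non-empty, otherwise climb the parents of the ORIGINAL name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_rrset(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca):
    """True if `ca` may issue a non-wildcard certificate for `name`.

    issuewild records are ignored (they only apply to wildcard names).
    """
    rrset = relevant_caa(name)
    allowed = {v.strip() for _, tag, v in rrset if tag == "issue"}
    if not allowed:
        return True  # no issue restriction anywhere in the tree: any CA may issue
    return ca in allowed  # an "issue ;" record never matches a real CA name
```

Note the legacy.example.net case: a CNAME target that publishes no CAA does not override anything, so the lookup climbs back to the customer's own apex policy.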
