I have a unique situation where our website is set up normally via Cloudflare and uses the Cloudflare origin certificates. It works great for everyone except those in the organization. They have an internal bind9 DNS with the same record names pointing directly to the origin server IP. When they do this, it flags untrusted SSL errors in the browser because it's using the Cloudflare certs directly and not via the Cloudflare proxy.
Could you please advise me how I can modify their bind9 zone file so that the two A records we use for the website point correctly back to Cloudflare while everything else stays however they have it? This way the internal organization will be correctly going through Cloudflare and not accessing the website directly by the IP.