Using Cloudflare for DNS as an MSP


We are and MSP based in the UK and we considering using CF for our DNS hosting for our customers. I’ve had a search through the KB but have not found the information I am interested in. I’m hoping someone out there can answer my questions.

Q1. Depending on the customer, we would either have them in our CF account or they would be in their own. For those customers who have their domain in our account, should they leave, how easy is it to transfer the domain to their ownership?

Q2. Some of our customers run split DNS between their public domain and their local Active Directory domain. Does CF play well in such situations?

Q3. In relation to the previous question, is it possible to setup alerting, either in the GUI or via the API so our support teams gets notified whenever customers change their DNS records?

Q4. What audit log is available and how long is it kept?

If anyone could let me know your experience in relation to the above questions that would be great.


Welcome to the Cloudflare Community. :logodrop:

I gave Q1 considerable thought some time ago for the very separation question you pose. My ultimate conclusion was that client domains need to be in their own account. You can then invite your account to manage theirs. It avoids a lot of work in the event of separation. Whether or not the client has access to their account will depend on the client and your agreement terms. I prefer that mine do not having access. It is what they pay me for after all.

Cloudflare has nothing to due with Q2. Cloudflare is strictly public authoritative DNS. How well your split DNS works is entirely dependent upon your client network environment. If it is working with your current provider, it should continue to work with Cloudflare.

I do not see any available notifications of the type that you are asking about in Q3. My own preference is that all DNS changes are routed through the MSP to ensure that they are logged as well as for the security and integrity of the zone data. This works best when the client’s account is converted into a break-glass account after your MSP has been successfully invited in.

Q4 is answered in the following documentation.



Thanks very much for your response. That all makes sense to me.

My preference would also be to prevent anyone at a client having an account that can amend their DNS records. However, we have a couple larger companies that insist on having the web developers make DNS changes. One of which has split DNS running. Of course, the web devs never inform us when they make a change.

I can see the API being of use there. Even if we just ping it once an hour to check for changes. It will at least give us a heads up when the des break things.

As a follow up to Q1. To get ticket support, that would require paying the $20 per month for each account? I know my account persons will ask.


I would work on the presentation of why the web d00d should never have DNS access. If the customer is important enough to your firm to permit such a risky policy exception and they acknowledge the risk and accept it fully, it’s ultimately up to your firm’s leadership as to whether such exposure is acceptable.

The $20 is $25 unless purchased a year at a time. Cloudflare subscriptions are per domain so every domain will require a Pro subscription. If opening tickets is your motivation, understand that plan is likely insufficient as it has a target initial response time of five days. That means it may exceed that time before a ticket is even looked at. My point is that you should only buy a Pro plan if you need feature limit upgrades and enhancements that it offers. If the idea of using it to open a ticket is the primary motivator, it’s likely to disappoint. You will want a Business plan for those cases.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.