When to orange cloud a record

To provide DDoS, WAF and CDN services Cloudflare acts as a poxy for your domain. This means instead of advertising your IP address or CNAME record we instead advertise the IP address of our edge and then forward (proxy) the requests to your origin server. This works just fine for http/https and web socket traffic[1]. But doesn’t work for other services and protocols such as game server ports, FTP or SMTP[2]. You can tell if a host is being proxied by Cloudflare if it has an orange cloud (:orange:) next to it in the DNS control panel.

For those types of protocols or for services which are expecting a specific (non-obfuscated) value such as DKIM[3] records or records for a service such as Office 365 / Gmail to validate that they are set to a specific value those records should be entered into the DNS control panel with a gray cloud (:grey:).

If you are having trouble validating a record with a 3rd party service when signing up for it, make sure the record is :grey: not :orange:.

In general, a DNS change at Cloudflare should propagate across our network in 30 seconds. If, after 2 minutes you aren’t seeing the change you expect the most likely cause is that the record is orange clouded. For :orange: records the advertised external IP address doesn’t change when you change the target, instead we update our proxy so that it knows to go to the new host in the updated record.

[1] https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-
[2] https://support.cloudflare.com/hc/en-us/articles/200172756-Can-Cloudflare-proxy-or-protect-game-server-ports-
[3] https://support.cloudflare.com/hc/en-us/articles/200168696-How-do-I-add-DKIM-records-


maybe good idea to divide the DNS page listing into 2 grouped categories

  1. orange cloud enabled
  2. gray cloud / Cloudflare disabled

so visually you have a birds eye overview of which dns records are which status :slight_smile: