DNS management for example.com:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| A | blog | 192.0.2.1 | Proxied | Auto |
| A | shop | 192.0.2.2 | DNS only | Auto |
While your DNS records are used to make your website or application available to visitors and other web services, the Proxy status of a DNS record is used to define how Cloudflare treats incoming traffic to that record.
The records you can proxy through Cloudflare are IP address resolution records — meaning A, AAAA, or CNAME records. Cloudflare recommends enabling our proxy for all A, AAAA, and CNAME records that are used for serving web traffic.
When you set a DNS record to Proxied, Cloudflare can:
Apart from that, proxied DNS records have specific predefined fields and expected behavior — refer to Proxied records for details.
To understand how Cloudflare responds to requests for proxied records, consider How proxying works below.
When an A, AAAA, or CNAME record is DNS-only (also known as being gray-clouded), DNS queries for this record will resolve to the record's normal IP address.
In addition to potentially exposing your origin IP addresses to bad actors and DDoS attacks, leaving your records as DNS-only means that:
When you set a DNS record to Proxied, Cloudflare responds with an anycast IP address instead of the value defined on your DNS table. This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.
DNS management for example.com:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| A | blog | 192.0.2.1 | Proxied | Auto |
| A | shop | 192.0.2.2 | DNS only | Auto |
In the example DNS table above, there are two DNS records. The record with the name blog has the proxy on, while the record named shop has the proxy off (that is, DNS only).
When a browser initiates an HTTP/HTTPS request to blog.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates an HTTP/HTTPS request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. When needed, Cloudflare forwards the request to the configured origin server, which is 192.0.2.1.
When a browser initiates an HTTP/HTTPS request to shop.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, DNS only), Cloudflare will answer with 192.0.2.2. Finally, the browser initiates an HTTP/HTTPS request to the server hosted at 192.0.2.2.
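The difference between the two answers can be audited from an export of the zone. The following is an added example, not part of Cloudflare's documentation: it flags DNS-only A, AAAA, and CNAME records, and notes when a DNS-only answer is the same address that a proxied record is meant to hide. The record shape (`type`, `name`, `content`, `proxied`) is an assumed export format, and the `mail` and TXT records are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's two example records plus a hypothetical
# DNS-only "mail" record and a TXT record. Field names are an assumed export shape.
SAMPLE_RECORDS = [
    {"type": "A", "name": "blog.example.com", "content": "192.0.2.1", "proxied": True},
    {"type": "A", "name": "shop.example.com", "content": "192.0.2.2", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.1", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 -all", "proxied": False},
]

PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}  # record types the page says can be proxied
ADDRESS_TYPES = {"A", "AAAA"}


def audit_proxy_status(records):
    """Return one finding per DNS-only record whose answer reveals an address."""
    # Map each origin address behind a proxied record to the hostnames using it.
    # ip_address() normalises the value so equivalent IPv6 spellings compare equal.
    proxied_origins = {}
    for rec in records:
        if rec["type"] in ADDRESS_TYPES and rec.get("proxied"):
            ip = ipaddress.ip_address(rec["content"])
            proxied_origins.setdefault(ip, []).append(rec["name"])

    findings = []
    for rec in records:
        if rec["type"] not in PROXIABLE_TYPES or rec.get("proxied"):
            continue  # not proxiable, or already answered with an anycast address
        finding = {"name": rec["name"], "answer": rec["content"],
                   "issue": "dns-only", "also_exposes": []}
        if rec["type"] in ADDRESS_TYPES:
            hidden = proxied_origins.get(ipaddress.ip_address(rec["content"]), [])
            if hidden:
                # The DNS answer for this name is the origin of a proxied name.
                finding["issue"] = "dns-only-leaks-proxied-origin"
                finding["also_exposes"] = sorted(hidden)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_proxy_status(SAMPLE_RECORDS):
        print(f)
```
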
Because requests to proxied records go through Cloudflare before reaching your origin server, traditionally all requests will appear to be coming from Cloudflare's IP addresses and could be blocked or rate limited. Refer to allow Cloudflare IPs to learn how to adjust your server configuration.
Diagram (Connections with Cloudflare): Client <-- Connection --> Cloudflare global network <-- Connection --> Origin server
Cloudflare anycast IPs used to proxy traffic on your domain are assigned automatically and can change at any time for operational reasons. By default, if you need to allowlist Cloudflare IPs on your infrastructure or hosting provider, you should include the full list of Cloudflare anycast IPs.
Alternatively, if you are an Enterprise customer, you have the following options: