
Authoritative DNS

Learning Focus

By the end of this lesson you will understand how to configure Cloudflare as your authoritative DNS provider, the difference between proxied and DNS-only records, and how to design a resilient DNS setup.

What Is Authoritative DNS?

An authoritative DNS server is the server that holds the official, definitive DNS records for your domain. When someone types example.com into their browser, the DNS system eventually reaches the authoritative server to get the correct IP address.

Cloudflare provides free authoritative DNS for any domain added to its platform. This means Cloudflare becomes the source of truth for your domain's DNS records, and every query for your domain is answered by Cloudflare's global network.

sequenceDiagram
participant Browser
participant Recursive as Recursive Resolver
participant Root as Root Server
participant TLD as .com TLD Server
participant CF as Cloudflare Authoritative

Browser->>Recursive: What is the IP of example.com?
Recursive->>Root: Where is .com?
Root-->>Recursive: Ask the .com TLD server
Recursive->>TLD: Where is example.com?
TLD-->>Recursive: Ask Cloudflare (ada.ns.cloudflare.com / bob.ns.cloudflare.com)
Recursive->>CF: What is the IP of example.com?
CF-->>Recursive: 104.21.x.x (Cloudflare edge IP for a proxied record, the origin IP for a DNS-only record)
Recursive-->>Browser: 104.21.x.x

Why Cloudflare DNS?

| Feature | Cloudflare Free DNS | Typical DNS Providers |
|---|---|---|
| Speed | ~11 ms global average (fastest authoritative DNS) | 20–60 ms average |
| Anycast | 330+ cities worldwide | Limited PoPs |
| DDoS Protection | Included, unlimited | Often an add-on or absent |
| DNSSEC | One-click setup | Manual configuration |
| Cost | Free | $0–$50/year per domain |
| API | Full REST API | Varies |

Adding Your Domain to Cloudflare

Step 1: Create an Account and Add a Site

  1. Go to dash.cloudflare.com/sign-up
  2. Click "Add a site" and enter your domain name
  3. Select the Free plan

Step 2: Cloudflare Scans Existing Records

Cloudflare automatically scans your domain's current DNS records and imports them. Always verify that all records were imported correctly:

┌─────────────────────────────────────────────────────────────┐
│ Type Name Content Proxy TTL │
├─────────────────────────────────────────────────────────────┤
│ A example.com 203.0.113.50 ☁️ Proxied Auto │
│ A api 203.0.113.51 ☁️ Proxied Auto │
│ CNAME www example.com ☁️ Proxied Auto │
│ MX example.com mail.example.com DNS only 3600 │
│ TXT example.com v=spf1 ... DNS only 3600 │
└─────────────────────────────────────────────────────────────┘
Critical Check

Verify that MX records (email), TXT records (SPF, DKIM selectors under _domainkey, DMARC at _dmarc, domain-verification tokens) and SRV records were all imported. The scanner cannot perform a zone transfer; it probes common names, so records at unusual subdomains are the ones most often missed. Missing MX records break your email delivery, and missing SPF, DKIM or DMARC records leave your domain easier to spoof.

Step 3: Update Your Nameservers

Cloudflare will assign you two nameservers (e.g., ada.ns.cloudflare.com and bob.ns.cloudflare.com). You must update these at your domain registrar:

Current Nameservers       →   New Nameservers
ns1.old-provider.com      →   ada.ns.cloudflare.com
ns2.old-provider.com      →   bob.ns.cloudflare.com

Step 4: Wait for Propagation

Nameserver changes are usually visible within a few hours, but can take up to 48 hours to reach every resolver: the .com registry publishes delegation NS records with a two-day TTL, so a resolver that cached the old delegation keeps using it until that expires. You can check the status:

# Check nameserver propagation as seen by your local resolver
dig NS example.com +short

# Expected output after propagation:
# ada.ns.cloudflare.com.
# bob.ns.cloudflare.com.

# Ask a .com registry server directly, bypassing your resolver's cache,
# to confirm the registrar actually pushed the change
dig @a.gtld-servers.net NS example.com +norecurse
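The import check from Step 2, as an added example (not Cloudflare's tooling, and not code from this lesson): it parses the BIND-style zone export most providers let you download before you move, compares it with the record list Cloudflare now holds, and prints whatever the scan missed. Both inputs are constructed here; in practice the second would come from the list-records API call shown later in this lesson, and the DMARC and SRV records left out of the sample are exactly the kind of records the scanner tends to miss.

```python
"""Post-import check for Step 2: which records from the old provider's zone
did Cloudflare's scan miss?  Added example (not Cloudflare tooling).  Both the
BIND-style export and the imported list below are constructed; the latter is
in the shape the /zones/{zone_id}/dns_records API returns."""

# Constructed: zone export from the previous provider.
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN A     203.0.113.50
api        IN A     203.0.113.51
www        IN CNAME example.com.
@          IN MX    10 mail.example.com.
mail       IN A     203.0.113.60
@          IN TXT   "v=spf1 include:_spf.google.com ~all"
_dmarc     IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
_sip._tcp  IN SRV   10 60 5060 sip.example.com.
"""

# Constructed: what the scan imported (the DMARC and SRV records are missing).
IMPORTED = [
    {"type": "A", "name": "example.com", "content": "203.0.113.50"},
    {"type": "A", "name": "api.example.com", "content": "203.0.113.51"},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.60"},
    {"type": "TXT", "name": "example.com", "content": '"v=spf1 include:_spf.google.com ~all"'},
]

# Losing any of these silently breaks mail delivery or mail authentication.
CRITICAL_TYPES = {"MX", "TXT", "SRV"}


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string (DMARC uses them)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def _fqdn(owner, origin):
    """Resolve '@' and relative owner names against $ORIGIN; strip the trailing dot."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner[:-1].lower()
    return f"{owner}.{origin}".lower()


def _norm_rdata(rtype, rdata):
    """Make both sides comparable: unquote TXT, drop trailing dots, lower-case hostnames."""
    if rtype == "TXT":
        return rdata.strip().strip('"')
    return " ".join(tok.rstrip(".") for tok in rdata.split()).lower()


def parse_zone(text):
    """Parse BIND-style lines into (type, fqdn, normalized rdata) tuples."""
    origin, records = "", []
    for raw in text.splitlines():
        line = _strip_comment(raw).rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):            # $TTL and friends
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():  # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((rtype, _fqdn(owner, origin), _norm_rdata(rtype, " ".join(tokens))))
    return records


def normalize_imported(records):
    """Cloudflare returns the MX priority as a separate field; fold it back into the rdata."""
    out = []
    for r in records:
        content = r["content"]
        if r["type"] == "MX" and "priority" in r:
            content = f'{r["priority"]} {content}'
        out.append((r["type"].upper(), r["name"].lower(), _norm_rdata(r["type"].upper(), content)))
    return out


def missing_after_import(zone_text, imported):
    """Old-provider records that are absent from the imported set."""
    have = set(normalize_imported(imported))
    return [rec for rec in parse_zone(zone_text) if rec not in have]


if __name__ == "__main__":
    for rtype, name, rdata in missing_after_import(OLD_ZONE, IMPORTED):
        tag = "CRITICAL" if rtype in CRITICAL_TYPES else "missing"
        print(f"[{tag}] {rtype:<5} {name:<24} {rdata}")
```

Run it before you change the nameservers, not after: once the delegation moves, the old provider's answers are no longer authoritative and the only copy of a missed record is the export.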

DNS Record Types

| Record Type | Purpose | Example | Can Be Proxied? |
|---|---|---|---|
| A | Maps a domain to an IPv4 address | example.com → 203.0.113.50 | ✅ Yes |
| AAAA | Maps a domain to an IPv6 address | example.com → 2606:4700::1 | ✅ Yes |
| CNAME | Creates an alias to another domain | www → example.com | ✅ Yes |
| MX | Specifies mail servers | example.com → mail.example.com | ❌ No |
| TXT | Stores text data (SPF, DKIM, verification) | v=spf1 include:_spf.google.com ~all | ❌ No |
| SRV | Specifies service location and port | _sip._tcp.example.com | ❌ No |
| CAA | Specifies which CAs can issue certificates | 0 issue "letsencrypt.org" | ❌ No |
| NS | Delegates a subdomain to other nameservers | sub.example.com → ns1.other.com | ❌ No |

Proxy Mode vs DNS-Only

This is the most important concept when using Cloudflare DNS. Every record that supports proxying has a toggle:

☁️ Proxied (Orange Cloud)

Traffic flows through Cloudflare's network. This enables:

  • CDN and caching
  • DDoS protection
  • WAF and security rules
  • SSL/TLS termination
  • Analytics and visibility

Your origin server's real IP address is hidden from the public, provided no DNS-only record in the same zone (a grey-clouded mail or ftp host, for example) points at the same IP, and the origin firewall only accepts HTTP(S) connections from Cloudflare's published IP ranges.

☁️ DNS-Only (Grey Cloud)

Cloudflare only answers the DNS query with your origin IP. Traffic goes directly to your server. No Cloudflare security or performance features apply.

flowchart LR
subgraph Proxied["☁️ Proxied (Orange Cloud)"]
U1[User] --> CF1[Cloudflare Edge] --> O1[Origin]
end

subgraph DNS_Only["☁️ DNS-Only (Grey Cloud)"]
U2[User] --> O2[Origin]
end

style CF1 fill:#f6821f,color:#fff,stroke:#e5711e

When to Use Each Mode

| Use Case | Mode | Reason |
|---|---|---|
| Web server (HTTP/HTTPS) | ☁️ Proxied | Get CDN, WAF, DDoS protection |
| Mail server (MX records and the A/AAAA record of the mail host) | DNS-Only | Email protocols are not HTTP and cannot be proxied |
| SSH / Non-HTTP services | DNS-Only | Cloudflare proxy only handles HTTP/HTTPS (use Spectrum for TCP/UDP on paid plans) |
| API endpoint | ☁️ Proxied | Benefits from caching, rate limiting, and DDoS protection |
| Game server | DNS-Only | Requires raw TCP/UDP connections |

Common Mistake

Do not proxy the mail host. The dashboard will not let you proxy an MX record itself, but it will happily proxy the A or AAAA record for mail.example.com that the MX record points at. Once that record is orange-clouded, mail.example.com resolves to a Cloudflare edge IP that only speaks HTTP/HTTPS, SMTP connections fail, and inbound email bounces. The mail host's A/AAAA record must always be DNS-only.
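A pre-flight check for the mistakes in this section, as an added example (not Cloudflare code): given a record set in the shape the API uses, it flags proxy enabled on a type that cannot be proxied, a proxied A/AAAA record that an MX record points at, and a DNS-only A/AAAA record that publishes the same origin IP a proxied record is hiding. The two record sets and the list of conventional non-HTTP hostnames are constructed assumptions.

```python
"""Pre-flight check of a record set before it goes to Cloudflare.  Added example,
not Cloudflare's code.  Records are constructed in the API's shape.  Flags three
things: proxy enabled on a type that cannot be proxied, a proxied A/AAAA record
that an MX record points at (SMTP would hit Cloudflare's HTTP edge), and a
DNS-only A/AAAA record that publishes the same IP a proxied record is hiding."""

PROXIABLE = {"A", "AAAA", "CNAME"}
# Conventional hostnames for non-HTTP services (assumption); proxying them breaks SSH, FTP, SIP, IMAP ...
NON_HTTP_HOSTS = {"mail", "smtp", "imap", "pop", "pop3", "ssh", "ftp", "sftp", "sip", "vpn"}


def check_records(records):
    """Return human-readable problems; an empty list means the set is safe to push."""
    problems = []
    mx_targets = {r["content"].lower().rstrip(".") for r in records if r["type"] == "MX"}
    proxied_ips = {r["content"] for r in records
                   if r.get("proxied") and r["type"] in ("A", "AAAA")}

    for r in records:
        rtype, name, proxied = r["type"], r["name"].lower(), bool(r.get("proxied"))
        label = f"{rtype} {name}"
        if proxied and rtype not in PROXIABLE:
            problems.append(f"{label}: {rtype} records cannot be proxied, set proxied=false")
        elif proxied and name in mx_targets:
            problems.append(f"{label}: MX target is proxied, SMTP will fail; set proxied=false")
        elif proxied and name.split(".")[0] in NON_HTTP_HOSTS:
            problems.append(f"{label}: looks like a non-HTTP service, the proxy only handles HTTP(S)")
        elif rtype in ("A", "AAAA") and not proxied and r["content"] in proxied_ips:
            problems.append(f"{label}: DNS-only record reveals origin IP {r['content']} that proxied records hide")
    return problems


# Constructed: the set an admin is about to push, with the classic mistakes in it.
BEFORE = [
    {"type": "A", "name": "example.com", "content": "203.0.113.50", "proxied": True},
    {"type": "A", "name": "api.example.com", "content": "203.0.113.51", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10, "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.60", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.50", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.google.com ~all", "proxied": False},
]

# Constructed: the corrected set.  The MX record and the mail host are DNS-only, and the
# FTP host has been moved to its own address so it no longer discloses the web origin.
AFTER = [
    {"type": "A", "name": "example.com", "content": "203.0.113.50", "proxied": True},
    {"type": "A", "name": "api.example.com", "content": "203.0.113.51", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10, "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.60", "proxied": False},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.61", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.google.com ~all", "proxied": False},
]

if __name__ == "__main__":
    for problem in check_records(BEFORE):
        print("BEFORE:", problem)
    print("AFTER:", check_records(AFTER) or "clean")
```

The last check is the one people forget: the orange cloud only hides an IP that no grey-clouded record in the zone also publishes, so a DNS-only ftp or mail host sharing the web server's address undoes the protection for the whole site.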

TTL Strategy

TTL (Time to Live) controls how long downstream resolvers cache your DNS records.

| TTL Value | Use Case | Trade-off |
|---|---|---|
| Auto (300s when proxied) | Default for proxied records | Cloudflare manages it for optimal performance |
| 60–120 seconds | Records you change frequently | Fast propagation, higher query volume |
| 3600 seconds (1 hour) | Stable records (MX, TXT) | Low query volume, slower changes |
| 86400 seconds (1 day) | Records that never change | Maximum caching, very slow to update |

Best Practice

For proxied records, always use Auto TTL. Cloudflare handles propagation internally and the TTL you set has no effect on proxied records.

DNSSEC

DNSSEC (DNS Security Extensions) adds cryptographic signatures to your DNS records, preventing attackers from forging DNS responses (DNS spoofing / cache poisoning).

Enabling DNSSEC

  1. Go to DNS → Settings in the Cloudflare dashboard
  2. Click "Enable DNSSEC"
  3. Cloudflare gives you a DS record — add this to your domain registrar
  4. Verification completes in minutes to hours
DS Record Example:

example.com. 3600 IN DS 2371 13 2 <hash>

Info

DNSSEC on Cloudflare is free and handled automatically: Cloudflare signs your zone records and manages the signing keys for you. Two checks belong in your runbook. After adding the DS record, confirm the chain validates (dig +dnssec example.com through a validating resolver should return the ad flag, and delv example.com should report "fully validated"). And if you ever move DNS away from Cloudflare, delete the DS record at the registrar first and let its TTL expire before changing nameservers; otherwise validating resolvers treat the new, unsigned zone as bogus and your domain stops resolving for them.
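The DS record check, as an added example (not Cloudflare tooling): it rebuilds the DS tuple from a DNSKEY the way the registry does, so you can confirm that what the registrar published is the DS for the key Cloudflare actually serves. The DNSKEY below is a constructed algorithm-13 key, not Cloudflare's; with a real zone you would feed it the flags, protocol, algorithm and key from dig DNSKEY example.com +short and the tuple from dig DS example.com +short.

```python
"""Confirm that the DS record at the registrar matches the DNSKEY the zone
serves (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509).  Added
example, not Cloudflare tooling.  The DNSKEY below is a constructed
algorithm-13 (ECDSA P-256) key, not Cloudflare's; in practice the inputs are
the output of `dig DNSKEY example.com +short` and the DS shown by the registrar."""
import base64
import hashlib
import struct

# Constructed 64-byte P-256 public key (x||y) so the example runs offline.
KEY_B64 = base64.b64encode(b"\x00\x01" * 32).decode()


def wire_name(name):
    """Canonical (lower-cased) owner name in wire format: length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags (257 = KSK), protocol (always 3), algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words and fold the carry."""
    if len(rdata) % 2:
        rdata += b"\x00"
    acc = sum(struct.unpack(f"!{len(rdata) // 2}H", rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """The DS tuple (key tag, algorithm, digest type, digest) the registrar should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(registrar_ds, owner, flags, protocol, algorithm, key_b64):
    """True when the registrar's (tag, alg, digest type, hex digest) was derived from this DNSKEY."""
    tag, alg, dtype, digest = registrar_ds
    return make_ds(owner, flags, protocol, algorithm, key_b64, dtype) == (tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.com.", 257, 3, 13, KEY_B64)
    print(f"example.com. 3600 IN DS {tag} {alg} {dtype} {digest}")
```

Only the key-signing key (flags 257) needs a DS at the parent; if the registrar shows a tag that does not match any DNSKEY in the zone, the chain of trust is broken and validating resolvers will return SERVFAIL for the domain.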

Managing DNS with the API

Cloudflare provides a full REST API for DNS management, useful for automation and Infrastructure as Code. Authenticate with a scoped API token (Zone → DNS → Edit, restricted to the zones you manage) rather than the account-wide Global API Key, and keep it out of shell history and repositories. In the request body, "ttl": 1 means Auto.

Create an A record via API
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
-H "Authorization: Bearer {api_token}" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "app",
"content": "203.0.113.50",
"ttl": 1,
"proxied": true
}'
List all DNS records
curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
-H "Authorization: Bearer {api_token}" \
-H "Content-Type: application/json"

| Action | Method | Endpoint |
|---|---|---|
| List records | GET | /zones/{zone_id}/dns_records |
| Create record | POST | /zones/{zone_id}/dns_records |
| Update record | PATCH | /zones/{zone_id}/dns_records/{record_id} |
| Delete record | DELETE | /zones/{zone_id}/dns_records/{record_id} |
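The calls above wrapped as an idempotent upsert, as an added example (not Cloudflare's SDK): a provisioning script should look the record up by type and name, PATCH it if it exists and differs, POST it if it does not, and do nothing otherwise, so reruns are safe and leave no spurious audit-log entries. The token is read from CLOUDFLARE_API_TOKEN (an assumed variable name), and the FakeCloudflare class is a constructed stand-in for the three endpoints so the logic can be exercised offline.

```python
"""Idempotent record upsert against the Cloudflare v4 DNS API, the shape you
want in a provisioning script or CI job.  Added example, not Cloudflare's SDK.
Assumes a scoped API token (Zone > DNS > Edit, limited to this zone) in the
CLOUDFLARE_API_TOKEN environment variable, never the Global API Key.  The
`transport` argument is injectable; FakeCloudflare below is a constructed
in-memory stand-in so the logic can be exercised offline."""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def http_transport(method, url, token, body=None):
    """Send one authenticated request and return the decoded JSON envelope."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _result(envelope):
    """Every v4 response carries success/errors/result; fail loudly instead of silently skipping."""
    if not envelope.get("success"):
        raise RuntimeError(f"Cloudflare API error: {envelope.get('errors')}")
    return envelope["result"]


def desired_record(rtype, name, content, proxied=None, **extra):
    """Build a record body.  ttl=1 means Auto; anything that cannot be proxied gets DNS-only and a 1h TTL."""
    if proxied is None:
        proxied = rtype in ("A", "AAAA", "CNAME")
    return {"type": rtype, "name": name, "content": content,
            "ttl": 1 if proxied else 3600, "proxied": proxied, **extra}


def upsert(zone_id, record, token, transport=http_transport):
    """PATCH the existing record with this type+name, or POST a new one.
    Returns (action, record_id) with action in {"created", "updated", "unchanged"}."""
    base = f"{API}/zones/{zone_id}/dns_records"
    query = urllib.parse.urlencode({"type": record["type"], "name": record["name"]})
    existing = _result(transport("GET", f"{base}?{query}", token))
    if not existing:
        return "created", _result(transport("POST", base, token, record))["id"]
    current = existing[0]
    if all(current.get(k) == v for k, v in record.items()):
        return "unchanged", current["id"]        # no write, so no audit-log noise
    return "updated", _result(transport("PATCH", f"{base}/{current['id']}", token, record))["id"]


class FakeCloudflare:
    """Constructed in-memory stand-in for the three endpoints upsert() uses."""

    def __init__(self, records):
        self.records = {r["id"]: dict(r) for r in records}
        self.calls = []

    def __call__(self, method, url, token, body=None):
        path = url[len(API):]
        self.calls.append((method, path))
        if method == "GET":
            q = dict(urllib.parse.parse_qsl(path.split("?", 1)[1]))
            hits = [r for r in self.records.values() if r["type"] == q["type"] and r["name"] == q["name"]]
            return {"success": True, "errors": [], "result": hits}
        if method == "POST":
            rid = f"rec{len(self.records) + 1}"
            self.records[rid] = {"id": rid, **body}
            return {"success": True, "errors": [], "result": self.records[rid]}
        if method == "PATCH":
            rid = path.rsplit("/", 1)[1]
            self.records[rid].update(body)
            return {"success": True, "errors": [], "result": self.records[rid]}
        return {"success": False, "errors": [{"message": f"unsupported {method}"}], "result": None}


if __name__ == "__main__":
    token, zone = os.environ["CLOUDFLARE_API_TOKEN"], os.environ["CLOUDFLARE_ZONE_ID"]
    print(upsert(zone, desired_record("A", "app.example.com", "203.0.113.50"), token))
```

Looking the record up by type and name first is what makes the script safe to run on every deploy; a script that only ever POSTs will create duplicate A records on the second run, and the API will accept them.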

Common Misconceptions

"Cloudflare DNS is just like any other DNS host"

Reality: Cloudflare DNS is deeply integrated with all other Cloudflare services. Proxied records automatically activate CDN, WAF, DDoS protection, and analytics. This is not just DNS hosting — it's a gateway to the entire Cloudflare platform.

"I need to transfer my domain to use Cloudflare DNS"

Reality: You only need to change your nameservers, not transfer the domain. Your domain can remain at any registrar while Cloudflare handles DNS.

"DNSSEC will slow down my DNS"

Reality: Cloudflare's DNSSEC adds negligible latency. Signatures are produced at the same anycast edge that answers the query, and Cloudflare uses ECDSA P-256 (algorithm 13 in the DS record above), whose signatures are small and fast to generate, so responses stay compact. The security benefit far outweighs the cost.

Anti-Patterns to Avoid

| Don't Do This | Do This Instead |
|---|---|
| Proxy the A/AAAA record of the host your MX record points at | Keep the mail host's records DNS-only (MX records themselves cannot be proxied) |
| Set very low TTLs on stable records | Use Auto TTL for proxied, 3600s for stable DNS-only |
| Leave DNSSEC disabled | Enable DNSSEC — it's free and one-click |
| Manage DNS records manually in the dashboard for many domains | Use the Cloudflare API or Terraform provider |
| Forget to verify imported records after adding your site | Always check MX, TXT, and SRV records after import |

Key Takeaways

  • Cloudflare provides the fastest free authoritative DNS (330+ PoPs, ~11ms average).
  • Proxy mode (orange cloud) activates CDN, WAF, and DDoS protection. DNS-only (grey cloud) means Cloudflare answers the query with your origin IP and traffic goes straight to your server.
  • MX, TXT, and SRV records cannot be proxied, and the A/AAAA records of your mail and other non-HTTP hosts must stay DNS-only.
  • Enable DNSSEC — it's free and prevents DNS spoofing.
  • Use the API for automation when managing multiple domains.
