Cloudflare Docs
DNS
DNS
Edit this page on GitHub
Set theme to dark (⇧+D)

Proxy status

The Proxy status of a DNS record affects how Cloudflare treats incoming traffic to that record. Cloudflare recommends enabling our proxy for all A, AAAA, and CNAME records.

Proxy status affects how Cloudflare treats traffic intended for specific DNS records

​​ Proxied records

When you proxy specific DNS records through Cloudflare - specifically A, AAAA, or CNAME records — DNS queries for these will resolve to Cloudflare Anycast IPs instead of their original DNS target. This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.


This behavior allows Cloudflare to optimize, cache, and protect all requests to your application, as well as protect your origin server from DDoS attacks.

Because requests to proxied hostnames go through Cloudflare before reaching your origin server, all requests will appear to be coming from Cloudflare’s IP addresses (and could potentially be blocked or rate limited). If you use proxied records, you may need to adjust your server configuration to allow Cloudflare IPs.

Cloudflare Anycast IPs used to proxy traffic on your domain are assigned automatically. These IPs might change at any time for operational reasons. If you need to allowlist Cloudflare IPs on your infrastructure or hosting provider, include the full list of Cloudflare Anycast IPs.

As an Enterprise customer, you have the option to get static IPs or bring your own IPs (BYOIP).

​​ Limitations

​​ Proxy eligibility

By default, A, AAAA, and CNAME DNS records that serve HTTP/HTTPS traffic can be proxied.

If you encounter a CNAME record that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration.

The following types of DNS records may be in your DNS configuration, but cannot be proxied:

  • CAA
  • DKIM
  • DMARC
  • DNSKEY
  • DS
  • HTTPS
  • MX
  • NS
  • PTR
  • SOA
  • SPF
  • SRV
  • SVCB
  • TXT

​​ Ports and protocols

To proxy HTTP/HTTPS traffic on non-standard ports or to proxy a TCP- or UDP- based application, use Cloudflare Spectrum.

​​ Pending domains

When you add a domain to Cloudflare, Cloudflare protection will be in a pending state until we can verify ownership. This could take up to 24 hours to complete.

This means that DNS records - even those set to proxy traffic through Cloudflare – will be DNS-only until your zone has been activated and any requests to your DNS records will return your origin server’s IP address.

If this warning is still present after 24 hours, refer to Troubleshooting.

For enhanced security, we recommend rolling your origin IP addresses at your hosting provider after your zone has been activated. This action prevents your origin IPs from being leaked during onboarding.


​​ DNS-only records

When an A, AAAA, or CNAME record is DNS-only — also known as being gray-clouded — DNS queries for these will resolve to the record’s normal IP address.

In addition to potentially exposing your origin IP addresses to bad actors and DDoS attacks, leaving your records as DNS-only means that Cloudflare cannot optimize, cache, and protect requests to your application or provide analytics on those requests.