When you proxy an A, AAAA, or CNAME DNS record for your application (also known as orange-clouding), DNS queries for these records will resolve to Cloudflare Anycast IPs instead of their original DNS target.
This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server. This behavior allows Cloudflare to all requests for your application.
When to proxy your DNS records
In most cases, you should proxy your A, AAAA, and CNAME records. These are the only records that can be proxied.
Every zone onboarded onto Cloudflare will initially be in until we can verify ownership. This means that DNS records until your zone has been activated and any requests to your DNS records will return your origin server’s IP address.
For enhanced security, we recommend rolling your origin IP addresses at your hosting provider after your zone has been activated. This action prevents your origin IPs from being leaked during onboarding.
Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records.
When to use unproxied records
In some circumstances, you should not proxy your DNS records.
A, AAAA, and CNAME records
Other record types
Because Cloudflare only supports proxied A, AAAA, and CNAME records, you do not have the option to proxy other record types.