The Proxy status of a DNS record affects how Cloudflare treats incoming traffic to that record. Cloudflare recommends enabling our proxy for all
When you proxy specific DNS records through Cloudflare - specifically
CNAME records — DNS queries for these will resolve to Cloudflare Anycast IPs instead of their original DNS target. This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.
Because requests to proxied hostnames go through Cloudflare before reaching your origin server, all requests will appear to be coming from Cloudflare’s IP addresses (and could potentially be blocked or rate limited). If you use proxied records, you may need to adjust your server configuration to .
Cloudflare Anycast IPs used to proxy traffic on your domain are assigned automatically. These IPs might change at any time for operational reasons. If you need to allowlist Cloudflare IPs on your infrastructure or hosting provider, include the full list of .
By default, Cloudflare only supports proxied
CNAME records. You cannot proxy other record types.
If you encounter a
CNAME record that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration.
Ports and protocols
By default, Cloudflare only proxies HTTP and HTTPS traffic.
For enhanced security, we recommend rolling your origin IP addresses at your hosting provider after your zone has been activated. This action prevents your origin IPs from being leaked during onboarding.
Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records.
CNAME record is DNS-only — also known as being gray-clouded — DNS queries for these will resolve to the record’s normal IP address.