Proxying limitations

This page describes expected limitations when proxying DNS records. For further information about proxying, refer to How Cloudflare works.

Proxy eligibility

Only A, AAAA, and CNAME DNS records that serve HTTP or HTTPS traffic can be proxied. Other record types cannot be proxied.

If you encounter a CNAME record that you cannot proxy (usually one associated with another CDN provider), it is because a proxied version of that record would cause connectivity errors. Cloudflare purposely prevents that record from being proxied to protect you from a misconfiguration.

Pre-signed DNSSEC

If you use Cloudflare as your secondary DNS provider and leverage Secondary DNS Overrides to set records to proxied, note that opting for Pre-signed DNSSEC will cause Cloudflare to treat your records as DNS-only.

Ports and protocols

To proxy HTTP/HTTPS traffic on non-standard ports or to proxy a TCP or UDP based application, use Cloudflare Spectrum.

Pending domains

When you add a domain to Cloudflare, Cloudflare protection will be in a pending state until we can verify ownership. This could take up to 24 hours to complete.

This means that DNS records, even those set to proxy traffic through Cloudflare, will be DNS-only until your zone has been activated. Until then, any requests to your DNS records will return your origin server's IP address.

If this warning is still present after 24 hours, refer to Troubleshooting.

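For enhanced security, we recommend rolling your origin IP addresses at your hosting provider after your zone has been activated. Because records are DNS-only while the zone is pending, your origin IPs are publicly resolvable during onboarding; rolling them afterwards means the addresses exposed in that window no longer point at your origin.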
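
One way to verify this on your own zone after activation, as an added example that is not part of Cloudflare's documentation: classify each hostname's DNS answers as proxied, DNS-only, or still returning a known origin address. The hostnames and origin addresses are constructed (documentation ranges), and the Cloudflare range list is a partial snapshot that is assumed to be refreshed from https://www.cloudflare.com/ips/ before use.

```python
import ipaddress
import socket

# Partial snapshot of the ranges published at https://www.cloudflare.com/ips/.
# Assumption: refresh this list from that page before trusting a result.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
    "2606:4700::/32", "2400:cb00::/32",
)]

def resolve(hostname):
    """Return the A/AAAA answers the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(answers, origin_ips):
    """Label one hostname's answers; parsing normalizes IPv6 spellings."""
    addrs = {ipaddress.ip_address(a) for a in answers}
    origins = {ipaddress.ip_address(o) for o in origin_ips}
    if not addrs:
        return "no-answer"
    if addrs & origins:
        return "origin-exposed"   # pending zone or DNS-only record
    if all(any(a in net for net in CLOUDFLARE_NETS) for a in addrs):
        return "proxied"          # every answer is a Cloudflare address
    return "dns-only"             # e.g. a record pointing at a third party

def audit(zone_answers, origin_ips):
    """Map each hostname to its classification."""
    return {h: classify(a, origin_ips) for h, a in zone_answers.items()}

# Constructed sample data: origin addresses (current and pre-roll) and
# answers as they might be returned for four hypothetical hostnames.
ORIGIN_IPS = ["203.0.113.10", "2001:db8::10"]
SAMPLE_ANSWERS = {
    "www.example.com": ["104.16.1.1", "2606:4700::6810:101"],
    "api.example.com": ["203.0.113.10"],
    "mail.example.com": ["198.51.100.25"],
    "mixed.example.com": ["104.16.1.1", "2001:db8:0:0::10"],
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_ANSWERS, ORIGIN_IPS).items():
        print(f"{verdict:15} {host}")
```

For a live check, pass `{h: resolve(h) for h in hostnames}` to `audit()`, and include both the old and the rolled origin addresses in `origin_ips` so that any leftover record still pointing at either is flagged.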

Windows authentication

Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records.