Set up a primary zone (Full setup)

Cloudflare DNS offers a few different setup options. A primary setup (also known as full) is the most common and the only one available for Free or Pro plans. For details, refer to About. For more introductory context, refer to Concepts.

Before you begin

Make sure that you:

Create a Cloudflare account — If you have not already, sign up for a Cloudflare account.
Own a domain name — You need a registered domain (for example, example.com). If you do not have one, you can register a domain at-cost through Cloudflare Registrar ↗. Domains purchased through Cloudflare Registrar automatically use Cloudflare for authoritative DNS, so you can skip the rest of this tutorial.

Log in to the Cloudflare dashboard ↗.
Go to Domains
Select Onboard a domain.
Enter your apex domain (for example, example.com) and choose how you would like to add your DNS records.
Select Continue and choose a plan ↗.

Required API token permissions

At least one of the following token permissions is required:

Zone Zone Edit
Zone DNS Edit

curl "https://api.cloudflare.com/client/v4/zones" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "<YOUR_DOMAIN>",
    "account": {
        "id": "<YOUR_ACCOUNT_ID>"
    }
  }'

DNS records quick scan

Cloudflare can automatically scan for your records and add them to the DNS zone for you, or you can add records manually. These records show up under your domain on the DNS Records ↗ page of the dashboard.

2. Review your DNS records

Your DNS records must be accurate for your domain to work properly. If you don't know what DNS records are, consider the video below for a quick explanation.

Common records

Since the quick scan is not guaranteed to find all existing DNS records, you need to review your records, paying special attention to the following:

Zone apex records (example.com)

More about zone apex records

Zone apex refers to the domain or subdomain that you are adding to Cloudflare.
Usually, the zone apex record makes your domain accessible by visitors. In this case, the necessary record type (A, AAAA, or CNAME) and its content will depend on the provider that hosts your website or application.
If you are using Cloudflare Workers, refer to Custom domains.
If you are using other providers, look for their guidance on how to connect domains managed on external DNS services. Then, make sure you have the records required by your hosting provider on your DNS records table at Cloudflare.
Subdomain records (www.example.com or blog.example.com)

More about subdomain records

Most subdomains serve a specific purpose within the overall context of your website. For example, blog.example.com might be your blog, support.example.com could be your customer help portal, and store.example.com would be your e-commerce site.
Even if you do not require specific subdomains, you might want to set up at least a subdomain record on www. It will usually point to the same content as what you have on the apex domain (example.com) or use a redirect. Having a subdomain DNS record on www helps guarantee that a visitor who types www. in front of your domain address can still find your website or application.

Email records

More about email records

Depending on your business needs, you can configure DNS records so that you can use your domain to receive emails, receive and send emails from your domain, or prevent others from sending emails on your behalf (spoofing).

Below are some examples of what those DNS records might look like. The exact values for your DNS mail records depend on your email provider. If you have issues, review the Troubleshooting and contact your email service provider to confirm your DNS records are correct.

Type	Name	Content	Proxy status	TTL
A	`mail`	`192.0.2.1`	DNS Only	Auto
MX	`example.com`	`5 john.mx.example-server.test`	DNS Only	Auto
TXT	`_dmarc`	`"v=DMARC1; p=reject; sp=...`	DNS Only	Auto
TXT	`*._domainkey`	`"v=DKIM1; k=rsa; p=..."`	DNS Only	Auto
TXT	`example.com`	`"v=spf1 ip4:..."`	DNS Only	Auto

Proxy status

Each A, AAAA, and CNAME record has a proxy status toggle:

Proxied (orange cloud): web traffic goes through the Cloudflare network, which provides caching, DDoS protection, and other security features.
DNS only (gray cloud): Cloudflare returns the DNS record value but does not proxy traffic. Use this for CNAME records that verify your domain for third-party services.

3. Change your nameservers

Your domain will be assigned two authoritative Cloudflare nameservers. Nameservers are specialized servers that store your domain's DNS records and "answer" requests from browsers by providing the specific IP address needed to connect to your website.

3.1. Get nameserver names

Dashboard
API

Your assigned nameservers are displayed as part of the onboarding flow. If you need to find them once again, go the zone Overview page.

Go to Overview

Required API token permissions

At least one of the following token permissions is required:

Trust and Safety Write
Trust and Safety Read
Zero Trust: PII Read
Zaraz Edit
Zaraz Read
Zaraz Admin
Access: Apps and Policies Revoke
Access: Apps and Policies Write
Access: Apps and Policies Read
Access: Apps and Policies Revoke
Access: Mutual TLS Certificates Write
Access: Organizations, Identity Providers, and Groups Write
Zone Settings Write
Zone Settings Read
Zone Read
DNS Read
Workers Scripts Write
Workers Scripts Read
Zone Write
Workers Routes Write
Workers Routes Read
Stream Write
Stream Read
SSL and Certificates Write
SSL and Certificates Read
Logs Write
Logs Read
Cache Purge
Page Rules Write
Page Rules Read
Load Balancers Write
Load Balancers Read
Firewall Services Write
Firewall Services Read
DNS Write
Apps Write
Analytics Read
Access: Apps and Policies Write
Access: Apps and Policies Read

curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

3.2. Log in to your registrar

3.3. Turn off DNSSEC

If your domain has DNSSEC¹ active, you must turn it off at your registrar before replacing nameservers. Changing nameservers while DNSSEC is active can cause your domain to become unreachable. You can re-enable DNSSEC through Cloudflare after your domain is active.

Provider-specific DNSSEC instructions

This is not an exhaustive list, but the following links may be helpful:

3.4. Update your registrar

Remove your existing authoritative nameservers.
Add the nameservers provided by Cloudflare. If their names are not copied exactly, your DNS will not resolve correctly.

Provider-specific instructions

This is not an exhaustive list of provider-specific instructions, but the following links may be helpful:

To avoid common issues, refer to our Nameserver replacement checklist.

3.5. Verify changes

Wait up to 24 hours while your registrar updates your nameservers.

When your domain is Active:

You will receive an email from Cloudflare.
Your domain will have a status of Active on the Domains page of your account.
Online tools such as https://www.whatsmydns.net/ ↗ will show your Cloudflare-assigned nameservers (most of these tools use cached query results, so it may take longer for them to show the updated nameservers).
CLI commands will show your Cloudflare-assigned nameservers

*macOS/Linux*

whois <DOMAIN_NAME>
dig ns <DOMAIN_NAME> @1.1.1.1
dig ns <DOMAIN_NAME> @8.8.8.8
dig <DOMAIN_NAME> +trace

*Windows*

nslookup -type=ns <DOMAIN_NAME> 1.1.1.1
nslookup -type=ns <DOMAIN_NAME> 8.8.8.8

4. Re-enable DNSSEC

If you turned off DNSSEC before updating your nameservers, you can now re-enable DNSSEC through Cloudflare to protect your domain from spoofing.

A security feature that protects DNS records from spoofing ↩