DNS management for example.com:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| A | blog | 192.0.2.1 | Proxied | Auto |
| A | shop | 192.0.2.2 | DNS only | Auto |
While your DNS records contain information about your domain, the proxy status controls whether HTTP/HTTPS traffic for that record routes through Cloudflare's network or goes directly to your origin server.
When a record is Proxied, Cloudflare sits between your visitors and your server — optimizing, caching, and protecting traffic along the way. When a record is DNS-only, Cloudflare responds with your server's actual IP address and does not route HTTP/HTTPS traffic through its network.
Only records used for IP address resolution — A, AAAA, and CNAME records — can be proxied. Other record types (such as MX or TXT) are always DNS-only.
Cloudflare recommends proxying all A, AAAA, and CNAME records that serve web traffic. Records used for other purposes, such as CNAME records that prove your domain ownership, should not be proxied.
When you set a DNS record to Proxied — shown as an orange cloud icon in the dashboard, also known as "orange-clouded" — Cloudflare can:
In the example DNS table above, there are two DNS records. The record with the name blog has proxy on, while the record named shop has the proxy off (that is, DNS only).
This means that:
- blog.example.com will be answered with Cloudflare anycast IP addresses — shared IP addresses used to route traffic through a nearby data center — instead of 192.0.2.1. This ensures that HTTP/HTTPS requests for this name will be sent to Cloudflare's network and can be proxied, which allows the benefits listed above.
- shop.example.com will be answered with the actual origin IP address, 192.0.2.2. This exposes your origin IP address to anyone who queries the record, which removes a layer of protection against targeted attacks. Cloudflare also cannot provide HTTP/HTTPS analytics on those requests (only DNS analytics).

For further context, refer to How Cloudflare works.
The sections below describe specific behaviors and expected outcomes when you have DNS records set to proxied. There may also be some limitations in specific scenarios.
By default, all proxied records have a time to live (TTL) of Auto, which is set to 300 seconds. This value cannot be edited.
This short TTL ensures that if Cloudflare changes the anycast IP address assigned to your record, the change takes effect quickly. Recursive resolvers — the DNS servers that look up records on behalf of end users — will not cache the old address for longer than 300 seconds (five minutes).
If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied.
Example
DNS management for example.com:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| A | blog | 192.0.2.1 | Proxied | Auto |
| A | blog | 192.0.2.5 | DNS only | Auto |
In this example, all traffic intended for blog.example.com will be treated as if both records were Proxied.
Cloudflare will also proxy a request if a hostname on a CNAME chain — where one CNAME record points to another — is proxied.
Example
Consider that the same Cloudflare account has two different zones, example.com and example.net.
DNS management for example.com:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| CNAME | example.com | origin.example.net | DNS only | Auto |
DNS management for example.net:
| Type | Name | Content | Proxy status | TTL |
|---|---|---|---|---|
| CNAME | origin.example.net | <origin> | Proxied | Auto |
In this example, all traffic intended for example.com will be treated as Proxied.
With CNAME flattening, Cloudflare follows the CNAME chain to find the final IP address, helping DNS queries resolve faster. Proxied CNAME records are flattened by default, as they return Cloudflare anycast IPs.
In some cases, Cloudflare will show a warning message or prevent you from proxying a CNAME record. This happens to avoid misconfigurations and is generally related to other CDN providers or to specific records used for DKIM (email authentication) validation.
For proxied records, if your domain has HTTP/2 or HTTP/3 enabled and is also using Universal SSL, Cloudflare automatically generates HTTPS Service (HTTPS) records on the fly. These DNS records provide clients with information about how to connect to your server upfront, without the need for an initial plaintext HTTP connection to discover supported protocols.
When an A, AAAA, or CNAME record is DNS-only — shown as a gray cloud icon in the dashboard, also known as "gray-clouded" — DNS queries for these will resolve to the record's actual origin IP address, as described in the example.
DNS-only is only recommended for records that do not serve web traffic, such as records used for email routing or third-party domain verification. For records that serve web traffic, DNS-only means your origin IP addresses are visible to anyone who queries the record, potentially exposing your server to bad actors and DDoS attacks. Cloudflare also cannot optimize, cache, and protect those requests or provide HTTP/HTTPS analytics on them.
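The following audit sketch is an added example, not Cloudflare's own code. It applies the same-name rule and the CNAME chain rule described above to a record list, then reports the address records that remain DNS-only and therefore answer with the origin address. The field names (`type`, `name`, `content`, `proxied`), the full-hostname form of each name, and the `origin.invalid` target are assumptions made for the example.

```python
from collections import defaultdict

PROXIABLE = {"A", "AAAA", "CNAME"}  # only these record types can be proxied

# Constructed sample: the page's example rows, written with full hostnames.
# "origin.invalid" stands in for the <origin> placeholder in the table.
RECORDS = [
    {"type": "A", "name": "blog.example.com", "content": "192.0.2.1", "proxied": True},
    {"type": "A", "name": "blog.example.com", "content": "192.0.2.5", "proxied": False},
    {"type": "A", "name": "shop.example.com", "content": "192.0.2.2", "proxied": False},
    {"type": "CNAME", "name": "example.com", "content": "origin.example.net", "proxied": False},
    {"type": "CNAME", "name": "origin.example.net", "content": "origin.invalid", "proxied": True},
    {"type": "MX", "name": "example.net", "content": "mail.example.net", "proxied": False},
]


def _norm(name):
    return name.lower().rstrip(".")


def effective_status(records):
    """Map each hostname holding A/AAAA/CNAME records to True if it is treated as proxied."""
    own = defaultdict(bool)  # name -> at least one record on this name is proxied
    cname = {}               # name -> CNAME target, used to walk chains
    for r in records:
        if r["type"] not in PROXIABLE:
            continue         # MX, TXT and other types are always DNS-only
        name = _norm(r["name"])
        own[name] |= bool(r["proxied"])
        if r["type"] == "CNAME":
            cname[name] = _norm(r["content"])

    def chain_proxied(name):
        seen = set()         # guards against CNAME loops
        while name is not None and name not in seen:
            seen.add(name)
            if own.get(name, False):
                return True  # a proxied hostname on the chain proxies the request
            name = cname.get(name)
        return False

    return {name: chain_proxied(name) for name in own}


def exposed_origins(records):
    """Return (name, type, content) for address records answered with the origin address."""
    status = effective_status(records)
    return sorted((r["name"], r["type"], r["content"]) for r in records
                  if r["type"] in PROXIABLE and not status[_norm(r["name"])])


if __name__ == "__main__":
    for row in exposed_origins(RECORDS):
        print("answers with origin address:", *row)
```

The script cannot tell which records serve web traffic, so its output is a review list: DNS-only entries used for email routing or domain verification are expected to appear in it.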