Proxy status

While your DNS records make your website or application available to visitors and other web services, the Proxy status of a DNS record defines how Cloudflare treats incoming DNS queries for that record.

The records you can proxy through Cloudflare are records used for IP address resolution — meaning A, AAAA, or CNAME records.

Cloudflare recommends proxying all A, AAAA, and CNAME records that are used for serving web traffic. Conversely, CNAME records used for other purposes, for example to verify your domain for a third-party service, should not be proxied.

Benefits

When you set a DNS record to Proxied (also known as orange-clouded), Cloudflare can:

Example

DNS management for example.com:

| Type | Name | Content   | Proxy status | TTL  |
|------|------|-----------|--------------|------|
| A    | blog | 192.0.2.1 | Proxied      | Auto |
| A    | shop | 192.0.2.2 | DNS only     | Auto |

In the example DNS table above, there are two DNS records. The record with the name blog has proxy on, while the record named shop has the proxy off (that is, DNS only).

This means that:

  • A DNS query to the proxied record blog.example.com will be answered with a Cloudflare anycast IP address instead of 192.0.2.1. This ensures that HTTP/HTTPS requests for this name will be sent to Cloudflare's network and can be proxied, which allows the benefits listed above.
  • A DNS query to the DNS-only record shop.example.com will be answered with the actual origin IP address, 192.0.2.2. In addition to exposing your origin IP address and not benefitting from several features, Cloudflare cannot provide HTTP/HTTPS analytics on those requests (only DNS analytics).

For further context, refer to How Cloudflare works.


Proxied records

The sections below describe specific behaviors and expected outcomes when you have DNS records set to proxied. There may also be some limitations in specific scenarios.

Predefined time to live

By default, all proxied records have a time to live (TTL) of Auto, which is set to 300 seconds. This value cannot be edited.

Since only records used for IP address resolution can be proxied, this setting ensures that potential changes to the assigned anycast IP address will take effect quickly, as recursive resolvers will not cache them for longer than 300 seconds (five minutes).

Mix proxied and unproxied

If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied.

Example

DNS management for example.com:

| Type | Name | Content   | Proxy status | TTL  |
|------|------|-----------|--------------|------|
| A    | blog | 192.0.2.1 | Proxied      | Auto |
| A    | blog | 192.0.2.5 | DNS only     | Auto |

In this example, all traffic intended for blog.example.com will be treated as if both records were Proxied.

Protocol optimization

For proxied records, if your domain has HTTP/2 or HTTP/3 enabled, Cloudflare automatically generates corresponding HTTPS Service (HTTPS) records on the fly. HTTPS records allow you to tell a client upfront how it should connect to a server, without the need for an initial plaintext HTTP connection.


DNS-only records

When an A, AAAA, or CNAME record is DNS-only — also known as being gray-clouded — DNS queries for these will resolve to the record's origin IP address, as described in the example.

In addition to potentially exposing your origin IP addresses to bad actors and DDoS attacks, leaving your records as DNS-only means that Cloudflare cannot optimize, cache, and protect requests to your application or provide analytics on those requests.
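
The mixed proxied/unproxied rule and the DNS-only exposure described above can be checked together when reviewing a zone. The following is an added example, not Cloudflare's own code: it assumes each record is a dict with `type`, `name`, `content` and `proxied` fields, and the sample records (including the hypothetical `verify` CNAME and TXT entry) are constructed from the tables on this page.

```python
from collections import defaultdict

PROXIABLE = {"A", "AAAA", "CNAME"}  # record types the page says can be proxied

# Constructed sample zone, based on the example tables above.
SAMPLE_RECORDS = [
    {"type": "A", "name": "blog.example.com", "content": "192.0.2.1", "proxied": True},
    {"type": "A", "name": "blog.example.com", "content": "192.0.2.5", "proxied": False},
    {"type": "A", "name": "shop.example.com", "content": "192.0.2.2", "proxied": False},
    {"type": "CNAME", "name": "verify.example.com",
     "content": "check.thirdparty.example", "proxied": False},  # hypothetical
    {"type": "TXT", "name": "example.com", "content": "v=spf1 -all", "proxied": False},
]


def audit(records):
    """Return DNS-only records and records whose setting is overridden by the mix rule."""
    # Names where at least one A/AAAA record is proxied: per the page, every
    # A/AAAA record on such a name is treated as proxied.
    addr_by_name = defaultdict(list)
    for r in records:
        if r["type"] in ("A", "AAAA"):
            addr_by_name[r["name"].lower()].append(r)
    proxied_names = {n for n, rs in addr_by_name.items() if any(r["proxied"] for r in rs)}

    findings = {"dns_only": [], "mixed": []}
    for r in records:
        if r["type"] not in PROXIABLE:
            continue  # other record types cannot be proxied
        name = r["name"].lower()
        effective = r["proxied"] or (r["type"] != "CNAME" and name in proxied_names)
        if effective and not r["proxied"]:
            # Configured DNS only, but treated as proxied: the setting is misleading.
            findings["mixed"].append((name, r["content"]))
        elif not effective:
            # Queries for this name are answered with the record's own content.
            findings["dns_only"].append((name, r["type"], r["content"]))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for name, rtype, content in result["dns_only"]:
        print(f"DNS only: {name} {rtype} -> {content}")
    for name, content in result["mixed"]:
        print(f"Mixed:    {name} ({content}) is treated as proxied")
```

DNS-only findings still need a manual decision: a record such as the verification CNAME is intentionally unproxied, while a web-serving A record like `shop` is a candidate for proxying.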