Skip to content
Cloudflare Docs

How Cloudflare CDN works

To optimize your website or web application, Cloudflare provides DNS and CDN services, so we can reverse proxy the web traffic to and from your domain.

DNS explained

The Domain Name System (DNS) acts as the Internet's phonebook, translating domain names (for example, cloudflare.com) into numerical Internet Protocol (IP) addresses (for example, 103.21.244.0).

The IP address is like a home address of where a website lives, and the domain name is the human-readable name.

A DNS query is like asking for directions to a place, and the DNS records are the source-of-truth for what exists where. DNS records live in authoritative DNS servers and provide information about a domain, such as the IP addresses of the servers that host the web content and services on that domain. With this information, Internet browsers know where to find a website or app, so they can render it for visitors using HTTP.

Cloudflare as a DNS provider

When you onboard your website or application to Cloudflare, Cloudflare becomes the primary authoritative DNS provider for your domain. As the primary authoritative DNS provider, Cloudflare responds to DNS queries for your domain, and you manage your domain's DNS records via the Cloudflare dashboard or API.

If your domain's status is active and the queried DNS record is set to proxied, Cloudflare responds with an anycast IP address, instead of the origin IP address defined in your DNS table.

Your domain status is active when your nameservers are updated to point to Cloudflare and have been authenticated. The proxy status defines how Cloudflare treats queries for specific DNS records. The anycast IP address is used to distribute traffic amongst Cloudflare's network, which protects your website or app from DDoS and other attacks, while optimizing site speed.

Cloudflare as a reverse proxy

A reverse proxy is a network of servers that sits in front of web servers and either forwards requests to those web servers, or handles requests on behalf of the web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability of websites and web applications.

The flow of a request from a server through Cloudflare to the origin server when Cloudflare is a reverse proxy.

When Cloudflare receives a DNS query for your domain, the response is determined by the configuration set in your DNS table, including the type of the record, the record's proxy eligibility, and its proxy status.

When DNS records in your DNS table have a proxied status, the record's HTTP/HTTPS traffic will route through Cloudflare on its way between the client and the origin server. If the domain's status is active, all HTTP/HTTPS requests for proxied DNS records route through Cloudflare.

Using Cloudflare as a reverse proxy has several benefits, including:

  • Load balancing A reverse proxy can provide a load balancing solution which distributes incoming traffic evenly among different servers to prevent any single server from becoming overloaded. In the event that a server fails completely, other servers can step up to handle the traffic.
  • Protection from attacks. With a reverse proxy in place, a web site or service never needs to reveal the IP address of their origin servers, which makes it much harder for attackers to leverage a targeted attack against them, such as a DDoS attack. Instead the attackers will only be able to target the reverse proxy, such as Cloudflare's CDN, which will have tighter security and more resources to fend off a cyber attack.
  • Caching. A reverse proxy can also cache content, resulting in faster performance. For example, if a user in Paris visits a reverse-proxied website with web servers in Los Angeles, the user might actually connect to a local reverse proxy server in Paris, which will then have to communicate with an origin server in L.A. The proxy server can then cache (or temporarily save) the response data. Subsequent Parisian users who browse the site will then get the locally cached version from the Parisian reverse proxy server, resulting in much faster performance.
  • SSL encryption. SSL/TLS is essential. Without an SSL/TLS certificate, your visitors will find a warning on their browser stating your website or application is not secure. However, encrypting and decrypting SSL (or TLS) communications for each client can be computationally expensive for an origin server. A reverse proxy can be configured to decrypt all incoming requests and encrypt all outgoing responses, freeing up valuable resources on the origin server.