Proxy traffic with Secondary DNS override
When you set up incoming zone transfers on a secondary zone, you cannot enable the proxy on any transferred DNS records by default.

With Secondary DNS override, you can use Cloudflare as your secondary DNS provider but still get the performance and security benefits of Cloudflare's proxy. Additionally, it lets you override any `A` and `AAAA` records on your zone apex with a `CNAME` record.
Prerequisites
Before you set up Secondary DNS override, make sure that you have:
Set up a secondary DNS zone and confirmed your DNS records are transferred correctly.
Set your DNSSEC with Secondary DNS option to either Unsigned or Live Signing. If set to Pre-signed, Cloudflare will treat all your DNS records as unproxied (DNS only).
Removed all nameservers from your registrar except for those provided by Cloudflare (highly recommended).
Set up Secondary DNS override
Using the dashboard:

- Log in to the Cloudflare dashboard and select your account and domain.
- Go to DNS > Settings.
- Enable Secondary DNS override.
- On DNS > Records, for specific `A`, `AAAA`, or `CNAME` records, change their Proxy status to Proxied.

Using the API:

- To enable Secondary DNS override on a zone, use the following PATCH request:

```sh
curl --request PATCH https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_settings \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "secondary_overrides": true}'
```

- For specific `A`, `AAAA`, or `CNAME` records, send a POST request with the `proxied` status as `true`.
- Make sure the added record has the same name as the transferred record you intend to proxy. Cloudflare only looks at the name and the proxy status, so the record content does not matter.
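The two API calls above, built in Python as an added example (this is not Cloudflare's own code or client library). It encodes the rules the steps state: only `A`, `AAAA`, and `CNAME` records can be overridden, the record name must match a transferred record or nothing is overridden, and the record content is irrelevant, so a documentation-range placeholder is used. The record endpoint `POST /zones/{zone_id}/dns_records` and the environment variable names `CF_API_EMAIL` / `CF_API_KEY` are assumptions, not from the page.

```python
"""Added example (not Cloudflare's code): build and validate the Secondary
DNS override API requests before sending them.

Assumptions not stated on the page:
  - records are created with POST /zones/{zone_id}/dns_records
  - credentials come from env vars CF_API_EMAIL / CF_API_KEY (placeholder names)
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
# The page says only these record types can be switched to Proxied.
OVERRIDABLE_TYPES = {"A", "AAAA", "CNAME"}
# Content does not matter for an override record, so use reserved
# documentation values (RFC 5737 / RFC 3849 / .invalid) as placeholders.
PLACEHOLDER_CONTENT = {"A": "192.0.2.1", "AAAA": "2001:db8::1", "CNAME": "placeholder.invalid"}


def auth_headers(email, api_key):
    """Same header scheme the curl example on the page uses."""
    return {
        "X-Auth-Email": email,
        "X-Auth-Key": api_key,
        "Content-Type": "application/json",
    }


def enable_override_request(zone_id, email, api_key):
    """PATCH dns_settings with secondary_overrides=true (from the page)."""
    return {
        "method": "PATCH",
        "url": f"{API_BASE}/zones/{zone_id}/dns_settings",
        "headers": auth_headers(email, api_key),
        "body": {"secondary_overrides": True},
    }


def proxied_record_request(zone_id, email, api_key, rtype, name, transferred_names):
    """POST a proxied record whose name matches a transferred record.

    Cloudflare matches on name and proxy status only, so the content is a
    placeholder. A name that matches nothing in the transferred zone is
    rejected here because it would silently override nothing.
    """
    rtype = rtype.upper()
    if rtype not in OVERRIDABLE_TYPES:
        raise ValueError(f"{rtype} records cannot be proxied with Secondary DNS override")
    name = name.rstrip(".").lower()
    known = {n.rstrip(".").lower() for n in transferred_names}
    if name not in known:
        raise ValueError(f"{name} does not match any transferred record")
    return {
        "method": "POST",
        "url": f"{API_BASE}/zones/{zone_id}/dns_records",
        "headers": auth_headers(email, api_key),
        "body": {"type": rtype, "name": name, "content": PLACEHOLDER_CONTENT[rtype], "proxied": True},
    }


def send(req, timeout=10):
    """Send a prepared request with the standard library and return the JSON reply."""
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample run; ZONE_ID is a placeholder.
    email, key = os.environ["CF_API_EMAIL"], os.environ["CF_API_KEY"]
    transferred = ["www.example.com", "example.com"]  # names seen after the zone transfer
    print(send(enable_override_request("ZONE_ID", email, key)))
    print(send(proxied_record_request("ZONE_ID", email, key, "A", "www.example.com", transferred)))
```

The `transferred_names` list would normally come from listing the zone's records after the transfer; passing it in keeps the check explicit and lets the request builders be exercised without network access.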
Proxied `A` and `AAAA` records
After proxying (orange clouding) a Secondary DNS record, any additional records under that hostname transferred from the primary DNS provider are automatically proxied. This applies to all `A` and `AAAA` records under that domain.
`CNAME` record on the zone apex
You can also add a `CNAME` record on the zone apex (supported through CNAME Flattening) and either proxy that record or keep it on DNS Only.

Once you create a `CNAME` record at the apex, existing `A` or `AAAA` records on the zone apex will be deactivated. You can view those deactivated records by clicking View Inactive Records. To re-activate the `A` or `AAAA` records at the root, remove the `CNAME` record.
Verify that your records are proxied
Query DNS at your assigned Secondary DNS nameserver to confirm the DNS response Cloudflare returns. Records proxied by Cloudflare return Cloudflare IPs.
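The check described above, as an added example that is not part of the Cloudflare documentation: it sends an `A`/`AAAA` query directly to a nameserver you name (bypassing the system resolver, so you see exactly what the assigned secondary nameserver answers), parses the answer section, and reports whether each returned address falls inside Cloudflare's published ranges. The CIDR list is a snapshot of the ranges published at cloudflare.com/ips and is an assumption here; refresh it from that page before relying on the result.

```python
"""Added example (not Cloudflare's code): query a specific nameserver and
check whether the returned addresses are Cloudflare proxy IPs.

ASSUMPTION: CLOUDFLARE_RANGES is a snapshot of the list published at
https://www.cloudflare.com/ips/ and must be refreshed from there.
"""
import ipaddress
import secrets
import socket
import struct

CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]
QTYPE_A, QTYPE_AAAA = 1, 28


def is_cloudflare_ip(ip):
    """True if ip lies in one of the snapshotted Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def build_query(name, qtype):
    """Minimal RFC 1035 query: random id, RD set, one question, class IN."""
    txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + ln


def parse_addresses(pkt):
    """Return the A/AAAA addresses in the answer section as strings."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    rcode = flags & 0x0F
    if rcode:
        raise ValueError(f"nameserver returned RCODE {rcode}")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # qtype + qclass
    found = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            found.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            found.append(str(ipaddress.IPv6Address(rdata)))
    return found


def query(name, nameserver, qtype, timeout=3.0):
    """Send one UDP query to nameserver (hostname or IP) and return the raw reply."""
    txid, pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (socket.gethostbyname(nameserver), 53))
        resp, _ = s.recvfrom(4096)
    if struct.unpack(">H", resp[:2])[0] != txid:
        raise RuntimeError("DNS transaction id mismatch")
    return resp


def check_proxied(name, nameserver):
    """Map each address the nameserver returns to whether it is a Cloudflare IP."""
    result = {}
    for qtype in (QTYPE_A, QTYPE_AAAA):
        for ip in parse_addresses(query(name, nameserver, qtype)):
            result[ip] = is_cloudflare_ip(ip)
    return result


if __name__ == "__main__":
    # Placeholders: substitute your hostname and the assigned secondary nameserver.
    for ip, proxied in check_proxied("www.example.com", "ns.example.net").items():
        print(f"{ip}: {'proxied (Cloudflare IP)' if proxied else 'NOT proxied'}")
```

A hostname whose answers are all Cloudflare IPs is being served through the proxy; an answer containing your origin's address means the override did not take effect for that name (for example because the override record's name does not match the transferred one, or because DNSSEC is set to Pre-signed and the zone is treated as DNS only).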