Cloudflare acts as both a DNS provider and a proxy. When traffic is 'proxied' through Cloudflare (orange cloud), your origin server's real IP is hidden and traffic passes through Cloudflare's network for CDN caching and DDoS mitigation.
DNS Records Required
| Type | Host | Value | TTL | Notes |
|---|---|---|---|---|
| NS | @ | aria.ns.cloudflare.com | 86400 | Assigned when you add your site — check Cloudflare dashboard |
| NS | @ | carl.ns.cloudflare.com | 86400 | Your specific NS names will be different |
| A | @ | YOUR_SERVER_IP | Auto | Root domain — Cloudflare proxies traffic |
| A | www | YOUR_SERVER_IP | Auto | www subdomain — proxied |
| CNAME | mail | yourdomain.com | 3600 | Mail subdomain — DNS only (not proxied) |
Step-by-Step Setup
Add your site to Cloudflare
Go to dash.cloudflare.com → Add a Site → enter your domain → Select Free plan.
Cloudflare scans existing records
Cloudflare automatically imports your existing DNS records. Review them — add any missing ones and remove any you don't want.
Note your assigned nameservers
Cloudflare assigns two nameservers specific to your account (e.g., aria.ns.cloudflare.com). Copy both exactly.
Update nameservers at your registrar
Log into your domain registrar (GoDaddy, Namecheap, etc.) → Domain settings → Nameservers → Change to custom → enter both Cloudflare NS values.
Wait for activation
Nameserver propagation takes 5 minutes to 24 hours. Cloudflare emails you when the site is active.
Configure proxying
Orange cloud (proxied) = traffic goes through Cloudflare CDN/DDoS protection. Gray cloud (DNS only) = bypasses Cloudflare. Mail, FTP, and SSH records should be DNS only.
Copy-ready records: Use the DNS Record Builder — select this service from the dropdown and enter your domain to get all records formatted and ready to copy.
After Adding Records
DNS changes can take anywhere from a few minutes to 24 hours to propagate. Use the DNS Propagation Checker to verify your records are live globally, then return to the service's admin console to verify domain ownership.
Proxy A and CNAME records for web traffic (www, @, app). Don't proxy mail records (MX and associated A/CNAME), FTP, or SSH — Cloudflare only proxies HTTP/HTTPS traffic.
Nameserver propagation takes anywhere from 5 minutes to 24 hours. Most accounts activate within an hour. Cloudflare sends an email when the site is active.
The free plan includes CDN, DDoS protection, a firewall, and SSL. For most small to medium sites, free is sufficient. Paid plans add advanced WAF rules, image optimization, and higher cache limits.