Using Cloudflare DNS without CDN or WAF

This tutorial will discuss the use of Cloudflare DNS without the use of their CDN or WAF services. We will explore the benefits of using Cloudflare’s DNS service alone, including improved security, faster DNS resolution, and cost savings. This tutorial will be useful for those looking to enhance their website’s security without the added complexity and cost of a CDN or WAF.

Cloudflare Managed DNS is an enterprise-grade authoritative DNS service that offers the fastest response time, unparalleled redundancy, and advanced security with built-in DDoS mitigation and DNSSEC.

Cloudflare

Is it true what Cloudflare claims?

According to DNSPerf data, the authoritative nameservers provided by Cloudflare is the fastest services in the world. 👏

cf dns benchmark report
As seen on 10:01 am Friday, 12 March 2021 UTC

When you buy a domain name the registrar typically assign a default nameservers which is usually being slow and unreliable. In another case, some hosting provider also offers their nameservers to quickly align all DNS entries but that has the same story.

Why use Cloudflare for DNS only?

Although I do not recommend Cloudflare Free Plan for CDN purpose. But it’s good enough for DNS service.

Especially with free plan and traditional Cloudflare proxy setup, it can make the website slow instead fast. The underlying reason it can be not having direct peering with ISPs, poor routing, poor plan choice and so on.

I recommend using Cloudflare only for the DNS purpose because it is much faster and secure. The account comes with a two-step verification system as well.

Step 1. Login to Cloudflare Account

  • If you have never used Cloudflare before, you can sign up. It’s free.
  • Already using? Login to dashboard
cloudflare login

Step 2. Pass Two Factor authentication

  • If you are using Two Factor Authentication, complete this step by entering OTP.
cloudflare auth

Step 3. Add a new website

  • Once you are successfully logged in to the Cloudflare Dashboard, click on Add a site button
add a site
  • Enter domain name and click Add site button
cf

Step 4. Choose the Free Plan. It is sufficient.

select free plan

Step 5. Understand Proxy and DNS Sign

  • For all DNS Entries, keep Gray Cloud to have DNS resolution only mode
proxy dns sign

Step 6. Confirm Scanned Entries

  • Cloudflare does its best to scan all previous DNS records, it lists all of them correctly. In rare case, some record might get missed or repeated too many times. We suggest manually verify all of them with previous authoritative nameservers DNS manager. This is important to prevent downtime.
  • Go to each record Proxy Status, change from proxied to DNS resolution only mode.
  • This is the best part of Cloudflare it offers granular control for each records.
dns only mode

Step 7. Update new authoritative nameservers

  • Login to your Domain Registrar, in other words from where you had purchased your domain.
  • Hint: Under DNS section, you can find the option to Update the Nameservers suggested by Cloudflare. If you are unable to find where to update nameservers check this relevant documentation for GoDaddyNamecheap, Bluehost, similarly you can search on Google or contact the support team.
update nameservers
update cf nameservers
  • Once done, click on Done, check nameservers
done check nameservers
  • You can keep track of nameservers propagation via dnschecker site.
  • Skip CloudFlare onbording suggestions by clicking Done or setup later.
skip suggestions
  • Cloudflare periodically checks whether you have pointed your nameservers to Cloudflare. Clicking multiple times Re-check now won’t speed up the process.
  • Once Nameservers propagation finishes, You will get an e-mail from Cloudflare and you will see a message “Great news! Cloudflare is now protecting your site”.
cloudflare status

You can get DNS Analytics report as well.

basic report
Cloudflare DNS Queries
DNS Queries by Datacenter
DNS Dataceneters Report

Should you use Cloudflare CNAME Flattening for pointing other CDN over root domain?

You should not use its services for CNAME Flattening purpose because it doesn’t support EDNS mechanism that leads to off-routing.

I discovered with many Public DNS servers of ISP, the domain was not resolving to a geo-regional IP address as expected.

Testing method

  1. Pointed gulshankumar.net to gushankumar.b-cdn.net using CNAME
  2. It was expected by all DNS server to answer only the regional IP but that didn’t happen.
  3. While any subdomain like www was routing properly but not a naked domain.

Good Case

Test 1
Test 2
Test 3
Test4
Test 5
Test 6

Bad Case

Test 7
Test 8
Test 9
Test 10
Test 11
Test 12

If you want to use BunnyCDN for reverse-proxy/full site acceleration/full site delivery, you should consider using BunnyDNS. It supports pointing root domain over PZ (Pull Zone) record in a proper way.

Always use DNS services same as CDN provider if available. For example, if you use Sucuri then stick to its own DNS nameservers. If you use Cloudfront, use its own AWS Route53 for the better performance. This enhance chances of proper routing.

Is Cloudflare DNS Free to use?

Cloudflare’s authoritative DNS services are free of charge and it does not limit DNS queries for a domain on its network.

How to get vanity nameservers with Cloudflare?

Vanity nameservers such ns1.gulshankumar.net, ns2.gulshankumar.net are premium features available at Cloudflare Business and Enterprise plan.

Shall I use Cloudflare DNS?

The Cloudflare DNS service is reliable for general purpose except for the CNAME Flattening use case.

Leave a Comment

23 thoughts on “Using Cloudflare DNS without CDN or WAF”

  1. Hi Gulshan,

    What when I use CF SSL/TLS cert for my site? If I make it a grey cloud [i.e., only using CF DNS] can’t use SSL cert as it becomes invalid.
    Get browser warnings, cannot access site.

    thx

    Reply
    • You cannot use CF TLS while having DNS only mode [Gray Cloud]. If you want to use Cloudflare for DNS only, your origin server must have a valid cert such as Let’s Encrypt/Comodo.

      Reply
  2. In my CloudFlare account I have my example.com and www.example.com created with a CNAME that point to example.b-cd.net URL. All “A” records are deleted.

    I get a warning next to one of them in CloudFlare. There is an “i” that when I hover over it in CloudFlare it says “Another record shares the same name, so we’ve applied CNAME flattening.”

    What am I doing wrong?

    Reply
    • Trying to enable SSL in Bunny.net for my naked domain (example.com) doesn’t work. I keep getting an error that says it’s not pointing to Bunny, but it is. It’s just that CloudFlare is flattening the naked domain. I don’t understand what I’m doing wrong. I’ve been at it for hours. Thank you!

      Reply
      • You need to point DNS records as below.

        CNAME – example.com —– b-cdn.net – DNS only mode

        CNAME – www —– b-cdn.net – DNS only mode

        Then only you can install SSL cert at bunny.net panel for your Pull Zone.

        Reply
      • Perfect! I got it working… but my Google page speed score took a 20 point dive. However, my GTmetrix score is great!

        Google is warning me “Eliminate render-blocking resources” and there are a bunch of css and js scripts on the Bunny CDN that it’s referring to. Did I do something wrong?

        https://imgur.com/zUVifjo

        Reply
        • Well, the reported issue ‘Eliminate render-blocking resources’ is a different topic. You can safely ignore it. In the age of HTTP/2, Pages load really quick.

          Reply
  3. What should be the cloudflare cache level? Should I set it to standard or I need to bypass cache?

    Can bunnycdn do cache like cloudflare?

    Reply
    • Do you want to use Cloudflare for DNS or Proxy purpose? Using for DNS is fine for anyone. In case of a proxy, you can use Cache Everything for a better experience.

      Reply