Using Cloudflare DNS without CDN or WAF

This tutorial will discuss the use of Cloudflare DNS without the use of their CDN or WAF services. We will explore the benefits of using Cloudflare’s DNS service alone, including improved security, faster DNS resolution, and cost savings. This tutorial will be useful for those looking to enhance their website’s security without the added complexity and cost of a CDN or WAF.

Cloudflare Managed DNS is an enterprise-grade authoritative DNS service that offers the fastest response time, unparalleled redundancy, and advanced security with built-in DDoS mitigation and DNSSEC.


Is it true what Cloudflare claims?

According to DNSPerf data, the authoritative nameservers provided by Cloudflare are the fastest in the world. 👏

Cloudflare DNS benchmark report, as seen at 10:01 am on Friday, 12 March 2021 UTC.

When you buy a domain name, the registrar typically assigns default nameservers, which are usually slow and unreliable. Some hosting providers also offer their own nameservers to quickly align all DNS entries, but the same applies to them.

Why use Cloudflare for DNS only?

Although I do not recommend the Cloudflare Free Plan for CDN purposes, it is good enough for DNS service.

With the free plan and a traditional Cloudflare proxy setup in particular, the website can become slower instead of faster. The underlying reasons can be a lack of direct peering with ISPs, poor routing, a poor plan choice and so on.

I recommend using Cloudflare only for DNS because it is much faster and more secure. The account comes with a two-step verification system as well.

Step 1. Login to Cloudflare Account

  • If you have never used Cloudflare before, you can sign up. It’s free.
  • Already using it? Log in to the dashboard.

Step 2. Pass Two Factor authentication

  • If you are using Two Factor Authentication, complete this step by entering OTP.

Step 3. Add a new website

  • Once you are logged in to the Cloudflare Dashboard, click the Add a site button.
  • Enter the domain name and click the Add site button.

Step 4. Choose the Free Plan. It is sufficient.


Step 5. Understand Proxy and DNS Sign

  • For all DNS entries, keep the Gray Cloud to stay in DNS resolution only mode.

Step 6. Confirm Scanned Entries

  • Cloudflare does its best to scan all previous DNS records and usually lists all of them correctly. In rare cases, a record might be missed or repeated too many times. We suggest manually verifying all of them against the DNS manager of the previous authoritative nameservers. This is important to prevent downtime.
  • Go to each record’s Proxy Status and change it from proxied to DNS resolution only mode.
  • This is the best part of Cloudflare: it offers granular control for each record.

Step 7. Update new authoritative nameservers

  • Log in to your domain registrar, in other words the place where you purchased your domain.
  • Hint: Under the DNS section, you can find the option to update the nameservers to the ones suggested by Cloudflare. If you are unable to find where to update nameservers, check the relevant documentation for GoDaddy, Namecheap or Bluehost; similarly, you can search on Google or contact the support team.
  • Once done, click on Done, check nameservers.
  • You can keep track of nameserver propagation via the dnschecker site.
  • Skip the Cloudflare onboarding suggestions by clicking Done or setup later.
  • Cloudflare periodically checks whether you have pointed your nameservers to Cloudflare. Clicking Re-check now multiple times won’t speed up the process.
  • Once nameserver propagation finishes, you will get an e-mail from Cloudflare and you will see the message “Great news! Cloudflare is now protecting your site”.
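
One way to carry out the Step 6 verification before changing nameservers in Step 7, as an added example that is not part of the original tutorial: it compares record lines collected from the previous nameservers with those served by the new Cloudflare nameservers (for instance with `dig +noall +answer @<nameserver> <name> <type>`). The domain, addresses and sample lines are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample lines in "name TTL class type rdata" layout (dig answer
# sections / BIND exports). example.com and all addresses are placeholders.
OLD_NS_RECORDS = """\
example.com.      3600 IN A   203.0.113.10
www.example.com.  3600 IN A   203.0.113.10
example.com.      3600 IN MX  10 mail.example.com.
mail.example.com. 3600 IN A   203.0.113.25
example.com.      3600 IN TXT "v=spf1 mx -all"
"""
NEW_NS_RECORDS = """\
example.com.      300 IN A    203.0.113.10
www.example.com.  300 IN A    198.51.100.7
example.com.      300 IN MX   10 mail.example.com.
example.com.      300 IN MX   10 MAIL.example.com.
example.com.      300 IN TXT  "v=spf1 mx -all"
"""

def parse_records(text):
    """Count (name, type, rdata) tuples; TTL and class are ignored."""
    records = Counter()
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        # Skip blanks, zone-file comments and lines without all five fields
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype in ("CNAME", "MX", "NS"):   # hostnames compare case-insensitively
            rdata = rdata.rstrip(".").lower()
        records[(name.rstrip(".").lower(), rtype, rdata)] += 1
    return records

def compare_zones(old_text, new_text):
    """Report what differs on the new nameservers relative to the old ones."""
    old, new = parse_records(old_text), parse_records(new_text)
    missing, extra = set(old) - set(new), set(new) - set(old)
    # Same name and type on both sides but different data: a changed record,
    # e.g. one still proxied and answering with a proxy address.
    changed = {k[:2] for k in missing} & {k[:2] for k in extra}
    return {
        "changed": sorted(changed),
        "missing": sorted(k for k in missing if k[:2] not in changed),
        "extra": sorted(k for k in extra if k[:2] not in changed),
        "duplicated": sorted(k for k, n in new.items() if n > 1),
    }

if __name__ == "__main__":
    for kind, items in compare_zones(OLD_NS_RECORDS, NEW_NS_RECORDS).items():
        print(f"{kind}: {items}")
```

An empty report for every category means the new nameservers answer the same as the old ones, so the delegation can be switched without losing a record.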

You can get a DNS Analytics report as well.

Should you use Cloudflare CNAME Flattening for pointing other CDN over root domain?

You should not use Cloudflare for CNAME flattening, because it doesn’t support the EDNS mechanism, and that leads to off-routing.

I discovered that, with many ISPs’ public DNS servers, the domain was not resolving to a geo-regional IP address as expected.

Testing method

  1. Pointed to using CNAME
  2. All DNS servers were expected to answer with only the regional IP, but that didn’t happen.
  3. Any subdomain such as www was routing properly, but the naked domain was not.

[Screenshots: Good Case, Tests 1, 2, 3, 5 and 6; Bad Case, Tests 7 to 12]

If you want to use BunnyCDN for reverse-proxy/full site acceleration/full site delivery, you should consider using BunnyDNS. It supports pointing the root domain via a PZ (Pull Zone) record in a proper way.

Always use the DNS service of your CDN provider if one is available. For example, if you use Sucuri then stick to its own DNS nameservers. If you use Cloudfront, use AWS Route53 for better performance. This improves the chances of proper routing.

Is Cloudflare DNS Free to use?

Cloudflare’s authoritative DNS services are free of charge and it does not limit DNS queries for a domain on its network.

How to get vanity nameservers with Cloudflare?

Vanity nameservers are a premium feature available on the Cloudflare Business and Enterprise plans.

Shall I use Cloudflare DNS?

The Cloudflare DNS service is reliable for general purposes, except for the CNAME Flattening use case.


23 thoughts on “Using Cloudflare DNS without CDN or WAF”

  1. Gerald Tucciarone

    Great info. Thanks

  2. Freddy

    What CDN do you recommend for an ecommerce?

  3. MamaMia

    Hi Gulshan,

    What when I use CF SSL/TLS cert for my site? If I make it a grey cloud [i.e., only using CF DNS] can’t use SSL cert as it becomes invalid.
    Get browser warnings, cannot access site.


    • Gulshan Kumar

      You cannot use CF TLS while having DNS only mode [Gray Cloud]. If you want to use Cloudflare for DNS only, your origin server must have a valid cert such as Let’s Encrypt/Comodo.

  4. Richard

    In my CloudFlare account I have my and created with a CNAME that point to URL. All “A” records are deleted.

    I get a warning next to one of them in CloudFlare. There is an “i” that when I hover over it in CloudFlare it says “Another record shares the same name, so we’ve applied CNAME flattening.”

    What am I doing wrong?

    • Richard

      Trying to enable SSL in for my naked domain ( doesn’t work. I keep getting an error that says it’s not pointing to Bunny, but it is. It’s just that CloudFlare is flattening the naked domain. I don’t understand what I’m doing wrong. I’ve been at it for hours. Thank you!

      • Gulshan Kumar

        You need to point DNS records as below.

        CNAME – —– – DNS only mode

        CNAME – www —– – DNS only mode

        Then only you can install SSL cert at panel for your Pull Zone.

    • Gulshan Kumar

      Yes, the CNAME flattening message is perfectly normal because we are using it.

      • Richard

        Perfect! I got it working… but my Google page speed score took a 20 point dive. However, my GTmetrix score is great!

        Google is warning me “Eliminate render-blocking resources” and there are a bunch of css and js scripts on the Bunny CDN that it’s referring to. Did I do something wrong?

        • Gulshan Kumar

          Well, the reported issue ‘Eliminate render-blocking resources’ is a different topic. You can safely ignore it. In the age of HTTP/2, pages load really quickly.

  5. Pro

    What should be the cloudflare cache level? Should I set it to standard or I need to bypass cache?

    Can bunnycdn do cache like cloudflare?

    • Gulshan Kumar

      Standard. For BunnyCDN caching, read this tutorial.

      • Pro Apk

        I’ve set to standard. Now if I bypass caching of my site using cloudflare page rules will the site become slow?

        Or I should use it combining with bunnycdn?

  6. Pro Apk

    Hi, if I use DNS only, will it expose my origin IP?

    • Gulshan Kumar

      Yes, it will expose the address where you will point.

  7. Jamiu Akinyemi

    Is it advisable for me to use the Cloudflare free plan? I just want to improve my page loads. Thanks

    • Gulshan Kumar

      Do you want to use Cloudflare for DNS or Proxy purpose? Using for DNS is fine for anyone. In case of a proxy, you can use Cache Everything for a better experience.

      • Jamiu Akinyemi

        I’m not really sure about that, but I’ve used Cloudflare as the nameservers and most of the DNS records are proxied through Cloudflare. And how do I use the Cache Everything option? I’m on the Blogger platform.

        • Gulshan Kumar

          I am afraid, I can’t suggest anything about Blogger (Google Blogspot) platform.

          • Jamiu Akinyemi

            Ok, thanks for your time

      • robert haba

        I got very bad scores when I am using Cloudflare CDN. I set up my server with nginx, redis, pagespeed module for nginx and I have a better speed and stats.

        • Gulshan Kumar

          Enable APO and Argo, see the magic.