Setting up a DNS zone with Cloudflare

Cloudflare provides three ways of setting up a DNS zone:

  1. Full setup (Cloudflare becomes the authoritative DNS provider)
  2. Partial (CNAME) setup
  3. Zone transfers (secondary DNS)

In this article we address only the second of these, the partial (CNAME) setup. It is used when you already have an authoritative DNS provider (e.g. AWS Route53) and do not want Cloudflare to become the authoritative provider. With a partial setup, individual hostnames are pointed at Cloudflare by CNAME and their traffic is proxied through Cloudflare’s global edge network; every other record in the zone stays exactly where it is.

Steps for creating the Partial CNAME zone

  1. Add the domain example.com to Cloudflare.
  • Select “Add site” to create the zone.
  • Select the plan type (e.g. Free or Enterprise). Partial (CNAME) setup is not available on every plan, so check that the chosen plan supports it before converting.
  2. Once the zone is created, go to the overview page and convert it to a partial (CNAME) zone.
  3. Add the Cloudflare-generated TXT record to the example.com hosted zone in Route53 so that Cloudflare can verify ownership of the domain. The zone is not active until this verification succeeds.
  4. Add the CNAME record for the origin in the newly created example.com zone in Cloudflare, with the proxy enabled (orange cloud). Without the proxy the record simply returns the origin name and traffic never reaches Cloudflare’s edge.
  website.example.com CNAME xxxxxx-12345.us-east-1.elb.amazonaws.com
  5. Create the CNAME record in the Route53 hosted zone (the authoritative DNS provider) that points the public name at Cloudflare:
  website.example.com CNAME website.example.com.cdn.cloudflare.net

Configuring the certificates

  1. Make sure the CAA records in the authoritative DNS (the Route53 hosted zone) permit the certificate authorities Cloudflare issues from.
  • Refer to this doc for the list of CAA records to add.
  • If the zone has no CAA records at all, any CA may issue and nothing needs to be added; if it has CAA records that omit Cloudflare’s CAs, certificate issuance will fail.
  2. Configure the edge certificates.
  • Universal certificate: Cloudflare generates it automatically, but in a partial setup the default HTTP validation can only succeed once traffic is already proxied, so the certificate is instead validated by creating a TXT record in the authoritative DNS provider. Changing the certificate’s validation method to TXT requires an API call to Cloudflare (PATCH /zones/{zone_id}/ssl/verification/{cert_pack_uuid} with validation_method set to txt).
  • Advanced certificate: Universal certificates only cover the apex and first-level subdomains such as website.example.com. To cover second-, third- or deeper-level subdomains such as portal.website.example.com you need to purchase an Advanced Certificate, which can cover multiple hostnames and subdomain levels.
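The DNS records from the setup steps above and the TXT-based validation of the Universal certificate, as one added example (this is not Cloudflare’s code or the original author’s). It builds the Route53 change batch for the ownership TXT and the CNAME, creates the proxied CNAME on the Cloudflare side, switches each certificate pack to TXT validation and turns the returned challenges into further Route53 records. Zone IDs, tokens and hostnames are read from environment variables and are placeholders; the TXT name form cloudflare-verify.<domain> and the verification_info.record_name/record_target fields are assumptions taken from the API documentation, so confirm them against what your zone overview and a real API response show.

```python
"""Drive the DNS side of a partial (CNAME) setup and the TXT-based validation
of the Universal certificate.  Added example, not Cloudflare's or the original
author's code.  Zone IDs, tokens and hostnames come from environment variables
and are placeholders; the verification response shape follows the public API
docs (assumption) and should be checked against a real response."""
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
CF_PROXY_SUFFIX = ".cdn.cloudflare.net"


def route53_change_batch(records):
    """Wrap (name, type, value) tuples as a Route53 ChangeBatch of UPSERTs."""
    return {
        "Comment": "Cloudflare partial (CNAME) setup",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name, "Type": rtype, "TTL": 300,
                "ResourceRecords": [{"Value": value}],
            },
        } for name, rtype, value in records],
    }


def partial_zone_records(domain, host, verify_token):
    """Records for the authoritative zone (Route53): the ownership TXT shown on
    the Cloudflare zone overview (name form assumed here) and the CNAME that
    sends the host to the edge.  Route53 requires TXT values to be quoted."""
    fqdn = f"{host}.{domain}"
    return route53_change_batch([
        (f"cloudflare-verify.{domain}", "TXT", f'"{verify_token}"'),
        (fqdn, "CNAME", f"{fqdn}{CF_PROXY_SUFFIX}"),
    ])


def cloudflare_dns_record(fqdn, origin):
    """Body for POST /zones/{zone_id}/dns_records.  proxied=True is what puts
    the host behind the edge; an unproxied (grey-cloud) record would make
    <fqdn>.cdn.cloudflare.net answer with the origin's address directly."""
    return {"type": "CNAME", "name": fqdn, "content": origin, "proxied": True, "ttl": 1}


def cf_api(token, method, path, body=None):
    """Minimal Cloudflare v4 API call with an API token (no external deps)."""
    req = urllib.request.Request(
        f"{CF_API}{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dcv_txt_records(verification):
    """From GET /zones/{zone_id}/ssl/verification, return the TXT challenges of
    certificate packs that are not yet active, as Route53 (name, type, value)
    tuples.  Assumes the challenge is reported under verification_info as
    record_name / record_target; adjust if your response differs."""
    out = []
    for pack in verification.get("result", []):
        if pack.get("certificate_status") == "active":
            continue
        if pack.get("validation_method") != "txt":
            continue
        info = pack.get("verification_info") or {}
        if "record_name" in info and "record_target" in info:
            out.append((info["record_name"], "TXT", f'"{info["record_target"]}"'))
    return out


def main():
    token, zone_id = os.environ["CF_API_TOKEN"], os.environ["CF_ZONE_ID"]
    domain, host, origin = os.environ["DOMAIN"], os.environ["HOST"], os.environ["ORIGIN"]
    # Steps 3 and 5: records that go into Route53 (apply with the AWS CLI or boto3).
    batch = partial_zone_records(domain, host, os.environ["CF_VERIFY_TOKEN"])
    print(json.dumps(batch, indent=2))
    # Step 4: proxied CNAME on the Cloudflare side.
    cf_api(token, "POST", f"/zones/{zone_id}/dns_records",
           cloudflare_dns_record(f"{host}.{domain}", origin))
    # Certificates: switch every non-active pack to TXT validation, then fetch
    # the challenges; those TXT records also go into Route53.
    packs = cf_api(token, "GET", f"/zones/{zone_id}/ssl/verification")
    for pack in packs["result"]:
        if pack.get("certificate_status") != "active":
            cf_api(token, "PATCH",
                   f"/zones/{zone_id}/ssl/verification/{pack['cert_pack_uuid']}",
                   {"validation_method": "txt"})
    refreshed = cf_api(token, "GET", f"/zones/{zone_id}/ssl/verification?retry=true")
    print(json.dumps(route53_change_batch(dcv_txt_records(refreshed)), indent=2))


if __name__ == "__main__":
    main()
```

The two printed change batches can be applied with aws route53 change-resource-record-sets --hosted-zone-id ... --change-batch file://batch.json. Add the ownership TXT and wait for the zone to become active before the CNAME, otherwise the CNAME target has nothing to serve yet.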

Finally, testing your partial CNAME setup

To test that traffic is proxied through Cloudflare, resolve the hostname with nslookup (or dig) and check two things in the output: the canonical name should be website.example.com.cdn.cloudflare.net, and the addresses returned should belong to Cloudflare’s published IP ranges (https://www.cloudflare.com/ips/) rather than to the load balancer.

nslookup website.example.com

If the addresses are the load balancer’s, either the Route53 CNAME still points at the origin or the Cloudflare record is not proxied. Note also that the load balancer hostname itself remains publicly resolvable, so restrict its security group to Cloudflare’s IP ranges if clients must not be able to bypass the edge.
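The same check as a script, as an added example that is not part of the original article: it parses dig +short output, confirms the CNAME chain passes through website.example.com.cdn.cloudflare.net, and confirms every returned address falls inside Cloudflare’s published ranges. The CIDR lists are a snapshot of https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be refreshed from those URLs; the two sample outputs are constructed (one correctly proxied host, one still pointing at the ELB).

```python
"""Verify that a hostname in a partial (CNAME) setup is actually proxied by
Cloudflare.  Added example, not from the original article.  The CIDR lists are
a snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6 and must be
refreshed from those URLs; the sample dig outputs below are constructed."""
import ipaddress
import subprocess
import sys

CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed `dig +short` outputs: a correctly proxied host, and one whose
# authoritative CNAME still points straight at the load balancer.
SAMPLE_PROXIED = "website.example.com.cdn.cloudflare.net.\n104.16.123.45\n104.16.124.45\n"
SAMPLE_DIRECT = "xxxxxx-12345.us-east-1.elb.amazonaws.com.\n52.1.2.3\n"


def is_cloudflare(ip):
    """True if the address lies in one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def parse_dig_short(text):
    """`dig +short` prints the CNAME chain (names with a trailing dot) followed
    by the final addresses.  Returns (cnames, ips)."""
    cnames, ips = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
            ips.append(line)
        except ValueError:
            cnames.append(line.rstrip("."))
    return cnames, ips


def check_proxied(host, dig_output):
    """Return a list of problems; an empty list means the host resolves via Cloudflare."""
    cnames, ips = parse_dig_short(dig_output)
    expected = f"{host}.cdn.cloudflare.net"
    problems = []
    if expected not in cnames:
        problems.append(f"authoritative CNAME does not go through {expected}: "
                        f"{cnames or 'no CNAME in chain'}")
    if not ips:
        problems.append("no addresses returned")
    for ip in ips:
        if not is_cloudflare(ip):
            problems.append(f"{ip} is outside Cloudflare's ranges: the record is not "
                            "proxied, so WAF and DDoS protection are bypassed")
    return problems


def resolve(host, rrtype):
    """Run dig for one record type and return its +short output."""
    return subprocess.run(["dig", "+short", host, rrtype],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "website.example.com"
    issues = check_proxied(target, resolve(target, "A"))
    aaaa = resolve(target, "AAAA")
    if parse_dig_short(aaaa)[1]:          # only judge IPv6 if AAAA records exist
        issues += check_proxied(target, aaaa)
    print("OK: proxied through Cloudflare" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it as python check_proxied.py website.example.com after changing the Route53 CNAME; a non-zero exit with the ELB address in the output is the usual sign that the Cloudflare record was left unproxied. Because the ELB name stays resolvable regardless, pair this check with a security group on the load balancer that only admits Cloudflare’s ranges.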