DNS and DNSSEC Configuration
DNS is the first thing that breaks and the last thing anyone audits. This guide covers zone migration to Cloudflare, DNSSEC activation, record hygiene, and email security configuration.
Zone Setup
Cloudflare supports two DNS modes. Full setup (authoritative) is strongly preferred:
- Full setup - Cloudflare is your authoritative DNS. Change nameservers at your registrar. This enables DNSSEC, full proxy, and all security features.
- CNAME setup - partial proxy via CNAME. Limited features, no DNSSEC. Only use if your registrar does not support NS changes.
Export existing records before migration
# Export current zone (from existing provider). ANY queries are often refused or answered
# minimally (RFC 8482), so query each record type you rely on individually as well
dig example.com ANY +noall +answer
dig example.com MX +noall +answer
dig example.com TXT +noall +answer
# Or use Cloudflare's zone import (auto-scans existing records)
DNSSEC Activation
DNSSEC signs your DNS records cryptographically so resolvers can verify they haven't been tampered with.
- Enable DNSSEC in Cloudflare dashboard (DNS > DNSSEC)
- Cloudflare generates a DS record
- Add the DS record at your registrar
- Wait for propagation (up to 24 hours)
- Verify with dig +dnssec
Verify DNSSEC is active
# Check for RRSIG records (signed responses)
dig +dnssec example.com A
# Check for AD flag (Authenticated Data). The flag is set by a validating
# resolver, not by the zone, so query one explicitly (1.1.1.1 validates)
dig +dnssec @1.1.1.1 example.com | grep "flags:" | grep -w "ad"
# Online verification
# https://dnssec-analyzer.verisignlabs.com/
Record Hygiene
Audit DNS records regularly. Common issues:
- Stale records - A/AAAA records pointing to decommissioned IPs. These are subdomain takeover targets.
- Wildcard records - *.example.com resolves everything. Remove unless explicitly required.
- Exposed internal names - records like staging.example.com, dev.example.com, vpn.example.com leak infrastructure information.
- Dangling CNAMEs - CNAME to a service you no longer use (old SaaS, deprovisioned CDN). Takeover risk.
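The audit above is easier to repeat if it runs over the zone export rather than by eye. As an added example (not code from the original guide), this script checks a record list in the shape of Cloudflare's dns_records API output (name, type, content, proxied) for the four problems just listed; the sample zone and the list of internal-looking labels are constructed, and the dangling-CNAME check takes an injectable resolver so it can run offline.

```python
"""Audit a zone export for the record-hygiene issues listed above.

Added example, not code from the original page.  Records use the field
names of Cloudflare's dns_records API (name, type, content, proxied) so
the JSON from the API call can be piped straight in; the sample zone is
constructed.  Dangling-CNAME detection takes an injectable resolver so it
runs offline in tests; the default uses the system resolver.
"""
import json
import socket
import sys

# Constructed sample in the shape of the API's `result` array.
SAMPLE_RECORDS = [
    {"name": "example.com", "type": "A", "content": "192.0.2.10", "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "content": "example.com", "proxied": True},
    {"name": "*.example.com", "type": "A", "content": "192.0.2.10", "proxied": False},
    {"name": "staging.example.com", "type": "A", "content": "192.0.2.20", "proxied": False},
    {"name": "blog.example.com", "type": "CNAME",
     "content": "old-tenant.saas-host.invalid", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "aspmx.l.google.com", "proxied": False},
]

# Labels that commonly reveal internal infrastructure (assumed list; extend for your org).
INTERNAL_LABELS = {"staging", "dev", "test", "uat", "vpn", "internal", "intranet", "jenkins", "gitlab"}
WEB_TYPES = {"A", "AAAA", "CNAME"}


def resolves_via_system_dns(hostname):
    """True if the name resolves to any address; NXDOMAIN gives False."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def audit_zone(records, resolves=resolves_via_system_dns):
    """Return (severity, record name, finding) tuples for each problem found."""
    findings = []
    zone_names = {r["name"] for r in records}
    for r in records:
        name, rtype, content = r["name"], r["type"], r["content"]
        if name.startswith("*."):
            findings.append(("high", name, "wildcard record; remove unless explicitly required"))
        if name.split(".")[0].lower() in INTERNAL_LABELS:
            findings.append(("medium", name, "internal-looking name leaks infrastructure information"))
        # A CNAME whose target no longer exists is the classic takeover target.
        # A target that resolves can still be unclaimed at the provider, so this
        # check narrows the manual review; it does not replace it.
        if rtype == "CNAME" and content not in zone_names and not resolves(content):
            findings.append(("high", name, f"dangling CNAME to {content} (target does not resolve)"))
        if rtype in WEB_TYPES and not r.get("proxied"):
            findings.append(("low", name, "DNS-only web record bypasses WAF/DDoS and exposes the origin IP"))
    return findings


if __name__ == "__main__":
    # Usage: curl -s ".../dns_records" -H "Authorization: Bearer $API_TOKEN" | python3 audit_zone.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"result": SAMPLE_RECORDS}
    for severity, name, finding in audit_zone(data["result"]):
        print(f"[{severity}] {name}: {finding}")
```

Run it with the API output piped in, or with no input to see the findings on the constructed sample. The DNS-only finding is deliberately low severity because MX-style exceptions are listed under Proxy Status below; treat it as a prompt to confirm the record is grey-cloud on purpose.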
Subdomain enumeration
# List all records in the zone via API (per_page defaults to 100; add &page=N for larger zones)
curl -s "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?per_page=100" \
-H "Authorization: Bearer ${API_TOKEN}" \
| jq -r '.result[] | [.name, .type, .content, (.proxied|tostring)] | @tsv'
Email Security Records
Even if you don't send email from your domain, configure these to prevent spoofing:
SPF
# If you send email (e.g. via Google Workspace)
TXT example.com "v=spf1 include:_spf.google.com -all"
# If you do NOT send email
TXT example.com "v=spf1 -all"
DMARC
# Start with monitoring (p=none), then move to reject
TXT _dmarc.example.com "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# After verifying legitimate email passes
TXT _dmarc.example.com "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DKIM
DKIM records are provider-specific. Your email provider (Google Workspace, Microsoft 365, etc.) generates the DKIM key. Add it as a TXT or CNAME record per their documentation.
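The SPF and DMARC records above are short, but the wrong qualifier or a missing tag silently removes the protection. As an added example (not code from the original guide), this linter parses SPF terms (RFC 7208) and DMARC tag=value pairs (RFC 7489) and reports the weaknesses that matter: +all or ~all, terms after all, too many DNS lookups, p=none, missing rua, partial pct and sp=none. The sample records are the guide's own plus constructed weak ones.

```python
"""Lint SPF and DMARC TXT records for the weaknesses that matter.

Added example, not code from the original page.  It parses the record
syntax used above (RFC 7208 SPF terms, RFC 7489 DMARC tag=value pairs) and
returns findings; the weak sample records are constructed.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Split an SPF record into its terms; None if it is not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def _mechanism(term):
    """Strip qualifier, argument and CIDR: '-include:x.com' -> 'include'."""
    return term.lower().lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]


def lint_spf(txt):
    terms = parse_spf(txt)
    if terms is None:
        return ["no SPF record (v=spf1 missing)"]
    findings = []
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every sender; use -all")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to -all once every legitimate sender is listed")
        if terms[-1] != all_terms[-1]:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(_mechanism(t) == "ptr" for t in terms):
        findings.append("'ptr' is deprecated and slow to evaluate")
    return findings


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def lint_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject after reviewing reports")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} enforces the policy on only part of the mail")
    if policy == "reject" and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed records: the two from this guide plus deliberately weak ones.
SAMPLES = {
    "spf_google": "v=spf1 include:_spf.google.com -all",
    "spf_no_mail": "v=spf1 -all",
    "spf_open": "v=spf1 include:_spf.google.com +all",
    "dmarc_monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dmarc_enforce": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dmarc_partial": "v=DMARC1; p=reject; pct=10; sp=none",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        lint = lint_spf if record.startswith("v=spf1") else lint_dmarc
        print(f"{label}: {lint(record) or ['ok']}")
```

Feed it the output of `dig TXT example.com +short` and `dig TXT _dmarc.example.com +short` (strip the surrounding quotes first); the lookup counter only counts terms in the record itself, so a record that stays under 10 here can still exceed the limit once its include targets are expanded.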
Proxy Status
Cloudflare proxy (orange cloud) must be enabled for WAF, DDoS protection, and caching to work. Grey-cloud records bypass all Cloudflare security features.
- Proxied (orange) - traffic flows through Cloudflare. Origin IP hidden. Required for: A, AAAA, CNAME records serving web traffic.
- DNS only (grey) - Cloudflare resolves DNS but does not proxy traffic. Use for: MX records, non-HTTP services, records that must expose the real IP.
Verification
# Verify zone is on Cloudflare nameservers
dig NS example.com +short
# Should return *.ns.cloudflare.com
# Verify DNSSEC (RRSIG data should appear alongside the A record; +short hides the AD flag)
dig +dnssec example.com +short
# Verify SPF
dig TXT example.com +short | grep spf
# Verify DMARC
dig TXT _dmarc.example.com +short
# Check for dangling records (manual review)
curl -s "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
-H "Authorization: Bearer ${API_TOKEN}" \
| jq '.result[] | select(.type=="CNAME") | .name, .content'