cloudflare · RebeccaTamachiro · Jan 15, 2025 · Jan 17, 2025 · Jan 20, 2025 · Jan 20, 2025
@@ -352,6 +352,7 @@
 /dns/foundation-dns/graphql-analytics/ /dns/additional-options/analytics/ 301
 /dns/manage-dns-records/how-to/dns-load-balancing/ /dns/manage-dns-records/how-to/round-robin-dns/ 301
 /dns/manage-dns-records/how-to/create-root-domain/ /dns/manage-dns-records/how-to/create-zone-apex/ 301
+/dns/manage-dns-records/reference/proxied-dns-records/ /dns/manage-dns-records/proxy-status/ 301
 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301
 /dns/zone-setups/partial-setup/convert-partial-to-full/ /dns/zone-setups/conversions/convert-partial-to-full/ 301
 /dns/zone-setups/partial-setup/convert-partial-to-secondary/ /dns/zone-setups/conversions/convert-partial-to-secondary/ 301

@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: Additional options
 sidebar:
-  order: 8
+  order: 12
   group:
     hideIndex: true
 ---

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: CNAME flattening
 sidebar:
-  order: 7
+  order: 9
   label: About
 ---
 

@@ -2,7 +2,7 @@
 pcx_content_type: overview
 title: DNS Firewall
 sidebar:
-  order: 10
+  order: 15
 
 ---
 

@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: DNSSEC
 sidebar:
-  order: 6
+  order: 8
 
 ---
 

@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: DNS records
 sidebar:
-  order: 5
+  order: 6
 
 ---
 

@@ -0,0 +1,72 @@
+---
+pcx_content_type: concept
+title: About proxying
+sidebar:
+  order: 2
+  label: About
+---
+
+import { Render, Example } from "~/components";
+
+While your [DNS records](/dns/manage-dns-records/) are used to make your website or application available to visitors and other web services, the **Proxy status** of a DNS record is used to define how Cloudflare treats incoming traffic to that record.
+
+The records you can proxy through Cloudflare are [IP address resolution records](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) — meaning A, AAAA, or CNAME records.
+
+Proxying is on by default (for the applicable records) when you onboard a domain via the dashboard. Cloudflare recommends setting to proxied all A, AAAA, and CNAME records that are used for serving web traffic.
+
+### Proxied records
+
+When you set a DNS record to **Proxied**, Cloudflare can:
+
+- Protect your origin server from [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/).
+- [Optimize, cache, and protect](/fundamentals/setup/manage-domains/connect-your-domain/#domain-configurations) all requests to your application.
+- Apply your configurations for a variety of [Cloudflare products](/dns/proxy-status/cloudflare-configuration/).
+
+Apart from that, proxied DNS records have specific predefined fields and expected behavior — refer to [Proxied records](/dns/manage-dns-records/proxy-status/proxied-records/) for details.
+
+To understand how Cloudflare responds to requests for proxied records, consider [How proxying works](/dns/proxy-status/about-proxying/#how-proxying-works) below.
+
+### DNS-only records
+
+When an A, AAAA, or CNAME record is **DNS-only** (also known as being gray-clouded), DNS queries for this record will resolve to the record's normal IP address.
+
+In addition to potentially exposing your origin IP addresses to bad actors and [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/), leaving your records as **DNS-only** means that:
+
+- Cloudflare cannot [optimize, cache, and protect](/fundamentals/setup/manage-domains/connect-your-domain/#domain-configurations) requests to your domain.
+- Cloudflare cannot provide analytics on those requests.
+- Your configuration for a variety of [Cloudflare products](/dns/proxy-status/cloudflare-configuration/) will not be applied.
+
+---
+
+## How proxying works
+
+When you set a DNS record to **Proxied**, Cloudflare responds with an [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/) **instead of** the value defined on your [DNS table](/dns/manage-dns-records/#dns-records-table). This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.
+
+<Render file="proxy-status-dns-table" />
+
+### Proxied record example
+
+<Render file="proxy-on-example" />
+
+### DNS-only record example
+
+<Render file="proxy-off-example" />
+
+---
+
+## IP addresses
+
+Because requests to proxied records go through Cloudflare before reaching your origin server, traditionally all requests will appear to be coming from Cloudflare's IP addresses and could be blocked or rate limited. Refer to [allow Cloudflare IPs](/fundamentals/concepts/cloudflare-ip-addresses/) to learn how to adjust your server configuration.
+
+```mermaid
+flowchart LR
+accTitle: Connections with Cloudflare
+A[Client] <-- Connection --> B[Cloudflare global network] <-- Connection --> C[Origin server]
+```
+
+Cloudflare anycast IPs used to proxy traffic on your domain are assigned automatically and can change at any time for operational reasons. By default, if you need to allowlist Cloudflare IPs on your infrastructure or hosting provider, you should include the full list of [Cloudflare anycast IPs](https://www.cloudflare.com/ips/).
+
+Alternatively, if you are an Enterprise customer, you have the following options:
+
+- [Cloudflare Aegis](/aegis/) allows you to get dedicated IPs for the connection between Cloudflare and your origin server, meaning you only have to allowlist a small number of IPs.
+- [Static IPs](/byoip/concepts/static-ips/) or [bring your own IPs (BYOIP)](/byoip/) allow you to specify what IPs should be used in the connection between clients and Cloudflare.
@@ -0,0 +1,9 @@
+---
+pcx_content_type: reference
+title: Products that require proxying
+sidebar:
+  order: 4
+  label: Cloudflare configuration
+---
+
+List of other Cloudflare products that depend on records being proxied.
@@ -0,0 +1,13 @@
+---
+pcx_content_type: concept
+title: Proxy status
+sidebar:
+  order: 7
+  group:
+    hideIndex: true
+    label: Proxying
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />
@@ -0,0 +1,10 @@
+---
+pcx_content_type: reference
+title: Limitations
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components";
+
+<Render file="limitations" product="dns" />
@@ -0,0 +1,56 @@
+---
+pcx_content_type: reference
+title: Proxied DNS records
+sidebar:
+  order: 2
+  label: Proxied records
+---
+
+import { Render, Details, Example, GlossaryTooltip } from "~/components";
+
+:::caution[TEMP WIP NOTE]
+Not too sure about the name. The idea would be to document any "expected behavior" for proxied records here
+
+More details of how the DNS record proxy status interacts with other Cloudflare configurations. Besides content below (pulled from previously existing page), things like O2O, BYOIP address maps, etc, could go here.
+:::
+
+The sections below describe specific behaviors and expected outcomes when you have DNS records set to <GlossaryTooltip term="proxy status">proxied</GlossaryTooltip>. For further context, refer to [About proxying](/dns/proxy-status/about-proxying/).
+
+## Predefined time to live
+
+
+By default, all [proxied records](/dns/proxy-status/about-proxying/#proxied-records) have a time to live (TTL) of **Auto**, which is set to 300 seconds.
+
+Since only [IP resolution records](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) can be proxied, this setting ensures that queries to your domain name resolve fairly quickly. This setting also means that any changes to proxied A, AAAA, or CNAME records will take place within five minutes or less.
+
+:::note
+It may take longer than five minutes for you to actually experience record changes, as your local DNS cache may take longer to update.
+:::
+
+## Mix proxied and unproxied
+
+If you have multiple A or AAAA records on the same name and at least one of them is proxied, Cloudflare will treat all A or AAAA records on this name as being proxied.
+
+<Details header="Example">
+
+<Example>
+DNS management for **example.com**:
+
+| Type | Name    | Content      | Proxy status | TTL    |
+| ---- | ------- | ------------ | ------------ | ------ |
+| A    | `blog`  | `192.0.2.1`  | Proxied      | Auto   |
+| A    | `blog`  | `192.0.2.5`  | DNS only     | Auto   |
+
+In this example, all traffic intended for `blog.example.com` will be treated as if both records were [proxied](/dns/proxy-status/about-proxying/#proxied-records).
+
+</Example>
+
+</Details>
+
+## Protocol optimization
+
+For proxied records, if your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), Cloudflare automatically generates corresponding [HTTPS Service (HTTPS) records](/dns/manage-dns-records/reference/dns-record-types/#svcb-and-https) on the fly. HTTPS records allow you to provide a client with information about how it should connect to a server upfront, without the need of an initial plaintext HTTP connection.
+
+:::note
+Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling [Universal SSL](/ssl/edge-certificates/universal-ssl/), for example, could impact this behavior.
+:::
@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: Reference
 sidebar:
-  order: 11
+  order: 16
   group:
     hideIndex: true
 ---

@@ -6,7 +6,7 @@ sidebar:
 
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Render } from "~/components"
 
 The [Cloudflare global network](https://www.cloudflare.com/network/) can improve the security, performance, reliability, and privacy of anything connected to the Internet, such as your website, SaaS application, or corporate network.
 
@@ -20,42 +20,34 @@ We support a few different [setups](/dns/zone-setups/) for using Cloudflare as a
 
 When Cloudflare receives a DNS query for your domain, our response is determined by the configuration [set in your DNS table](/dns/manage-dns-records/how-to/create-dns-records/), including the value of the record, the record's [proxy eligibility](/dns/manage-dns-records/reference/proxied-dns-records/#proxy-eligibility), and its [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/).
 
-If the [domain's status](/dns/zone-setups/reference/domain-status/) is active and the queried DNS record is set to `proxied`, then Cloudflare responds with an [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/), **instead of** the value defined in your DNS table. This effectively re-routes the `HTTP/HTTPS` requests to the Cloudflare network, instead of directly reaching the targeted the [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
+If the [domain's status](/dns/zone-setups/reference/domain-status/) is active and the queried DNS record is set to `proxied`, then Cloudflare responds with an [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/), **instead of** the value defined in your DNS table. This effectively re-routes the HTTP/HTTPS requests to the Cloudflare network, instead of directly reaching the targeted the [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
 
-In contrast, if the queried DNS record is set to `DNS only`, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means `HTTP/HTTPS` requests route directly to the origin server and are not processed or protected by Cloudflare.
+In contrast, if the queried DNS record is set to `DNS only`, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means HTTP/HTTPS requests route directly to the origin server and are not processed or protected by Cloudflare.
 
 ### How Cloudflare works as a reverse proxy
 
-All DNS records in your DNS table have a [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/), indicating whether or not `HTTP/HTTPS` traffic for that record will route through Cloudflare on its way between the client and the origin server. If the [domain's status](/dns/zone-setups/reference/domain-status/) is active, all `HTTP/HTTPS` requests for [proxied DNS records](/dns/manage-dns-records/reference/proxied-dns-records/#proxied-records) route through Cloudflare.
+All DNS records in your DNS table have a [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/), indicating whether or not HTTP/HTTPS traffic for that record will route through Cloudflare on its way between the client and the origin server. If the [domain's status](/dns/zone-setups/reference/domain-status/) is active, all HTTP/HTTPS requests for [proxied DNS records](/dns/manage-dns-records/reference/proxied-dns-records/#proxied-records) route through Cloudflare.
 
 As these requests pass through our network, they are processed according to your [configuration](/fundamentals/setup/manage-domains/connect-your-domain/#domain-configurations). Subsequently, legitimate requests are forwarded to the origin server.
 
 Refer to our [Load Balancing reference architecture](/reference-architecture/architectures/load-balancing/) to learn more about advanced ways to forward traffic to your origins (or other <GlossaryTooltip term="endpoint" link="/glossary/?term=endpoint">endpoints</GlossaryTooltip>), as well as our [CDN reference architecture](/reference-architecture/architectures/cdn/) to learn more about how Cloudflare processes and optimizes your web traffic.
 
-:::note
-
-Proxying is on by default for records that serve `HTTP/HTTPS` traffic (`A`, `AAAA`, and `CNAME` records). To proxy `HTTP/HTTPS` traffic on [non-standard ports](/fundamentals/reference/network-ports/) or to proxy a `TCP-` or `UDP-` based application, use [Cloudflare Spectrum](/spectrum/). 
-:::
-
 In the Cloudflare dashboard, find out which DNS records are proxied by selecting your domain and navigating to the **DNS records** tab.
 
 #### Example DNS table
 
-| Type |  Name  |   Content   | Proxy status |   TTL  | Actions |
-| :--: | :----: | :---------: | :----------: | :----: | ------: |
-|  `A` | `blog` | `192.0.2.1` |   `Proxied`  | `Auto` |  `Edit` |
-|  `A` | `shop` | `192.0.2.2` |  `DNS only`  | `Auto` |  `Edit` |
+<Render file="proxy-status-dns-table" product="dns" />
 
-In the example DNS table above, there are two DNS records. The record with the name `blog` has the proxy on, while the record named `shop` has the proxy off (that is, `DNS only`).
+#### Proxied record example
 
-#### Proxied DNS record example
+<Render file="proxy-on-example" product="dns" />
 
-When the browser initiates a `HTTP/HTTPS` request to `blog.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates a `HTTP/HTTPS` request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. Cloudflare forwards it to the configured origin server, which is `192.0.2.1`.
+#### DNS-only record example
 
-#### DNS only record example
+<Render file="proxy-off-example" product="dns" />
 
-When the browser initiates a `HTTP/HTTPS` request to `shop.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, `DNS only`), Cloudflare will answer with `192.0.2.2`. Finally, the browser initiates a `HTTP/HTTPS` request to the server hosted at `192.0.2.2`.
+#### Protocols, ports, and methods
 
-#### HTTP methods Cloudflare supports
+Proxying is on by default for records that serve HTTP/HTTPS traffic (A, AAAA, and CNAME records). To proxy HTTP/HTTPS traffic on [non-standard ports](/fundamentals/reference/network-ports/) or to proxy a TCP- or UDP- based application, use [Cloudflare Spectrum](/spectrum/).
 
 Cloudflare supports all standard HTTP methods, with the exception of `CONNECT`, `TRACE`, and `PURGE`, which are restricted.
@@ -0,0 +1,6 @@
+---
+{}
+
+---
+
+When a browser initiates an HTTP/HTTPS request to `shop.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, **DNS only**), Cloudflare will answer with `192.0.2.2`. Finally, the browser initiates an HTTP/HTTPS request to the server hosted at `192.0.2.2`.
@@ -0,0 +1,6 @@
+---
+{}
+
+---
+
+When a browser initiates an HTTP/HTTPS request to `blog.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates an HTTP/HTTPS request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. When needed, Cloudflare forwards the request to the configured origin server, which is `192.0.2.1`.
@@ -0,0 +1,18 @@
+---
+{}
+
+---
+
+import { Example } from "~/components";
+
+<Example>
+
+DNS management for **example.com**:
+
+| Type |  Name  |   Content   | Proxy status |   TTL  |
+| :--: | :----: | :---------: | :----------: | :----: |
+|  A | `blog` | `192.0.2.1` |   Proxied  | Auto |
+|  A | `shop` | `192.0.2.2` |  DNS only  | Auto |
+</Example>
+
+In the example DNS table above, there are two DNS records. The record with the name `blog` has the proxy on, while the record named `shop` has the proxy off (that is, **DNS only**).