[DNS] Review proxied-dns-records

public/_redirects

@@ -352,6 +352,7 @@
 /dns/foundation-dns/graphql-analytics/ /dns/additional-options/analytics/ 301
 /dns/manage-dns-records/how-to/dns-load-balancing/ /dns/manage-dns-records/how-to/round-robin-dns/ 301
 /dns/manage-dns-records/how-to/create-root-domain/ /dns/manage-dns-records/how-to/create-zone-apex/ 301
+/dns/manage-dns-records/reference/proxied-dns-records/ /dns/manage-dns-records/proxy-status/ 301
 /dns/reference/troubleshooting/ /dns/reference/recommended-third-party-tools/ 301
 /dns/zone-setups/partial-setup/convert-partial-to-full/ /dns/zone-setups/conversions/convert-partial-to-full/ 301
 /dns/zone-setups/partial-setup/convert-partial-to-secondary/ /dns/zone-setups/conversions/convert-partial-to-secondary/ 301

src/content/docs/dns/manage-dns-records/proxy-status/about-proxying.mdx

@@ -0,0 +1,46 @@
+---
+pcx_content_type: concept
+title: How proxying works (TBD)
+sidebar:
+  order: 2
+  label: About
+---
+
+import { Render } from "~/components";
+
+The **Proxy status** of a DNS record affects how Cloudflare treats incoming traffic to that record. Cloudflare recommends enabling our proxy for all [A, AAAA, and CNAME](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) records that are used for serving web traffic.
+
+![Proxy status affects how Cloudflare treats traffic intended for specific DNS records](~/assets/images/dns/proxy-status-screenshot.png)
+
+When you proxy specific DNS records through Cloudflare - specifically A, AAAA, or CNAME records  — DNS queries for these will resolve to Cloudflare anycast IPs instead of their original DNS target. This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.
+
+```mermaid
+flowchart LR
+accTitle: Connections with Cloudflare
+A[Visitor] <-- Connection --> B[Cloudflare global network] <-- Connection --> C[Origin server]
+```
+
+This behavior allows Cloudflare to [optimize, cache, and protect](/fundamentals/concepts/how-cloudflare-works/) all requests to your application, as well as protect your origin server from [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/).
+
+## DNS-only records
+
+When an A, AAAA, or CNAME record is **DNS-only** — also known as being gray-clouded — DNS queries for these will resolve to the record's normal IP address.
+
+In addition to potentially exposing your origin IP addresses to bad actors and [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/), leaving your records as **DNS-only** means that Cloudflare cannot [optimize, cache, and protect](/fundamentals/concepts/how-cloudflare-works/) requests to your application or provide analytics on those requests.
+
+## Example DNS table
+
+| Type |  Name  |   Content   | Proxy status |   TTL  | Actions |
+| :--: | :----: | :---------: | :----------: | :----: | ------: |
+|  `A` | `blog` | `192.0.2.1` |   `Proxied`  | `Auto` |  `Edit` |
+|  `A` | `shop` | `192.0.2.2` |  `DNS only`  | `Auto` |  `Edit` |
+
+In the example DNS table above, there are two DNS records. The record with the name `blog` has the proxy on, while the record named `shop` has the proxy off (that is, **DNS only**).
+
+### Proxied DNS record example
+
+When the browser initiates a HTTP/HTTPS request to `blog.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates a HTTP/HTTPS request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. Cloudflare forwards it to the configured origin server, which is `192.0.2.1`.
+
+### DNS only record example
+
+When the browser initiates a HTTP/HTTPS request to `shop.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, **DNS only**), Cloudflare will answer with `192.0.2.2`. Finally, the browser initiates a HTTP/HTTPS request to the server hosted at `192.0.2.2`.

src/content/docs/dns/manage-dns-records/proxy-status/cloudflare-configuration.mdx

@@ -0,0 +1,9 @@
+---
+pcx_content_type: reference
+title: Products that require proxied records
+sidebar:
+  order: 4
+  label: Cloudflare configuration
+---
+
+List of other Cloudflare products that depend on records being proxied.

src/content/docs/dns/manage-dns-records/reference/proxied-dns-records.mdx → src/content/docs/dns/manage-dns-records/proxy-status/index copy.mdx

@@ -1,17 +1,20 @@
 ---
 pcx_content_type: concept
-title: Proxy status
+title: Previous page (delete after)
 sidebar:
-  order: 1
-
+  order: 15
+  label: Ref - delete after
+  hidden: true
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
-The **Proxy status** of a DNS record affects how Cloudflare treats incoming traffic to that record. Cloudflare recommends enabling our proxy for all `A`, `AAAA`, and `CNAME` records that are used for serving web traffic.
+The **Proxy status** of a DNS record affects how Cloudflare treats incoming traffic to that record. Cloudflare recommends enabling our proxy for all [A, AAAA, and CNAME](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) records that are used for serving web traffic.
 
 ![Proxy status affects how Cloudflare treats traffic intended for specific DNS records](~/assets/images/dns/proxy-status-screenshot.png)
 
+## How proxying works
+
 ***
 
 ## Proxied records

src/content/docs/dns/manage-dns-records/proxy-status/index.mdx

@@ -0,0 +1,12 @@
+---
+pcx_content_type: concept
+title: Proxy status
+sidebar:
+  order: 2
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components";
+
+<DirectoryListing />

src/content/docs/dns/manage-dns-records/proxy-status/limitations.mdx

@@ -0,0 +1,10 @@
+---
+pcx_content_type: reference
+title: Limitations
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components";
+
+<Render file="limitations" product="dns" />

src/content/docs/dns/manage-dns-records/proxy-status/proxied-records.mdx

@@ -0,0 +1,56 @@
+---
+pcx_content_type: reference
+title: Proxied DNS records
+sidebar:
+  order: 2
+  label: Proxied records
+---
+
+import { Render } from "~/components";
+
+:::caution[TEMP WIP NOTE]
+Not too sure about the name. The idea would be to document any "expected behavior" for proxied records here
+
+More details of how the DNS record proxy status interacts with other Cloudflare configurations. Besides content below (pulled from previously existing page), things like O2O, BYOIP address maps, etc, could go here.
+:::
+
+## Predefined time to live
+
+
+By default, all [proxied records](/dns/manage-dns-records/reference/proxied-dns-records/) have a TTL of **Auto**, which is set to 300 seconds.
+
+Since only [IP resolution records](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) can be proxied, this setting ensures that queries to your domain name resolve fairly quickly. This setting also means that any changes to proxied `A`, `AAAA`, or `CNAME` records will take place within five minutes or less.
+
+:::note
+
+
+It may take longer than 5 minutes for you to actually experience record changes, as your local DNS cache may take longer to update.
+
+
+:::
+
+## Mix proxied and unproxied
+
+If you have multiple `A/AAAA` records on the same name and at least one of them is proxied, Cloudflare will treat all `A/AAAA` records on this name as being proxied.
+
+## Protocol optimization
+
+For proxied records, if your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/), Cloudflare automatically generates corresponding [HTTPS Service (HTTPS) records](/dns/manage-dns-records/reference/dns-record-types/#svcb-and-https) on the fly. HTTPS records allow you to provide a client with information about how it should connect to a server upfront, without the need of an initial plaintext HTTP connection.
+
+:::note
+Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling [Universal SSL](/ssl/edge-certificates/universal-ssl/), for example, could impact this behavior.
+:::
+
+## IP addresses
+
+:::caution[Note to self]
+Consider not going into detail about ingress vs egress here. Maybe a better option would be making note of that while mentioning Address Maps in cloudflare-configuration.mdx
+:::
+
+
+Because requests to proxied hostnames go through Cloudflare before reaching your origin server, all requests will appear to be coming from Cloudflare's IP addresses (and could potentially be blocked or rate limited). If you use proxied records, you may need to adjust your server configuration to [allow Cloudflare IPs](/fundamentals/concepts/cloudflare-ip-addresses/).
+
+Cloudflare anycast IPs used to proxy traffic on your domain are assigned automatically. These IPs might change at any time for operational reasons.
+If you need to allowlist Cloudflare IPs on your infrastructure or hosting provider, include the full list of [Cloudflare anycast IPs](https://www.cloudflare.com/ips/).
+
+As an Enterprise customer, you have the option to get [static IPs](/spectrum/about/static-ip/) or [bring your own IPs (BYOIP)](/byoip/).

src/content/docs/fundamentals/concepts/how-cloudflare-works.mdx

@@ -20,42 +20,23 @@ We support a few different [setups](/dns/zone-setups/) for using Cloudflare as a
 
 When Cloudflare receives a DNS query for your domain, our response is determined by the configuration [set in your DNS table](/dns/manage-dns-records/how-to/create-dns-records/), including the value of the record, the record's [proxy eligibility](/dns/manage-dns-records/reference/proxied-dns-records/#proxy-eligibility), and its [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/).
 
-If the [domain's status](/dns/zone-setups/reference/domain-status/) is active and the queried DNS record is set to `proxied`, then Cloudflare responds with an [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/), **instead of** the value defined in your DNS table. This effectively re-routes the `HTTP/HTTPS` requests to the Cloudflare network, instead of directly reaching the targeted the [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
+If the [domain's status](/dns/zone-setups/reference/domain-status/) is active and the queried DNS record is set to `proxied`, then Cloudflare responds with an [anycast IP address](/fundamentals/concepts/cloudflare-ip-addresses/), **instead of** the value defined in your DNS table. This effectively re-routes the HTTP/HTTPS requests to the Cloudflare network, instead of directly reaching the targeted the [origin server](https://www.cloudflare.com/learning/cdn/glossary/origin-server/).
 
-In contrast, if the queried DNS record is set to `DNS only`, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means `HTTP/HTTPS` requests route directly to the origin server and are not processed or protected by Cloudflare.
+In contrast, if the queried DNS record is set to `DNS only`, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means HTTP/HTTPS requests route directly to the origin server and are not processed or protected by Cloudflare.
 
 ### How Cloudflare works as a reverse proxy
 
-All DNS records in your DNS table have a [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/), indicating whether or not `HTTP/HTTPS` traffic for that record will route through Cloudflare on its way between the client and the origin server. If the [domain's status](/dns/zone-setups/reference/domain-status/) is active, all `HTTP/HTTPS` requests for [proxied DNS records](/dns/manage-dns-records/reference/proxied-dns-records/#proxied-records) route through Cloudflare.
+All DNS records in your DNS table have a [proxy status](/dns/manage-dns-records/reference/proxied-dns-records/), indicating whether or not HTTP/HTTPS traffic for that record will route through Cloudflare on its way between the client and the origin server. If the [domain's status](/dns/zone-setups/reference/domain-status/) is active, all HTTP/HTTPS requests for [proxied DNS records](/dns/manage-dns-records/reference/proxied-dns-records/#proxied-records) route through Cloudflare.
 
 As these requests pass through our network, they are processed according to your [configuration](/fundamentals/setup/manage-domains/connect-your-domain/#domain-configurations). Subsequently, legitimate requests are forwarded to the origin server.
 
 Refer to our [Load Balancing reference architecture](/reference-architecture/architectures/load-balancing/) to learn more about advanced ways to forward traffic to your origins (or other <GlossaryTooltip term="endpoint" link="/glossary/?term=endpoint">endpoints</GlossaryTooltip>), as well as our [CDN reference architecture](/reference-architecture/architectures/cdn/) to learn more about how Cloudflare processes and optimizes your web traffic.
 
-:::note
-
-Proxying is on by default for records that serve `HTTP/HTTPS` traffic (`A`, `AAAA`, and `CNAME` records). To proxy `HTTP/HTTPS` traffic on [non-standard ports](/fundamentals/reference/network-ports/) or to proxy a `TCP-` or `UDP-` based application, use [Cloudflare Spectrum](/spectrum/). 
-:::
-
 In the Cloudflare dashboard, find out which DNS records are proxied by selecting your domain and navigating to the **DNS records** tab.
 
-#### Example DNS table
-
-| Type |  Name  |   Content   | Proxy status |   TTL  | Actions |
-| :--: | :----: | :---------: | :----------: | :----: | ------: |
-|  `A` | `blog` | `192.0.2.1` |   `Proxied`  | `Auto` |  `Edit` |
-|  `A` | `shop` | `192.0.2.2` |  `DNS only`  | `Auto` |  `Edit` |
-
-In the example DNS table above, there are two DNS records. The record with the name `blog` has the proxy on, while the record named `shop` has the proxy off (that is, `DNS only`).
-
-#### Proxied DNS record example
-
-When the browser initiates a `HTTP/HTTPS` request to `blog.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates a `HTTP/HTTPS` request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. Cloudflare forwards it to the configured origin server, which is `192.0.2.1`.
-
-#### DNS only record example
+#### Protocols, ports, and methods
 
-When the browser initiates a `HTTP/HTTPS` request to `shop.example.com`, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, `DNS only`), Cloudflare will answer with `192.0.2.2`. Finally, the browser initiates a `HTTP/HTTPS` request to the server hosted at `192.0.2.2`.
 
-#### HTTP methods Cloudflare supports
+Proxying is on by default for records that serve HTTP/HTTPS traffic (A, AAAA, and CNAME records). To proxy HTTP/HTTPS traffic on [non-standard ports](/fundamentals/reference/network-ports/) or to proxy a TCP- or UDP- based application, use [Cloudflare Spectrum](/spectrum/).
 
 Cloudflare supports all standard HTTP methods, with the exception of `CONNECT`, `TRACE`, and `PURGE`, which are restricted.