cloudflare · RebeccaTamachiro · Oct 14, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025
@@ -17,6 +17,10 @@ import {
 
 Advanced nameservers included with [Foundation DNS](/dns/foundation-dns/) are an opt-in configuration.
 
+:::note
+After enabling advanced nameservers, standard nameservers still respond to DNS queries.
+:::
+
 ## Before you begin
 
 Before opting in for advanced nameservers, consider the following:

@@ -14,28 +14,11 @@ import { Render, TabItem, Tabs, APIRequest, DashButton } from "~/components";
 
 With [outgoing zone transfers](/dns/zone-setups/zone-transfers/cloudflare-as-primary/), you can keep Cloudflare as your primary DNS provider and use one or more secondary providers for increased availability and fault tolerance.
 
-## Aspects to consider
-
-### DNS-only CNAME records
-
-As explained in [DNS record types](/dns/manage-dns-records/reference/dns-record-types/#cname), Cloudflare uses a process called [CNAME flattening](/dns/cname-flattening/) to return the final IP address instead of the CNAME target. CNAME flattening improves performance and is also what allows you to set a CNAME record on the zone apex.
-
-Depending on the [settings](/dns/cname-flattening/set-up-cname-flattening/) you have, when you use DNS-only CNAME records with outgoing zone transfers, you can expect the following:
-
-- For DNS-only CNAME records on the zone apex, Cloudflare will always transfer out the flattened IP addresses.
-- For DNS-only CNAME records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting [**Flatten all CNAMEs**](/dns/cname-flattening/set-up-cname-flattening/#for-all-cname-records) is enabled.
-
-### Proxied records
-
-For each [proxied DNS record](/dns/proxy-status/) in your zone, Cloudflare will transfer out two `A` and two `AAAA` records.
-
-These records correspond to the [Cloudflare IP addresses](https://www.cloudflare.com/ips) used for proxying traffic.
-
 ## Before you begin
 
 Make sure your account team has enabled your zone for outgoing zone transfers.
 
-Review your [existing DNS records](/dns/manage-dns-records/how-to/create-dns-records/) to make sure all of them have the desired **Proxy status**.
+Consider the [expected behaviors](/dns/zone-setups/zone-transfers/cloudflare-as-primary/transfer-criteria/) for different record types, and review your [existing DNS records](/dns/manage-dns-records/how-to/create-dns-records/) to make sure all of them have the desired **Proxy status**.
 
 If using the API, you may also want to [locate your Zone and Account IDs](/fundamentals/account/find-account-and-zone-ids/).
 

@@ -0,0 +1,42 @@
+---
+pcx_content_type: reference
+title: Records transfer
+sidebar:
+  order: 9
+---
+
+Consider the sections below to understand the expected behaviors, depending on DNS record type and proxied status.
+
+
+## Proxied records
+
+For each [proxied DNS record](/dns/proxy-status/) in your zone, Cloudflare will transfer out two `A` and two `AAAA` records.
+
+These records correspond to the [Cloudflare IP addresses](https://www.cloudflare.com/ips) used for proxying traffic.
+
+## DNS-only CNAME records
+
+As explained in [DNS record types](/dns/manage-dns-records/reference/dns-record-types/#cname), Cloudflare uses a process called [CNAME flattening](/dns/cname-flattening/) to return the final IP address instead of the CNAME target. CNAME flattening improves performance and is also what allows you to set a CNAME record on the zone apex.
+
+Depending on the [settings](/dns/cname-flattening/set-up-cname-flattening/) you have, when you use DNS-only CNAME records with outgoing zone transfers, you can expect the following:
+
+- For DNS-only CNAME records on the zone apex, Cloudflare will always transfer out the flattened IP addresses.
+- For DNS-only CNAME records on subdomains, Cloudflare will only transfer out flattened IP addresses if the setting [**Flatten all CNAMEs**](/dns/cname-flattening/set-up-cname-flattening/#for-all-cname-records) is enabled.
+
+:::note[Per-record CNAME flattening]
+
+For records using [per-record CNAME flattening](/dns/cname-flattening/set-up-cname-flattening/#per-record) (meaning **Flatten all CNAMEs** is disabled), Cloudflare will transfer out the CNAME, not the flattened IP address.
+
+:::
+
+## Records that are not transferred
+
+The following records are not transferred out when you use Cloudflare as primary:
+
+- [CAA records](/ssl/edge-certificates/caa-records/).
+- TXT records used for TLS certificate validation.
+- DNS-only [Load Balancing](/load-balancing/load-balancers/dns-records/) records.
+
+:::note
+Proxied Load Balancing records are transferred as [explained above](#proxied-records).
+:::
@@ -10,18 +10,16 @@ Cloudflare offers a range of SSL/TLS options. By default, Cloudflare offers Univ
 
 1. [**Universal SSL**](/ssl/edge-certificates/universal-ssl/): This option covers basic encryption requirements and certificate management needs.
 
-2. [**Foundation DNS**](/dns/foundation-dns/): Foundation DNS is an Enterprise option that provides strategically distributed IPs to enhance resiliency, reduced exposure to incidents or software regression and more consistent nameserver assignment.
+2. [**Total TLS**](/ssl/edge-certificates/additional-options/total-tls/): Automatically issues certificates for all subdomain levels, extending the protection offered by Universal SSL.
 
-3. [**Total TLS**](/ssl/edge-certificates/additional-options/total-tls/): Automatically issues certificates for all subdomain levels, extending the protection offered by Universal SSL.
+3. [**Advanced Certificates**](/ssl/edge-certificates/advanced-certificate-manager/): Offers customizable certificate issuance and management, including options like choosing the certificate authority, certificate validity period, and removing Cloudflare branding from certificates.
 
-4. [**Advanced Certificates**](/ssl/edge-certificates/advanced-certificate-manager/): Offers customizable certificate issuance and management, including options like choosing the certificate authority, certificate validity period, and removing Cloudflare branding from certificates.
+4. [**Custom Certificates**](/ssl/edge-certificates/custom-certificates/): For eligible plans, customers can upload their own certificates, with the user managing issuance and renewal.
 
-5. [**Custom Certificates**](/ssl/edge-certificates/custom-certificates/): For eligible plans, customers can upload their own certificates, with the user managing issuance and renewal.
+5. [**mTLS Client Certificates**](/ssl/client-certificates/): Cloudflare offers a PKI system, used to create client certificates, which can enforce mutual Transport Layer Security (mTLS) encryption.
 
-6. [**mTLS Client Certificates**](/ssl/client-certificates/): Cloudflare offers a PKI system, used to create client certificates, which can enforce mutual Transport Layer Security (mTLS) encryption.
+6. [**Cloudflare for SaaS Custom Hostnames**](/cloudflare-for-platforms/cloudflare-for-saas/): This feature enables SaaS providers to offer their clients the ability to use their own domains while benefiting from Cloudflare's network.
 
-7. [**Cloudflare for SaaS Custom Hostnames**](/cloudflare-for-platforms/cloudflare-for-saas/): This feature enables SaaS providers to offer their clients the ability to use their own domains while benefiting from Cloudflare's network.
+7. [**Keyless SSL Certificates**](/ssl/keyless-ssl/): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.
 
-8. [**Keyless SSL Certificates**](/ssl/keyless-ssl/): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.
-
-9. [**Origin Certificates**](/ssl/origin-configuration/origin-ca/): Origin CA certificates from Cloudflare are used to encrypt traffic between Cloudflare and your origin web server. These certificates are created through the Cloudflare dashboard and can be configured with a choice of RSA or ECC private keys and support for various server types.
+8. [**Origin Certificates**](/ssl/origin-configuration/origin-ca/): Origin CA certificates from Cloudflare are used to encrypt traffic between Cloudflare and your origin web server. These certificates are created through the Cloudflare dashboard and can be configured with a choice of RSA or ECC private keys and support for various server types.