Proxy status
When you proxy an A, AAAA, or CNAME DNS record for your application (also known as orange-clouding), DNS queries for these records will resolve to Cloudflare Anycast IPs instead of their original DNS target.
This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server. This behavior allows Cloudflare to optimize, cache, and protect all requests for your application.
When to proxy your DNS records
In most cases, you should proxy your A, AAAA, and CNAME records. These are the only records that can be proxied.
Beyond the performance and caching benefits, proxying your records hides your origin server’s IP address and protects your application from DDoS attacks.
Limitations
Pending domains
When your domain status is Pending Nameserver Update, that domain’s DNS records cannot yet be proxied.
This means that pending domains cannot take advantage of Cloudflare caching and other settings — even if the proxy status is enabled for their DNS records — and any requests to your DNS records will return your origin server’s IP address and not Cloudflare IP addresses.
Windows authentication
Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications, they are not compatible with proxied DNS records.
To solve this issue, we recommend using Cloudflare Zero Trust.
When to use unproxied records
In some circumstances, you should not proxy your DNS records.
A, AAAA, and CNAME records
If you need to connect to your origin using a non-HTTP protocol (SSH, FTP, SMTP) or the traffic targets an unsupported port at the origin, either leave your records unproxied (DNS-only) or use Cloudflare Spectrum.
Additionally, you cannot proxy wildcard DNS records unless your domain is on an Enterprise plan.
Other record types
Because Cloudflare only supports proxied A, AAAA, and CNAME records, you do not have the option to proxy other record types.
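Proxying hides the origin IP address only while no DNS-only record in the same zone publishes that address, which ties together "When to proxy your DNS records" and "When to use unproxied records". The audit below is an added example, not Cloudflare's code: it runs over a constructed zone export, and the record keys (type, name, content, proxied), hostnames, and addresses are assumptions for illustration.

```python
PROXIABLE = {"A", "AAAA", "CNAME"}  # the only record types that can be proxied

# Constructed sample zone export (documentation IP ranges). The keys
# type/name/content/proxied are an assumed export shape.
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ssh.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "198.51.100.25", "proxied": False},
    {"type": "CNAME", "name": "ftp.example.com", "content": "ssh.example.com", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "*.example.com", "content": "203.0.113.10", "proxied": False},
]

def is_proxied(r):
    return bool(r["proxied"]) and r["type"] in PROXIABLE

def dns_only_ips(name, records, seen=()):
    """Addresses that DNS-only records in this zone publish for `name`."""
    if name in seen:  # guard against CNAME loops
        return set()
    ips = set()
    for r in records:
        if r["name"] != name or is_proxied(r):
            continue
        if r["type"] in ("A", "AAAA"):
            ips.add(r["content"])
        elif r["type"] == "CNAME":
            ips |= dns_only_ips(r["content"], records, seen + (name,))
    return ips

def audit(records):
    """Return (name, type, ip) for each DNS-only record that publishes an
    address which a proxied record in the same zone is hiding."""
    hidden = {r["content"] for r in records
              if is_proxied(r) and r["type"] in ("A", "AAAA")}
    findings = []
    for r in records:
        if is_proxied(r):
            continue
        if r["type"] in ("A", "AAAA"):
            exposed = {r["content"]}
        else:  # CNAME, MX, ...: follow the target hostname inside the zone
            exposed = dns_only_ips(r["content"], records)
        findings += [(r["name"], r["type"], ip) for ip in sorted(exposed & hidden)]
    return findings

if __name__ == "__main__":
    for name, rtype, ip in audit(RECORDS):
        print(f"{name} ({rtype}, DNS-only) discloses proxied origin {ip}")
```

The MX record is not flagged because its target resolves to a separate address that no proxied record relies on.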