Fix Cloudflare DNS Error - Proxy and Record Issues

Introduction

Cloudflare operates both as a DNS provider and a CDN/proxy service, creating unique configuration challenges. The "orange cloud" proxy mode changes how DNS works - the IP Cloudflare returns isn't your server's IP, it's Cloudflare's edge IP. This creates special considerations for CNAME records at apex, SSL certificates, and subdomain handling. Cloudflare DNS errors often result from misunderstanding these proxy behaviors.

Symptoms

Website shows Cloudflare error pages (522, 521, 520)
DNS resolves but site returns Cloudflare error
Orange-clouded subdomains work differently than gray
CNAME at apex behaves unexpectedly
SSL/TLS certificate errors through Cloudflare
DNS changes not reflecting immediately
Email routing issues with proxied records

Common Causes

Origin server unreachable through Cloudflare proxy
SSL mode mismatch between Cloudflare and origin
CNAME flattening conflicts
Gray vs orange cloud configuration confusion
Cloudflare DNS proxy blocking certain traffic
Missing AAAA record causing IPv6 issues
Cloudflare cache or proxy configuration errors

Step-by-Step Fix

1.Distinguish between DNS resolution and Cloudflare proxy issues.

```bash # Check DNS resolution (where Cloudflare DNS points) dig example.com A +short

# For orange-clouded (proxied) records, this returns Cloudflare IPs # Example output: 104.16.132.229 (Cloudflare edge IP)

# Check if it's actually Cloudflare IP dig example.com A +short | head -1 # Compare with known Cloudflare IP ranges

# Check DNS directly at Cloudflare's authoritative servers dig @lara.ns.cloudflare.com example.com A +short

# Test gray-clouded (DNS-only) records dig www.example.com A +short # Returns your actual server IP if gray-clouded

# Test connectivity to your origin server directly origin_ip="192.0.2.10" # Your actual server curl -I -H "Host: example.com" http://$origin_ip ```

1.Understand Cloudflare's orange cloud vs gray cloud modes.

```bash # Orange cloud (proxied): # - DNS returns Cloudflare IP # - Traffic goes through Cloudflare CDN # - SSL handled by Cloudflare # - DDoS protection enabled # - Cannot have direct access to origin

# Gray cloud (DNS only): # - DNS returns your origin IP # - Traffic goes directly to your server # - No CDN/proxy features # - Standard DNS behavior

# Check Cloudflare dashboard: # DNS tab -> record row -> cloud icon # Orange = proxied, Gray = DNS only

# Query both modes: echo "Proxied record (orange):" dig example.com A +short # Cloudflare IP

echo "DNS-only record (gray):" dig direct.example.com A +short # Your server IP

# Verify Cloudflare is proxying: curl -v https://example.com 2>&1 | grep -E "Server|cf-ray" # Server: cloudflare # cf-ray: ABC123-XYZ # Cloudflare Ray ID ```

1.Fix Cloudflare 5xx errors (origin server unreachable).

```bash # Error 521: Web server is down # Error 522: Connection timed out # Error 520: Web server returned unknown error

# Check your origin server is running ping YOUR_ORIGIN_IP curl -I http://YOUR_ORIGIN_IP

# Check firewall allows Cloudflare IPs # Cloudflare publishes their IP ranges: curl https://www.cloudflare.com/ips-v4 curl https://www.cloudflare.com/ips-v6

# Add Cloudflare IPs to firewall whitelist # iptables example: for ip in $(curl -s https://www.cloudflare.com/ips-v4); do iptables -I INPUT -s $ip -j ACCEPT done

# Check origin server listens on correct port netstat -tlnp | grep -E ":80|:443"

# Verify origin server responds to requests curl -I -H "Host: example.com" http://YOUR_ORIGIN_IP

# Check SSL at origin (for Full SSL mode) openssl s_client -connect YOUR_ORIGIN_IP:443 -servername example.com ```

1.Resolve SSL/TLS mode configuration issues.

```bash # Cloudflare SSL modes: # - Off: No SSL (HTTP only) # - Flexible: HTTPS at Cloudflare, HTTP to origin # - Full: HTTPS both ends (origin cert not validated) # - Full (Strict): HTTPS both ends (valid origin cert required)

# Check current SSL mode: # Cloudflare Dashboard -> SSL/TLS -> Overview

# Test SSL at origin: echo "Origin SSL test:" openssl s_client -connect YOUR_ORIGIN_IP:443 -servername example.com 2>&1 | head -20

# For Full (Strict) mode, need valid certificate at origin: # - Certificate from CA (Let's Encrypt, etc.) # - Matches hostname (example.com) # - Not expired

# Check certificate details: echo | openssl s_client -connect YOUR_ORIGIN_IP:443 -servername example.com 2>&1 | openssl x509 -noout -dates -subject

# If using Flexible mode but origin has SSL: # - Switch to Full mode # - Or configure origin to accept HTTP

# Common SSL errors: # - Full (Strict) with self-signed origin cert -> fails # - Flexible with HTTPS-only origin -> fails # - Origin cert expired -> 525 error ```

1.Handle CNAME flattening at domain apex.

```bash # CNAME at apex normally violates DNS RFC # Cloudflare flattens CNAME to A record resolution

# Check CNAME at apex in Cloudflare dashboard # DNS -> example.com -> Type: CNAME, Proxied: Yes

# When proxied, Cloudflare flattens: # Your CNAME: example.com -> cdn.example.net # Cloudflare returns: example.com -> 104.16.x.x (Cloudflare IP)

# Test flattened resolution: dig example.com A +short # Returns Cloudflare IPs, not CNAME target

# For gray-clouded CNAME at apex: dig @lara.ns.cloudflare.com example.com A +short # May return empty (CNAME not flattened when DNS-only)

# Verify CNAME target resolves: dig cdn.example.net A +short

# Issue: Some services need to see actual CNAME # Solution: Use orange cloud for flattening # Or use specific subdomain instead of apex ```

1.Fix DNS propagation issues in Cloudflare.

```bash # Cloudflare DNS propagates quickly (seconds to minutes) # But some delays can occur

# Check Cloudflare's authoritative servers: dig @lara.ns.cloudflare.com example.com A +short dig @bob.ns.cloudflare.com example.com A +short

# Compare records across Cloudflare nameservers: for ns in lara.ns.cloudflare.com bob.ns.cloudflare.com; do echo "$ns:" dig @$ns example.com A +short done

# Check Cloudflare dashboard for pending changes: # DNS -> Pending Updates

# Force immediate propagation: # Dashboard -> DNS -> Purge Cache (if available)

# Test from Cloudflare's own resolver: dig @1.1.1.1 example.com A +short

# Cloudflare's 1.1.1.1 should reflect changes immediately ```

1.Debug Cloudflare DNS proxy specific behaviors.

```bash # Proxied records behave differently:

# Cannot see origin IP in DNS dig example.com A +short # Shows Cloudflare IP, not origin

# Cannot connect directly to origin via hostname curl http://example.com # Goes through Cloudflare

# Test origin directly using IP: curl -H "Host: example.com" http://YOUR_ORIGIN_IP

# Check Cloudflare DNS response details: dig example.com A

# Look for Cloudflare-specific metadata: # Cloudflare returns their edge IPs # These IPs rotate and change

# Check which Cloudflare data center serves you: curl -s https://example.com/cdn-cgi/trace | grep -E "ip|colo" # Shows your IP and Cloudflare colo (data center) ```

1.Fix AAAA (IPv6) record issues with Cloudflare.

```bash # Cloudflare has IPv6 support but requires proper AAAA

# Check AAAA record exists: dig example.com AAAA +short

# For proxied records, returns Cloudflare IPv6 # 2606:4700::...

# Check origin has IPv6: ping6 YOUR_ORIGIN_IPV6

# Test IPv6 connectivity through Cloudflare: curl -6 -I https://example.com

# Common IPv6 issues: # - Origin has IPv6 but Cloudflare AAAA missing # - AAAA exists but origin IPv6 not working # - Cloudflare proxy IPv6 enabled but origin doesn't support

# Toggle IPv6 in Cloudflare: # Dashboard -> Network -> IPv6 Compatibility

# Check if IPv6 causing errors: curl -4 https://example.com # Force IPv4 curl -6 https://example.com # Force IPv6 # Compare results ```

1.Resolve Cloudflare Page Rules affecting DNS.

```bash # Page Rules can override DNS behavior

# Check Page Rules in Dashboard: # Rules -> Page Rules

# Common Page Rule DNS interactions: # - "Disable Performance" bypasses proxy features # - "Cache Level: Bypass" disables caching # - SSL settings can override zone-level

# Test with Page Rule URL: curl -I "https://example.com/page-rule-path/"

# Check if Page Rule is causing unexpected behavior: # - Compare response headers # - Check for "cf-cache-status" header variations

# Verify DNS still resolves correctly: dig example.com/page-rule-path/ A # DNS still same, Page Rules affect proxy behavior ```

1.Monitor and troubleshoot Cloudflare DNS continuously.

```bash # Check Cloudflare DNS analytics: # Dashboard -> Analytics -> DNS

# Look for: # - Query volume # - Error rates # - Response times

# Use Cloudflare API to check DNS: curl -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records" \ -H "Authorization: Bearer YOUR_API_TOKEN" \ -H "Content-Type: application/json"

# Monitor DNS resolution: #!/bin/bash while true; do echo "$(date): $(dig @1.1.1.1 example.com A +short)" sleep 60 done

# Check Cloudflare status page: # https://www.cloudflarestatus.com

# Use Cloudflare diagnostic tools: # Dashboard -> Support -> Diagnostics ```

Verification

Complete Cloudflare DNS verification:

```bash # 1. Check DNS resolution echo "=== DNS Resolution ===" echo "Public resolver:" dig @1.1.1.1 example.com A +short echo "Cloudflare authoritative:" dig @lara.ns.cloudflare.com example.com A +short

# 2. Verify proxy status echo -e "\n=== Proxy Check ===" curl -I https://example.com 2>&1 | grep -E "Server|cf-ray|cf-cache-status"

# 3. Test origin server echo -e "\n=== Origin Server ===" origin_ip="YOUR_ORIGIN_IP" curl -I -H "Host: example.com" http://$origin_ip

# 4. Check SSL echo -e "\n=== SSL Configuration ===" openssl s_client -connect example.com:443 2>&1 | head -10 echo "Origin SSL:" openssl s_client -connect $origin_ip:443 -servername example.com 2>&1 | head -10

# 5. Verify IPv6 echo -e "\n=== IPv6 ===" dig example.com AAAA +short curl -6 -I https://example.com 2>&1 | head -5

# 6. Check all DNS records echo -e "\n=== All Cloudflare Records ===" dig @lara.ns.cloudflare.com example.com ANY +short 2>/dev/null || \ for type in A AAAA CNAME MX NS TXT; do echo -n "$type: " dig @lara.ns.cloudflare.com example.com $type +short | head -1 done ```

Cloudflare DNS Quick Reference

```bash # Cloudflare Nameserver Format: # Nameservers: <name>.ns.cloudflare.com # Example: lara.ns.cloudflare.com, bob.ns.cloudflare.com

# Proxy Status Indicators: # Orange cloud: Proxied (CDN enabled) # Gray cloud: DNS only (no proxy)

# SSL Modes: # Off: HTTP only # Flexible: HTTPS->Cloudflare, HTTP->Origin # Full: HTTPS both (origin cert not validated) # Full (Strict): HTTPS both (valid origin cert required)

# Common Error Codes: # 520: Unknown error from origin # 521: Origin web server down # 522: Connection timeout to origin # 523: Origin unreachable # 524: Timeout from origin (slow response) # 525: SSL handshake failed

# IP Ranges: # https://www.cloudflare.com/ips-v4 # https://www.cloudflare.com/ips-v6 ```

Cloudflare's combination of DNS and proxy requires understanding both layers. DNS queries return Cloudflare IPs for proxied records, while the actual origin connection happens transparently. Always test both DNS resolution and origin server connectivity.

How to Fix Cloudflare DNS Error

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Verification

Cloudflare DNS Quick Reference

Share this guide

More DNS Troubleshooting Guides

Fix DNS RPZ Reaction NSDNAME Not Blocking Queries

Fix DNS DDNS GSS-TSIG Kerberos Authentication

Fix DNS SVCB HTTPS Record Service Binding

Fix DNS ZONEMD Record Integrity Validation Failing

Fix DNS CDS CDNSKEY Automatic DS Update Not Working

Fix DNS NAPTR Record ENUM Translation Failure