Cloudflare Docs
Cloudflare Fundamentals
Edit this page
Give us feedback
Set theme to dark (⇧+D)

How Cloudflare works

The Cloudflare global network can improve the security, performance, reliability, and privacy of anything connected to the Internet, such as your website, SaaS application, or corporate network.

​​ Application Services

To optimize your website or web application, Cloudflare acts as a DNS provider for your domain, and a reverse proxy for your web traffic.

​​ How Cloudflare works as a DNS provider

We support a few different setups for using Cloudflare as a DNS provider. A full DNS setup is the most common, where Cloudflare becomes the primary authoritative DNS provider for your domain, after you connect your domain to Cloudflare. This means we respond to DNS queries for your domain, and you manage its DNS records via the Cloudflare dashboard or API.

When Cloudflare receives a DNS query for your domain, our response is determined by the configuration set in your DNS table, including the value of the record, the record’s proxy eligibility, and its proxy status.

If the domain’s status is active and the queried DNS record is set to proxied, then Cloudflare responds with an anycast IP address, instead of the value defined in your DNS table. This effectively re-routes the HTTP/HTTPS requests to the Cloudflare network, instead of directly reaching the targeted the origin server.

In contrast, if the queried DNS record is set to DNS only, meaning the proxy is off, then Cloudflare responds with the value defined in your DNS table (that is, an IP address or CNAME record). This means HTTP/HTTPS requests route directly to the origin server and are not processed or protected by Cloudflare.

​​ How Cloudflare works as a reverse proxy

All DNS records in your DNS table have a proxy status, indicating whether or not HTTP/HTTPS traffic for that record will route through Cloudflare on its way between the client and the origin server. If the domain’s status is active, all HTTP/HTTPS requests for proxied DNS records route through Cloudflare.

As these requests pass through our network, they are processed according to your configuration. Subsequently, legitimate requests are forwarded to the origin server.

Refer to our Load Balancing reference architecture to learn more about advanced ways to forward traffic to your origins (or other endpoints), as well as our CDN reference architecture to learn more about how Cloudflare processes and optimizes your web traffic.

In the Cloudflare dashboard, find out which DNS records are proxied by selecting your domain and navigating to the DNS records tab.

​​ Example DNS table

TypeNameContentProxy statusTTLActions
Ablog192.0.2.1ProxiedAutoEdit
Ashop192.0.2.2DNS onlyAutoEdit

In the example DNS table above, there are two DNS records. The record with the name blog has the proxy on, while the record named shop has the proxy off (that is, DNS only).

​​ Proxied DNS record example

When the browser initiates a HTTP/HTTPS request to blog.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; and because the proxy is on, Cloudflare will answer with an anycast IP address. Subsequently, the browser initiates a HTTP/HTTPS request back to Cloudflare. When Cloudflare receives this request, it performs a lookup to find the matching domain and account configuration and processes the request accordingly. Cloudflare forwards it to the configured origin server, which is 192.0.2.1.

​​ DNS only record example

When the browser initiates a HTTP/HTTPS request to shop.example.com, a DNS resolver will convert the hostname into an IP address. Since this domain is using Cloudflare as its Authoritative DNS provider, the DNS query will be routed to Cloudflare; but since the proxy is off (that is, DNS only), Cloudflare will answer with 192.0.2.2. Finally, the browser initiates a HTTP/HTTPS request to the server hosted at 192.0.2.2.