
Question – DNS CNAMEs, CNAME Flattening, and Cloudflare: How does it work?


Question

This question came up on Facebook, and it needed a blog post 🙂

This is about CNAME flattening and references this Gridpane KB. https://gridpane.com/kb/dns-management-and-cnames/

This question is not GP specific so thought to try here instead of the GP forum.

In the example given above, CNAME at the client DNS ultimately points to clientname.yourdomain.com. This makes sense and works. Now I want to set this up for a subdomain.

To get a subdomain (i.e. subdomain.clientdomain.com) to point to a GP server, is this the way to set things up?

At client DNS, set up CNAME = subdomain and point it to clientname.yourdomain.com

Then at yourdomain.com, set up an A record for “subdomain” and point it to the IP address of a GP server.

Then spin up subdomain.clientdomain.com at a GP server?

Something seems off as the “subdomain” would be set for subdomain.yourdomain.com. How does one set up DNS (on my end) to point subdomain.clientdomain.com to the actual IP on GP?

In short, access to client DNS is not easy, so I'm trying to set up DNS one time and update the IP on my end as needed.

Any thoughts would be appreciated.

Response

Leave CNAME flattening aside for the moment; let's talk about CNAMEs first.

How do CNAMEs work?

A CNAME record maps one name, such as subdomain.clientdomain.com, to another name (its canonical name), such as subdomain.yourdomain.com. The actual data lives at that target name, which may carry A/AAAA records or be yet another CNAME.

You create the CNAME record at your DNS provider, which is often the same company as your domain registrar, since many registrars host DNS for free. The provider runs nameservers that hold the zone for your domain with all of its records, and those nameservers are the ones listed as the “nameservers” for the domain at the registry. When asked for subdomain.clientdomain.com, the nameservers for clientdomain.com simply answer with the CNAME value, subdomain.yourdomain.com; it is the resolver's job (dig, nslookup, or the recursive resolver your browser uses) to go on and look up subdomain.yourdomain.com.

So the resolver then looks up subdomain.yourdomain.com, which might be an A record pointing to 192.168.0.1, or another CNAME pointing to subdomain.seconddomain.com, in which case the resolver has to look up subdomain.seconddomain.com in turn, which again could be an A record or a CNAME.

CNAME Chaining

When a CNAME points to another CNAME, that is CNAME chaining. In principle a chain can be as long as you like, but every hop is another lookup, so resolution gets slower with each link, resolvers cap how many hops they will follow, and some software simply gives up partway through a long chain. Keep chains short, and never let one loop back on itself.

APEX Records @

Why are we talking about apex records (@)? Because you cannot make the apex of a zone a CNAME: the DNS standard (RFC 1034) says a CNAME must be the only record at its name, and the apex always has to carry SOA and NS records. There's a good thread on Server Fault if you want to go deeper.

Why can't a CNAME record be used at the apex (aka root) of a domain? – Server Fault (serverfault.com)

However, there is a workaround: CNAME flattening.

CNAME Flattening

On to CNAME flattening. What is CNAME flattening? Cloudflare's documentation describes it like this:

CNAME flattening speeds up CNAME resolution and allows you to use a CNAME record at your root/apex domain (example.com).

With CNAME flattening, Cloudflare finds the IP address that a CNAME points to. This process could involve a single lookup or multiple (if your CNAME points to another CNAME). Cloudflare then returns the final IP address instead of a CNAME record, helping DNS queries resolve up to 30% faster.

For more details on the mechanics of CNAME flattening, review the CNAME flattening diagram and refer to the Cloudflare blog post.

https://developers.cloudflare.com/dns/cname-flattening/

As you can see, CNAME flattening matters, and Cloudflare supports it, as do other providers in their own ways. Why bring it up here? Because it changes what a resolver gets back when you create a CNAME and both domain names are set up on Cloudflare.

Cloudflare flattens CNAME records (always at the apex, and optionally for other records in the zone), so the answer comes back as an A record holding the final IP instead of a CNAME for the resolver to follow. That is not how a CNAME normally behaves, and you need to be aware of it when you point records across zones.
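To make the chaining, apex-rule and flattening behaviour above concrete, here is a small Python model added for this post; it is not Cloudflare's code or any real resolver's. The records, names and RFC 5737 test addresses are constructed, and the 8-hop cap is an assumed value; real resolvers choose their own limits.

```python
"""Toy authoritative data plus a stub resolver showing CNAME chaining, the
apex rule, and CNAME flattening.  Added example for this post; every record
below is constructed and the names/IPs are placeholders (RFC 5737 ranges)."""

MAX_CHAIN = 8  # assumed cap; real resolvers pick their own hop limit

# Constructed records: owner name -> {rrtype: [rdata, ...]}
RRSETS = {
    # clientdomain.com zone (not on Cloudflare): the client adds one CNAME
    "clientdomain.com.": {
        "SOA": ["ns1.clientdns.example. hostmaster.clientdomain.com. 1 3600 600 86400 300"],
        "NS": ["ns1.clientdns.example."],
    },
    "subdomain.clientdomain.com.": {"CNAME": ["subdomain.yourdomain.com."]},
    # yourdomain.com zone (yours): you control where the chain ends
    "yourdomain.com.": {
        "SOA": ["ns1.yourdns.example. hostmaster.yourdomain.com. 1 3600 600 86400 300"],
        "NS": ["ns1.yourdns.example."],
    },
    "subdomain.yourdomain.com.": {"CNAME": ["srv01.yourdomain.com."]},
    "srv01.yourdomain.com.": {"A": ["192.0.2.10"]},
}


def add_record(rrsets, name, rtype, rdata):
    """Add a record while enforcing RFC 1034's rule that a CNAME must be the
    only record at its owner name.  A zone apex always carries SOA and NS, so
    a CNAME there is refused: that is why '@' cannot be a CNAME."""
    existing = rrsets.get(name, {})
    if rtype == "CNAME" and existing:
        raise ValueError(f"{name} already has {sorted(existing)}; a CNAME must stand alone")
    if rtype != "CNAME" and "CNAME" in existing:
        raise ValueError(f"{name} is a CNAME; no other records may sit beside it")
    rrsets.setdefault(name, {}).setdefault(rtype, []).append(rdata)


def resolve(rrsets, name, rtype="A", max_chain=MAX_CHAIN):
    """Follow CNAMEs the way a resolver (dig, nslookup, a recursive resolver)
    does.  Returns (names visited, final rdata).  Raises on a loop or on a
    chain longer than max_chain hops, which is where real software gives up."""
    chain = [name]
    while True:
        records = rrsets.get(name, {})
        if rtype in records:
            return chain, list(records[rtype])
        if "CNAME" not in records:
            return chain, []  # NODATA / NXDOMAIN in real DNS
        name = records["CNAME"][0]
        if name in chain:
            raise RuntimeError("CNAME loop: " + " -> ".join(chain + [name]))
        if len(chain) >= max_chain:
            raise RuntimeError(f"CNAME chain longer than {max_chain} hops, giving up")
        chain.append(name)


def flatten(rrsets, name, rtype="A"):
    """What a flattening authoritative server does: resolve the CNAME target
    itself and hand back A records under the original name, so the client
    never sees (or has to follow) the CNAME.  That is the workaround that
    lets an apex behave as if it were a CNAME."""
    _chain, rdata = resolve(rrsets, name, rtype)
    return {name: {rtype: rdata}}


if __name__ == "__main__":
    chain, ips = resolve(RRSETS, "subdomain.clientdomain.com.")
    print(" -> ".join(chain), "=>", ips)
    print(flatten(RRSETS, "subdomain.clientdomain.com."))
    try:
        add_record(RRSETS, "clientdomain.com.", "CNAME", "subdomain.yourdomain.com.")
    except ValueError as err:
        print("refused:", err)
```

Running it prints the three-name chain ending at 192.0.2.10, the flattened answer (an A record under subdomain.clientdomain.com. with no CNAME in sight), and the refusal when you try to make the clientdomain.com apex a CNAME. The same loop detection is what saves you when a client accidentally CNAMEs back at a name you CNAMEd to them.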

Solution #1 (Traditional CNAME)

Let’s map this out in simpler terms.

  • Client domain = clientdomain.com – not on Cloudflare
  • Your domain as the provider = yourdomain.com – on Cloudflare

Here's the setup.

  1. Set up subdomain.yourdomain.com first as an A/CNAME record and make sure it is not proxied in Cloudflare (grey cloud). If it were proxied it would resolve to a Cloudflare IP, and a request carrying the client's hostname would land on Cloudflare, which knows nothing about clientdomain.com.
  2. Then set subdomain.clientdomain.com as a CNAME to subdomain.yourdomain.com.

So subdomain.clientdomain.com resolves to whatever subdomain.yourdomain.com points to, and the client's resolver follows the chain. The request from the web browser still arrives at the destination web server with subdomain.clientdomain.com as the Host header (and TLS SNI), not subdomain.yourdomain.com, so you need to make sure subdomain.clientdomain.com is set up correctly on your web server as its own site, with a virtual host and a certificate for that name.

Solution #2 (CNAME Flattening)

Taking the same data from Solution #1, you can do CNAME flattening at Cloudflare and save some time for your DNS record to resolve.

  • Client domain = clientdomain.com – On Cloudflare
  • Your domain as the provider = yourdomain.com – On Cloudflare or another DNS provider.

Here’s the setup.

  1. Set up subdomain.yourdomain.com first as an A/CNAME record and make sure it is proxied in Cloudflare (orange cloud).
  2. Then set subdomain.clientdomain.com as a CNAME to subdomain.yourdomain.com and make sure that record is not proxied at Cloudflare.

Because both zones are in Cloudflare, Cloudflare recognises subdomain.clientdomain.com in the Host header and handles the request; keep both zones in the same Cloudflare account, or you will hit the Error 1014 described further down.

The diagram above also works with apex records, which is why it has the Resolve/Flatten step: whatever is typed into the browser, apex or subdomain, gets resolved and flattened.

Question #2

Yes, will do that! btw, just so I know for future ref, once the cnames are setup to point to a final A record, the server with the actual subdomain.clientdomain.com account will sort out the final route to the destination site correct?

Answer #2

Correct, that is exactly what happens: once the chain ends at an A record, the browser connects to that IP with subdomain.clientdomain.com in the Host header, and the web server's virtual host for that name decides which site to serve.

Question #3

Also, will subdomain have to match at both DNSs?

And will subdomain.clientdomain.com gain the benefits of CloudFlare if yourdomain.com is proxied with the orange cloud? Hoping CF can still block xmlrpc and watch wp-login.php for subdomain.clientdomain.com. Fun stuff right?

Answer #3

Do CNAME records need to match to resolve properly?

I'm saying CNAME records here rather than subdomains or domains because, at the end of the day, these are all just DNS records. No, a CNAME's name does not need to match its value, for example:

bob.domain1.com (CNAME) -> bob.domain2.com (A) 192.168.0.1
charlie.domain3.com (CNAME) -> srv01.domainabc.com (A) 192.168.2.1
john.domain4.com (CNAME) -> 3bn45bgv23456yc46252b456b7y5366uf5.domain5.com (A) 192.168.88.1

All that matters is that the CNAME's value is a name that ultimately resolves to an A (or AAAA) record. Although you can chain CNAMEs, it's a bad idea for several reasons that are outside the scope of this article; check out this article:

The CNAME record – DNS CNAME records are used to alias or redirect names in DNS. Learn how canonical names work in DNS, and what their restrictions are. (www.nslookup.io)

Does a non-proxied DNS record absorb the Cloudflare protection of the DNS record it's CNAME'd to?

Yes and no.

What happens to a non-proxied DNS record that has a CNAME to a Cloudflare-proxied DNS record

The following happens when a non-proxied DNS record is a CNAME to a Cloudflare-proxied DNS record.

  1. The web browser resolves the DNS record subdomain.clientdomain.com.
    • The record subdomain.clientdomain.com is not proxied and is a CNAME with the value subdomain.yourdomain.com, which is proxied.
    • The resolver therefore resolves subdomain.yourdomain.com to a Cloudflare IP, because proxied records publish Cloudflare's addresses rather than your origin's.
  2. The HTTP request from the web browser is sent to the IP address returned (a Cloudflare IP), and the request carries a Host header (and, for HTTPS, a TLS SNI) of subdomain.clientdomain.com, the name typed into the browser's address bar.
  3. Cloudflare reads the Host header and looks up whether that hostname's domain (the zone, not the individual DNS record) is set up on Cloudflare.

This is where one of two things happens.

If the domain is set up on Cloudflare, Cloudflare will process the request. However, if the two domains are not in the same Cloudflare account you will get Error 1014 CNAME Cross-User Banned, which is addressed in the Cloudflare for SaaS section below.

If the domain is not set up on Cloudflare, you will receive Error 1001 DNS resolution error, because Cloudflare doesn't know what to do with subdomain.clientdomain.com.
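To tie Solution #1, Solution #2 and the three-step flow above together, here is an added Python model of the request path, written for this post rather than taken from Cloudflare. The zones, account names, virtual hosts and RFC 5737 addresses are constructed; the two error numbers are the ones named above. The model also covers the failure cases the prose only mentions (proxied target with the client domain missing from Cloudflare, and the two zones living in different accounts).

```python
"""Where does a request go once subdomain.clientdomain.com is a CNAME to
subdomain.yourdomain.com?  Added example, not Cloudflare's code.  Addresses,
zones, account names and virtual hosts below are constructed placeholders."""

CF_EDGE_IP = "198.51.100.1"  # stands in for a Cloudflare anycast address
ORIGIN_IP = "192.0.2.10"     # stands in for your GP server

# Your origin's virtual hosts: the web server picks a site by Host header,
# which is why the client hostname must exist on the server (Answer #2).
ORIGIN_VHOSTS = {
    "subdomain.clientdomain.com": "client-site",
    "subdomain.yourdomain.com": "your-site",
}


def zone_of(hostname, cf_zones):
    """Map a hostname to the Cloudflare zone it belongs to (longest suffix),
    i.e. 'the domain name, not the DNS name'.  None if Cloudflare has no zone."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cf_zones:
            return candidate
    return None


def origin_server(host_header):
    """The origin sorts out the final route by virtual host."""
    site = ORIGIN_VHOSTS.get(host_header)
    return f"origin serves {site}" if site else "origin serves default vhost (wrong site)"


def cloudflare_edge(host_header, cname_target, cf_zones):
    """Cloudflare's decision for a request that hit its IP because the
    client's CNAME pointed at a proxied record (cname_target) in cf_zones.
    cf_zones maps zone name -> owning account."""
    requested_zone = zone_of(host_header, cf_zones)
    if requested_zone is None:
        return "Error 1001: DNS resolution error"
    target_zone = zone_of(cname_target, cf_zones)
    if cf_zones[requested_zone] != cf_zones[target_zone]:
        return "Error 1014: CNAME Cross-User Banned"
    return origin_server(host_header)  # protected by Cloudflare, then proxied


def browse(hostname, cname_target, target_proxied, cf_zones):
    """One request from the browser.  The name typed in the address bar stays
    in the Host header/SNI; only the IP depends on whether the target is
    proxied (orange cloud) or not (grey cloud)."""
    connect_ip = CF_EDGE_IP if target_proxied else ORIGIN_IP
    if connect_ip == ORIGIN_IP:
        return origin_server(hostname)  # Solution #1: straight to the origin
    return cloudflare_edge(hostname, cname_target, cf_zones)


if __name__ == "__main__":
    host, target = "subdomain.clientdomain.com", "subdomain.yourdomain.com"
    cases = {
        "Solution #1 (target grey-clouded)": (False, {"yourdomain.com": "acct-A"}),
        "target orange, client not on CF": (True, {"yourdomain.com": "acct-A"}),
        "target orange, different accounts": (True, {"yourdomain.com": "acct-A", "clientdomain.com": "acct-B"}),
        "Solution #2 (same account)": (True, {"yourdomain.com": "acct-A", "clientdomain.com": "acct-A"}),
    }
    for label, (proxied, zones) in cases.items():
        print(f"{label:36} -> {browse(host, target, proxied, zones)}")
```

The four cases print, in order, the client site served directly from the origin, Error 1001, Error 1014, and the client site served through Cloudflare; the last line is the only one where subdomain.clientdomain.com actually gets Cloudflare's protection.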

How do I protect a non-proxied DNS record with Cloudflare?

There are a couple of solutions.

  1. Move the domain name to Cloudflare and use Solution #2 (CNAME Flattening) above.
  2. Use Cloudflare for SaaS, which is covered below.
  3. Become a Cloudflare Partner and use a Partial DNS Zone (CNAME setup). Be aware that the domain name's existing DNS provider has to support CNAME flattening at the apex, because in a partial setup Cloudflare only gives you names to CNAME to, not IPs, and the apex cannot be a plain CNAME.

Using Cloudflare Without Changing your Name Servers – Partial CNAME Zones – Managing WP – All about Managing WordPress (managingwp.io)

Addressing “Error 1014 CNAME Cross-User Banned” and Cloudflare for SaaS

With Cloudflare for SaaS you can put hundreds of customer domains behind a single Cloudflare configuration. Each customer hostname (such as subdomain.clientdomain.com) is added to your zone as a custom hostname, the customer keeps a plain CNAME at their own DNS provider pointing at your domain, and Cloudflare serves and protects that hostname, certificate included, without the customer's zone having to be in your account, which is what avoids the cross-user error.

Cloudflare for SaaS · Cloudflare for Platforms docs – Cloudflare for SaaS allows you to extend the security and performance benefits of Cloudflare's network to your customers via their own custom or … (developers.cloudflare.com)
