Enforce DNS-only

The enforce DNS-only setting is an account-level break-glass mechanism that allows you to bypass Cloudflare's reverse proxy for all zones in your account in a single action. When enabled, Cloudflare responds to DNS queries with the underlying record content — origin IP addresses for proxied A and AAAA records, and CNAME targets for proxied CNAME records — instead of Cloudflare's anycast IP addresses, effectively setting all proxied DNS records to DNS-only without modifying the records themselves.

This setting is intended for emergency situations only, such as during an outage when you need to quickly route traffic directly to your origins.

Warning

Enabling this setting exposes your origin IP addresses and removes all Cloudflare protections — including DDoS mitigation, WAF, caching, and all other proxy-based features — for every zone in your account. Use with extreme caution and only after proper preparation.

Key characteristics

• Account-level: Affects all zones in the account simultaneously.
• Non-destructive: Does not modify your DNS records. Disabling the setting restores normal proxy behavior.
• API-only: Available through the API only, not in the Cloudflare dashboard.

Auto TTL for proxied records

Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-only and back may not be instantaneous. Since all proxied records have a TTL of Auto, this value (five minutes by default) determines how long resolvers may continue to serve Cloudflare's anycast IPs or your origin IP addresses.

Preparation

Before relying on enforce DNS-only as part of your incident response plan, you should:

• Verify origin server capacity: Without Cloudflare proxying, your origin servers handle all traffic directly, including traffic that Cloudflare would normally cache or filter. Ensure your infrastructure can sustain this load.
• Review exposed record content: When enforce DNS-only is active, all origin IPs configured in proxied A and AAAA records, as well as the targets of proxied CNAME records, become publicly visible through DNS queries. If your origins rely on IP obscurity for security, plan accordingly.
• Test in advance: Use the API in a staging or test account to confirm that you understand the behavior before you need it in an emergency.

Verify SSL certificates

If your origins serve HTTPS traffic, ensure they have publicly trusted SSL certificates installed for the relevant hostnames. Cloudflare Origin CA certificates are only trusted by Cloudflare and will cause certificate errors for direct client connections.

Enable enforce DNS-only

Use the Update DNS Settings endpoint to enable enforce DNS-only for your account:

Required API token permissions

At least one of the following token permissions is required:

• Account DNS Settings Write

Update DNS Settings

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "enforce_dns_only": true
  }'

Once enabled, Cloudflare responds to DNS queries for all proxied records with the underlying record content — your configured origin IP addresses for A and AAAA records, and the configured CNAME target for CNAME records — instead of Cloudflare's anycast IPs.

Disable enforce DNS-only

To restore normal proxy behavior, set enforce_dns_only to false:

Required API token permissions

At least one of the following token permissions is required:

• Account DNS Settings Write

Update DNS Settings

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "enforce_dns_only": false
  }'

After you disable the setting, Cloudflare resumes responding to DNS queries with anycast IP addresses for proxied records and all proxy-based features are restored.

Other Cloudflare products

Refer to the sections below in case you use other Cloudflare products that rely on DNS records.

Included

Enforce DNS-only affects the following records:

• Load Balancing: proxied LB records visible on the DNS records table but managed through the Load Balancing configurations.
• Proxied DNS records that match a Worker route.
• Cloudflare for SaaS fallback origin: The proxied DNS record you designate as the fallback origin for custom hostnames.

Excluded

Enforce DNS-only does not affect the following records:

• R2 custom domains: Read-only proxied records added to the DNS records table when you set up R2 custom domains.
• Spectrum applications: DNS records managed by the Spectrum application.
• Tunnel: CNAME records pointing to a tunnel subdomain. Refer to Tunnel routing or Cloudflare One for details.
• Web3 gateways: Read-only proxied records managed by the Web3 gateway configuration.
• Workers custom domains: Read-only proxied records added to the DNS records table when you set up Workers custom domains.

  Custom domain or route match

  Proxied records that match a Worker route are regular DNS records and will be affected by the enforce DNS-only setting.

Check current status

Use the Show DNS Settings endpoint to verify the current value:

Required API token permissions

At least one of the following token permissions is required:

• Account DNS Settings Write
• Account DNS Settings Read

Show DNS Settings

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Related resources

• Proxy status - Understand how proxied and DNS-only records behave.
• Batch record changes - Change proxy status for multiple records in bulk within a single zone.