How do I move DNS to Cloudflare with minimal downtime and fast propagation?

Migrating DNS to Cloudflare can be done with near-zero downtime if you prepare correctly and control how quickly the change propagates. The key is to mirror your existing DNS records inside Cloudflare, cut over your nameservers only after verification, and use TTLs strategically so clients update quickly without breaking anything.

Quick Answer: Moving DNS to Cloudflare with minimal downtime means recreating your existing DNS records in Cloudflare first, lowering TTLs ahead of time, and only then switching your domain’s nameservers at the registrar. Cloudflare’s global Anycast DNS helps your new settings propagate quickly across the Internet.


The Quick Overview

  • What It Is: Moving DNS to Cloudflare means letting Cloudflare’s global Anycast DNS act as the authoritative nameserver for your domain, while its connectivity cloud protects and accelerates your websites, apps, and APIs.
  • Who It Is For: Teams that want faster, more resilient DNS, built-in DDoS protection, and a single place to manage DNS, security, and performance for websites, APIs, and AI-enabled apps.
  • Core Problem Solved: It eliminates slow, fragile DNS setups and risky, manual migrations that can cause outages when you change providers or modernize your stack.

How It Works

At a high level, you keep your current DNS live while you set up Cloudflare in parallel. Cloudflare scans and imports your existing DNS records, you validate and fix anything missing, then you update nameservers at your domain registrar. Because Cloudflare runs a global Anycast DNS network, your domain starts resolving from Cloudflare’s edge locations worldwide as soon as registries and resolvers pick up the change.

From there, every DNS query for your domain hits Cloudflare first. If you proxy traffic through Cloudflare, HTTP/HTTPS requests are routed through Cloudflare’s edge, where security and performance services—WAF, DDoS mitigation, CDN, bot management—are applied before traffic reaches your origin.

A minimal-downtime, fast-propagation migration typically follows three phases:

  1. Preparation & TTL Tuning
  2. DNS Record Import & Validation
  3. Nameserver Cutover & Post-Cutover Checks

1. Preparation & TTL Tuning

Before you touch Cloudflare:

  • Inventory current DNS records

    • Export or document all records from your existing DNS provider:
      • A/AAAA (for websites, apps, APIs)
      • CNAME (subdomains, services like app.example.com)
      • MX (email)
      • TXT (SPF, DKIM, verification records)
      • SRV and any special-purpose records
    • Note which records must not be proxied (e.g., MX, some third-party integrations).
  • Lower TTLs ahead of time

    • TTL (time-to-live) controls how long resolvers cache DNS answers.
    • To get fast propagation, change high TTLs (e.g., 1–24 hours) at your current DNS provider to something short (300s or 600s is typical).
    • Do this at least one full period of the old TTL before migration, so that every cached answer still carrying the old, longer TTL has expired by cutover.
      Example:
      • If TTL is 3600 seconds (1 hour), lower it at least 1–2 hours before cutover.
      • If TTL is 86400 seconds (24 hours), lower it the day before.
  • Plan a low-risk cutover window

    • Choose a period of lower traffic if your app has clear peaks.
    • Align stakeholders: app owners, email admins, security teams.

This prep phase is what actually minimizes downtime: you’re making sure caches will expire quickly when you switch to Cloudflare.

2. DNS Record Import & Validation

Now you set up Cloudflare in parallel while your existing DNS still serves production traffic.

  1. Create a Cloudflare account and add your domain

    • Sign up on cloudflare.com (takes less than 5 minutes).
    • Add your domain (e.g., example.com), and Cloudflare will scan your current DNS to import records automatically.
  2. Review and correct imported DNS records

    • In the Cloudflare Dashboard, go to DNS > Records and compare against your inventory.
    • Ensure every critical record is present:
      • Root and www A/AAAA/CNAME records.
      • API and app subdomains.
      • MX records for email.
      • TXT records (SPF, DKIM, DMARC, domain verifications).
      • SRV records for services like VoIP, chat, or other protocols.
    • Add any missing records manually to match the current provider exactly.
  3. Decide which records will be proxied

    • Cloudflare uses an “orange cloud / gray cloud” model:
      • Orange cloud (proxied): HTTP/HTTPS and some TCP traffic flows through Cloudflare’s edge. This enables WAF, DDoS protection, CDN caching, and performance optimizations.
      • Gray cloud (DNS-only): Cloudflare answers DNS, but traffic goes directly to your origin, without HTTP-level security/performance services.
    • Typically:
      • Websites, APIs, and web apps → proxied.
      • Email (MX, mail A records), some VoIP and non-HTTP services → DNS-only.
  4. Verify IPs and hostnames

    • Make sure all A/AAAA record IPs match your current production IPs.
    • Ensure CNAME chains resolve correctly.
    • Confirm no “test” or old IPs were accidentally imported.

At the end of this phase, Cloudflare holds a full, accurate copy of your DNS configuration—but your registrar still points at the old nameservers, so production traffic is unchanged.
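
The parity check from this phase, together with the TTL check from phase 1, can be scripted rather than done by eye. The following is an added example, not Cloudflare tooling or code from the original page: it assumes both providers can export records as one-line BIND-style entries, the helper names parse_zone and parity_report are hypothetical, and the 600-second threshold is taken from the 300 to 600 second range suggested above. In the constructed sample data it catches a dropped DMARC record, which would weaken email spoofing protection after cutover, and an API record imported with the wrong IP.

```python
from collections import defaultdict

# Constructed sample exports, one "name TTL IN TYPE rdata" record per line.
OLD_ZONE = """\
; export from the current provider (constructed)
example.com.        300   IN A     192.0.2.10
www.example.com.    300   IN CNAME example.com.
api.example.com.    86400 IN A     192.0.2.20
example.com.        300   IN MX    10 mail.example.com.
mail.example.com.   300   IN A     192.0.2.25
example.com.        300   IN TXT   "v=spf1 mx -all"
_dmarc.example.com. 300   IN TXT   "v=DMARC1; p=reject"
"""
NEW_ZONE = """\
example.com.        300   IN A     192.0.2.10
www.example.com.    300   IN CNAME example.com.
api.example.com.    300   IN A     192.0.2.99
example.com.        300   IN MX    10 mail.example.com.
mail.example.com.   300   IN A     192.0.2.25
example.com.        300   IN TXT   "v=spf1 mx -all"
"""

def parse_zone(text):
    """Map (owner name, type) -> {rdata: ttl}; ignores blank and ';' comment lines."""
    records = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        if rtype != "TXT":  # hostnames and IPs compare case-insensitively; TXT payloads do not
            rdata = " ".join(rdata.lower().split())
        records[(name.lower().rstrip("."), rtype)][rdata] = int(ttl)
    return records

def parity_report(old_text, new_text, max_ttl=600):
    """List every difference between the zones, plus old records whose TTL is still high."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    findings = []
    for name, rtype in sorted(set(old) | set(new)):
        o, n = old.get((name, rtype), {}), new.get((name, rtype), {})
        findings += [("MISSING_IN_NEW", name, rtype, r) for r in sorted(set(o) - set(n))]
        findings += [("ONLY_IN_NEW", name, rtype, r) for r in sorted(set(n) - set(o))]
        findings += [("TTL_NOT_LOWERED", name, rtype, r) for r in sorted(o) if o[r] > max_ttl]
    return findings

if __name__ == "__main__":
    print(*parity_report(OLD_ZONE, NEW_ZONE), sep="\n")
```

An empty report is the condition for moving on to the nameserver change; any TTL_NOT_LOWERED entry means the cutover clock for that record has not started yet.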

3. Nameserver Cutover & Post-Cutover Checks

This is where you actually move authority for your domain to Cloudflare.

  1. Get Cloudflare’s nameservers

    • In the Cloudflare Dashboard under your domain’s Overview, you’ll see two assigned Cloudflare nameservers (e.g., amy.ns.cloudflare.com and phil.ns.cloudflare.com).
  2. Update nameservers at your registrar

    • Log in to your domain registrar (where you registered the domain).
    • Replace the current authoritative nameservers with the two Cloudflare nameservers.
    • Save and confirm changes (some registrars email you for confirmation).
  3. Wait for registry and DNS propagation

    • Top-level domain registries update nameserver delegation; recursive resolvers then pick up the change over time.
    • Because you lowered TTLs earlier and Cloudflare uses Anycast DNS across a large global network, effective propagation is often very fast (minutes to a couple of hours for most traffic).
    • During this time, some clients will still hit the old DNS; others will hit Cloudflare. Because both point to the same IPs and records, users should see no downtime.
  4. Verify resolution via Cloudflare

    • Use tools like dig, nslookup, or online DNS checkers:
      • dig NS yourdomain.com @1.1.1.1
      • Confirm the answer lists Cloudflare’s nameservers as the authoritative nameservers for the domain.
    • Check multiple subdomains, especially critical ones (www, api, app subdomains, email-related records).
  5. Monitor application behavior

    • Watch your app’s error rates and latency.
    • Confirm:
      • Websites and APIs are reachable.
      • Email is flowing.
      • Third-party integrations (payment gateways, SSO, etc.) still resolve correctly.

Once Cloudflare shows your domain as “Active” and you’ve verified resolution, your DNS is successfully migrated with minimal downtime.


Features & Benefits Breakdown

Core Feature | What It Does | Primary Benefit
Anycast Authoritative DNS | Answers DNS queries from Cloudflare’s global edge network. | Faster, more resilient DNS with low latency worldwide.
Integrated Security & CDN | Routes proxied HTTP/HTTPS traffic through Cloudflare’s edge for WAF, DDoS, CDN. | Protects and accelerates websites, APIs, and AI-enabled apps.
Centralized DNS Management | Manages DNS for all domains and subdomains in a single dashboard and API. | Simplifies operations, reduces misconfigurations and downtime.

Ideal Use Cases

  • Best for production website and API cutovers: Because it lets you mirror existing DNS, shorten TTLs, and switch nameservers seamlessly, reducing the risk of outages during provider changes or cloud migrations.
  • Best for security-led modernizations: Because once DNS is on Cloudflare, you can turn on WAF, DDoS protection, Zero Trust access, and other Application Services without changing your IP space or deploying new hardware.

Limitations & Considerations

  • Old long TTLs may linger: If some resolvers or clients cached your old records before you lowered TTLs, a small number of users may continue to use the old DNS for a while. Plan your cutover outside peak hours and keep old DNS aligned until you’re confident caches have expired.
  • Non-HTTP services may require DNS-only or special configuration: Email, VoIP, and some proprietary protocols should not be proxied. Keep these records “DNS-only” and follow service-specific guidance when moving.

Pricing & Plans

Cloudflare includes free authoritative DNS with every plan, from Free through Enterprise. You can start by moving DNS alone, then selectively add security and performance services as needed.

  • Free / Pro / Business Plans: Best for individuals, startups, and smaller teams needing fast, reliable DNS plus core security and performance for websites and APIs. You can sign up and add a domain in minutes directly from the dashboard.
  • Enterprise Plan: Best for organizations needing formal SLAs, advanced security (e.g., enterprise WAF, bot management), custom network configurations, and dedicated support when moving mission-critical DNS and applications.

For complex environments—multiple domains, hybrid cloud, or strict uptime requirements—engaging Cloudflare’s Enterprise team ensures your DNS migration plan is reviewed and supported.


Frequently Asked Questions

How do I avoid downtime when switching DNS to Cloudflare?

Short Answer: Mirror your existing DNS records inside Cloudflare first, lower TTLs on your current DNS in advance, and only then update nameservers at your registrar—so both old and new DNS serve identical answers during the transition.

Details:
Downtime usually happens when you treat DNS migration as a “big bang” change. To avoid that:

  1. Prepare:

    • Export or document your current DNS configuration.
    • Lower TTLs (e.g., to 300–600 seconds) at your current DNS provider at least one full period of the old TTL before cutover.
  2. Build parity in Cloudflare:

    • Add your domain in Cloudflare and let it scan existing DNS.
    • Verify every record (A, AAAA, CNAME, MX, TXT, SRV).
    • Ensure key subdomains map to the same IPs they do today.
  3. Cut over via nameserver change:

    • Change nameservers at the registrar to Cloudflare’s.
    • Because the record set is identical, traffic continues flowing to the same IP addresses whether a client hits the old or new DNS.
  4. Monitor and keep old DNS aligned briefly:

    • Leave the old DNS configuration intact and unchanged for several hours to a day after cutover.
    • This protects users whose resolvers still cache the old nameservers.

This approach treats Cloudflare’s DNS as a drop-in replacement first, then later unlocks additional capabilities like proxying, WAF, and CDN.

How fast does DNS propagate when moving to Cloudflare?

Short Answer: In practice, most traffic shifts to Cloudflare within minutes to a few hours, especially if you lower TTLs first. However, some caches and registries may take longer, depending on their own policies.

Details:
Cloudflare uses a global Anycast DNS network that responds to queries from data centers close to end users. Once you update your domain’s nameservers at the registrar:

  • Registry updates:
    • Your TLD registry (e.g., .com, .org, country codes) updates the delegation from your old nameservers to Cloudflare’s.
  • Recursive resolver cache expiry:
    • ISPs and enterprise resolvers cache the delegation and individual records based on their TTL.
    • If you lowered TTLs ahead of time, those caches expire quickly, and resolvers start asking Cloudflare for answers.

Factors affecting propagation speed:

  • Previous TTL values: Old high TTLs (e.g., 86400 seconds) might still be honored by some resolvers.
  • Resolver behavior: Some resolvers ignore very low TTLs; others strictly honor them.
  • Client-local caches: Browsers and OSes sometimes cache DNS answers separately.

Cloudflare cannot force external resolvers to drop caches, but by controlling TTLs ahead of time and ensuring identical DNS content during cutover, you keep user impact close to zero while propagation completes.


Summary

Moving DNS to Cloudflare with minimal downtime and fast propagation comes down to three disciplines: prepare early, mirror your existing configuration, and cut over via nameserver change only after validation. By lowering TTLs at your current provider, importing and verifying all records in Cloudflare, and then updating nameservers at your registrar, you shift queries onto Cloudflare’s Anycast DNS smoothly.

Once DNS is on Cloudflare, you’re positioned to do more than just answer queries—you can connect, protect, and build everywhere on a single connectivity cloud: securing websites and APIs, enforcing Zero Trust access, and powering modern apps and AI workloads at the edge.

