Skip to main content
GrN.dk

Main navigation

  • Articles
  • Contact
  • Your Digital Project Manager
  • About Greg Nowak
  • Services
  • Portfolio
  • Container
    • Excel Freelancer
    • Kubuntu - tips and tricks
    • Linux Apache MySQL and PHP
    • News
    • Image Gallery
User account menu
  • Log in

Breadcrumb

  1. Home

Cloudflare’s Enforce DNS-Only Switch: Test Your Origin Before an Incident

By Greg Nowak. Last updated 2026-07-14.

Cloudflare’s enforce_dns_only setting gives operations teams a fast way to bypass its reverse proxy across an entire account. That can be valuable during a Cloudflare-side incident, but it also sends visitors directly to your origins and removes the WAF, DDoS mitigation, caching, rate limiting, redirects, and other proxy-based services those origins normally sit behind.

This is therefore less a DNS convenience than a business-continuity decision. Before anyone uses the switch, the organisation needs to know which services will change, whether the origins can safely accept public traffic, and exactly how the team will roll back.

What the switch changes

Introduced on April 28, 2026, enforce_dns_only is an account-level, API-only break-glass control. It does not edit individual DNS records. Instead, Cloudflare’s edge answers queries for affected proxied records with their underlying IP addresses or CNAME targets. Setting it back to false restores normal proxy behaviour.

The scope is broad but not universal. It includes standard proxied A, AAAA, and CNAME records, Cloudflare Load Balancing records, records matched by Worker routes, and Cloudflare for SaaS fallback origins. Spectrum applications, Tunnel CNAMEs, R2 custom domains, Web3 gateways, and Workers custom domains are excluded. Mixed Cloudflare estates will therefore behave differently during the same incident.

The change takes effect immediately at Cloudflare’s edge, but users may not see it simultaneously. Proxied records normally have a 300-second Auto TTL, and recursive or local caches can retain an earlier answer for longer. During both cutover and rollback, expect a period when some visitors reach Cloudflare while others connect directly.

Readiness gate Evidence that you are ready Reason to stop
TLS Every direct-access hostname presents a publicly trusted certificate and complete chain. The origin only has a Cloudflare Origin CA certificate.
Ingress A reviewed emergency firewall and authentication path is ready. The origin accepts only Cloudflare IPs or requires Authenticated Origin Pulls.
Capacity Direct traffic has been tested without Cloudflare caching or filtering. Origin headroom and database impact are unknown.
DNS Hostnames, targets, shared servers, and product exclusions are mapped. The team cannot predict which addresses will become public.
Control An approver, operator, token owner, monitoring plan, and rollback trigger are named. The change would be improvised by whoever is online.
A go/no-go check for an account-wide direct-to-origin cutover.

Where an emergency bypass commonly fails

The certificate works through Cloudflare, but not in a browser

A Cloudflare Origin CA certificate is designed for the encrypted Cloudflare-to-origin connection. Browsers do not trust it directly. Any hostname that must remain publicly reachable during bypass needs a certificate issued by a publicly trusted certificate authority, with the correct names and chain installed at the origin.

Normal origin protection blocks the fallback route

Well-protected origins often allowlist Cloudflare IP ranges, require Authenticated Origin Pulls, validate a secret header, or have no public address because they use Cloudflare Tunnel. Those are sensible normal-mode controls, but ordinary visitors cannot satisfy them when connecting directly. Do not solve that during an incident by opening the server indiscriminately. Prepare a narrow, reviewed emergency ingress configuration and a reliable way to restore the hardened rules.

The origin has never carried the real workload

Once Cloudflare is out of path, cache misses become every request, unwanted traffic is no longer filtered, and application-level rate limits may change. Test the web tier, database, third-party dependencies, logging pipeline, and hosting-cost exposure. A bypass that overloads the origin merely replaces one outage with another.

The DNS inventory describes records, not services

Map each public hostname to its origin, certificate, application owner, and Cloudflare product. Also identify DNS-only records that reveal an address shared with a proxied service. Cloudflare treats multiple A or AAAA records on the same hostname as proxied when at least one is proxied, so reviewing records individually can give a misleading picture.

Rehearse the whole decision, not just the API call

  1. Define the incident severity, affected services, approver, and evidence required before account-wide bypass is authorised.
  2. Run the first rehearsal in a staging or test account, as Cloudflare recommends. Do not discover account scope in production.
  3. Test each intended origin from an approved external network. The following command preserves the hostname for TLS and HTTP while connecting to a chosen IP:
curl --resolve 'www.example.com:443:203.0.113.10' \
  'https://www.example.com/'
  1. Exercise the emergency firewall configuration, certificate renewal path, application health checks, and rollback.
  2. Perform a controlled capacity test without depending on Cloudflare’s cache, WAF, or rate limiting.
  3. Observe DNS from multiple networks during a rehearsal and record the real cutover and recovery times.
  4. Give the API token only the required account DNS settings permission, protect it as an incident credential, and log every use.

The current API sequence is simple: inspect the setting, enable it when authorised, and explicitly disable it during recovery.

curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings' \
  --request GET \
  --header 'Authorization: Bearer $CLOUDFLARE_API_TOKEN'

curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings' \
  --request PATCH \
  --header 'Authorization: Bearer $CLOUDFLARE_API_TOKEN' \
  --json '{"enforce_dns_only": true}'

curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_settings' \
  --request PATCH \
  --header 'Authorization: Bearer $CLOUDFLARE_API_TOKEN' \
  --json '{"enforce_dns_only": false}'

Make the emergency switch boring

The feature is useful when direct-to-origin traffic is an intentional recovery design. It is dangerous when “we can bypass Cloudflare” is only an assumption. Some organisations will conclude that a separate standby route is safer than weakening carefully designed origin controls—and that is a valid outcome of the exercise.

If you need a practical DNS inventory, readiness review, or rehearsal plan, Greg can help turn the technical option into a runbook your team can actually use.

Related on GrN.dk

  • Cloudflare Tunnel in 2026: Better Visibility, Harder Questions
  • How to Bulk Delete Cloudflare DNS Records Without Browser Console JavaScript
  • Cloudflare BYOIP customers need a rollback plan, not just trust

Need help with this kind of work?

Plan your Cloudflare readiness review Get in touch with Greg.

Sources

  • Account-level enforce DNS-only
  • Enforce DNS-only
  • Cloudflare DNS API
  • Proxy status
  • Protect your origin server
Last modified
2026-07-14

Tags

  • Cloudflare
  • DNS
  • incident response
  • origin security
  • business continuity

Review Greg on Google

Greg Nowak Google Reviews

 

Illustrated infographic summarizing: If the Facts Need JavaScript, AI Search May Miss the Full Page
If the Facts Need JavaScript, AI Search May Miss the Full Page
2026-07-14

A practical guide to finding and fixing JavaScript rendering gaps that can hide services, prices, contact details and metadata from AI search crawlers.

Illustrated infographic summarizing: Search Console Can See Social Posts—Your Reports Need a New Map
Search Console Can See Social Posts—Your Reports Need a New Map
2026-07-13

Search Console now reports how social posts perform across Google. Here’s a practical way to manage properties, permissions, baselines and exports.

Illustrated infographic summarizing: WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
2026-07-12

WordPress 7.0 standardizes how plugins call AI providers, while leaving developers responsible for access control, cost limits, capability checks and graceful failures.

Illustrated infographic summarizing: Google’s AI Search toggle needs a test plan, not a gut decision
Google’s AI Search toggle needs a test plan, not a gut decision
2026-07-11

Google’s AI Search control creates a measurable publishing choice. Test visibility, traffic and leads before changing the setting across your site.

Illustrated infographic summarizing: OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
2026-07-10

OpenAI retires Agent Builder on November 30, 2026. Here is what teams need to preserve, how to choose a migration path, and how to cut over safely.

Illustrated infographic summarizing: AI agents need a browser policy before they start clicking around
AI agents need a browser policy before they start clicking around
2026-07-09

Browser-using AI agents can save time, but they need clear rules before they enter CRMs, CMSs, portals, or admin tools and start taking action.

Illustrated infographic summarizing: When AI writes JSON, one bad field can break the workflow
When AI writes JSON, one bad field can break the workflow
2026-07-08

Structured AI output is useful in real workflows, but teams need schemas, validation, retries, and logs before JSON reaches production systems.

Illustrated infographic summarizing: AI search is eating the click: measure the queries before rewriting pages
AI search is eating the click: measure the queries before rewriting pages
2026-07-07

AI summaries are cutting into search clicks. Start with a practical dashboard that shows query risk, bot purpose, page value, and crawler policy.

Illustrated infographic summarizing: AI shopping visibility now depends on boring product-data plumbing
AI shopping visibility now depends on boring product-data plumbing
2026-07-07

AI-assisted shopping puts more pressure on ecommerce catalog data, feeds, schema, prices, availability, and return-policy governance.

Illustrated infographic summarizing: Drupal AI Demos Need a Permissions Rehearsal Before Launch
Drupal AI Demos Need a Permissions Rehearsal Before Launch
2026-07-07

Drupal’s July 2026 AI advisories show why agencies should test permissions, uploads, approval loops, logs, and rollback before client demos go live.

More articles
RSS feed

GrN.dk web platforms, web optimization, data analysis, data handling and logistics.