--- title: Set up a primary zone (Full setup) description: If you want to use Cloudflare as your primary DNS provider and manage your DNS records, your domain should be using a full setup. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/dns/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Set up a primary zone (Full setup) Cloudflare DNS offers a few different [setup options](https://developers.cloudflare.com/dns/zone-setups/). A primary setup (also known as full) is the most common and the only one available for Free or Pro plans. For details, refer to [About](https://developers.cloudflare.com/dns/zone-setups/full-setup/). For more introductory context, refer to [Concepts](https://developers.cloudflare.com/dns/concepts/). ## Before you begin Make sure that you: * Create a Cloudflare account — If you have not already, [sign up for a Cloudflare account](https://developers.cloudflare.com/fundamentals/account/create-account/). * Own a domain name — You need a registered domain (for example, `example.com`). If you do not have one, you can [register a domain at-cost through Cloudflare Registrar ↗](https://dash.cloudflare.com/?to=/:account/domains/register). Domains purchased through Cloudflare Registrar automatically use Cloudflare for authoritative DNS, so you can skip the rest of this tutorial. ## 1\. Add your domain to Cloudflare * [ Dashboard ](#tab-panel-5872) * [ API ](#tab-panel-5873) 1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com). [ Go to **Domains** ](https://dash.cloudflare.com/?to=/:account/domains/overview) 2. Select **Onboard a domain**. 3. Enter your apex domain (for example, `example.com`) and choose how you would like to add your DNS records. 4. Select **Continue** and choose a [plan ↗](https://www.cloudflare.com/plans/#compare-features). Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Zone Zone Edit` * `Zone DNS Edit` Create Zone ``` curl "https://api.cloudflare.com/client/v4/zones" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "", "account": { "id": "" } }' ``` Note If Cloudflare is unable to identify your domain as a registered domain, make sure you are using an existing [top-level domain ↗](https://www.cloudflare.com/learning/dns/top-level-domain/) (`.com`, `.net`, `.biz`, or others). Cloudflare requires your apex domain to be one level below a valid TLD defined in the [Public Suffix List (PSL) ↗](https://github.com/publicsuffix/list/blob/master/public%5Fsuffix%5Flist.dat). Enterprise customers can onboard lower-level subdomains using [Subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/). DNS records quick scan Cloudflare can [automatically scan for your records](https://developers.cloudflare.com/dns/zone-setups/reference/dns-quick-scan/) and add them to the [DNS zone](https://developers.cloudflare.com/dns/concepts/#zone) for you, or you can add records manually. These records show up under your domain on the [**DNS Records** ↗](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) page of the dashboard. Note If you add a zone via the [API](https://developers.cloudflare.com/api/resources/zones/methods/create/), you can manually invoke the quick scan with the [Trigger DNS Records Scan endpoint](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/scan%5Ftrigger/). ## 2\. Review your DNS records Your DNS records must be accurate for your domain to work properly. If you don't know what DNS records are, consider the video below for a quick explanation. Note If you activate your domain on Cloudflare _without_ setting up the correct DNS records for your domain, your visitors may experience [DNS\_PROBE\_FINISHED\_NXDOMAIN](https://developers.cloudflare.com/dns/troubleshooting/dns-probe-finished-nxdomain/) errors. ### Common records Since the quick scan is not guaranteed to find all existing DNS records, you need to review your records, paying special attention to the following: * [Zone apex records (example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-zone-apex/) More about zone apex records Zone apex refers to the domain or subdomain that you are [adding to Cloudflare](https://developers.cloudflare.com/dns/concepts/#zone). Usually, the zone apex record makes your domain accessible by visitors. In this case, the necessary record type ([A, AAAA, or CNAME](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution)) and its content will depend on the provider that [hosts](https://developers.cloudflare.com/fundamentals/manage-domains/#host-your-domain) your website or application. If you are using Cloudflare Workers, refer to [Custom domains](https://developers.cloudflare.com/workers/configuration/routing/custom-domains/). If you are using other providers, look for their guidance on how to connect domains managed on external DNS services. Then, make sure you have the records required by your hosting provider on your [DNS records table](https://developers.cloudflare.com/dns/manage-dns-records/#dns-records-table) at Cloudflare. * [Subdomain records (www.example.com or blog.example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-subdomain/) More about subdomain records Most subdomains serve a specific purpose within the overall context of your website. For example, `blog.example.com` might be your blog, `support.example.com` could be your customer help portal, and `store.example.com` would be your e-commerce site. Even if you do not require specific subdomains, you might want to set up at least a subdomain record on `www`. It will usually point to the same content as what you have on the apex domain (`example.com`) or use a [redirect](https://developers.cloudflare.com/fundamentals/manage-domains/manage-subdomains/#redirect-a-subdomain-to-the-apex-domain). Having a subdomain DNS record on `www` helps guarantee that a visitor who types `www.` in front of your domain address can still find your website or application. * [Email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/) More about email records Depending on your business needs, you can configure DNS records so that you can use your domain to receive emails, receive and send emails from your domain, or prevent others from sending emails on your behalf (spoofing). Below are some examples of what those DNS records might look like. The exact values for your DNS mail records depend on your email provider. If you have issues, review the [Troubleshooting](https://developers.cloudflare.com/dns/troubleshooting/email-issues/) and contact your email service provider to confirm your DNS records are correct. | Type | Name | Content | Proxy status | TTL | | ---- | -------------- | ----------------------------- | ------------ | ---- | | A | mail | 192.0.2.1 | DNS Only | Auto | | MX | example.com | 5 john.mx.example-server.test | DNS Only | Auto | | TXT | \_dmarc | "v=DMARC1; p=reject; sp=... | DNS Only | Auto | | TXT | \*.\_domainkey | "v=DKIM1; k=rsa; p=..." | DNS Only | Auto | | TXT | example.com | "v=spf1 ip4:..." | DNS Only | Auto | ### Proxy status Each A, AAAA, and CNAME record has a [proxy status](https://developers.cloudflare.com/dns/proxy-status/) toggle: * **Proxied** (orange cloud): web traffic goes through the Cloudflare network, which provides caching, DDoS protection, and other security features. * **DNS only** (gray cloud): Cloudflare returns the DNS record value but does not proxy traffic. Use this for CNAME records that verify your domain for third-party services. ## 3\. Change your nameservers Your domain will be assigned two authoritative Cloudflare nameservers. Nameservers are specialized servers that store your domain's DNS records and "answer" requests from browsers by providing the specific IP address needed to connect to your website. Warning If your domain is particularly sensitive to downtime, review our suggestions to [minimize downtime](https://developers.cloudflare.com/fundamentals/performance/minimize-downtime/). ### 3.1\. Get nameserver names * [ Dashboard ](#tab-panel-5870) * [ API ](#tab-panel-5871) Your assigned nameservers are displayed as part of the onboarding flow. If you need to find them once again, go the zone **Overview** page. [ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/) Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required: * `Trust and Safety Write` * `Trust and Safety Read` * `Zero Trust: PII Read` * `Zaraz Edit` * `Zaraz Read` * `Zaraz Admin` * `Access: Apps and Policies Revoke` * `Access: Apps and Policies Write` * `Access: Apps and Policies Read` * `Access: Apps and Policies Revoke` * `Access: Mutual TLS Certificates Write` * `Access: Organizations, Identity Providers, and Groups Write` * `Zone Settings Write` * `Zone Settings Read` * `Zone Read` * `DNS Read` * `Workers Scripts Write` * `Workers Scripts Read` * `Zone Write` * `Workers Routes Write` * `Workers Routes Read` * `Stream Write` * `Stream Read` * `SSL and Certificates Write` * `SSL and Certificates Read` * `Logs Write` * `Logs Read` * `Cache Purge` * `Page Rules Write` * `Page Rules Read` * `Load Balancers Write` * `Load Balancers Read` * `Firewall Services Write` * `Firewall Services Read` * `DNS Write` * `Apps Write` * `Analytics Read` * `Access: Apps and Policies Write` * `Access: Apps and Policies Read` Zone Details ``` curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` Note Cloudflare automatically assigns nameservers to a domain and these assignments cannot be changed. For more details, refer to [Nameserver assignments](https://developers.cloudflare.com/dns/nameservers/nameserver-options/#assignment-method). ### 3.2\. Log in to your registrar Log in to the admin account for your domain registrar. If you do not know your provider, use [ICANN Lookup ↗](https://lookup.icann.org/). Note Depending on your use case, you may have to perform this step on the DNS records management of your domain parent zone, or at a domain reseller, instead. Refer to [Nameservers](https://developers.cloudflare.com/dns/nameservers/update-nameservers/#specific-processes) for details. ### 3.3\. Turn off DNSSEC If your domain has [DNSSEC](https://developers.cloudflare.com/dns/dnssec/)[1](#user-content-fn-1) active, you must [turn it off](https://developers.cloudflare.com/dns/dnssec/#disable-dnssec) at your registrar before replacing nameservers. Changing nameservers while DNSSEC is active can cause your domain to become unreachable. You can [re-enable DNSSEC through Cloudflare](https://developers.cloudflare.com/dns/dnssec/#enable-dnssec) after your domain is active. Provider-specific DNSSEC instructions This is not an exhaustive list, but the following links may be helpful: * [DNSimple ↗](https://support.dnsimple.com/articles/cloudflare-ds-record/) * [Domaindiscount24 ↗](https://support.domaindiscount24.com/hc/articles/4409759478161) * [DreamHost ↗](https://help.dreamhost.com/hc/en-us/articles/219539467) * [Dynadot ↗](https://www.dynadot.com/help/question/set-DNSSEC) * [Enom ↗](https://support.enom.com/support/solutions/articles/201000065386) * [Gandi ↗](https://docs.gandi.net/en/domain%5Fnames/advanced%5Fusers/dnssec.html) * [GoDaddy ↗](https://www.godaddy.com/help/add-a-ds-record-23865) * [Hostinger ↗](https://www.hostinger.com/support/3667267-how-to-use-dnssec-records-at-hostinger/) * [Hover ↗](https://support.hover.com/support/solutions/articles/201000064716) * [Infomaniak ↗](https://faq.infomaniak.com/2187) * [InMotion Hosting ↗](https://www.inmotionhosting.com/support/edu/cpanel/enable-dnssec-cloudflare/) * [INWX ↗](https://kb.inwx.com/en-us/3-nameserver/131) * [Joker.com ↗](https://joker.com/faq/books/jokercom-faq-en/page/dnssec) * [Name.com ↗](https://www.name.com/support/articles/205439058-managing-dnssec) * [Namecheap ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/9722/2232/managing-dnssec-for-domains-pointed-to-custom-dns/) * [NameISP ↗](https://support.nameisp.com/knowledgebase/dns) * [Namesilo ↗](https://www.namesilo.com/support/v2/articles/domain-manager/ds-records) * [OVH ↗](https://help.ovhcloud.com/csm/en-dns-secure-domain-dnssec?id=kb%5Farticle%5Fview&sysparm%5Farticle=KB0051637) * [Squarespace ↗](https://support.squarespace.com/hc/articles/4404183898125-Nameservers-and-DNSSEC-for-Squarespace-managed-domains#toc-dnssec) * [Registro.br ↗](https://registro.br/tecnologia/dnssec/?secao=tutoriais-dns) * [Porkbun ↗](https://kb.porkbun.com/article/93-how-to-install-dnssec) (do not fill out **keyData**) * [TransIP ↗](https://www.transip.eu/knowledgebase/150-secure-domains-custom-nameservers-dnssec/) Note If your previous provider allows you to add DNSKEY records on the zone apex and use these records in responses to DNS queries, refer to this [migration tutorial](https://developers.cloudflare.com/dns/dnssec/dnssec-active-migration/) to learn how to migrate a zone with DNSSEC enabled. ### 3.4\. Update your registrar 1. Remove your existing authoritative nameservers. 2. Add the nameservers provided by Cloudflare. If their names are not **copied exactly**, your DNS will not resolve correctly. Provider-specific instructions This is not an exhaustive list of provider-specific instructions, but the following links may be helpful: * [Ionos ↗](https://www.ionos.com/help/domains/using-your-own-name-servers/using-your-own-name-servers-for-a-domain/) * [101Domain ↗](https://help.101domain.com/kb/managing-name-server-records) * [Amazon ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html#domain-name-servers-glue-records-adding-changing) * [Blacknight ↗](https://help.blacknight.com/hc/articles/4413036322321-How-do-I-change-the-nameservers-for-my-domain) * [BlueHost ↗](https://www.bluehost.com/help/article/custom-nameservers) * [DirectNIC ↗](https://directnic.com/knowledge/article/33:how%2Bdo%2Bi%2Bmodify%2Bname%2Bservers%2Bfor%2Bmy%2Bdomain%2Bname%253F) * [DNSMadeEasy ↗](http://www.dnsmadeeasy.com/support/faq/) * [Domain.com ↗](https://www.domain.com/help/article/domain-management-how-to-update-nameservers) * [Dotster ↗](https://www.dotster.com/help/article/domain-management-how-to-update-nameservers) * [DreamHost ↗](https://help.dreamhost.com/hc/en-us/articles/360038897151) * [EasyDNS ↗](https://kb.easydns.com/knowledge/settingchanging-nameservers/) * [Enom ↗](https://help.enom.com/hc/en-us/articles/115000486451-Nameservers-NS) * [Fast Domain ↗](https://www.fastdomain.com/hosting/help/transfer%5Fclient%5Fstart) * [FlokiNET ↗](https://billing.flokinet.is/index.php?rp=/knowledgebase/57/Nameserver-and-DNS-records.html) * [Gandi ↗](https://docs.gandi.net/en/domain%5Fnames/common%5Foperations/changing%5Fnameservers.html) * [GoDaddy ↗](https://www.godaddy.com/help/change-nameservers-for-your-domain-names-664) * [HostGator ↗](https://www.hostgator.com/help/article/changing-name-servers) * [Hostico ↗](https://hostico.ro/docs/setarea-nameserverelor-din-contul-de-client-hostico/) * [HostMonster ↗](https://my.hostmonster.com/cgi/help/222) * [Hover ↗](https://support.hover.com/support/solutions/articles/201000064742-changing-your-domain-nameservers) * [Internetdbs ↗](https://faq.internetbs.net/hc/en-gb/articles/4516921367837-How-to-update-Nameservers-for-a-domain) * [iPage ↗](https://www.ipage.com/help/article/domain-management-how-to-update-nameservers) * [MelbourneIT ↗](https://support.melbourneit.au/docs/how-do-i-manage-my-dns-on-cpanel) * [Moniker ↗](https://support.moniker.com/hc/en-gb/articles/10101271418653-How-to-update-Nameservers-for-a-domain) * [Name.com ↗](https://www.name.com/support/articles/205934457-registering-custom-nameservers) * [Namecheap ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-can-i-change-the-nameservers-for-my-domain) * [Network Solutions ↗](https://www.networksolutions.com/manage-it/edit-nameservers.jsp) * [OVH ↗](https://docs.ovh.com/gb/en/domains/web%5Fhosting%5Fgeneral%5Finformation%5Fabout%5Fdns%5Fservers/#step-2-edit-your-domains-dns-servers) * [Porkbun ↗](https://kb.porkbun.com/article/22-how-to-change-your-nameservers) * [Rackspace ↗](https://support.rackspace.com/how-to/rackspace-name-servers/) * [Register ↗](https://www.register.com/knowledge) * [Squarespace ↗](https://support.squarespace.com/hc/articles/4404183898125-Nameservers-and-DNSSEC-for-Squarespace-managed-domains#toc-open-the-domain-s-advanced-settings) * [Site5 ↗](https://kb.site5.com/dns-2/custom-nameservers/) * [Softlayer ↗](https://cloud.ibm.com/docs/dns?topic=dns-add-edit-or-delete-custom-name-servers-for-a-domain) * [Yola ↗](https://helpcenter.yola.com/hc/articles/360012492660-Changing-your-name-servers) To avoid common issues, refer to our [Nameserver replacement checklist](https://developers.cloudflare.com/dns/zone-setups/full-setup/troubleshooting/). ### 3.5\. Verify changes Wait up to 24 hours while your registrar updates your nameservers. When your domain is **Active**: * You will receive an email from Cloudflare. * Your domain will have a [status](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) of **Active** on the **Domains** page of your account. * Online tools such as [https://www.whatsmydns.net/ ↗](https://www.whatsmydns.net/) will show your Cloudflare-assigned nameservers (most of these tools use cached query results, so it may take longer for them to show the updated nameservers). * CLI commands will show your Cloudflare-assigned nameservers ``` *macOS/Linux* whois dig ns @1.1.1.1 dig ns @8.8.8.8 dig +trace *Windows* nslookup -type=ns 1.1.1.1 nslookup -type=ns 8.8.8.8 ``` Note If you see unexpected results, refer to our [troubleshooting suggestions](https://developers.cloudflare.com/dns/zone-setups/full-setup/troubleshooting/) and check with your domain registrar. ## 4\. Re-enable DNSSEC If you turned off DNSSEC before updating your nameservers, you can now [re-enable DNSSEC through Cloudflare](https://developers.cloudflare.com/dns/dnssec/) to protect your domain from spoofing. ## Footnotes 1. A security feature that protects DNS records from spoofing [↩](#user-content-fnref-1) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/dns/","name":"DNS"}},{"@type":"ListItem","position":3,"item":{"@id":"/dns/zone-setups/","name":"DNS setups"}},{"@type":"ListItem","position":4,"item":{"@id":"/dns/zone-setups/full-setup/","name":"Primary setup (Full)"}},{"@type":"ListItem","position":5,"item":{"@id":"/dns/zone-setups/full-setup/setup/","name":"Set up a primary zone (Full setup)"}}]} ```