[DNS] Add enforce DNS only (#29353)

RebeccaTamachiro · hannes-cf · marciocloudflare · web-flow · commit 94746a5eed08 · 2026-04-23T10:44:52.000Z
* Recreate PR and fix CF Tunnel link

* Separate #exceptions from #included and touch-up descriptions

* Overall text and linking review

* Remove statement about SaaS customer zone

* Edit #other-CF-products based on PM comments and testing

* Fix broken links

* Remove targets from Web3 descr and link to /tunnel/ for item entry

* Adjust Tunnel descr and more consistent capitalization

* Rewrite paragraphs about Workers features

* Re-write and move TTL note higher and improve parallelism throughout

* Differentiate A/AAAA from CNAME record contents

Co-authored-by: Hannes &lt;105781579+hannes-cf@users.noreply.github.com&gt;

* Fix empty bullet and update fallback origin as included

* Apply suggestions from code review

Co-authored-by: marciocloudflare &lt;83226960+marciocloudflare@users.noreply.github.com&gt;

---------

Co-authored-by: Hannes &lt;105781579+hannes-cf@users.noreply.github.com&gt;
Co-authored-by: marciocloudflare &lt;83226960+marciocloudflare@users.noreply.github.com&gt;
diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx
@@ -0,0 +1,99 @@
+---
+pcx_content_type: troubleshooting
+title: Enforce DNS-only
+sidebar:
+  order: 3
+  label: Enforce DNS-only
+---
+
+import { APIRequest } from "~/components";
+
+The enforce DNS-only setting is an account-level break-glass mechanism that allows you to bypass Cloudflare's reverse proxy for all zones in your account in a single action. When enabled, Cloudflare responds to DNS queries with the underlying record content — origin IP addresses for proxied `A` and `AAAA` records, and CNAME targets for proxied `CNAME` records — instead of Cloudflare's anycast IP addresses, effectively setting all [proxied DNS records](/dns/proxy-status/) to DNS-only without modifying the records themselves.
+
+This setting is intended for emergency situations only, such as during an outage when you need to quickly route traffic directly to your origins.
+
+:::caution
+Enabling this setting exposes your origin IP addresses and removes all Cloudflare protections — including DDoS mitigation, WAF, caching, and all other proxy-based features — for every zone in your account. Use with extreme caution and only after proper [preparation](#preparation).
+:::
+
+## Key characteristics
+
+- Account-level: Affects all zones in the account simultaneously.
+- Non-destructive: Does not modify your DNS records. Disabling the setting restores normal proxy behavior.
+- API-only: Available through the API only, not in the Cloudflare dashboard.
+
+:::note[Auto TTL for proxied records]
+Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-only and back may not be instantaneous. Since all proxied records have a TTL of **Auto**, this value (five minutes by default) determines how long resolvers may continue to serve Cloudflare's anycast IPs or your origin IP addresses.
+:::
+
+## Preparation
+
+Before relying on enforce DNS-only as part of your incident response plan, you should:
+
+- Verify origin server capacity: Without Cloudflare proxying, your origin servers handle all traffic directly, including traffic that Cloudflare would normally cache or filter. Ensure your infrastructure can sustain this load.
+- Review exposed record content: When enforce DNS-only is active, all origin IPs configured in proxied `A` and `AAAA` records, as well as the targets of proxied `CNAME` records, become publicly visible through DNS queries. If your origins rely on IP obscurity for security, plan accordingly.
+- Test in advance: Use the API in a staging or test account to confirm that you understand the behavior before you need it in an emergency.
+
+## Enable enforce DNS-only
+
+Use the [Update DNS Settings](/api/resources/dns/subresources/settings/subresources/account/methods/edit/) endpoint to enable enforce DNS-only for your account:
+
+<APIRequest
+	path="/accounts/{account_id}/dns_settings"
+	method="PATCH"
+	json={{
+		enforce_dns_only: true,
+	}}
+/>
+
+Once enabled, Cloudflare responds to DNS queries for all proxied records with the underlying record content — your configured origin IP addresses for `A` and `AAAA` records, and the configured CNAME target for `CNAME` records — instead of Cloudflare's anycast IPs.
+
+## Disable enforce DNS-only
+
+To restore normal proxy behavior, set `enforce_dns_only` to `false`:
+
+<APIRequest
+	path="/accounts/{account_id}/dns_settings"
+	method="PATCH"
+	json={{
+		enforce_dns_only: false,
+	}}
+/>
+
+After you disable the setting, Cloudflare resumes responding to DNS queries with anycast IP addresses for proxied records and all proxy-based features are restored.
+
+## Other Cloudflare products
+
+Refer to the sections below in case you use other Cloudflare products that rely on DNS records.
+
+### Included
+
+Enforce DNS-only affects the following records:
+
+- [Load Balancing](/load-balancing/): proxied LB records visible on the DNS records table but managed through the [Load Balancing configurations](/load-balancing/load-balancers/create-load-balancer/).
+- Proxied DNS records that match a [Worker route](/workers/configuration/routing/routes/).
+- [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) fallback origin: The proxied DNS record you designate as the [fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin) for custom hostnames.
+
+### Excluded
+
+Enforce DNS-only does not affect the following records:
+
+- [R2](/r2/) custom domains: Read-only proxied records added to the DNS records table when you set up [R2 custom domains](/r2/buckets/public-buckets/#connect-a-bucket-to-a-custom-domain).
+- [Spectrum](/spectrum/) applications: DNS records managed by the Spectrum application.
+- [Tunnel](/tunnel/): CNAME records pointing to a tunnel subdomain. Refer to [Tunnel routing](/tunnel/routing/#create-a-dns-record) or [Cloudflare One](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) for details.
+- [Web3 gateways](/web3/): Read-only proxied records managed by the [Web3 gateway configuration](/web3/reference/gateway-dns-records/).
+- [Workers](/workers/) custom domains: Read-only proxied records added to the DNS records table when you set up Workers [custom domains](/workers/configuration/routing/custom-domains/).
+   :::note[Custom domain or route match]
+	 Proxied records that match a Worker [route](/workers/configuration/routing/routes/) are regular DNS records and will be [affected](#included) by the enforce DNS-only setting.
+   :::
+
+## Check current status
+
+Use the [Show DNS Settings](/api/resources/dns/subresources/settings/subresources/account/methods/get/) endpoint to verify the current value:
+
+<APIRequest path="/accounts/{account_id}/dns_settings" method="GET" />
+
+## Related resources
+
+- [Proxy status](/dns/proxy-status/) - Understand how proxied and DNS-only records behave.
+- [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/#edit-proxy-status-in-bulk) - Change proxy status for multiple records in bulk within a single zone.
