SOA TTL keeps resetting for cylax-sys.com – DNS stuck, CNAME never propagates

My domain cylax-sys.com is stuck in a state where the SOA TTL keeps resetting to 1800 seconds without any user, API, or service action. I have stopped all tunnel, DNS, and cloudflared services for over an hour, confirmed with ps aux that nothing is running, and watched the TTL remain high or reset. My DNS records are set to DNS Only, and my audit log shows no recent changes. This is blocking CNAME propagation for my domain.

Troubleshooting steps already performed:
- Stopped all local and server services (cloudflared, bots, etc.)
- Waited over 1 hour with NO changes
- Confirmed with process listing that nothing is running
- SOA TTL remains at 1800s or resets periodically

Thank you.
34 Replies
DVS (OP), 3mo ago
I can send an output of dig in the terminal to show you.
SuperHelpflare, 3mo ago
This Discord is not an official support forum. The Community Champions, community members and employees are here because they want to be, not because they need to be. Please do not ping Community Champions or employees for support reasons. You can open a ticket on the Support Portal if you want official support.
DVS (OP), 3mo ago
Still no help.
Chaika, 3mo ago
TTLs work by the auth. nameservers responding with a TTL; resolvers take that TTL and then cache it, and serve the TTL decrementing, until they re-request from the auth. nameservers. Which CNAME are you saying isn't propagating because of it?
DVS (OP), 3mo ago
The CNAME that isn't propagating is for the root domain, cylax-sys.com. In the Cloudflare dashboard, I have a CNAME for cylax-sys.com (DNS Only, not proxied) pointing to my Cloudflare Tunnel endpoint (xxxx.cfargotunnel.com). No matter how long I wait, this CNAME never appears on any public resolver (dig CNAME cylax-sys.com @1.1.1.1 always returns just the SOA, TTL stuck at 1800). I have no conflicting A/AAAA records, my nameservers are set to Cloudflare, and audit logs show no changes. I've confirmed all tunnel/cloudflared processes are stopped. My goal: have cylax-sys.com resolve to the tunnel via CNAME flattening, as Cloudflare docs describe. I can paste my full dig output if that helps. Here is the output I get from dig:

$ dig CNAME cylax-sys.com @1.1.1.1

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> CNAME cylax-sys.com @1.1.1.1
;; QUESTION SECTION:
;cylax-sys.com.                 IN      CNAME

;; AUTHORITY SECTION:
cylax-sys.com.          1800    IN      SOA     brian.ns.cloudflare.com. dns.cloudflare.com. 2375853644 10000 2400 604800 1800
Chaika, 3mo ago
Tunnels cannot/will not work unproxied. It has to go through Cloudflare's CDN to resolve. Also, CNAMEs aren't allowed on your root domain in general (although Cloudflare would flatten to A/AAAA records automagically, it won't work in this case regardless since tunnels need proxy).
DVS (OP), 3mo ago
Cloudflare’s docs now say you can CNAME the root to a tunnel’s cfargotunnel.com (using flattening), and this works for both proxied and DNS-only records.
DVS (OP), 3mo ago
Cloudflare Docs
DNS records
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were an origin target in the Cloudflare dashboard.
DVS (OP), 3mo ago
Unless I'm not understanding correctly, I just want DNS resolution for my root domain to the tunnel endpoint, so I set it to DNS-only. The reason being I'm using an IPS that I can't access.
Chaika, 3mo ago
Only proxied. Think about it this way: the tunnel/cloudflared service connects out to Cloudflare's edge. How would you not proxy it, meaning the traffic isn't going through CF, and have traffic get down the tunnel?
DVS (OP), 3mo ago
In the doc it says gray cloud works for proxy and DNS only, though.
Chaika, 3mo ago
Where? Gray cloud = DNS-only; it's just another name for it.
DVS (OP), 3mo ago
From the official Cloudflare document: "If you want to use your apex/root domain (like example.com) with Cloudflare Tunnel, you can create a CNAME record to your tunnel's UUID.cfargotunnel.com and Cloudflare will flatten the CNAME and return an A/AAAA record. This works for proxied and DNS-only records." DNS-only (gray cloud) should work for CNAME flattening with Tunnels. I know gray cloud and DNS only are the same.
Chaika, 3mo ago
In this document, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns/#routing-traffic-to-your-tunnel, it says that for you? I do not see any mention of the word "apex" or "root" even in that doc; either I'm missing something, or it's hidden under an expandable section/different doc.
> DNS-only (gray cloud) should work for CNAME flattening with Tunnels.
It's not going to work ever for a ton of various technical reasons unproxied, but I'd want to get the document updated so it doesn't say the wrong thing at least.
DVS (OP), 3mo ago
Source: https://developers.cloudflare.com/dns/additional-options/cname-flattening/
Direct quote: "CNAME flattening is available for all CNAME records at the apex of a zone, regardless of whether the record is proxied through Cloudflare (orange cloud) or not (DNS only)."
Cloudflare Docs
CNAME flattening
CNAME flattening speeds up CNAME resolution and allows you to use a CNAME record at your zone apex (example.com).
Chaika, 3mo ago
Ahh ok, you're pulling stuff from different docs. True, CNAME flattening does work on the apex, but it works by resolving the record in the DNS system down to an A/AAAA record.
DVS (OP), 3mo ago
Yes, I know.
Chaika, 3mo ago
If you dig your tunnel subdomain, ex. 9a31b917-bf88-40e1-b311-5db3d0c21235.cfargotunnel.com, you can see there are zero records behind it, nothing to flatten to, because tunnel subdomains are special records that only work with proxy.
DVS (OP), 3mo ago
Right, the tunnel subdomain itself doesn't have public A/AAAA records; Cloudflare keeps that private on purpose for security. The flattening feature means Cloudflare's authoritative DNS will respond to apex CNAME queries by returning the Cloudflare edge IPs, not the tunnel's raw address. Docs say this works for both proxied and DNS-only records. My phone is gonna die, but according to everything I've read, either the doc is wrong or it's a back end issue. There is no reason this should not work according to documents released from Cloudflare.
Chaika, 3mo ago
> The flattening feature means Cloudflare's authoritative DNS will respond to apex CNAME queries by returning the Cloudflare edge IPs, not the tunnel's raw address.
Not if it's not proxied. Proxy enabled means Cloudflare Edge IPs will be returned so traffic will go through proxy, and at that step it will resolve your CNAME/origin to send the request to. If you don't have proxy enabled, CNAME Flattening just resolves the CNAME to A/AAAA and returns the raw IPs it gets back, as A/AAAA records. It sounds kinda like you're just confusing the Proxied status with CNAME flattening itself, when they're separate features. tl;dr is you need to enable proxy for the tunnel to work, so the traffic goes through Cloudflare. Unproxied, it's trying to resolve the cfargotunnel.com subdomain for A/AAAA records, getting nothing back, and returning nothing.
DVS (OP), 3mo ago
I understand the distinction; CNAME flattening and proxied (orange cloud) status are different features, but they do interact here. My whole point is that, according to Cloudflare's own docs, CNAME flattening at the apex is supposed to work for both proxied (orange cloud) and DNS-only (gray cloud) records, even when the CNAME target is a tunnel endpoint that isn't publicly resolvable.
Chaika, 3mo ago
There's a diagram on https://developers.cloudflare.com/dns/cname-flattening/cname-flattening-diagram/ which may help. That last bit
> even when the CNAME target is a tunnel endpoint that isn't publicly resolvable
just isn't true and shouldn't be documented anywhere.
DVS (OP), 3mo ago
Okay, my phone is gonna die. I will most likely use another service; I appreciate your help though. I get it man. I think we both agree on how DNS and flattening work in general. My only point is that Cloudflare's official documentation, at least as written, implies this is a supported config, even with a tunnel endpoint. If that's not actually how their backend is built, then it's a documentation bug (and they need to update it), not a user misconfiguration.
Chaika, 3mo ago
If you have a setup like this:

CNAME rootdomain.com cname.target.com

then you have, somewhere else:

A cname.target.com 192.0.2.1

Then on edge you will see:

CNAME flattening + Proxied:
A rootdomain.com <cloudflare-ip>
A rootdomain.com <cloudflare-ip>

CNAME flattening + unproxied:
A rootdomain.com 192.0.2.1
DVS (OP), 3mo ago
^
Chaika, 3mo ago
Yea, there's def some confusing docs, and it's easy to request updates if the point of confusion can be identified to be updated.
DVS (OP), 3mo ago
That's a big issue. I've asked many people and got one other response that says the same as you, that it won't work, but I'd rather go off of documentation released by Cloudflare, you know what I mean? But if it's this hard to get a forward answer on whether the docs are wrong or something in the backend, I have no idea dude, I'm so lost and it's not worth my time anymore.
Chaika, 3mo ago
I'm just not sure which one you are confused on.
DVS (OP), 3mo ago
I'm confused on the conflicting statements: the doc says I can use flattening the way I intend, and you're saying I can't.
Chaika, 3mo ago
DVS (OP), 3mo ago
I appreciate all the discussion. To be honest, I'm just frustrated that the docs and actual results don't match. I've linked the CNAME flattening docs and Cloudflare Tunnel docs that, as written, seem to say flattening at the apex should work for DNS-only. If it doesn't, then the docs need an update, or the backend needs a fix. Either way, I think I'm just going to switch to a service where I don't have to fight the docs for basic functionality. Thanks for hashing this out with me. I apologize for any inconvenience; this is my first time doing this, but I've confirmed it's not on my end.
Chaika, 3mo ago
So, it says you can use it when it's unproxied/DNS only, which is true. It also links a diagram/more details on how it works. If it's unproxied, it basically just brings the A/AAAA records to you and serves them direct. There are no A/AAAA records to bring to you from the tunnel subdomain, so it fails. I guess I'm just looking for something that would say "Tunnels work unproxied" or that it would resolve internally magically. To me, those docs are crystal clear and I haven't heard of anyone else being confused on them, so I'm just curious where the specific source is. Ultimately though, if your end goal is just for it to serve Cloudflare IPs and have the tunnel just work, the answer is just to flip the proxy switch and nothing further.
DVS (OP), 3mo ago
The docs say "CNAME flattening at apex works for both proxied and DNS-only," but don't warn that "for Tunnel endpoints, only proxied works." I'm telling you those docs need to be updated.
Idle, 3mo ago
No, the docs are perfectly clear on this; you are trying to mash together two different things.