SOA TTL keeps resetting for cylax-sys.com – DNS stuck, CNAME never propagates

My domain cylax-sys.com is stuck in a state where the SOA TTL keeps resetting to 1800 seconds without any user, API, or service action. I have stopped all tunnel, DNS, and cloudflared services for over an hour, confirmed with ps aux that nothing is running, and watched the TTL remain high or reset. My DNS records are set to DNS Only, and my audit log shows no recent changes.

This is blocking CNAME propagation for my domain

Troubleshooting steps already performed:

Stopped all local and server services (cloudflared, bots, etc.)

Waited over 1 hour with NO changes

Confirmed with process listing that nothing is running

SOA TTL remains at 1800s or resets periodically

Thank you.

DVSOP•6/20/25, 12:33 AM

i can send an output of dig in the terminal to show you.

SuperHelpflare•6/20/25, 1:06 AM

This Discord is not an official support form. The Community Champions, community members and employees are here because they want to be not because they need to be.
Please do not ping Community Champions or employees for support reasons.

You can open a ticket on the Support Portal if you want official support.

DVSOP•6/20/25, 1:09 AM

still no help.

DDVS My domain cylax-sys.com is stuck in a state where the SOA TTL keeps resetting to...

Chaika•6/20/25, 3:14 AM

TTLs work by the auth. nameservers responding with a ttl, resolvers take that tl and then cache it, and serve the ttl decrementing, until they re-request from the auth. nameservers

Chaika•6/20/25, 3:14 AM

Which cname are you saying isn't propagating because of it?

CChaika TTLs work by the auth. nameservers responding with a ttl, resolvers take that tl...

DVSOP•6/20/25, 4:27 AM

The CNAME that isn’t propagating is for the root domain, cylax-sys.com.
In the Cloudflare dashboard, I have a CNAME for cylax-sys.com (DNS Only, not proxied) pointing to my Cloudflare Tunnel endpoint (xxxx.cfargotunnel.com).
No matter how long I wait, this CNAME never appears on any public resolver (dig CNAME cylax-sys.com @1.1.1.1 always returns just the SOA, TTL stuck at 1800).

I have no conflicting A/AAAA records, my nameservers are set to Cloudflare, and audit logs show no changes. I’ve confirmed all tunnel/cloudflared processes are stopped.

My goal: Have cylax-sys.com resolve to the tunnel via CNAME flattening, as Cloudflare docs describe.

I can paste my full dig output if that helps.

DVSOP•6/20/25, 4:27 AM

here is the output i get from dig:

$ dig CNAME cylax-sys.com @1.1.1.1

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> CNAME cylax-sys.com @1.1.1.1
;; QUESTION SECTION:
;cylax-sys.com. IN CNAME

;; AUTHORITY SECTION:
cylax-sys.com. 1800 IN SOA brian.ns.cloudflare.com. dns.cloudflare.com. 2375853644 10000 2400 604800 1800

DDVS The CNAME that isn’t propagating is for the root domain, cylax-sys.com. In the C...

Chaika•6/20/25, 4:47 AM

Tunnels cannot/will not work unproxied

Chaika•6/20/25, 4:47 AM

Has to go through Cloudflare's cdn to resolve

Chaika•6/20/25, 4:47 AM

Also CNAMEs aren't allowed on your root domain in general (although Cloudflare would flatten to A/AAAA records automagically, won't work in this case regardless since tunnels need proxy)

DVSOP•6/20/25, 4:49 AM

Cloudflare’s docs now say you can CNAME the root to a tunnel’s cfargotunnel.com (using flattening), and this works for both proxied and DNS-only records.

DVSOP•6/20/25, 4:50 AM

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns/#routing-traffic-to-your-tunnel

Cloudflare Docs

DNS records

When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat <UUID>.cfargotunnel.com as if it were an origin target in the Cloudflare dashboard.

DVSOP•6/20/25, 4:50 AM

unless im not understanding correctly

DVSOP•6/20/25, 4:52 AM

I just want DNS resolution for my root domain to the tunnel endpoint, so I set it to DNS-only. Reason being im using an IPS that i cant access.

DDVS Cloudflare’s docs now say you can CNAME the root to a tunnel’s cfargotunnel.com ...

Chaika•6/20/25, 4:55 AM

Only proxied

Chaika•6/20/25, 4:56 AM

Think about it this way:
The tunnel/cloudflared service connects out to Cloudflare's edge. How would you not proxy it, meaning the traffic isn't going through CF, and have traffic get down the tunnel?

CChaika Think about it this way: The tunnel/cloudflared service connects out to Cloudfla...

DVSOP•6/20/25, 4:58 AM

in the doc it says gray cloud works for proxy and DNS only tho

DDVS in the doc it says gray cloud works for proxy and DNS only tho

Chaika•6/20/25, 4:58 AM

Where?

Chaika•6/20/25, 4:58 AM

Gray cloud = DNS-only, it's just another name for it

DVSOP•6/20/25, 5:00 AM

From the official Cloudflare document:

“If you want to use your apex/root domain (like example.com) with Cloudflare Tunnel, you can create a CNAME record to your tunnel’s UUID.cfargotunnel.com and Cloudflare will flatten the CNAME and return an A/AAAA record. This works for proxied and DNS-only records.”

DNS-only(gray cloud) should work for CNAME flattening with Tunnels.

DVSOP•6/20/25, 5:01 AM

i know gray cloud and DNS only are the same.

DDVS From the official Cloudflare document: “If you want to use your apex/root domai...

Chaika•6/20/25, 5:03 AM

In this document, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns/#routing-traffic-to-your-tunnel, it says that for you?
I do not see any mention of the word "apex" or "root" even in that doc, either I'm missing something, or its hidden under a expandable section/different doc

Chaika•6/20/25, 5:04 AM

DNS-only(gray cloud) should work for CNAME flattening with Tunnels.

It's not going to work ever for a ton of various technical reasons unproxied but I'd want to get the document updated so it doesn't say the wrong thing at least

DVSOP•6/20/25, 5:04 AM

Source: https://developers.cloudflare.com/dns/additional-options/cname-flattening/

Direct quote:
“CNAME flattening is available for all CNAME records at the apex of a zone, regardless of whether the record is proxied through Cloudflare (orange cloud) or not (DNS only).”

Cloudflare Docs

CNAME flattening

CNAME flattening speeds up CNAME resolution and allows you to use a CNAME record at your zone apex (example.com).

Chaika•6/20/25, 5:05 AM

ahh ok you're pulling stuff from different docs

Chaika•6/20/25, 5:05 AM

True, CNAME flattening does work on the apex, but it works by resolving the record in the dns system down to an A/AAAA record

DVSOP•6/20/25, 5:05 AM

yes i know

Chaika•6/20/25, 5:06 AM

If you dig your tunnel subdomain, ex 9a31b917-bf88-40e1-b311-5db3d0c21235.cfargotunnel.com9a31b917-bf88-40e1-b311-5db3d0c21235.cfargotunnel.com, you can see there's zero records behind it, nothing to flatten to

Chaika•6/20/25, 5:06 AM

because tunnel subdomains are special records that only work with proxy

DVSOP•6/20/25, 5:08 AM

right, the tunnel subdomain itself doesn’t have public A/AAAA records—Cloudflare keeps that private on purpose for security.

The flattening feature means Cloudflare’s authoritative DNS will respond to apex CNAME queries by returning the Cloudflare edge IPs, not the tunnel’s raw address.
Docs say this works for both proxied and DNS-only records

DVSOP•6/20/25, 5:08 AM

my phone is gonna die but according to everything ive read either the doc is wrong or its a back end issue

DVSOP•6/20/25, 5:09 AM

there is no reason this should not work according to documents released from Cloudflare

Chaika•6/20/25, 5:09 AM

The flattening feature means Cloudflare’s authoritative DNS will respond to apex CNAME queries by returning the Cloudflare edge IPs, not the tunnel’s raw address.

Not if it's not proxied
Proxy enabled means Cloudflare Edge IPs will be returned so traffic will go through proxy, and at that step it will resolve your cname/origin to send the request to.
If you don't have proxy enabled, CNAME Flattening just resolves the CNAME to A/AAAA and returns the raw IPs it gets back, as A/AAAA records

Chaika•6/20/25, 5:10 AM

It sounds kinda like you're just confusing the Proxied status with cname flattening itself, when they're separate features

Chaika•6/20/25, 5:11 AM

tldr is you need to enable proxy for the tunnel to work, so the traffic goes through Cloudflare.

Unproxied, it's trying to resolve the cfargotunnel.com subdomain for A/AAAA records, getting nothing back, and returning nothing

DVSOP•6/20/25, 5:11 AM

I understand the distinction—CNAME flattening and proxied (orange cloud) status are different features, but they do interact here.

DVSOP•6/20/25, 5:11 AM

My whole point is that, according to Cloudflare’s own docs, CNAME flattening at the apex is supposed to work for both proxied (orange cloud) and DNS-only (gray cloud) records—even when the CNAME target is a tunnel endpoint that isn’t publicly resolvable.

Chaika•6/20/25, 5:12 AM

There's a diagram on https://developers.cloudflare.com/dns/cname-flattening/cname-flattening-diagram/ which may help

DDVS My whole point is that, according to Cloudflare’s own docs, CNAME flattening at ...

Chaika•6/20/25, 5:12 AM

That last bit

—even when the CNAME target is a tunnel endpoint that isn’t publicly resolvable

just isn't true and shouldn't be documented anywhere

DVSOP•6/20/25, 5:13 AM

okay my phone is gonna die

DVSOP•6/20/25, 5:13 AM

i will most likely use another service i appreciate your help tho

DVSOP•6/20/25, 5:14 AM

I get it man. I think we both agree on how DNS and flattening work in general.

My only point is that Cloudflare’s official documentation—at least as written—implies this is a supported config, even with a tunnel endpoint. If that’s not actually how their backend is built, then it’s a documentation bug (and they need to update it), not a user misconfiguration.

Chaika•6/20/25, 5:14 AM

If you have a setup like this:
CNAME rootdomain.com cname.target.com

then you have, somewhere else
A cname.target.com 192.0.2.1

Then on edge you will see:
CNAME flattening + Proxied:
A rootdomain.com <cloudflare-ip>
A rootdomain.com <cloudflare-ip

CNAME flattening + unproxied
A rootdomain.com 192.0.2.1

DDVS I get it man. I think we both agree on how DNS and flattening work in general. ...

DVSOP•6/20/25, 5:14 AM

DDVS I get it man. I think we both agree on how DNS and flattening work in general. ...

Chaika•6/20/25, 5:15 AM

yea there's def some confusing docs and it's easy to request updates, if the point of confusion can be identified to be updated

DVSOP•6/20/25, 5:15 AM

thats a big issue

DVSOP•6/20/25, 5:16 AM

ive asked many people and got one other response that says the same as you that it wont work

DVSOP•6/20/25, 5:17 AM

but i rather go off of documentation released by Cloudflare you know what i mean? but if its this hard to get a forward answer on if the docs are wrong or something in the backend i have no idea dude im so lost and its not worth my time anymore.

Chaika•6/20/25, 5:18 AM

I'm just not sure which one you are confused on

DVSOP•6/20/25, 5:19 AM

im confused on the conflicting statements that the doc says i can use flattening the way i intend and youre saying i cant

SOA TTL keeps resetting for cylax-sys.com – DNS stuck, CNAME never propagates

Similar Threads

Similar Threads

Similar Threads