From legacy edge to Cloudflare, safely.
Tap a node on either side to focus the flow.
Migration flow
From Akamai, through Discovery → Mapping → Cutover → Operate, into the Cloudflare destinations on the right. Tap any node to focus the flow.
On this page
Nanosek provides Cloudflare DNS migration services for organizations moving authoritative DNS zones, DNS records, nameservers, certificates, email records, SaaS verification records, DNSSEC, CDN proxy status, and DNS operations to Cloudflare. The service includes discovery, record inventory, risk review, TTL planning, Cloudflare zone setup, proxy decision mapping, email and third-party validation, nameserver cutover, rollback design, and managed DNS operations after migration.
Who this is for
Why DNS migration needs careful planning
Website and application availability
A missed record or wrong hostname mode can break public websites, APIs, mobile applications, admin portals, or origin routing.
Email delivery continuity
MX, SPF, DKIM, DMARC, provider TXT records, and routing dependencies must be preserved exactly to avoid mail disruption.
SaaS and third-party service validation
Many platforms depend on TXT or CNAME verification records that can fail if records are omitted or proxied incorrectly.
Certificate validation readiness
CAA records, validation CNAMEs, Universal SSL, Advanced Certificate Manager, and custom certificates need review before hostnames are proxied.
Correct proxy status decisions
Not every hostname belongs behind Cloudflare proxy. Nanosek classifies public web, API, SaaS, email, origin, and delegated records separately.
DNSSEC and registrar coordination
DNSSEC changes require careful DS record handling between Cloudflare and the registrar to avoid validation failures.
Rollback planning
Nameserver rollback needs previous values, TTL expectations, validation criteria, decision owners, and a clear change window.
Post-migration governance
DNS needs ownership, audit trails, change review, documentation, and managed operations after the initial cutover.
Common DNS migration risks
DNS migrations fail when inventory, ownership, and cutover sequencing are weak. Production zones often contain years of accumulated dependencies: web hostnames, email records, SaaS verification records, delegated subdomains, TXT records, CNAMEs, API endpoints, certificate validation records, CDN records, and security records.
Our Cloudflare DNS migration methodology
DNS discovery and inventory
- Export current DNS zones and collect authoritative nameservers, registrar details, TTLs, record types, delegated subdomains, email records, SaaS verification records, certificate records, and application-critical hostnames.
- Identify ownership for each critical service.
Risk review and migration plan
- Classify records by business function: websites, APIs, email, SaaS, identity, certificates, internal systems, monitoring, and delegated subdomains.
- Identify high-risk records and records that should remain DNS-only instead of proxied.
Cloudflare zone preparation
- Create or prepare Cloudflare zones and import DNS records.
- Review proxy status for each hostname and configure SSL/TLS mode, certificate settings, DNSSEC plan, and account-level ownership.
Validation before nameserver cutover
- Compare current DNS against Cloudflare DNS.
- Validate web hostnames, email records, TXT records, CAA records, delegated NS records, certificate records, third-party SaaS records, TTL strategy, and rollback steps.
Nameserver cutover
- Coordinate registrar changes and monitor propagation.
- Validate critical records from multiple resolvers and watch website, email, API, and SaaS service health.
Post-cutover verification
- Confirm DNS resolution, SSL/TLS certificates, email delivery, CDN proxy behavior, SaaS validations, delegated subdomains, and DNSSEC status.
- Remove obsolete records only after validation.
Managed DNS operations
- Establish change workflow, ownership model, monitoring, audit process, documentation, and managed Cloudflare support.
What we migrate to Cloudflare DNS
Cloudflare DNS controls we use
Cloudflare authoritative DNS
Used to host production zones, serve records globally, and centralize DNS changes in Cloudflare.
Full zone onboarding
Used when Cloudflare becomes authoritative for the entire domain through nameserver delegation.
Partial CNAME setup
Used when selected hostnames should use Cloudflare while DNS authority remains elsewhere.
Proxied DNS records
Used for web and API hostnames that should receive Cloudflare CDN, WAF, DDoS, TLS, cache, and logging controls.
DNS-only records
Used for MX, TXT, many SaaS records, delegated NS records, and hostnames that should not pass through the Cloudflare proxy.
DNSSEC
Used to protect DNS integrity when DS records and registrar coordination can be handled safely.
Universal SSL
Used to provide baseline certificate coverage for proxied hostnames.
Advanced Certificate Manager
Used for custom coverage, wildcard needs, validation control, and enterprise certificate requirements.
CAA records
Used to control which certificate authorities can issue certificates for the domain.
Load Balancing
Used when DNS migration is tied to origin pools, failover, or traffic steering.
Health Checks
Used to validate origin availability for load balancing or operational monitoring.
Origin Rules
Used after proxying when backend Host header, SNI, port, or origin routing behavior needs explicit control.
Redirect Rules
Used when DNS migration also exposes redirect cleanup or hostname consolidation work.
Email security records
Used to preserve and validate MX, SPF, DKIM, DMARC, and provider-specific policy records.
Cloudflare API
Used for repeatable imports, validation, reporting, and controlled operational workflows.
Terraform automation
Used when DNS records and zone configuration should be reviewable and managed as code.
Audit logs
Used to track DNS and zone changes after migration.
Zone settings and account governance
Used to define ownership, access, standards, and change control across Cloudflare accounts and zones.
| Control | When Nanosek uses it |
|---|---|
| Cloudflare authoritative DNS | Used to host production zones, serve records globally, and centralize DNS changes in Cloudflare. |
| Full zone onboarding | Used when Cloudflare becomes authoritative for the entire domain through nameserver delegation. |
| Partial CNAME setup | Used when selected hostnames should use Cloudflare while DNS authority remains elsewhere. |
| Proxied DNS records | Used for web and API hostnames that should receive Cloudflare CDN, WAF, DDoS, TLS, cache, and logging controls. |
| DNS-only records | Used for MX, TXT, many SaaS records, delegated NS records, and hostnames that should not pass through the Cloudflare proxy. |
| DNSSEC | Used to protect DNS integrity when DS records and registrar coordination can be handled safely. |
| Universal SSL | Used to provide baseline certificate coverage for proxied hostnames. |
| Advanced Certificate Manager | Used for custom coverage, wildcard needs, validation control, and enterprise certificate requirements. |
| CAA records | Used to control which certificate authorities can issue certificates for the domain. |
| Load Balancing | Used when DNS migration is tied to origin pools, failover, or traffic steering. |
| Health Checks | Used to validate origin availability for load balancing or operational monitoring. |
| Origin Rules | Used after proxying when backend Host header, SNI, port, or origin routing behavior needs explicit control. |
| Redirect Rules | Used when DNS migration also exposes redirect cleanup or hostname consolidation work. |
| Email security records | Used to preserve and validate MX, SPF, DKIM, DMARC, and provider-specific policy records. |
| Cloudflare API | Used for repeatable imports, validation, reporting, and controlled operational workflows. |
| Terraform automation | Used when DNS records and zone configuration should be reviewable and managed as code. |
| Audit logs | Used to track DNS and zone changes after migration. |
| Zone settings and account governance | Used to define ownership, access, standards, and change control across Cloudflare accounts and zones. |
Proxy or DNS-only decision framework
Public websites
Usually proxied
Enables CDN, WAF, DDoS, TLS, cache, and performance controls.
APIs
Usually proxied, with API-specific controls
Enables WAF, rate limiting, API Shield, mTLS, logging, and DDoS protection.
Email MX records
DNS-only
Mail traffic is not proxied through Cloudflare CDN.
SaaS verification records
DNS-only
TXT and CNAME verification must remain reachable as expected.
Third-party SaaS application CNAMEs
Usually DNS-only unless Cloudflare proxying is supported
Avoid breaking SaaS hostname validation or TLS behavior.
Origin-only hostnames
Usually DNS-only or restricted
Avoid exposing sensitive origins unintentionally.
Internal/private records
Review carefully
Internal names should not be moved blindly into public DNS.
Delegated subdomains
DNS-only NS delegation
Preserve authoritative control for child zones.
Admin portals
Often proxied with Access/WAF controls
Enables identity-aware access and application security controls.
| Hostname type | Recommended mode | Reason |
|---|---|---|
| Public websites | Usually proxied | Enables CDN, WAF, DDoS, TLS, cache, and performance controls. |
| APIs | Usually proxied, with API-specific controls | Enables WAF, rate limiting, API Shield, mTLS, logging, and DDoS protection. |
| Email MX records | DNS-only | Mail traffic is not proxied through Cloudflare CDN. |
| SaaS verification records | DNS-only | TXT and CNAME verification must remain reachable as expected. |
| Third-party SaaS application CNAMEs | Usually DNS-only unless Cloudflare proxying is supported | Avoid breaking SaaS hostname validation or TLS behavior. |
| Origin-only hostnames | Usually DNS-only or restricted | Avoid exposing sensitive origins unintentionally. |
| Internal/private records | Review carefully | Internal names should not be moved blindly into public DNS. |
| Delegated subdomains | DNS-only NS delegation | Preserve authoritative control for child zones. |
| Admin portals | Often proxied with Access/WAF controls | Enables identity-aware access and application security controls. |
DNS record migration mapping
DNS record migration mapping
A / AAAA records
Proxied or DNS-only records
Decide per hostname based on whether Cloudflare should inspect and accelerate traffic.
CNAME records
Proxied or DNS-only records
Validate SaaS, CDN, and application CNAMEs carefully before proxying.
MX records
DNS-only
Never proxy MX records; validate email delivery after migration.
TXT records
DNS-only
Preserve SPF, DKIM, DMARC, SaaS verification, and certificate validation records.
CAA records
DNS-only
Confirm certificate authorities are allowed before Cloudflare or custom certificates are issued.
NS records
Delegated subdomains
Preserve subdomain delegation exactly where required.
SRV records
DNS-only
Validate service discovery dependencies.
Wildcard records
Proxied or DNS-only
Review carefully to avoid unexpected routing or certificate behavior.
Apex records
Cloudflare DNS and optional proxy
Confirm flattening behavior and application impact.
DNSSEC
Cloudflare DNSSEC plus registrar DS record
Coordinate DS record changes carefully.
Email security
SPF, DKIM, DMARC
Validate syntax and alignment before and after cutover.
Certificates
Universal SSL, ACM, custom certs, validation records
Confirm certificate coverage before proxying production hostnames.
| DNS area | Cloudflare handling | Migration notes |
|---|---|---|
| A / AAAA records | Proxied or DNS-only records | Decide per hostname based on whether Cloudflare should inspect and accelerate traffic. |
| CNAME records | Proxied or DNS-only records | Validate SaaS, CDN, and application CNAMEs carefully before proxying. |
| MX records | DNS-only | Never proxy MX records; validate email delivery after migration. |
| TXT records | DNS-only | Preserve SPF, DKIM, DMARC, SaaS verification, and certificate validation records. |
| CAA records | DNS-only | Confirm certificate authorities are allowed before Cloudflare or custom certificates are issued. |
| NS records | Delegated subdomains | Preserve subdomain delegation exactly where required. |
| SRV records | DNS-only | Validate service discovery dependencies. |
| Wildcard records | Proxied or DNS-only | Review carefully to avoid unexpected routing or certificate behavior. |
| Apex records | Cloudflare DNS and optional proxy | Confirm flattening behavior and application impact. |
| DNSSEC | Cloudflare DNSSEC plus registrar DS record | Coordinate DS record changes carefully. |
| Email security | SPF, DKIM, DMARC | Validate syntax and alignment before and after cutover. |
| Certificates | Universal SSL, ACM, custom certs, validation records | Confirm certificate coverage before proxying production hostnames. |
Cutover checkpoints
- Confirm registrar access, previous nameservers, current authoritative nameservers, and rollback nameserver values before the window.
- Lower TTLs where appropriate and compare Cloudflare DNS against the current zone before nameserver changes.
- Coordinate nameserver changes, monitor propagation, and validate critical records from multiple resolvers.
- Keep rollback owners, decision criteria, and post-cutover validation owners visible during the cutover.
Validation signals
- Web, API, email, SaaS, certificate, and delegated-subdomain records resolve as expected.
- MX, SPF, DKIM, DMARC, CAA, TXT, NS, wildcard, apex, and proxied hostnames match the approved record matrix.
- SSL/TLS certificates are active for proxied production hostnames.
- DNSSEC status is valid and no critical service health checks regress after cutover.
Deployment steps
- 01 Export current DNS zones and identify authoritative nameservers, registrar access, TTLs, record types, delegated subdomains, email records, SaaS records, certificate records, and application-critical hostnames.
- 02 Classify records by business function and decide which hostnames should be proxied or DNS-only.
- 03 Prepare Cloudflare zones, import records, review SSL/TLS, plan DNSSEC, and define account ownership.
- 04 Compare current DNS against Cloudflare DNS and validate email, SaaS, CAA, TXT, NS, certificate, wildcard, and apex records.
- 05 Coordinate nameserver cutover at the registrar and monitor DNS propagation.
- 06 Validate applications, APIs, email delivery, certificates, SaaS services, delegated subdomains, and DNSSEC after cutover.
- 07 Establish managed DNS operations, documentation, audit process, and change workflow.
Risks and mitigations
Missing DNS records.
Export, compare, and validate records before nameserver cutover.
Wrong proxy status.
Review each hostname and classify as proxied or DNS-only.
Email disruption.
Preserve MX, SPF, DKIM, DMARC, and provider-specific records.
SaaS verification failure.
Preserve TXT/CNAME verification records and avoid proxying unsupported SaaS CNAMEs.
Certificate issuance blocked.
Review CAA records and prepare Cloudflare certificates before cutover.
DNSSEC outage.
Coordinate DNSSEC changes between Cloudflare and registrar carefully.
Delegated subdomains broken.
Preserve NS records and validate child-zone resolution.
Propagation confusion.
Lower TTLs, track resolver behavior, and validate from multiple networks.
Rollback not possible.
Document previous nameservers and rollback decision criteria.
Accidental origin exposure.
Review proxied hostnames, origin hostnames, and direct DNS records.
| Risk | Mitigation |
|---|---|
| Missing DNS records. | Export, compare, and validate records before nameserver cutover. |
| Wrong proxy status. | Review each hostname and classify as proxied or DNS-only. |
| Email disruption. | Preserve MX, SPF, DKIM, DMARC, and provider-specific records. |
| SaaS verification failure. | Preserve TXT/CNAME verification records and avoid proxying unsupported SaaS CNAMEs. |
| Certificate issuance blocked. | Review CAA records and prepare Cloudflare certificates before cutover. |
| DNSSEC outage. | Coordinate DNSSEC changes between Cloudflare and registrar carefully. |
| Delegated subdomains broken. | Preserve NS records and validate child-zone resolution. |
| Propagation confusion. | Lower TTLs, track resolver behavior, and validate from multiple networks. |
| Rollback not possible. | Document previous nameservers and rollback decision criteria. |
| Accidental origin exposure. | Review proxied hostnames, origin hostnames, and direct DNS records. |
DNS migration validation checklist
- Current authoritative nameservers identified
- Registrar access confirmed
- Current DNS zone exported
- All record types inventoried
- Critical hostnames classified
- Email records reviewed
- SPF, DKIM, and DMARC validated
- SaaS verification records preserved
- Certificate validation records preserved
- CAA records reviewed
- Delegated subdomains preserved
- Wildcard records reviewed
- Proxy status decided per hostname
- SSL/TLS mode reviewed
- Universal SSL or custom certificates ready
- DNSSEC plan confirmed
- TTLs lowered before cutover where appropriate
- Cloudflare DNS compared against current DNS
- Rollback nameservers documented
- Post-cutover validation owners assigned
Deliverables
- DNS current-state inventory
- DNS risk register
- Record classification workbook
- Proxy vs DNS-only decision matrix
- Cloudflare zone preparation
- DNSSEC migration plan
- Email record validation
- Certificate readiness review
- Nameserver cutover runbook
- Rollback runbook
- Post-cutover validation report
- Managed DNS operations handover
When Nanosek should help
Frequently asked questions
What is a Cloudflare DNS migration?
Is DNS migration just changing nameservers?
Will email continue working after moving DNS to Cloudflare?
Which DNS records should be proxied through Cloudflare?
Can Cloudflare DNS migration break certificates?
How do you handle DNSSEC?
Can we roll back a DNS migration?
What is the difference between full zone and partial CNAME setup?
Can Nanosek manage Cloudflare DNS after migration?
Move DNS to Cloudflare safely
Nanosek helps you migrate DNS with the right inventory, validation, cutover plan, rollback path, and operational model so applications, email, certificates, and SaaS services keep working.