Cloudflare DNS migration checklist
Use this checklist to prepare a Cloudflare DNS migration before changing nameservers. It covers zone inventory, record validation, MX, SPF, DKIM, DMARC, CAA, delegated subdomains, proxy status, SSL/TLS readiness, DNSSEC, TTL planning, rollback, and post-cutover checks.
Use this checklist to prepare a Cloudflare DNS migration before changing nameservers. It covers zone inventory, record validation, MX, SPF, DKIM, DMARC, CAA, delegated subdomains, proxy status, SSL/TLS readiness, DNSSEC, TTL planning, rollback, and post-cutover checks.
Step by step
Migration checklist
- 1
Assess the existing environment and define success criteria.
- 2
Create a Cloudflare target architecture and migration backlog.
- 3
Build and test controls in monitoring or non-production mode.
- 4
Run stakeholder validation and prepare rollback procedures.
- 5
Execute phased cutover with live monitoring.
- 6
Tune enforcement and transition to managed operations.
Risk register
Risks to control
False positives during WAF or bot enforcement.
Start in logging or simulate mode, review traffic, and promote controls gradually.
DNS or certificate disruption during cutover.
Lower TTLs, validate records, preload certificates, and keep rollback instructions ready.
Missing visibility after migration.
Configure Logpush, dashboards, alerts, and operational ownership before launch.
Behavior differences between legacy vendor and Cloudflare.
Use mapping workshops, test cases, and canary validation before full traffic shift.
Output
Useful deliverables
- Current-state assessment and risk register.
- Cloudflare target architecture.
- Migration or implementation plan.
- Cutover and rollback runbook.
- Configured Cloudflare services and validation notes.
- Post-launch tuning backlog and operating model.
Keep reading
Related resources
Nanosek
Plan a DNS migration
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.