Docs
← Back to site

DNS Manager

6 min readUpdated April 10, 2026

The DNS Manager page is a full-featured DNS editor for any zone in your connected Cloudflare account. View, add, edit, delete, and toggle the orange cloud on every record without ever opening Cloudflare. It supports all 21 record types Cloudflare exposes via the API, with smart per-type form fields for the trickier ones (MX, SRV, CAA).

If you spend a lot of time in Cloudflare’s DNS tab, this page will save you a lot of context switching.

Opening the page#

In WP admin, go to WAF Manager → DNS Manager. The page is laid out as:

  • A zone selector at the top — pick which zone’s DNS you want to manage
  • A Refresh button to re-pull records from Cloudflare
  • An Add Record button (disabled until a zone is selected)
  • A search box for filtering records by name, content, or type
  • Filter dropdowns for record type and proxy state
  • A table of all records on the zone

Records load automatically when you pick a zone.

The records table#

Each row in the table shows:

  • Type — A, AAAA, CNAME, MX, TXT, etc.
  • Name — the hostname (e.g. @, www, mail)
  • Content — the record value (an IP, hostname, or text content)
  • Proxy state — for proxyable records, an orange cloud toggle. Click it to flip the record between ☁ Proxied (orange cloud, traffic flows through Cloudflare) and ⊘ DNS only (grey cloud, traffic goes straight to your origin).
  • TTL — the time-to-live. Proxied records always show “Auto” because Cloudflare manages the TTL when proxying.
  • Actions — Edit and Delete buttons

The proxy toggle is the single most useful column. You can switch a record from proxied to DNS-only with one click — no modal, no confirmation — which is perfect for quick troubleshooting (need to bypass Cloudflare to check what your origin is actually serving? Click. Done. Click again when you’re finished).

Searching and filtering#

Three controls help you narrow down a long record list:

  • Search box — matches against name, content, and type. Type “mail” to find your MX records, type an IP to find every record pointing at that IP.
  • Type filter — narrow to a single record type. Useful when you have lots of records and just want to see, say, all your TXT records.
  • Proxy filter — show only ☁ Proxied or only ⊘ DNS only records. Handy when auditing which subdomains are actually being protected by Cloudflare.

The filters combine, so you can search “api” + type “CNAME” + “DNS only” to find every unproxied CNAME containing “api.”

Adding a record#

Click Add Record to open the modal. The form adapts to the record type you select.

Common fields#

For every record type, you’ll see:

  • Type — pick from the 21 supported types (see the full list below)
  • Name — the hostname. Use @ for the root domain (e.g. example.com itself), or a subdomain like www, api, mail. Don’t include the domain itself — Cloudflare adds it automatically.
  • Content — the value. For an A record this is an IPv4 address; for a CNAME it’s a target hostname; for a TXT record it’s the text content.
  • TTL — how long DNS resolvers should cache the record. Options range from Auto (Cloudflare-managed, the default) up to 1 day. Shorter TTLs let changes propagate faster but generate more DNS queries; longer TTLs are more efficient but slower to update. For most records, Auto is fine.
  • Comment (optional) — a free-text note. Useful for marking records like “Production server” or “Verification for Google Workspace” so you remember why they exist.

Proxy toggle#

For proxyable record types, a checkbox appears: ☁ Proxy through Cloudflare (orange cloud). Tick it to send traffic for this record through Cloudflare’s network (gets you the WAF, caching, DDoS protection, and SSL); leave it unticked to make the record DNS-only (visitors hit your origin server directly).

Only six record types can be proxied: A, AAAA, CNAME, HTTPS, SRV, SVCB. For everything else (MX, TXT, NS, etc.) the toggle isn’t shown because Cloudflare can’t proxy those record types.

Type-specific fields#

A few record types need extra fields beyond the standard name/content. The form reveals them automatically when you pick the type:

MX records get a Priority field (lower numbers = higher priority). Default is 10.

SRV records get a structured form with separate fields for Service (e.g. _sip), Protocol (TCP / UDP / TLS), Priority, Weight, Port, and Target. The plugin assembles these into the correct SRV format on save — you don’t have to remember the syntax.

CAA records get fields for Flags, Tag (issue, issuewild, or iodef), and Value (the CA domain, e.g. letsencrypt.org). Use these to lock down which certificate authorities are allowed to issue certs for your domain.

For all other record types, the standard name + content fields are enough.

Editing and deleting#

Each row has Edit and (delete) buttons.

  • Edit opens the same modal pre-filled with the record’s current values. Change anything and save.
  • Delete opens a confirmation dialog before removing the record permanently — there’s no undo, so the confirmation is your last chance to back out.

Supported record types#

The plugin supports all 21 DNS record types Cloudflare exposes via the API:

Common — A, AAAA, CNAME, MX, TXT, NS

Email & verification — SPF, CAA

Service discovery — SRV, NAPTR, URI

Modern web — HTTPS, SVCB

Security — CERT, DNSKEY, DS, SMIMEA, SSHFP, TLSA

Other — LOC, PTR

The six proxyable types (where the orange cloud applies) are: A, AAAA, CNAME, HTTPS, SRV, SVCB.

If you need a record type that isn’t in this list, it’s probably one Cloudflare itself doesn’t support — they’re a strict superset of what the plugin exposes.

Common workflows#

Pointing a new subdomain at your server — Add an A record, name app, content 203.0.113.42, proxy on, TTL Auto. Save. app.yourdomain.com is now serving your origin through Cloudflare in seconds.

Setting up email with another provider — Add MX records pointing at your mail provider (e.g. aspmx.l.google.com for Google Workspace) with the priorities they specify. Add the TXT records they require for SPF and DKIM. Note that if you’re using Cloudflare’s Email Routing, you should not set up your own MX records.

Bypassing Cloudflare temporarily for debugging — Find the record in question and click the orange cloud icon to flip it to DNS only. Visitors (including you) now hit your origin directly. Click again to restore proxying.

Verifying a domain for a third-party service — Most services give you a TXT record to add. Click Add Record, type TXT, name @ (or whatever they specified), paste the verification string into Content, leave TTL on Auto, save. Verification usually completes within a minute.

Locking down certificate issuance — Add CAA records authorising only the certificate authorities you actually use (e.g. letsencrypt.org if you use Let’s Encrypt). Anyone else attempting to issue a cert for your domain will be refused.

A note on root domain proxying#

If you proxy the root @ A record (the orange cloud), you get Cloudflare’s full protection on visits to yourdomain.com. This is what most sites want. Just be aware that some services that connect to your domain root by IP — old-school SMTP delivery in particular — may behave differently when the IP they see is Cloudflare’s edge instead of your origin. It’s almost never a problem in practice, but worth knowing if you’re troubleshooting.

Share:

Was this helpful?

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only