cloudflare · RebeccaTamachiro · Mar 18, 2026 · Mar 18, 2026 · Mar 25, 2026 · Mar 25, 2026
@@ -41,4 +41,4 @@ For secondary zones:
 
 - [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/): Enable the options to use Cloudflare [proxy](/dns/proxy-status/) and add `CNAME` records at your zone apex.
 
-  Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.
+  Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.
@@ -0,0 +1,90 @@
+---
+pcx_content_type: troubleshooting
+title: Enforce DNS-only
+sidebar:
+  order: 3
+  label: Enforce DNS-only
+---
+
+import { APIRequest } from "~/components";
+
+The enforce DNS-only setting is an account-level break-glass mechanism that allows you to bypass Cloudflare's reverse proxy for all zones in your account in a single action. When enabled, Cloudflare responds to DNS queries with your origin IP addresses instead of Cloudflare anycast IP addresses, effectively setting all [proxied DNS records](/dns/proxy-status/) to DNS-only without modifying the records themselves.
+
+This setting is intended for emergency situations only, such as during an outage when you need to quickly route traffic directly to your origins.
+
+:::caution
+
+Enabling this setting immediately exposes your origin IP addresses and removes all Cloudflare protections — including DDoS mitigation, WAF, caching, and all other proxy-based features — for every zone in your account. Use with extreme caution and only after proper preparation.
+
+:::
+
+## Key characteristics
+
+- Account-level: Affects all zones in the account simultaneously.
+- Non-destructive: Does not modify your DNS records. Disabling the setting restores normal proxy behavior.
+- API-only: Available through the API only, not in the Cloudflare dashboard.
+
+## Before you begin
+
+Before relying on enforce DNS-only as part of your incident response plan, you should:
+
+- Verify origin server capacity: Without Cloudflare proxying, your origin servers handle all traffic directly, including traffic that Cloudflare would normally cache or filter. Ensure your infrastructure can sustain this load.
+- Review exposed IP addresses: When enforce DNS-only is active, all origin IPs configured in proxied records become publicly visible through DNS queries. If your origins rely on IP obscurity for security, plan accordingly.
+- Test in advance: Use the API in a staging or test account to confirm that you understand the behavior before you need it in an emergency.
+
+## Enable enforce DNS-only
+
+Use the [Update DNS Settings](/api/resources/dns/subresources/settings/subresources/account/methods/edit/) endpoint to enable enforce DNS-only for your account:
+
+<APIRequest
+	path="/accounts/{account_id}/dns_settings"
+	method="PATCH"
+	json={{
+		enforce_dns_only: true,
+	}}
+/>
+
+Once enabled, Cloudflare responds to DNS queries for all proxied records with your configured origin IP addresses instead of Cloudflare anycast IPs.
+
+## Disable enforce DNS-only
+
+To restore normal proxy behavior, set `enforce_dns_only` to `false`:
+
+<APIRequest
+	path="/accounts/{account_id}/dns_settings"
+	method="PATCH"
+	json={{
+		enforce_dns_only: false,
+	}}
+/>
+
+After you disable the setting, Cloudflare resumes responding to DNS queries with anycast IP addresses for proxied records and all proxy-based features are restored.
+
+:::note
+Due to DNS caching by recursive resolvers, the transition back to proxied behavior may not be instantaneous. The TTL of your proxied records (default 300 seconds) determines how long resolvers may continue to serve the origin IP addresses after you disable the setting.
+:::
+
+## Exceptions
+
+The enforce DNS-only setting does not affect the following record types:
+
+- [Spectrum](/spectrum/) applications: Already DNS-only CNAME records pointing to Spectrum endpoints.
+- [Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/) fallback origin records: The default origin where [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) are routed.
+- Cloudflare for SaaS records on customer zones: CNAME records on your zone that point to a SaaS provider. Setting these to DNS-only does not help if the SaaS provider's zone remains proxied.
+- [Workers](/workers/) custom domains: Proxied A records pointing to `100::`.
+- [R2](/r2/) custom domains: Proxied CNAME records pointing to `public.r2.dev`.
+- [Web3 gateways](/web3/): Ethereum and IPFS DNSLink gateways (CNAMEs to `ethereum.cloudflare.com` or `ipfs.cloudflare.com`).
+- [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) records: Records required for tunnel routing. Setting these to DNS-only may break tunnel connectivity.
+
+The setting does apply to proxied [Load Balancer](/load-balancing/) records.
+
+## Check current status
+
+Use the [Show DNS Settings](/api/resources/dns/subresources/settings/subresources/account/methods/get/) endpoint to verify the current value:
+
+<APIRequest path="/accounts/{account_id}/dns_settings" method="GET" />
+
+## Related resources
+
+- [Proxy status](/dns/proxy-status/) - Understand how proxied and DNS-only records behave.
+- [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/#edit-proxy-status-in-bulk) - Change proxy status for individual records in bulk within a single zone.
@@ -88,19 +88,19 @@ Consider that the same Cloudflare account has two different zones, `example.com`
 
 DNS management for **example.com**:
 
-| Type | Name   | Content     | Proxy status | TTL  |
-| ---- | ------ | ----------- | ------------ | ---- |
-| CNAME   | `example.com` | `origin.example.net` | DNS only     | Auto |
+| Type  | Name          | Content              | Proxy status | TTL  |
+| ----- | ------------- | -------------------- | ------------ | ---- |
+| CNAME | `example.com` | `origin.example.net` | DNS only     | Auto |
 
 </Example>
 
 <Example>
 
 DNS management for **example.net**:
 
-| Type | Name   | Content     | Proxy status | TTL  |
-| ---- | ------ | ----------- | ------------ | ---- |
-| CNAME   | `origin.example.net` | `<origin>` | Proxied     | Auto |
+| Type  | Name                 | Content    | Proxy status | TTL  |
+| ----- | -------------------- | ---------- | ------------ | ---- |
+| CNAME | `origin.example.net` | `<origin>` | Proxied      | Auto |
 
 </Example>
Original file line number	Diff line number	Diff line change
Expand Up		@@ -41,4 +41,4 @@ For secondary zones:

		- [Secondary DNS override](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/): Enable the options to use Cloudflare [proxy](/dns/proxy-status/) and add `CNAME` records at your zone apex.

		Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.
		Multi-provider DNS does not apply as a setting for secondary zones, as this is already a required behavior for this setup. `SOA` record and the `NS` record TTL are defined on your external DNS provider and only transferred into Cloudflare.