Cloudflare can make a migration easier or more confusing. It hides the origin IP, caches content, terminates SSL, and sometimes keeps a broken origin looking half-alive. Treat it as a layer to manage, not a magic switch.

Before migration day

Document current records:

dig NS example.com
dig A example.com
dig CNAME www.example.com
dig MX example.com
dig TXT example.com

In Cloudflare, export the DNS zone if your plan allows it, or take screenshots of the records that matter.

Decide proxy mode per record

Use the orange cloud for normal web traffic:

  • example.com
  • www.example.com

Use DNS-only for records that should not go through Cloudflare:

  • mail.example.com
  • ftp.example.com
  • Control panel hostnames
  • Verification CNAMEs that require direct resolution

Do not proxy mail hostnames. Cloudflare does not proxy SMTP.

Set SSL mode correctly

Use Full (strict) when the origin has a valid certificate. This is the right production setting.

Avoid Flexible. It makes the browser-to-Cloudflare leg HTTPS while Cloudflare-to-origin stays HTTP, which causes redirect loops and hides origin certificate problems.

Preload the new origin

Before changing records, test the new server directly:

curl -I --resolve example.com:443:203.0.113.42 https://example.com/
curl -I --resolve www.example.com:443:203.0.113.42 https://www.example.com/

This bypasses DNS and proves the new origin can answer for the hostname.

Cutover steps

  1. Pause page cache rules or put the site in development mode.
  2. Update the proxied A/AAAA records to the new origin.
  3. Purge Cloudflare cache.
  4. Test from Cloudflare’s edge with normal curl.
  5. Watch origin logs for real traffic.

Cloudflare proxied records show Cloudflare IPs in public DNS, so dig will not show your new origin IP. Use the dashboard or API to verify the origin target.
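The direct-origin check above and the edge test in step 4 produce header blocks that all get read the same way, so here is a small triage script for them. It is an added example, not part of the original guide; ORIGIN_IP and the hostnames are assumptions taken from the migration plan, and the tags it prints are its own convention.

```shell
#!/usr/bin/env bash
# Added example: triage HEAD responses during a Cloudflare cutover.
# ORIGIN_IP and the hostnames are assumptions; take them from your plan.
set -euo pipefail

ORIGIN_IP="203.0.113.42"   # new origin (assumed value)

# Headers straight from the new origin, bypassing DNS (same --resolve trick as above).
origin_headers() { curl -sI --resolve "$1:443:$ORIGIN_IP" "https://$1/"; }

# Headers through Cloudflare's edge using normal DNS resolution.
edge_headers() { curl -sI "https://$1/"; }

# Read one header block on stdin, given the URL that was requested, and print
# a one-line diagnosis tagged ERROR / TLS / LOOP / REDIRECT / CACHE / OK.
triage() {
  local url=$1 hdrs status server cache loc
  hdrs=$(tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  server=$(printf '%s\n' "$hdrs" | awk -F': ' 'tolower($1)=="server" {print tolower($2)}')
  cache=$(printf '%s\n' "$hdrs"  | awk -F': ' 'tolower($1)=="cf-cache-status" {print $2}')
  loc=$(printf '%s\n' "$hdrs"    | awk -F': ' 'tolower($1)=="location" {print $2}')
  [ -n "$status" ] || { echo "ERROR: no HTTP status line in response"; return 0; }
  case "$status" in
    525) echo "TLS: handshake with origin failed (is 443 open and speaking TLS?)"; return 0 ;;
    526) echo "TLS: origin certificate rejected under Full (strict)"; return 0 ;;
    301|302|307|308)
      if [ "$loc" = "$url" ]; then
        echo "LOOP: $url redirects to itself (Flexible SSL or home/siteurl mismatch?)"
      else
        echo "REDIRECT: $url -> $loc"
      fi
      return 0 ;;
  esac
  if [ "$cache" = "HIT" ]; then
    echo "CACHE: $status served from Cloudflare cache; purge before blaming DNS"
  elif [ "$server" = "cloudflare" ]; then
    echo "OK: $status via edge, cf-cache-status=${cache:-none}"
  else
    echo "OK: $status direct from origin"
  fi
}

# Usage on a real cutover (needs network):
#   origin_headers www.example.com | triage https://www.example.com/
#   edge_headers   www.example.com | triage https://www.example.com/
```

Run the origin and edge variants side by side for each key URL; a CACHE or LOOP tag on the edge side with an OK on the origin side points at Cloudflare settings rather than the new server.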

Cache purge

Purge everything for small sites. For larger sites, purge:

  • Homepage
  • Key landing pages
  • CSS and JS assets if filenames did not change
  • WooCommerce cart fragments if applicable
  • Any page with hardcoded absolute asset URLs

If the site looks old after migration, check cache before blaming DNS.

Common problems

525 or 526 errors

Cloudflare cannot complete a trusted TLS connection to the origin: 525 means the handshake itself failed, 526 means the handshake worked but the origin certificate did not pass validation under Full (strict). Install a valid public certificate or a Cloudflare Origin CA certificate and use Full (strict).

Redirect loop

Usually caused by Flexible SSL, a WordPress home/siteurl mismatch, or an origin forcing HTTP while Cloudflare forces HTTPS.

Admin works, public site stale

Cloudflare or a page cache is serving old HTML. Purge cache and check cache headers.

Email stops working

Someone changed MX, SPF, DKIM, or a proxied mail hostname. Web migrations should not touch email DNS unless planned.

Rollback

Rollback is simple if you kept the old origin running:

  1. Change the proxied A/AAAA records back to the old IP.
  2. Purge cache.
  3. Test with curl -I.
  4. Leave the failed new origin online for investigation.

Do not switch nameservers during a migration unless the migration itself is moving DNS providers. Change the smallest number of records possible.