I’m in the process of transferring DNS records from Cloudflare. I notice that most of the CNAME, and one A type records are “Proxied” by Cloudflare. We are using Cloudflare for DDoS protection.
Question 1: Should I copy ALL of the records into Netlify? Including those that are marked “Proxied”?
Question 2: Since we have a Netlify Business plan, and aren’t on the HPE - do we have any DDoS protection?
Question 3: If no to question 2, can we host our site on Netlify and have Cloudflare proxy the records to gain DDoS protection?
The final step in Netlify is: “Update your domain’s name servers”. I have inherited this account and am trying to run things to ground. I see that we are using Cloudflare, but the domain was initially purchased from Bluehost years ago. Which leads to my next question.
Question 4: Where do I “Update ‘our’ domain’s name servers”?
Not if you don’t wish to use Netlify DNS, but if you do, you most likely will have to copy all of those.
We do monitor and protect our entire CDN as a whole from DDoS, but individual sites might not benefit much from that protection. However, we’re working on improving that.
Yes you can, but we don’t recommend it as it might break some of our features. But, if those features are not too important to you, then you’re good to go. Details here:
Do not do this if you don’t want to use Netlify DNS. But if you want to, you’d have to update the nameservers in the settings from where you purchased the domain, so Bluehost in this case. If you wish to continue using Cloudflare, simply add Netlify specific records in Cloudflare and turn off the orange cloud icon.
You wish to host various branches, so Branch subdomains would have easier DNS configuration and automatic SSL.
Your domain will get a wildcard SSL certificate (but it would cover the domains hosted by Netlify only).
You also get to enable IPv6 support for your domain.
Netlify is able to automatically choose and point your domain to the optimum CDN which is why it keeps on assigning different IPs to your domain.
External DNS is useful when:
You already have a lot of DNS records and it’s a pain to migrate them all.
You’re comfortable with making changes to DNS manually if you have to make some changes and wait for the support team to be able to configure SSL for your Branch subdomains.
You absolutely need to use other tools like Cloudflare.
Other than that, it’s a question of choice - you may choose what you’re most comfortable with.
We really want to use Netlify for all the reasons stated in the article you provided. Our greatest concern is DDoS protection.
It is my understanding that DDoS protection is provided to Netlify HPE clients. And we want to be on the HPE, but before we vector all of our traffic to the Netlify site we want to verify performance and reliability.
It would be extremely expensive for us in marketing outlay to commit and not have things work out.
Bottom line, your recommendation is for us to use Netlify’s DNS in order to take advantage of all of the capabilities of your system?
And we want to @perry. It’s the DDoS protection that concerns us.
Gotcha, @JohnnyK! I am actually going to put you in touch with someone from a different team who can chat with you a little bit more about your needs and HPE. In the meantime, are things working now? If not, let us know.
@perry I’m working with Matt Youn regarding the HPE. He’s awesome. So you don’t need to bug anyone else from that team.
Regarding Cloudflare: just to reiterate why using both Cloudflare and Netlify is kind of self-defeating:
I’m taking my precompiled site on Netlify’s edge, and having Cloudflare consume it and express it to visitors. In so doing, besides not taking full advantage of all of Netlify’s features, I am degrading the very purpose of deploying to an edge in the first place.
I think that’s a fair summary. I would say it a bit differently, to focus on this point:
"Using Cloudflare between the browser and Netlify adds an additional point of failure to every web request. Instead of just needing Netlify to work well, you also rely on Cloudflare working well for each and every web request. Further, this configuration leads to many known problems with Netlify services - from split testing to caching unexpectedly (we tell them not to cache; they cache anyway so your site can become out of sync for up to 5 minutes based on their default settings) to analytics data being pretty useless (“you had 1000 page loads from 3 IP addresses! Which are Cloudflare’s proxy servers…not your actual visitors, so we can’t count visitors, only Cloudflare nodes that talked with us”)."
To be clear, Cloudflare is a great service with a lot of great features; their DNS hosting is great and I am very impressed with all that they give - I feel like both of our companies tend to “deliver more value than we extract” and that makes me happy for both of us! But, putting the Cloudflare proxy (or any proxy; we have the most experience troubleshooting failed Cloudflare connections since it is the most popular proxy for folks using our service, though!) in front of a Netlify site creates problems, delays, and may not offer any real benefits depending on your workload.
To address your original point, we in general keep your site up even when it is attacked - we are obviously very invested in keeping sites online as much as possible regardless of tier.
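A small check for the situation described in this reply: whether a Cloudflare proxy is still sitting between visitors and a Netlify site, and whether it is caching a response the origin marked as revalidate-always. This is an added example, not code from the thread or from Netlify; the header names are the ones both services really emit (Netlify: `server: Netlify`, `x-nf-request-id`; Cloudflare: `server: cloudflare`, `cf-ray`, `cf-cache-status`), and the sample header sets are constructed.

```python
"""Tell a directly served Netlify response from one that came through Cloudflare's proxy."""
import urllib.request


def _normalize(headers):
    # Header names are case-insensitive; compare them in lowercase.
    return {k.lower(): v for k, v in headers.items()}


def served_by(headers):
    """Return 'cloudflare-proxy', 'netlify-direct' or 'unknown' for a response header set."""
    h = _normalize(headers)
    # Cloudflare overwrites the Server header and adds cf-ray on every proxied response,
    # so check for it first: Netlify's own x-nf-request-id may still pass through the proxy.
    if "cf-ray" in h or h.get("server", "").lower() == "cloudflare":
        return "cloudflare-proxy"
    if "x-nf-request-id" in h or h.get("server", "").lower() == "netlify":
        return "netlify-direct"
    return "unknown"


def proxy_cached_despite_origin(headers):
    """True when Cloudflare reports a cache HIT on a response whose Cache-Control asked
    for revalidation (the 'we tell them not to cache; they cache anyway' case)."""
    h = _normalize(headers)
    cc = h.get("cache-control", "").lower()
    origin_wants_revalidation = any(t in cc for t in ("max-age=0", "no-cache", "must-revalidate"))
    return h.get("cf-cache-status", "").upper() == "HIT" and origin_wants_revalidation


def inspect(url):
    """Fetch a URL and classify the live response (network access required)."""
    with urllib.request.urlopen(url) as resp:  # assumption: plain GET is enough
        headers = dict(resp.headers.items())
    return served_by(headers), proxy_cached_despite_origin(headers)


# Constructed sample header sets (values are placeholders, not real IDs).
DIRECT = {"Server": "Netlify", "X-NF-Request-ID": "placeholder-request-id",
          "Cache-Control": "public, max-age=0, must-revalidate"}
PROXIED = {"Server": "cloudflare", "CF-RAY": "placeholder-ray", "CF-Cache-Status": "HIT",
           "X-NF-Request-ID": "placeholder-request-id",
           "Cache-Control": "public, max-age=0, must-revalidate"}

if __name__ == "__main__":
    for name, hdrs in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, served_by(hdrs), "stale-cache-risk:", proxy_cached_despite_origin(hdrs))
```

Run `inspect("https://your-site.example")` against a real site to see which edge answered and whether the proxy is serving cached copies; the constructed samples show both outcomes offline.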