CONFIGURING CLOUDFLARE DNS FOR SAAS CUSTOM DOMAINS
When setting up a custom domain for your application on a SaaS platform, you might encounter a frustrating roadblock: Cloudflare’s unique proxy system requires special DNS configuration that differs from traditional hosting. This becomes particularly challenging when your SaaS provider needs to validate domain ownership, but Cloudflare’s proxy prevents standard TXT or HTTP validation methods from working correctly. In this guide, we’ll explore why this happens and how to properly configure your custom domains with Cloudflare to work seamlessly with SaaS platforms.
Understanding the Problem: Why Validation Fails
If you’ve encountered an error message like “hostname cannot be activated with TXT or HTTP validation token,” you’re experiencing a common issue with Cloudflare-proxied domains. Here’s why it happens:
Cloudflare Proxying: When you add a domain to Cloudflare and enable the proxy (orange cloud icon), all traffic routes through Cloudflare’s servers before reaching your origin server.
Validation Interference: SaaS platforms typically validate domain ownership using either:
- TXT records (which Cloudflare doesn’t proxy but can still interfere with)
- HTTP validation (which fails because requests are intercepted by Cloudflare)
DNS Target Requirements: Many SaaS platforms require your DNS to point directly to their infrastructure using specific CNAME or A records.
The solution isn’t to abandon Cloudflare’s valuable security and performance benefits, but rather to configure your DNS correctly.
The Solution: Direct DNS Pointing to SaaS Zone
To successfully activate your custom hostname while using Cloudflare, you need to:
- Point Directly to SaaS Provider: Configure your DNS to point directly to the SaaS provider’s zone/infrastructure
- Use the Right Record Type: Typically a CNAME record (sometimes an A record)
- Configure Proxy Status Correctly: Often requiring the gray cloud (proxy disabled) during validation
Let’s walk through the step-by-step process with examples for popular SaaS platforms.
Step-by-Step Configuration Guide
1. Access Your Cloudflare DNS Settings
Log into your Cloudflare account and navigate to the DNS section for your domain.
2. Add the Correct DNS Record
Create a new DNS record with the following properties:
| Setting | Value |
|---|---|
| Type | CNAME (usually) |
| Name | Your subdomain (e.g., “app” for app.yourdomain.com) |
| Target | Your SaaS provider’s endpoint |
| Proxy status | Gray cloud (initially) |
| TTL | Auto |
3. Common SaaS Provider Targets
Different SaaS platforms require specific target values:
| SaaS Platform | Target Format | Notes / Example |
|---|---|---|
| Heroku | yourapp.herokudns.com | Use the DNS target shown in `heroku domains` output |
| Netlify | your-site-name.netlify.app | Add the domain in Netlify first, then use the target they provide |
| Vercel | cname.vercel-dns-0.com | Use `vercel domains inspect` for the exact target |
| Shopify | shops.myshopify.com | mystore.myshopify.com |
| Azure App Service | yourapp.azurewebsites.net | contoso.azurewebsites.net |
| AWS Amplify | yourapp.amplifyapp.com | myproject.amplifyapp.com |
| GitHub Pages | yourusername.github.io | developer.github.io |
Important: Always check your SaaS provider’s dashboard for the exact DNS target after adding your custom domain. Providers frequently assign unique targets that change over time.
4. Verify Domain in SaaS Platform
Follow your SaaS provider’s domain verification process. This typically involves:
- Adding the custom domain in their dashboard
- Following their verification instructions
- Waiting for DNS propagation (can take up to 48 hours, though usually much faster)
5. Re-enable Cloudflare Proxy (Optional)
Once your domain is verified and working properly, you may be able to re-enable Cloudflare’s proxy by clicking the DNS record’s cloud icon to turn it orange. However, some SaaS platforms require that the proxy remains disabled.
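Steps 2 and 5 can also be driven through Cloudflare's public v4 DNS records API instead of the dashboard, which is handy when you manage many customer hostnames. The script below is an added example, not code from the page or from Cloudflare: it creates the CNAME with the proxy off (gray cloud) so the provider's validation can see the real target, and offers a separate call to flip `proxied` on once validation has finished. The zone id, API token, record name and target are placeholders read from environment variables; `ttl=1` is the API's encoding of the "Auto" TTL.

```python
"""Create a SaaS CNAME in Cloudflare with the gray cloud, then re-enable the proxy later.

Added example using Cloudflare's public v4 DNS records API (not code from the page).
Zone id, token, hostname and target are placeholders taken from the environment:
CF_ZONE_ID, CF_API_TOKEN, CF_RECORD_NAME, CF_TARGET.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"


def record_payload(name: str, target: str, proxied: bool = False) -> dict:
    """Body for POST /zones/{zone_id}/dns_records (step 2).

    ttl=1 is the API's value for "Auto"; proxied=False is the gray cloud that
    the provider's validation step needs to see.
    """
    return {
        "type": "CNAME",
        "name": name,
        "content": target.rstrip("."),  # the API wants the target without a trailing dot
        "ttl": 1,
        "proxied": proxied,
    }


def proxy_toggle_payload(proxied: bool) -> dict:
    """Body for PATCH /zones/{zone_id}/dns_records/{record_id} (step 5)."""
    return {"proxied": proxied}


def cf_request(method: str, path: str, token: str, body: Optional[dict] = None) -> dict:
    """Send one authenticated request and return its 'result' object, raising on failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path,
        data=data,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            reply = json.load(resp)
    except urllib.error.HTTPError as exc:  # 4xx/5xx replies still carry a JSON body with 'errors'
        reply = json.loads(exc.read() or b"{}")
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply["result"]


def create_gray_cloud_cname(zone_id: str, token: str, name: str, target: str) -> dict:
    """Step 2: create the CNAME with the proxy disabled."""
    return cf_request("POST", f"/zones/{zone_id}/dns_records", token, record_payload(name, target))


def set_proxied(zone_id: str, token: str, record_id: str, proxied: bool) -> dict:
    """Step 5: toggle the orange/gray cloud on an existing record."""
    return cf_request("PATCH", f"/zones/{zone_id}/dns_records/{record_id}", token,
                      proxy_toggle_payload(proxied))


if __name__ == "__main__":
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    rec = create_gray_cloud_cname(zone, token, os.environ["CF_RECORD_NAME"], os.environ["CF_TARGET"])
    print(f"created {rec['name']} -> {rec['content']} (proxied={rec['proxied']}), id={rec['id']}")
    # Only after the SaaS provider reports the hostname as validated (step 4):
    # set_proxied(zone, token, rec["id"], True)
```

Use an API token scoped to DNS edit on the one zone rather than the global API key; the `set_proxied` call is deliberately left commented out so the record stays gray-clouded until the provider has actually validated it.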
Common Issue: Certificate Errors
If you enable Cloudflare’s proxy and encounter SSL/TLS certificate errors, you might be facing a certificate mismatch. This happens because:
- Cloudflare issues its own certificate for your domain
- Your SaaS provider has also issued a certificate
- These certificates can conflict when proxying is enabled
To resolve this:
- Use Cloudflare’s “Full SSL” or “Full SSL (Strict)” encryption mode
- Or keep the proxy disabled (gray cloud) for this specific subdomain
- Some SaaS providers offer specific Cloudflare integration settings
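The quickest way to tell which side of the mismatch you are looking at is to inspect the certificate actually presented for the hostname and check whether its names cover it. The script below is an added example, not code from the page, and uses only the standard library. It is useful from two vantage points: the browser-facing certificate (what Cloudflare presents when the proxy is on, or what the SaaS provider presents when it is off), and the origin's own certificate, which "Full (Strict)" requires to be valid for the hostname. The sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; `hidden-sierra-7936.herokudns.com` is the target from this page, and the issuer names are made up.

```python
"""Does the certificate served for a custom hostname actually cover that name?

Added example (not code from the page). Standard library only. The sample
certificate dicts below are constructed in the shape ssl.SSLSocket.getpeercert()
returns; fetch_peer_cert() is the live path and needs network access.
"""
import socket
import ssl

# Constructed samples, not real certificates.
SAAS_CERT = {  # a provider-issued certificate for the custom domain
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("organizationName", "Example SaaS CA"),),),
    "subjectAltName": (("DNS", "app.example.com"),),
}
WILDCARD_CERT = {  # a certificate for the apex and one label below it
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Edge CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
ORIGIN_ONLY_CERT = {  # origin still serving a certificate for its default hostname only
    "subject": ((("commonName", "hidden-sierra-7936.herokudns.com"),),),
    "issuer": ((("organizationName", "Example SaaS CA"),),),
    "subjectAltName": (("DNS", "hidden-sierra-7936.herokudns.com"),),
}


def cert_names(cert: dict) -> list:
    """DNS names the certificate claims: SAN entries first, then the subject CN."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() not in names:
                names.append(value.lower())
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a '*' that is the whole leftmost label and
    stands for exactly one label (*.example.com covers app.example.com, but
    neither example.com nor a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def diagnose(hostname: str, cert: dict) -> dict:
    """Report whether `cert` covers `hostname`, what it does cover, and who issued it."""
    names = cert_names(cert)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "covered": any(name_matches(n, hostname) for n in names),
        "names": names,
        "issuer": issuer.get("organizationName", "unknown"),
    }


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live path: TLS-connect with SNI and return the peer certificate as a dict.
    Hostname checking is turned off on purpose so a mismatch is reported rather
    than raised; chain validation against the system trust store stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_cert.py app.yourdomain.com
        print(diagnose(sys.argv[1], fetch_peer_cert(sys.argv[1])))
    else:
        print(diagnose("app.example.com", ORIGIN_ONLY_CERT))
```

A result with `covered: False` and a `names` list containing only the provider's default hostname means the origin has not yet issued a certificate for your custom domain, which is the situation "Full (Strict)" will reject; a `covered: True` result whose issuer is not your SaaS provider means Cloudflare's edge certificate is what clients are seeing, i.e. the proxy is on.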
Real-World Example: Setting Up a Custom Domain on Platform.sh with Cloudflare
Let’s walk through a concrete example for Platform.sh:
```text
# 1. In Cloudflare DNS, add:
Type: CNAME
Name: app (for app.yourdomain.com)
Target: projectid-region.platformsh.site
Proxy status: Gray cloud (disabled)

# 2. In Platform.sh console:
- Add domain: app.yourdomain.com
- Select "None/Other" for DNS provider
- Wait for validation

# 3. After validation:
- Platform.sh will issue an SSL certificate
- Your custom domain now works with your application
```
SaaS-Specific Configurations
Heroku
Heroku provides a unique DNS target for each custom domain. Run `heroku domains` to get your specific target, which will be in the format `random-name.herokudns.com`:
```text
$ heroku domains -a your-app-name
=== your-app-name Heroku Domain
your-app-name.herokuapp.com
=== your-app-name Custom Domains
Domain Name  DNS Target
───────────  ────────────────────────────────
example.com  hidden-sierra-7936.herokudns.com
```
Keep the Cloudflare proxy disabled during verification, but you can enable it afterward in most cases.
Netlify
Netlify works well with both proxied and unproxied Cloudflare configurations:
- First, add your custom domain in Netlify’s dashboard
- Netlify will provide the correct DNS target (typically `your-site-name.netlify.app` or a custom target)
- Create the CNAME record in Cloudflare using the target from Netlify
- Netlify handles SSL automatically
AWS Amplify
AWS Amplify requires specific DNS settings:
- Add a CNAME record pointing to the Amplify domain
- Keep proxy disabled (gray cloud)
- Wait for AWS to validate and issue an SSL certificate
Testing Your Configuration
After setting up your DNS, verify it’s working correctly:
- Check DNS propagation: Use a tool like whatsmydns.net to check if your DNS changes have propagated
- Verify SSL: Visit your custom domain with HTTPS to ensure the certificate is valid
- Test functionality: Make sure your application works as expected on the custom domain
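The propagation check above can be made precise: what matters for validation is not just that the name resolves, but what it resolves to. A gray-clouded CNAME shows up at public resolvers as a CNAME to the provider's target; an orange-clouded one is flattened into A records in Cloudflare's edge ranges, which is exactly the state in which provider validation fails. The script below is an added example, not code from the page, covering both the configuration steps earlier in the guide and this testing section. It parses `dig +noall +answer` output, classifies the answer, and says what to do next. The sample answers are constructed (`192.0.2.10` is a documentation address; `hidden-sierra-7936.herokudns.com` is the target shown on this page); the Cloudflare IPv4 ranges are the ones published at https://www.cloudflare.com/ips-v4 at the time of writing, and should be refreshed from that list.

```python
"""Classify what a custom hostname resolves to and whether that fits provider validation.

Added example (not code from the page). Parses `dig +noall +answer` style output;
the sample answers below are constructed. The Cloudflare IPv4 ranges are the ones
published at https://www.cloudflare.com/ips-v4 at the time of writing; refresh
them from that list before relying on the check.
"""
import ipaddress
import subprocess

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed dig answers for app.example.com (not real resolver output).
SAMPLE_DIRECT = (
    "app.example.com.\t300\tIN\tCNAME\thidden-sierra-7936.herokudns.com.\n"
    "hidden-sierra-7936.herokudns.com.\t60\tIN\tA\t192.0.2.10\n"
)
SAMPLE_PROXIED = (
    "app.example.com.\t300\tIN\tA\t104.16.1.1\n"
    "app.example.com.\t300\tIN\tA\t104.16.2.2\n"
)
SAMPLE_WRONG_TARGET = "app.example.com.\t300\tIN\tCNAME\told-target.herokudns.com.\n"

ADVICE = {
    "direct": "CNAME points at the SaaS target: provider validation should succeed",
    "proxied": "answers are Cloudflare edge IPs (orange cloud): gray-cloud the record for validation",
    "wrong-target": "CNAME exists but is not the provider's target: copy it from the provider dashboard",
    "no-answer": "no records returned: record missing or not propagated yet",
    "unexpected": "neither a CNAME nor Cloudflare IPs: check the record type and target",
}


def parse_answer(text: str) -> list:
    """dig answer lines -> (owner, rtype, rdata) tuples with trailing dots stripped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((parts[0].rstrip(".").lower(), parts[3], parts[4].rstrip(".").lower()))
    return records


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of Cloudflare's published IPv4 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_V4)


def classify(hostname: str, answer: str, expected_target: str) -> dict:
    """Decide whether the answer is a direct CNAME, a proxied (flattened) answer, or something else."""
    host, expected = hostname.rstrip(".").lower(), expected_target.rstrip(".").lower()
    records = parse_answer(answer)
    cnames = [rdata for owner, rtype, rdata in records if owner == host and rtype == "CNAME"]
    addrs = [rdata for _, rtype, rdata in records if rtype == "A"]
    if cnames and cnames[0] == expected:
        status = "direct"
    elif addrs and all(is_cloudflare_ip(a) for a in addrs):
        status = "proxied"  # Cloudflare hides the CNAME and answers with its own edge IPs
    elif cnames:
        status = "wrong-target"
    elif not records:
        status = "no-answer"
    else:
        status = "unexpected"
    return {"status": status, "cname": cnames[0] if cnames else None, "a": addrs, "advice": ADVICE[status]}


def dig_answer(hostname: str, resolver: str = "1.1.1.1") -> str:
    """Live path: ask a public resolver (needs `dig` on PATH and network access)."""
    out = subprocess.run(["dig", f"@{resolver}", "+noall", "+answer", hostname, "A"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python check_dns.py app.yourdomain.com <provider-target>
        print(classify(sys.argv[1], dig_answer(sys.argv[1]), sys.argv[2]))
    else:
        for sample in (SAMPLE_DIRECT, SAMPLE_PROXIED, SAMPLE_WRONG_TARGET):
            print(classify("app.example.com", sample, "hidden-sierra-7936.herokudns.com")["status"])
```

Run it against a few different public resolvers (the `resolver` argument) to see propagation unevenly in progress; a `direct` result from every resolver is the point at which the provider's validation can be retried.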
Troubleshooting Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Validation failing | Proxy enabled | Disable Cloudflare proxy (gray cloud) |
| SSL errors | Certificate mismatch | Use “Full SSL” in Cloudflare settings |
| Domain not resolving | DNS propagation | Wait longer (up to 48 hours) |
| 404 errors | Wrong target | Verify DNS target is correct |
| 522 errors | Connection issues | Check SaaS platform status |
Benefits of Using Cloudflare with SaaS Platforms
Despite the initial configuration challenges, combining Cloudflare with your SaaS platform offers significant benefits:
- Enhanced Security: Protection against DDoS attacks, malicious bots, and other threats
- Performance Optimization: Global CDN, caching, and optimization tools
- Analytics: Detailed traffic analysis and insights
- Page Rules: Custom behaviors for specific URLs or sections
- Firewall: Additional layer of security rules
Conclusion
Properly configuring Cloudflare DNS for your SaaS custom domain requires understanding how DNS validation works and the specific requirements of your SaaS provider. By following the steps outlined in this guide, you can successfully integrate your custom domain with both your SaaS platform and Cloudflare’s security and performance benefits.
Remember the key lesson: when activating a custom hostname that uses Cloudflare, ensure your DNS target points directly to the SaaS zone rather than relying on TXT or HTTP validation tokens.