Skip to content

DNS with Cloudflare

The lab needs public DNS to serve hostnames instead of raw IPs. This guide uses Cloudflare's free tier because it's the smoothest setup among the consumer DNS providers, but any DNS host works — Route 53, Oracle DNS, Namecheap DNS, DigitalOcean, etc. The shape of what you set up is the same everywhere.

What you need

  • A domain you own. If you don't have one, buy one from any registrar (Cloudflare Registrar sells at cost, Namecheap is fine, Porkbun is well-regarded). Any .com or .io runs $10-15/year.
  • A Cloudflare account (free).
  • Access to change nameservers at your registrar.

Add the domain to Cloudflare

  1. Sign up at cloudflare.com (free).
  2. Add a Site → enter your domain.
  3. Pick the Free plan (yes, it's really free).
  4. Cloudflare scans your existing DNS records at your current provider (if any) and imports them. Review — for a fresh domain, this list is empty or nearly so.
  5. Cloudflare gives you two nameservers (e.g., alice.ns.cloudflare.com and bob.ns.cloudflare.com).
  6. Change your nameservers at your registrar to those two. This is registrar-specific; log into your registrar and look for "Nameservers" or "DNS" in the domain settings.
  7. Wait. Nameserver propagation takes anywhere from 5 minutes to 48 hours. Usually under an hour. Cloudflare will email you when it detects the change.

Create A records

Once Cloudflare is authoritative for your domain, DNS → Records → Add record:

Type Name Content Proxy status TTL
A lab <web-1-public-ip> DNS only (gray cloud) Auto
A demo <web-2-public-ip> DNS only (gray cloud) Auto
A arm <arm-1-public-ip> DNS only (gray cloud) Auto

That creates lab.yourdomain.com, demo.yourdomain.com, arm.yourdomain.com resolving to your three instances.

Gray cloud, not orange cloud

Set every record to "DNS only" (the gray cloud icon), not "Proxied" (orange).

Why: the orange cloud puts Cloudflare's proxy in front of your instance, which:

  • Terminates TLS at Cloudflare (so Let's Encrypt's tls-alpn-01 challenge fails — Caddy can't answer it because Cloudflare intercepts port 443).
  • Hides your instance's IP (fine for some scenarios, awkward for a lab where you want the honest topology).
  • Adds Cloudflare between you and every request (great for DDoS protection, unnecessary complexity for a lab).

Orange cloud is genuinely powerful for production sites. For a personal lab with Caddy handling TLS, use gray cloud and let your instance speak HTTPS directly.

Verify DNS

From your local machine:

dig +short lab.yourdomain.com
# Should return your web-1 public IP.

dig +short lab.yourdomain.com @1.1.1.1
# Cloudflare's own resolver — will return the record even if your
# local resolver is caching an old NXDOMAIN.

If dig returns nothing:

  • Cloudflare might not yet be authoritative — check dig NS yourdomain.com
  • Local DNS might be caching the old NXDOMAIN — try @1.1.1.1 or wait
  • The record might have a typo (check the IP)

Certificate issuance

Once DNS resolves, on the instance:

sudo systemctl reload caddy

Then watch the log:

sudo journalctl -u caddy -f

You should see a successful ACME exchange within 30 seconds. If it fails:

  • Rate-limited? Let's Encrypt has strict rate limits. If you've tried the same hostname many times in a short window, use the staging endpoint temporarily by adding acme_ca https://acme-staging-v02.api.letsencrypt.org/directory in your Caddyfile's global block, verify staging works, then remove it.
  • DNS didn't propagate yet? Wait 5 minutes and reload again.
  • Port 443 blocked? Check OCI security list + nftables.

Multiple subdomains, one instance

You can have as many subdomains as you want pointing at the same instance:

A  lab       → <web-1-ip>
A  docs      → <web-1-ip>
A  status    → <web-1-ip>
A  landing   → <web-1-ip>

Caddy's SNI-based routing handles them all — see Multiple hostnames on one IP.

TTL

Cloudflare's default TTL is Auto (5 minutes when the record is proxied, 1 hour when it's DNS-only). For a lab, 1 hour is fine.

If you're actively changing an IP (e.g., migrating), drop it to 60 seconds temporarily.

Cloudflare features you can enable safely with gray-cloud records

Some Cloudflare features apply at the DNS level and are free regardless of whether the record is proxied:

  • DNSSEC — enable it. One click. Zero downside.
  • Email routing — free email forwarding at your domain. Great for hello@yourdomain.com.
  • Analytics: DNS Query volume — good visibility.

Features that require orange-cloud (skip unless you switch that record): Bot management, WAF, page rules, workers, tunnels.

Next

Head to Multiple hostnames on one IP to serve several sites from one Caddy instance.