Cloudflare Tunnel Requires You to Move Your DNS — Here's What That Means

Cloudflare Tunnel is a free, well-engineered tool for exposing local services to the internet. But there is a prerequisite that most guides bury in a footnote: you must move your domain's DNS to Cloudflare. For many people this is fine. For others, it is a dealbreaker they only discover after they have already bought a domain and started setting things up.

What Cloudflare Tunnel actually requires

Cloudflare Tunnel works by running a daemon called cloudflared on your local machine. It opens an outbound connection to Cloudflare's network, and Cloudflare routes incoming requests from your domain through that connection to your local service. The architecture is sound — outbound tunnels work behind CGNAT, firewalls, and restrictive networks.

But for Cloudflare to route traffic from your domain to your tunnel, your domain must be added to your Cloudflare account. And Cloudflare offers two ways to add a domain:

Option 1: Full Setup (free — but you must change your nameservers)

This is the default and recommended mode. You add your domain to Cloudflare, and Cloudflare assigns you two nameservers. You then go to your domain registrar and replace your existing nameservers with Cloudflare's. Once propagation completes (up to 24 hours), Cloudflare becomes the authoritative DNS provider for your entire domain.

Every DNS record for that domain — your website, your email MX records, your SPF/DKIM records, any subdomains — is now managed through Cloudflare's dashboard. When you set up a tunnel, Cloudflare can automatically create the CNAME record that points your subdomain to the tunnel.

This is what Cloudflare's own documentation recommends. It is what most tutorials assume. It is what the Home Assistant Cloudflared app expects.

Option 2: Partial (CNAME) Setup — but not on the Free plan

Cloudflare also supports a "Partial" or "CNAME" setup where you keep your existing DNS provider and just point individual subdomains to Cloudflare via CNAME records. This avoids the nameserver change.

The catch: Partial setup is only available on Cloudflare's Business plan ($200/month) or Enterprise plan. It is not available on Free or Pro.

✗ Common misconception

"I'll just point a CNAME at my tunnel from my existing DNS provider." — This does not work on the Free plan. The tunnel's .cfargotunnel.com subdomain only proxies traffic for DNS records within the same Cloudflare account. Without your domain added to Cloudflare in Full or Partial setup, traffic will not route through the tunnel.

What this means in practice

If you want to use Cloudflare Tunnel on the Free plan (which is what most home users, Home Assistant users, and self-hosters are on), you have exactly one path:

Buy a domain

You need your own domain name — Cloudflare Tunnel does not provide you with a subdomain. You can buy a domain from any registrar, including directly from Cloudflare Registrar. The domain must use a valid public TLD (.com, .net, .uk, etc.). Once you own the domain, you can create subdomains within Cloudflare's dashboard.

Add the domain to Cloudflare

Create a free Cloudflare account and add your domain. Cloudflare will scan your existing DNS records and import them.

Change your nameservers to Cloudflare's

Go to your registrar (Namecheap, Cloudflare Registrar, Porkbun, GoDaddy, Google Domains, etc.) and replace the nameservers with the two Cloudflare nameservers assigned to your account. This transfers DNS authority for your entire domain to Cloudflare.

Wait for propagation

Nameserver changes can take up to 24 hours to propagate globally. During this window, DNS resolution may behave unpredictably if you have existing services running on the domain.

Now you can create a tunnel

Once the domain is active on Cloudflare, you can create a tunnel and assign a public hostname (subdomain) to it. Cloudflare creates a CNAME record pointing to your tunnel's UUID.

This is not a complicated process, but it is a significant one — especially if your domain already handles email, a website, or other services. Moving nameservers means all DNS management for that domain now happens in Cloudflare's dashboard.

The Home Assistant Cloudflared app makes this explicit

The popular Cloudflared app for Home Assistant states this requirement clearly in its documentation:

From the Cloudflared app docs

"A domain name (e.g. example.com) using Cloudflare for DNS." — The app creates CNAME records via the Cloudflare API during startup, which only works when Cloudflare controls the DNS zone. The domain's nameservers must point to Cloudflare.

The app also requires you to enable WebSockets for your domain in the Cloudflare dashboard, and to configure trusted_proxies in Home Assistant's configuration.yaml — because with Cloudflare Tunnel, requests arrive from Cloudflare's IP range, not from your local network.

Why this matters

For many people, moving nameservers to Cloudflare is perfectly acceptable. Cloudflare's DNS service is fast and reliable, and for a domain that exists solely for your Home Assistant tunnel, there is no downside.

But there are real scenarios where this requirement creates friction:

You already use your domain for other things

If your domain handles email (with MX records managed by your hosting provider), runs a website, or has complex DNS configurations, migrating all of that to Cloudflare introduces risk. Cloudflare scans and imports your existing records, but the import is not always complete or correct. An incorrect migration can break email delivery, take down your website, or disrupt other services — and the 24-hour propagation window means it can take time to notice and fix.

You manage DNS through your hosting provider

Many people use their web host's DNS because it integrates tightly with their hosting — automatic record creation for new sites, SSL provisioning, email setup. Moving nameservers to Cloudflare means managing DNS in one place and hosting in another, which adds operational complexity.

Your organisation controls DNS centrally

In corporate or institutional environments, DNS is typically managed by an IT team and changing nameservers requires approval. Running a personal tunnel through a company domain is unlikely to be approved. Even for personal domains, if you use a DNS provider with advanced features (DNSSEC with specific key management, geo-routing, failover) you may lose functionality when switching to Cloudflare.

You don't want to buy a domain at all

Some people just want to access their Home Assistant from their phone. Buying a domain, setting up a Cloudflare account, changing nameservers, and configuring YAML files is a lot of steps for that use case.

⚠️ What about TryCloudflare / Quick Tunnels?

Cloudflare offers "Quick Tunnels" that generate a random subdomain on trycloudflare.com without requiring a domain or Cloudflare account. However, these are explicitly intended for testing only. The subdomain changes every time you restart the tunnel, there is no SLA, and Cloudflare uses these tunnels to test new features before deploying to production customers. They are not suitable for persistent remote access.

DNS requirement comparison

Different tunnel and remote access services have different requirements when it comes to domains and DNS:

Service	Domain Required	DNS Must Be on Their Servers	Works With Any Registrar	Provides Subdomain
Pluggie	✗ Optional	✗ No DNS change needed	✓	✓ randomly generated *.pluggie.net
Nabu Casa	✗ Optional (your own domain supported)	✗	✓	✓ random-id.ui.nabu.casa
Cloudflare Tunnel	✓ Required	✓ Nameserver change required*	Partial Registration can stay, DNS moves	✗
Tailscale	✗ Not needed	✗	N/A	✓ device.tailnet-name.ts.net *
Homeway	✗ Not needed	✗	N/A	✓ unique URL via Homeway

* Tailscale provides device.tailnet-name.ts.net addresses, but these resolve only on devices running the Tailscale VPN client within your tailnet. They are not accessible from a standard browser on the public internet. Every device that needs access must have Tailscale installed and be signed in to the same network.

Cloudflare's Partial (CNAME) setup avoids the nameserver change, but it requires a Business plan at $200/month — not available on Free or Pro.

There is a separate architectural question beyond DNS: what happens to your traffic once it reaches Cloudflare's servers? Cloudflare Tunnel terminates TLS at their edge, meaning your login credentials, device commands, and camera feeds are decrypted at Cloudflare's infrastructure. We cover this in detail in Cloudflare Tunnel and TLS: What Cloudflare Can See.

When Cloudflare Tunnel is the right choice

None of this is to say Cloudflare Tunnel is a bad tool. It is well-built, maintained by a company with excellent infrastructure, and the Free plan is genuinely generous. It is the right choice when:

You have a dedicated domain that exists solely for your tunnel (buying a cheap .uk or .xyz domain for this purpose is common)
You do not mind managing DNS in Cloudflare's dashboard
You want Cloudflare's additional features: DDoS protection, WAF rules, access policies via Cloudflare Zero Trust
You are comfortable with TLS termination at Cloudflare's edge
You enjoy tinkering and do not mind the multi-step setup process

For the right user profile, it is an excellent solution. The DNS requirement is not a bug — it is how Cloudflare's proxy architecture works. Cloudflare needs to be in the DNS path to route traffic through their network.

When it is not

Cloudflare Tunnel is a less natural fit when:

You do not own a domain and do not want to buy one
Your domain is already in use and you do not want to move its DNS
You want something that works out of the box without YAML configuration, DNS management, and Cloudflare account setup
You want end-to-end encryption where the relay cannot see your traffic
You are setting up a non-technical family member and need the simplest possible path

How Pluggie handles this differently

Pluggie does not require you to own a domain or change any DNS settings. When you install the Pluggie app on Home Assistant or run the Docker container, you receive a randomly generated pluggie.net subdomain. The tunnel connects, your subdomain is live, and your service is accessible from any browser.

Cloudflare Tunnel setup

Buy domain

→

Change nameservers
to Cloudflare

→

Wait for
propagation

→

Create tunnel

→

Configure
YAML

Requires: domain purchase + Cloudflare account + DNS migration + Home Assistant YAML edits

Pluggie setup

Install app

→

Enter access key

→

Configure
YAML

→

Done

Requires: Pluggie account + Home Assistant YAML edit — no domain, no DNS migration

If you want to use your own domain with Pluggie, you can — on paid plans, you point a CNAME record from your domain to Pluggie, and your domain's nameservers stay exactly where they are. There is no requirement to move your DNS anywhere. Your registrar, your DNS provider, your existing records — all untouched.

✓ Pluggie works with any DNS provider

Your own domain on Pluggie requires a single CNAME record pointed at your Pluggie tunnel. Your nameservers stay with your existing provider — Cloudflare, Route 53, Namecheap, Hetzner, your hosting company, wherever they are now. No migration required.

The free tier includes a randomly generated pluggie.net subdomain with End-to-End Encryption and no DNS configuration. No email or credit card required. You can be up and running in under five minutes.

📬 Questions?

If you are evaluating tunnel services and want to understand the differences in more detail, reach out at support@pluggie.net. We are happy to help — even if you end up choosing Cloudflare.