Automating the Internet: A Complete Guide to Cloudflare DNS API (CRUD)
Managing DNS records manually via a dashboard is fine for a hobby site. But if you want dynamic infrastructure, CI/CD-driven deployments, or simply the power to control the internet with scripts, you need the Cloudflare DNS API.
This guide walks you through full CRUD operations (Create, Read, Update, Delete) on Cloudflare DNS records using simple, production-ready curl commands. We’ll also cover security best practices and what to do if your API token is accidentally leaked.
Why Automate DNS?
Automated DNS management is essential when you:
- Deploy applications dynamically (Docker, Kubernetes, CI/CD)
- Rotate servers or IPs frequently
- Manage multiple subdomains or environments (dev/stage/prod)
- Want reproducible, scriptable infrastructure (IaC mindset)
Cloudflare’s API makes all of this possible.
Step 1: Security First — Creating an API Token
Before touching the API, you need an API token with the least privilege possible.
How to Create a Cloudflare API Token
- Log in to Cloudflare Dashboard
- Navigate to My Profile → API Tokens
- Click Create Token → Create Custom Token
- Configure permissions:
  - Permission: Zone | DNS | Edit
  - Resources: Include | Specific Zone | yourdomain.com
- (Optional but recommended) Enable Client IP Filtering if you have a static IP
- Click Continue to Summary → Create Token
- Copy the token and store it securely (password manager or .env file)
Never hard-code API tokens into source code.
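A pre-commit style check for this rule, as an added example in Python (not part of the original guide): it flags any `Authorization: Bearer` header whose value is pasted in literally instead of being a placeholder or a variable reference. The variable name `CF_API_TOKEN` and the sample script are assumptions constructed for the example.

```python
import re
import sys

# Header form used by the curl commands on this page; group 1 is the value.
BEARER = re.compile(r"Authorization:\s*Bearer\s+([^\s\"'\\]+)", re.IGNORECASE)

def is_reference(value):
    """True for values that point at a secret instead of containing one."""
    # $CF_API_TOKEN, ${CF_API_TOKEN}, %CF_API_TOKEN% (CMD), <YOUR_API_TOKEN>
    return value[0] in "$%<"

def find_hardcoded_tokens(text):
    """Return [(line_number, redacted_value)] for literal bearer values."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in BEARER.finditer(line):
            value = match.group(1)
            if not is_reference(value):
                # Redact so the hook's own output does not leak the secret.
                hits.append((number, value[:4] + "..."))
    return hits

# Constructed sample: a script with one placeholder, one env reference and
# one pasted value (the value is made up and is not a real token).
SAMPLE = """\
curl -H "Authorization: Bearer <YOUR_API_TOKEN>" "$URL"
curl -H "Authorization: Bearer $CF_API_TOKEN" "$URL"
curl -H "Authorization: Bearer EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken0000" "$URL"
"""

def main(paths):
    """Scan the given files; return 1 if any literal token is found."""
    found = 0
    for path in paths:
        with open(path, errors="replace") as handle:
            for number, redacted in find_hardcoded_tokens(handle.read()):
                print(f"{path}:{number}: hard-coded bearer token ({redacted})")
                found = 1
    return found

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    print(find_hardcoded_tokens(SAMPLE))
```

Run it with the staged file paths as arguments; a non-zero exit status blocks the commit.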
Emergency: "I Pushed My Token to GitHub!"
If you accidentally commit your token to a public repository:
Do NOT panic — act immediately.
Roll the Token (Fastest & Safest)
- Go to Cloudflare Dashboard → API Tokens
- Click the three dots (⋯) next to the compromised token
- Select Roll
What rolling does:
- Instantly invalidates the old secret
- Generates a new secret
- Keeps permissions and zone bindings intact
- Update your .env files or secrets manager with the new token
Rolling is better than deleting, because it avoids reconfiguration.
Required Setup
You’ll need two values for every API call:
- Zone ID: Found in Domain → Overview → Right Sidebar
- API Token: The secret you just created
Windows CMD users:
- Use double quotes " only
- Write commands in one line
- Escape inner quotes with \"
1. READ — Fetch DNS Records
Before updating or deleting a record, you must know its Record ID (not the Zone ID).
Get All CNAME Records
curl -X GET "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records?type=CNAME" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json"
Get All A Records
curl -X GET "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records?type=A" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json"
Filter by Name
?name=subdomain.yourdomain.com
Important:
Look for the field:
"id": "RECORD_ID"
You’ll need this ID for update and delete operations.
2. CREATE — Add a New DNS Record
Create an A Record (IP Address)
curl -X POST "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "api",
"content": "192.168.1.50",
"proxied": true,
"ttl": 1,
"comment": "Created via API"
}'
Create a CNAME Record (Point to Another Domain)
Perfect for Vercel, Railway, Netlify, Heroku, etc.
curl -X POST "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" \
--data '{
"type": "CNAME",
"name": "blog",
"content": "my-blog.vercel.app",
"proxied": true,
"ttl": 1
}'
Key Fields Explained
- proxied: true → Enables Cloudflare protection (orange cloud)
- proxied: false → DNS-only (grey cloud)
- ttl: 1 → Auto TTL
3. UPDATE — Modify an Existing Record
Use PATCH when you want to update only specific fields.
You cannot change the record type with PATCH.
To change type, you must DELETE and CREATE a new record.
Update Record Content (IP or Target)
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records/<RECORD_ID>" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json" \
--data '{
"content": "203.0.113.10",
"proxied": true,
"comment": "Updated via automation"
}'
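The READ-then-UPDATE flow above as one decision step, as an added example in Python (not part of the original guide): given the JSON returned by the list call, it picks out the Record ID and returns the next request to send, without sending it. The function name, the `ZONE_ID`/`RECORD_ID_*` placeholders and the sample response are constructed for the example; the list results carry the full record name, so the short name used on create is expanded before matching.

```python
import json

API = "https://api.cloudflare.com/client/v4"

def plan_upsert(zone_id, zone_name, list_response, want):
    """Return (method, url, body) for the next call, or None if up to date."""
    resp = json.loads(list_response)
    if not resp.get("success"):
        raise RuntimeError(f"list call failed: {resp.get('errors')}")
    # Create accepts a short name ("api"); list results hold the full name.
    fqdn = want["name"]
    if fqdn != zone_name and not fqdn.endswith("." + zone_name):
        fqdn = f"{fqdn}.{zone_name}"
    matches = [r for r in resp["result"]
               if r["type"] == want["type"] and r["name"].lower() == fqdn.lower()]
    base = f"{API}/zones/{zone_id}/dns_records"
    if not matches:
        return ("POST", base, want)
    if len(matches) > 1:
        # Several records share this name and type; refuse to guess.
        raise RuntimeError(f"{len(matches)} {want['type']} records for {fqdn}")
    current = matches[0]
    # PATCH only the fields that differ; type and name stay as they are.
    changed = {k: v for k, v in want.items()
               if k not in ("type", "name") and current.get(k) != v}
    if not changed:
        return None
    return ("PATCH", f"{base}/{current['id']}", changed)

# Constructed sample of a list response (IDs are placeholders).
SAMPLE = json.dumps({"success": True, "errors": [], "result": [
    {"id": "RECORD_ID_1", "type": "A", "name": "api.yourdomain.com",
     "content": "192.168.1.50", "proxied": True, "ttl": 1},
    {"id": "RECORD_ID_2", "type": "CNAME", "name": "blog.yourdomain.com",
     "content": "my-blog.vercel.app", "proxied": True, "ttl": 1},
]})

if __name__ == "__main__":
    want = {"type": "A", "name": "api", "content": "203.0.113.10",
            "proxied": True}
    print(plan_upsert("ZONE_ID", "yourdomain.com", SAMPLE, want))
```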
4. DELETE — Remove a DNS Record
Clean up unused or deprecated services.
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/<YOUR_ZONE_ID>/dns_records/<RECORD_ID>" \
-H "Authorization: Bearer <YOUR_API_TOKEN>" \
-H "Content-Type: application/json"
DNS Cache (“Ghost Record” Issue)
If updates don’t reflect immediately:
- Flush local DNS cache: ipconfig /flushdns
- Query Cloudflare DNS directly: nslookup subdomain.yourdomain.com 1.1.1.1
- Wait 5–10 minutes for global propagation
Final Thoughts
With Cloudflare’s DNS API, you can:
- Fully automate DNS changes
- Integrate DNS into CI/CD pipelines
- Build dynamic, scalable infrastructure
- Recover instantly from mistakes (token rolling)
Once you master these CRUD operations, DNS becomes code — not a manual chore.
Happy Automating!
1 Comments
BlogForge
To create an API token, from the Cloudflare dashboard, go to: https://dash.cloudflare.com/profile/api-tokens