Cloudflare DNS Operations Skill
Low-level Cloudflare DNS and zone management operations using Cloudflare API for manual record management and advanced configuration.
Quick Start
Quick DNS operations:
```bash
# Load environment variables
source /home/dawiddutoit/projects/network/.env

# List all DNS records
/home/dawiddutoit/projects/network/scripts/cf-dns.sh list

# Add A record
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add A api.temet.ai 192.168.68.100

# Add CNAME record
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add CNAME www temet.ai

# Update existing record
/home/dawiddutoit/projects/network/scripts/cf-dns.sh update api.temet.ai 192.168.68.200

# Delete record
/home/dawiddutoit/projects/network/scripts/cf-dns.sh delete api.temet.ai
```
Table of Contents
- When to Use This Skill
- What This Skill Does
- Instructions
  - 3.1 Setup API Authentication
  - 3.2 List DNS Records
  - 3.3 Add DNS Records
  - 3.4 Update DNS Records
  - 3.5 Delete DNS Records
  - 3.6 Manage Zone Settings
  - 3.7 Dynamic DNS Updates
- Supporting Files
- Expected Outcomes
- Requirements
- Red Flags to Avoid
When to Use This Skill
Explicit Triggers:
- "Add DNS record"
- "Update DNS record"
- "Delete DNS record"
- "Dynamic DNS"
- "Cloudflare API operations"
- "Manual DNS management"
Implicit Triggers:
- Need to add DNS record outside domain management system
- Dynamic home IP updates needed
- Testing DNS configurations
- Bulk DNS operations required
- Zone settings need manual adjustment
Debugging Triggers:
- "How do I add a DNS record?"
- "How to update my home IP?"
- "What DNS records exist?"
What This Skill Does
- Setup Auth - Configures Cloudflare API credentials
- Lists Records - Shows all DNS records in zone
- Adds Records - Creates new A, AAAA, CNAME, TXT records
- Updates Records - Modifies existing record values
- Deletes Records - Removes DNS records
- Manages Settings - Configures SSL, caching, security settings
- Dynamic DNS - Automates home IP updates
Instructions
3.1 Setup API Authentication
Required credentials:
- Cloudflare email address
- Cloudflare API token or Global API Key
- Zone ID for temet.ai domain
Step 1: Get Zone ID
- Go to: https://dash.cloudflare.com
- Select domain: temet.ai
- Click: Overview tab
- Find: API section in right sidebar
- Copy: Zone ID
Example: 1234567890abcdef1234567890abcdef
Step 2: Get API Token
Recommended: Use API Token (scoped permissions)
- Go to: https://dash.cloudflare.com/profile/api-tokens
- Click: Create Token
- Select template: Edit zone DNS
- Zone Resources: Include → Specific zone → temet.ai
- Click: Continue to summary → Create Token
- Copy token (shown only once)
Alternative: Use Global API Key (full account access)
- Go to: https://dash.cloudflare.com/profile/api-tokens
- Scroll to: API Keys section
- Click: View next to Global API Key
- Copy key
⚠️ Security note: An API Token is more secure because its permissions are scoped (here, DNS edits on the temet.ai zone only), while the Global API Key has full account access.
Step 3: Add to .env
```bash
# Edit .env
nano /home/dawiddutoit/projects/network/.env

# Add (using API Token - recommended):
CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_ZONE_ID="your-zone-id-here"
CLOUDFLARE_API_KEY="your-api-token-here"

# Or using Global API Key:
CLOUDFLARE_EMAIL="your-email@example.com"
CLOUDFLARE_ZONE_ID="your-zone-id-here"
CLOUDFLARE_GLOBAL_API_KEY="your-global-api-key-here"
```
Step 4: Test Access
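```bash
source /home/dawiddutoit/projects/network/.env

# CLOUDFLARE_API_KEY holds the API token from Step 3. Tokens are sent as a
# Bearer token and checked with the token verify endpoint; only a Global API
# Key uses the X-Auth-Email / X-Auth-Key header pair.
curl -s -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
  | jq '.success'
```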
Expected output: true
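Step 3 stores one of two credential types, and they are sent differently: an API token as a Bearer token, the Global API Key as an `X-Auth-Email`/`X-Auth-Key` pair. As an added example (not part of the original skill or its helper scripts), the hypothetical functions below refuse to load a `.env` that other users can read and emit the headers matching the configured credential, using the variable names from Step 3.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# the variable names are the ones the page's .env file defines.

# True only if the file exists and grants no access to group or others.
env_file_is_private() {
  [ -f "$1" ] || return 1
  # Characters 5-10 of "ls -l" output are the group and other permission bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Refuses to load credentials from a file other users can read.
load_cf_env() {
  if ! env_file_is_private "$1"; then
    echo "refusing $1: run chmod 600 on it first" >&2
    return 1
  fi
  . "$1"
}

# Prints the auth headers for whichever credential is configured, one per line.
cf_auth_headers() {
  if [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
    # Scoped API token: sent as a Bearer token, no email needed.
    printf 'Authorization: Bearer %s\n' "$CLOUDFLARE_API_KEY"
  elif [ -n "${CLOUDFLARE_GLOBAL_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
    # Global API Key: legacy header pair, full account access.
    printf 'X-Auth-Email: %s\nX-Auth-Key: %s\n' \
      "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_GLOBAL_API_KEY"
  else
    echo "no Cloudflare credential set" >&2
    return 1
  fi
}

# Demo with a constructed token value, run in a subshell so nothing leaks out.
( CLOUDFLARE_API_KEY="constructed-token-value"; cf_auth_headers )
```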
3.2 List DNS Records
Using helper script:
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh list
```
Expected output:
```
DNS Records for temet.ai:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Type    Name    Value
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CNAME   pihole  tunnel-id.cfargotunnel.com
CNAME   jaeger  tunnel-id.cfargotunnel.com
A       home    1.2.3.4
...
```
Using direct API call:
```bash
source /home/dawiddutoit/projects/network/.env

# CLOUDFLARE_API_KEY holds the API token from Step 3, so it is sent as a Bearer token
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records" \
  -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
  | jq -r '.result[] | "\(.type)\t\(.name)\t\(.content)"'
```
Filter by type:
```bash
# List only A records
/home/dawiddutoit/projects/network/scripts/cf-dns.sh list | grep "^A"

# List only CNAME records
/home/dawiddutoit/projects/network/scripts/cf-dns.sh list | grep "^CNAME"
```
3.3 Add DNS Records
Add A record (IPv4):
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add A api.temet.ai 192.168.68.100
```
Add AAAA record (IPv6):
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add AAAA ipv6.temet.ai 2001:db8::1
```
Add CNAME record:
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add CNAME www temet.ai
```
Add TXT record (verification/SPF):
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh add TXT _verification "verification-code"
```
Add record with proxy enabled (orange cloud):
```bash
# Using direct API call
source /home/dawiddutoit/projects/network/.env

# Note: proxying only works for a publicly reachable origin, so replace the
# private 192.168.68.100 address below with a public one before using this.
# The API token is sent as a Bearer token.
curl -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records" \
  -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "proxied.temet.ai",
    "content": "192.168.68.100",
    "ttl": 1,
    "proxied": true
  }' | jq '.'
```
Common record types:
| Type | Example | Purpose |
|---|---|---|
| A | 192.168.68.100 | IPv4 address |
| AAAA | 2001:db8::1 | IPv6 address |
| CNAME | target.example.com | Alias to another domain |
| TXT | "verification-code" | Text records (verification, SPF) |
| MX | 10 mail.example.com | Mail exchange |
3.4 Update DNS Records
Update existing record:
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh update api.temet.ai 192.168.68.200
```
Script automatically:
- Finds existing record by name
- Gets record ID
- Updates content to new value
- Preserves type and proxy settings
Update with direct API call:
```bash
source /home/dawiddutoit/projects/network/.env

# Step 1: Get record ID (the API token is sent as a Bearer token)
record_id=$(curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records?name=api.temet.ai" \
  -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
  | jq -r '.result[0].id // empty')

# Step 2: Update record, but only if the lookup returned an ID;
# otherwise the PUT would target a non-existent record
if [ -n "$record_id" ]; then
  curl -X PUT \
    "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records/${record_id}" \
    -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{
      "type": "A",
      "name": "api.temet.ai",
      "content": "192.168.68.200",
      "ttl": 1,
      "proxied": false
    }' | jq '.'
else
  echo "No DNS record found for api.temet.ai" >&2
fi
```
3.5 Delete DNS Records
Delete record by name:
```bash
/home/dawiddutoit/projects/network/scripts/cf-dns.sh delete api.temet.ai
```
Confirm before deletion:
Script will show:
```
Found record: A api.temet.ai → 192.168.68.100
Delete this record? (y/N):
```
Using direct API call:
```bash
source /home/dawiddutoit/projects/network/.env

# Step 1: Get record ID (the API token is sent as a Bearer token)
record_id=$(curl -s -X GET \
  "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records?name=api.temet.ai" \
  -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
  | jq -r '.result[0].id // empty')

# Step 2: Delete record, but only if the lookup returned an ID
if [ -n "$record_id" ]; then
  curl -X DELETE \
    "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/dns_records/${record_id}" \
    -H "Authorization: Bearer ${CLOUDFLARE_API_KEY}" \
    | jq '.'
else
  echo "No DNS record found for api.temet.ai" >&2
fi
```
3.6 Manage Zone Settings
View all zone settings:
```bash
/home/dawiddutoit/projects/network/scripts/cf-settings.sh all
```
View specific setting:
```bash
# SSL/TLS mode
/home/dawiddutoit/projects/network/scripts/cf-settings.sh get ssl

# Security level
/home/dawiddutoit/projects/network/scripts/cf-settings.sh get security_level

# Caching level
/home/dawiddutoit/projects/network/scripts/cf-settings.sh get cache_level
```
Update setting:
```bash
# Set SSL to Full (encrypts the connection to the origin but does not validate the origin certificate)
/home/dawiddutoit/projects/network/scripts/cf-settings.sh set ssl full

# Enable always HTTPS
/home/dawiddutoit/projects/network/scripts/cf-settings.sh set always_use_https on

# Enable HTTP/3
/home/dawiddutoit/projects/network/scripts/cf-settings.sh set http3 on
```
Enable security suite:
```bash
# Enables: SSL Full, Always HTTPS, WAF
/home/dawiddutoit/projects/network/scripts/cf-settings.sh enable-security
```
Enable performance suite:
```bash
# Enables: Brotli, HTTP/2, HTTP/3
/home/dawiddutoit/projects/network/scripts/cf-settings.sh enable-performance
```
Purge cache:
```bash
# Purge all cached files
/home/dawiddutoit/projects/network/scripts/cf-settings.sh purge-cache
```
Enable development mode:
```bash
# Bypass cache for 3 hours
/home/dawiddutoit/projects/network/scripts/cf-settings.sh dev-mode on

# Disable development mode
/home/dawiddutoit/projects/network/scripts/cf-settings.sh dev-mode off
```
3.7 Dynamic DNS Updates
Scenario: Home internet IP changes, need to update DNS automatically.
Manual update:
```bash
# Get current public IP
current_ip=$(curl -s https://api.ipify.org)

# Update DNS record
/home/dawiddutoit/projects/network/scripts/cf-dns.sh update home.temet.ai "$current_ip"
```
Automated script:
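```bash
#!/bin/bash
# /home/dawiddutoit/scripts/dynamic-dns-update.sh

source /home/dawiddutoit/projects/network/.env

# Get current public IP (-f makes curl fail on HTTP errors instead of returning an error page)
current_ip=$(curl -fsS --max-time 10 https://api.ipify.org)

# Never push an empty value to DNS if the lookup failed
if [ -z "$current_ip" ]; then
  echo "Could not determine public IP, skipping update" >&2
  exit 1
fi

# Get DNS record IP (only meaningful for a DNS-only record;
# a proxied record resolves to Cloudflare addresses)
dns_ip=$(dig +short home.temet.ai @1.1.1.1)

# Update if different
if [ "$current_ip" != "$dns_ip" ]; then
  echo "IP changed: $dns_ip → $current_ip"
  /home/dawiddutoit/projects/network/scripts/cf-dns.sh update home.temet.ai "$current_ip"
else
  echo "IP unchanged: $current_ip"
fi
```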
Schedule with cron:
```bash
# Edit crontab
crontab -e

# Check every 5 minutes
*/5 * * * * /home/dawiddutoit/scripts/dynamic-dns-update.sh >> /var/log/dynamic-dns.log 2>&1
```
Notification on change:
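```bash
#!/bin/bash
# With notification

current_ip=$(curl -fsS --max-time 10 https://api.ipify.org)
dns_ip=$(dig +short home.temet.ai @1.1.1.1)

# Only act on a non-empty lookup result that differs from DNS
if [ -n "$current_ip" ] && [ "$current_ip" != "$dns_ip" ]; then
  /home/dawiddutoit/projects/network/scripts/cf-dns.sh update home.temet.ai "$current_ip"

  # Send notification (if ntfy configured)
  # Anyone who knows the topic name can read messages on ntfy.sh, so treat it as a secret
  if [ -n "$NTFY_TOPIC" ]; then
    curl -d "Home IP updated: $current_ip" "https://ntfy.sh/$NTFY_TOPIC"
  fi
fi
```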
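The dynamic DNS scripts above pass whatever the IP lookup service returns straight to the DNS update. As an added example (not part of the original skill or its helper scripts), the check below validates that response and decides whether an update should go ahead; `is_ipv4`, `is_public_ipv4` and `ddns_decision` are hypothetical names and the sample inputs are constructed.

```bash
#!/bin/bash
# Added example, not from the original page; function names are hypothetical.

# True only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  local ip="$1" o
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octets
  esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# True only if the address is outside private, loopback, link-local,
# carrier-grade NAT (100.64.0.0/10), 0.0.0.0/8 and multicast/reserved space.
is_public_ipv4() {
  is_ipv4 "$1" || return 1
  local IFS=. a b
  set -- $1
  a=$1 b=$2
  if [ "$a" -eq 0 ] || [ "$a" -eq 10 ] || [ "$a" -eq 127 ] || [ "$a" -ge 224 ]; then return 1; fi
  if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 1; fi
  if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 1; fi
  if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then return 1; fi
  if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then return 1; fi
  return 0
}

# Prints reject, unchanged or update for a lookup result ($1) and the recorded value ($2).
ddns_decision() {
  if ! is_public_ipv4 "$1"; then
    echo "reject"
  elif [ "$1" = "$2" ]; then
    echo "unchanged"
  else
    echo "update"
  fi
}

# Constructed lookup results; 203.0.113.0/24 is a documentation range.
for sample in "203.0.113.8" "" "<html>502 Bad Gateway</html>" "192.168.68.100"; do
  printf '%-32s %s\n' "[$sample]" "$(ddns_decision "$sample" "203.0.113.7")"
done
```

Calling `ddns_decision "$current_ip" "$dns_ip"` before the update step lets the cron job skip empty, malformed or non-routable results instead of writing them to the record.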
Supporting Files
| File | Purpose |
|---|---|
| references/reference.md | Cloudflare API reference, authentication methods, record types |
| scripts/cf-dns.sh | DNS record management helper script |
| scripts/cf-settings.sh | Zone settings management helper script |
| examples/examples.md | Example API calls, automation scripts, common patterns |
Expected Outcomes
Success:
- DNS records listed successfully
- New records added and propagate within minutes
- Existing records updated correctly
- Deleted records removed from DNS
- Zone settings applied successfully
- Dynamic DNS updates working
Partial Success:
- Records created but propagation slow (normal, wait 5-10 minutes)
- Settings applied but not effective immediately (cache may need purging)
Failure Indicators:
- Authentication failed (403 errors)
- Zone ID not found
- Record already exists (can't add duplicate)
- Record not found (can't update/delete non-existent)
Requirements
- Cloudflare account with temet.ai domain
- Cloudflare API token or Global API Key
- Zone ID for temet.ai
- curl and jq installed
- .env file with credentials
- Network access to Cloudflare API
Red Flags to Avoid
- Do not use Global API Key if API Token suffices (security best practice)
- Do not commit API credentials to git (use .env)
- Do not delete records without confirmation (irreversible)
- Do not create duplicate records (causes DNS issues)
- Do not enable proxy on internal IPs (192.168.x.x) - won't work
- Do not set TTL < 60 seconds (Cloudflare minimum for free plans)
- Do not purge cache frequently (rate limits apply)
Notes
- DNS propagation typically takes 1-5 minutes globally
- Cloudflare proxied records (orange cloud) hide real IP
- TTL of 1 means "Auto" (Cloudflare manages)
- Free plan limits: 1000 DNS records per zone
- API rate limits: 1200 requests per 5 minutes
- cf-dns.sh and cf-settings.sh scripts located in `scripts/` directory
- Use API Token over Global API Key (better security with scoped permissions)
- Zone settings changes may require cache purge to take effect immediately
- Dynamic DNS useful for home servers with changing IPs
- Cloudflare DNS is authoritative after migration from GoDaddy
- Use domain management system (`manage-domains.sh`) for service subdomains
- Use this skill for one-off DNS operations or non-service records