Cloudflare DNS Helper
Create the DNS records the dashboard route catalog expects for direct hostnames and verified E2EE hostnames.
When to use this
Use this guide when the dashboard route catalog shows Direct Hostname or Verified E2EE Hostname in configure state. The fix is usually a wildcard DNS record that points a hostname family at the NFLTR relay.
Choose the hostname family
| Dashboard link | Server setting | Example DNS name |
|---|---|---|
| Direct Hostname | http.share_domain | *.apps.example.com |
| Verified E2EE Hostname | e2ee.tls_passthrough.base_domain | *.secure.example.com |
Add the Cloudflare record
In Cloudflare DNS, add a wildcard record for the hostname family. Use DNS only for verified E2EE hostnames so Cloudflare does not terminate the TLS session before it reaches the agent.
| Type | Name | Target | Proxy status |
|---|---|---|---|
| CNAME | *.apps | relay.example.com | Proxied or DNS only |
| CNAME | *.secure | relay.example.com | DNS only |
If your relay uses an IP address instead of a hostname, create matching wildcard A or AAAA records.
Configure NFLTR
--http.share_domain=apps.example.com
--e2ee.tls_passthrough.base_domain=secure.example.com
After the server reloads with these values, refresh the dashboard. The route catalog should move the matching hostname row from configure to ready once DNS resolves.
Check from your terminal
dig +short test.apps.example.com
dig +short test.secure.example.com
Both commands should resolve to the relay target. If the verified hostname still fails, confirm the Cloudflare record is DNS only and that the agent was started in verified mode.
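The check above can be scripted. This is an added example, not part of NFLTR or its documentation. It compares the addresses a test hostname resolves to with the addresses of the relay, relying on the fact that a proxied Cloudflare record answers with Cloudflare edge addresses rather than the record's target. The function names and argument order are hypothetical, and the script assumes the relay is a hostname, as in the table above.

```sh
#!/bin/sh
# Added example (not NFLTR tooling). Usage:
#   ./check-dns.sh apps.example.com secure.example.com relay.example.com

# Keep only IP address lines from `dig +short` output; CNAME targets are dropped.
addrs_only() {
  printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|:' | sort -u
}

# classify HOST_ANSWER RELAY_ANSWER -> prints unresolved | relay | mismatch
classify() {
  host_addrs=$(addrs_only "$1")
  relay_addrs=$(addrs_only "$2")
  if [ -z "$host_addrs" ]; then
    echo unresolved                      # wildcard record missing or not yet visible
  elif [ "$host_addrs" = "$relay_addrs" ]; then
    echo relay                           # DNS only: the answer is the relay itself
  else
    echo mismatch                        # proxied record or wrong target
  fi
}

# lookup NAME -> A and AAAA answers in `dig +short` form
lookup() {
  dig +short "$1" A
  dig +short "$1" AAAA
}

# check NAME RELAY REQUIRE_RELAY(yes|no); returns 1 when the result is not acceptable
check() {
  result=$(classify "$(lookup "$1")" "$(lookup "$2")")
  echo "$1: $result"
  [ "$result" = relay ] && return 0
  # A proxied direct hostname legitimately resolves to addresses other than the relay.
  [ "$result" = mismatch ] && [ "$3" = no ] && return 0
  return 1
}

if [ "$#" -eq 3 ]; then
  rc=0
  check "test.$1" "$3" no  || rc=1       # http.share_domain family
  check "test.$2" "$3" yes || rc=1       # e2ee.tls_passthrough.base_domain family
  exit "$rc"
else
  # Constructed answers (documentation address ranges) so the script also runs offline.
  classify "$(printf 'relay.example.com.\n192.0.2.10')" "192.0.2.10"   # DNS only
  classify "198.51.100.7" "192.0.2.10"                                  # not the relay
fi
```

A `mismatch` on the verified E2EE hostname means the name does not resolve to the relay, which is what a record left on Proxied produces.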