[bunker]/domains
guide

Set up Cloudflare DNS with a bunkerdomains domain

Swap nameservers from bunker default to Cloudflare without breaking mail. Validation, gotchas.

shadowdev avatar@shadowdev2026-05-274 min read

Cloudflare gives you fast DNS, DDoS mitigation, and proxy control—without asking who you are or why your domain exists.

TL;DR Add your domain to Cloudflare, copy the two nameservers they assign, paste them into your bunkerdomains dashboard to replace the default NS records, then wait 6–48 hours for propagation. Re-add any MX or TXT records you need after the swap.

Why use Cloudflare with bunkerdomains

You registered through us for privacy. Cloudflare gives you tooling: caching, SSL termination, rate-limiting, analytics. The combination keeps your identity off WHOIS and your origin IP off the internet.

No credit card required at Cloudflare Free tier. They don't care what you host as long as you stay within their ToS—proxy traffic only, no constant video streaming, no malware C2. Read their terms; most legitimate use cases pass.

Add the domain to Cloudflare

  1. Log into dash.cloudflare.com
  2. Click Add a site in the top nav
  3. Enter your domain exactly: example.is
  4. Select Free plan
  5. Cloudflare scans existing DNS records (often finds nothing if you just registered; that's fine)
  6. Click Continue

Cloudflare assigns you two nameservers—something like:

cody.ns.cloudflare.com
reza.ns.cloudflare.com

Copy both. You need them in 30 seconds.

Replace nameservers at bunkerdomains

  1. Log into your bunkerdomains dashboard
  2. Click the domain in your list
  3. Navigate to DNS / Nameservers
  4. Delete the existing NS records (usually ns1.bunkerdomains.com and ns2.bunkerdomains.com)
  5. Add two new NS records:
    • Hostname: @ → Value: cody.ns.cloudflare.com
    • Hostname: @ → Value: reza.ns.cloudflare.com
  6. Save changes

No confirmation email. No ticket. The change submits to the registry within 15 minutes.

Wait for propagation

Global DNS takes 6–48 hours. Most resolvers pick up the change in under 12.

Check status:

dig NS example.is +short

When you see Cloudflare's NS pair in the output, propagation reached your location. Cloudflare dashboard shows a green checkmark when they detect the change.

Rebuild records in Cloudflare

Switching nameservers wipes the authoritative zone. Anything you had—MX for mail, TXT for SPF/DKIM, A records for subdomains—is gone until you re-add it in Cloudflare.

  1. Go to DNS → Records in Cloudflare dashboard
  2. Add your A/AAAA records for @ and www pointing to your origin server
  3. Add MX records if you run mail:
    • Type: MX → Name: @ → Mail server: mail.example.is → Priority: 10
  4. Add TXT for SPF:
    • Type: TXT → Name: @ → Content: v=spf1 mx -all
  5. Add DKIM, DMARC, verification tokens as needed

Toggle the orange cloud icon per record:

  • Orange (proxied): Traffic routes through Cloudflare; hides origin IP, enables caching/WAF
  • Grey (DNS-only): Direct resolution; no proxy, no DDoS mitigation

Use grey cloud for MX records—Cloudflare doesn't proxy SMTP. Use orange for HTTP/HTTPS subdomains you want to protect.

Common mistakes

MistakeConsequenceFix
Forget to copy MX before NS swapEmail stops delivering; no bounces, silent dropCheck old NS records in bunkerdomains dashboard before you change them; screenshot or save to text file
Leave DNSSEC enabled at registryValidation fails after NS change; domain unreachableDisable DNSSEC in bunkerdomains dashboard before swapping NS, or rotate DS records immediately after
Proxy MX records (orange cloud)Mail servers can't connect; delivery failsSet MX to grey cloud (DNS-only) in Cloudflare

DNSSEC rotation (if you need it)

Most setups skip DNSSEC. If you enabled it at bunkerdomains and want to keep it under Cloudflare:

  1. Go to DNS → Settings in Cloudflare, enable DNSSEC
  2. Cloudflare displays DS record values (Key Tag, Algorithm, Digest Type, Digest)
  3. Copy all four fields
  4. Return to bunkerdomains dashboard → DNS / DNSSEC
  5. Delete old DS records
  6. Add new DS record with Cloudflare's values
  7. Save

Registry propagates DS in 1–6 hours. Until then, validators may fail. Accept the brief window or disable DNSSEC entirely.

Verify the setup

# Confirm NS delegation
dig NS example.is +short
 
# Confirm A record resolves through Cloudflare
dig A example.is +short
 
# Check MX if you added mail
dig MX example.is +short

Visit https://example.is in a browser. If you see your site (or Cloudflare's "Welcome" page if you haven't pointed A records yet), DNS works.

Check Cloudflare Analytics → Traffic after a few hours. If you see requests, the proxy is active.

Done

You kept bunkerdomains for anonymous registration and Cloudflare for tooling—no handshake, no shared metadata. The combination works because neither provider requires the other's data to function.

shadowdev avatar

@shadowdev

Anonymous engineer

Has shipped infrastructure for adult creators, crypto exchanges, and a few projects that no longer exist. Knows the registrar landscape inside out.

ShareMastodonXRedditHacker News

Pages that go deeper

Pre-written deep dives matching the topics this guide touches on.

All guides