Some clients want their DNS managed somewhere else. They might already have an account with a DNS provider their team knows, they might want a single dashboard for many domains across many registrars, or they might want features that go beyond DNS (a CDN, a bot-mitigation layer, a serverless edge runtime).

External DNS is the answer. Set the nameservers at the registry to the third party’s, and the domain answers from their infrastructure. The registration stays at Noxity; only the DNS moves.

For most cases we recommend Cloudflare. Three reasons it’s our default suggestion:
  • The free tier covers more than DNS. Anycast DNS hosting is included, plus a CDN, basic DDoS mitigation, and TLS at the edge — all on the same plan.
  • Orange-cloud mode routes traffic through Cloudflare’s edge so visitors hit a server geographically near them, not your origin every time.
  • Free Origin Certificates give you a long-lived TLS cert that’s valid between Cloudflare’s edge and your origin server. Fits the way Noxity hosting plans serve traffic.

Cloudflare basics

A short tour. The full Cloudflare docs cover each feature in depth; this section gives you the shape.

Adding the domain

  1. Sign up at cloudflare.com and add the domain to your account.
  2. Cloudflare scans the existing DNS at the registrar and imports any records it finds. Review the imported list before continuing.
  3. Cloudflare gives you two nameserver hostnames (e.g. kim.ns.cloudflare.com, walt.ns.cloudflare.com).
  4. In the Noxity domain panel, switch the nameservers to those two hostnames. The change propagates once the TTL on the previous nameservers’ records has expired.
  5. Cloudflare’s dashboard goes from “Pending” to “Active” once it sees the new nameservers in the public DNS.

DNS records

Manage A, AAAA, CNAME, MX, TXT, SRV, and CAA records from the DNS tab in Cloudflare. Their UI is broadly the same as any zone editor: type, host, value, TTL, optional priority for MX/SRV. The TTL setting includes an “Auto” option that lets Cloudflare manage the cache lifetime. Pick a fixed TTL only if you have a specific reason; Auto handles the common cases well.

The orange cloud (proxy mode)

Each DNS record has a toggle that flips between DNS only (grey cloud) and Proxied (orange cloud).
  • Grey cloud (DNS only). Cloudflare resolves the record, returns the origin’s IP, and steps out of the way. The origin sees the visitor directly.
  • Orange cloud (Proxied). Cloudflare returns one of its own edge IPs, terminates the TCP/TLS connection at the edge, and proxies the request to your origin. Cloudflare can cache, modify, or block requests at this layer.
Orange cloud is what makes the rest of Cloudflare’s product surface work: caching, page rules, the WAF, edge workers. Most A/AAAA/CNAME records you add for a website should be orange-clouded. A few records have to stay grey: SMTP/IMAP for mail (Cloudflare doesn’t proxy mail traffic), explicit “direct origin” hostnames (direct.example.com), and any non-HTTP service.
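
The grey/orange rules above can be checked mechanically. The following is an added example, not part of the original page or Cloudflare's tooling: it audits a constructed record list, whose field names and mail-label convention are assumptions, for mail hostnames that were proxied by mistake and for grey records that publish the same IP a proxied record keeps behind the edge.

```python
# Constructed sample zone export. The field names (type, name, content,
# proxied) are an assumed export shape, not taken from the page.
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mx1.example.com", "proxied": False},
    {"type": "A", "name": "mx1.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "imap.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "A", "name": "direct.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "status.example.com", "content": "198.51.100.7", "proxied": False},
]

MAIL_LABELS = {"mail", "smtp", "imap", "pop"}  # assumed naming convention


def _host(value):
    return value.rstrip(".").lower()


def audit_proxy_modes(records):
    """Return (proxied_mail, origin_in_public_dns) as sorted hostname lists."""
    mx_targets = {_host(r["content"]) for r in records if r["type"] == "MX"}
    # Origin IPs that at least one orange-cloud record keeps behind the edge.
    hidden_ips = {r["content"] for r in records
                  if r["type"] in ("A", "AAAA") and r["proxied"]}
    proxied_mail, origin_in_public_dns = set(), set()
    for r in records:
        if r["type"] not in ("A", "AAAA", "CNAME"):
            continue
        name = _host(r["name"])
        is_mail = name in mx_targets or name.split(".")[0] in MAIL_LABELS
        if r["proxied"] and is_mail:
            # Mail traffic is not proxied, so this hostname has to be grey.
            proxied_mail.add(name)
        if not r["proxied"] and r["content"] in hidden_ips:
            # A grey record answers with the same IP a proxied record hides.
            origin_in_public_dns.add(name)
    return sorted(proxied_mail), sorted(origin_in_public_dns)


if __name__ == "__main__":
    mail, exposed = audit_proxy_modes(RECORDS)
    print("proxied but mail-related:", mail)
    print("grey records publishing a proxied origin IP:", exposed)
```

The second list is not necessarily an error: a mail host or direct.example.com has to stay grey, and the audit only makes sure that publishing the origin IP there is a deliberate choice.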

Caching

When orange cloud is on, Cloudflare caches static assets at its edge by default. Their cache rules ship with sensible defaults: images, CSS, JS, and fonts are cached at the edge; HTML is not cached by default. Two knobs to know:
  • Cache rules in the Caching section let you override what’s cached and for how long. Useful when you want to cache HTML for static-rendered sites or short-cache an API.
  • Purge (everything, or by URL) drops the cache when you’ve shipped a change. Keep this in your deploy pipeline so visitors don’t see stale assets.

Origin certificates for SSL

Once orange cloud is on, browsers connect to Cloudflare over a Cloudflare-managed cert (the visible one, valid for the domain). Between Cloudflare and your origin server, Cloudflare needs to verify a separate cert: the origin certificate.

Free origin certificates are a Cloudflare feature: long-lived (15 years), valid only between Cloudflare’s edge and your origin, signed by a Cloudflare-managed CA. Public clients won’t accept them, but Cloudflare will.

The setup flow in Cloudflare’s dashboard:
  1. SSL/TLS → Origin Server → Create Certificate.
  2. Pick the hostnames the cert should cover. Wildcard *.example.com plus apex example.com is the common combination.
  3. Cloudflare generates the cert and private key. Copy both before closing the page; the private key is only shown once.
  4. Install the cert + key on the origin (cPanel SSL/TLS for Noxity hosting; nginx, Apache, Caddy for self-hosted).
  5. Set the SSL/TLS encryption mode in Cloudflare to Full (strict), which requires the origin to present a valid cert.
For step-by-step installation on a Noxity hosting plan, see Install a Cloudflare origin certificate.
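
Before switching to Full (strict), it helps to confirm that the certificate from step 2 covers every hostname you proxy. The following is an added example, not part of the original page: it parses a constructed subjectAltName listing and applies standard TLS wildcard matching (assumed here to be the rule that decides coverage) to a constructed hostname list.

```python
import re

# Constructed sample, in the text format printed by
#   openssl x509 -in origin.pem -noout -ext subjectAltName
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""

# Constructed list of hostnames that are orange-clouded in the zone.
PROXIED_HOSTS = ["example.com", "www.example.com",
                 "api.staging.example.com", "shop.example.net"]


def parse_sans(text):
    """Extract the DNS names from an openssl subjectAltName listing."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", text)]


def covers(san, host):
    """True if one certificate name matches the hostname."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label: it matches
    # www.example.com, but not example.com or a.b.example.com.
    first_label, _, parent = host.partition(".")
    return bool(first_label) and parent == san[2:]


def uncovered(sans, hosts):
    """Hostnames that no name on the certificate matches."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]


if __name__ == "__main__":
    for host in uncovered(parse_sans(SAN_TEXT), PROXIED_HOSTS):
        print("origin certificate does not cover:", host)
```

The wildcard alone leaves the apex uncovered, which is why the wildcard plus apex pair is the common combination; multi-level names such as api.staging.example.com need their own entry.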

When external DNS is right

  • You want a CDN, a WAF, or edge compute alongside DNS.
  • You manage many domains in one place and Noxity is one of several registrars.
  • Your team already knows a particular provider’s UI and tooling.

When in-house is simpler

  • The domain serves one site on a single hosting plan.
  • You don’t need a CDN.
  • You’d rather have one panel for everything.
For that path, see In-house DNS (hosting plan) or Free NS (standalone).
