Moving a domain's DNS from the registrar to Cloudflare — and turning the whole site HTTPS on the way
One of the group’s .com.tw domains had its DNS hosted on the local registrar’s “self-managed DNS” panel, and its website ran bare HTTP — in 2026, with the browser flagging “Not secure”. Moving the DNS to Cloudflare solved DNS management and HTTPS in one pass.
Why move
- The registrar panel is limited (fixed number of records, no API, no proxy/CDN);
- The origin server couldn’t easily do HTTPS itself — while Cloudflare’s edge certificates give visitors HTTPS without touching the origin;
- The group’s other domains already live on Cloudflare; one panel fewer.
The migration
- Add the site in Cloudflare (free plan suffices). Cloudflare auto-scans existing DNS records — verify every line against the registrar panel (auto-scan misses records, especially TXT and rarely-used subdomains; sloppiness here breaks mail verification/SPF after the move);
- Change nameservers at the registrar: replace the NS entries with the two Cloudflare assigns. That’s exactly what the registrar’s “self-managed DNS” page is for;
- Wait for NS propagation (TTL-dependent, minutes to hours) until the zone shows active;
- Turn on HTTPS: SSL/TLS → Edge Certificates:

One toggle (actual screenshot): every http request gets a 301 to https
- Always Use HTTPS on — all HTTP 301s to HTTPS;
- Pick the encryption mode by origin capability (Flexible if the origin has no cert, Full with a self-signed one, aiming for Full (strict));
- Consider HSTS only after everything runs stable (it’s hard to walk back — confirm every subdomain serves HTTPS first).
The two classic failure points
- Mail records: MX and the SPF/DKIM/DMARC TXT records must move complete — and never enable the orange-cloud proxy on hostnames MX points to (the proxy only carries HTTP; proxied MX kills mail);
- The propagation overlap: during NS switchover both DNS providers may be queried. Make both record sets identical before switching NS, and the “switchover window” ceases to exist.
Lessons
- DNS migration risk isn’t the switch — it’s the omissions. Copy the full record list line by line and verify before touching NS;
- For legacy sites whose origin can’t change, Cloudflare edge HTTPS is the value king: zero code changes, and visitors get full encryption plus the padlock;
- Screenshot the registrar’s old DNS records before leaving — if you ever need to roll back, that screenshot is the only floor you have.