Papa Labs

Moving a domain's DNS from the registrar to Cloudflare — and turning the whole site HTTPS on the way

One of the group’s .com.tw domains had its DNS hosted on the local registrar’s “self-managed DNS” panel, and its website ran bare HTTP — in 2026, with the browser flagging “Not secure”. Moving the DNS to Cloudflare solved DNS management and HTTPS in one pass.

Why move

  • The registrar panel is limited (fixed number of records, no API, no proxy/CDN);
  • The origin server couldn’t easily do HTTPS itself — while Cloudflare’s edge certificates give visitors HTTPS without touching the origin;
  • The group’s other domains already live on Cloudflare; one panel fewer.

The migration

  1. Add the site in Cloudflare (free plan suffices). Cloudflare auto-scans existing DNS records — verify every line against the registrar panel (auto-scan misses records, especially TXT and rarely-used subdomains; sloppiness here breaks mail verification/SPF after the move);
  2. Change nameservers at the registrar: replace the NS entries with the two Cloudflare assigns. That’s exactly what the registrar’s “self-managed DNS” page is for;
  3. Wait for NS propagation (TTL-dependent, minutes to hours) until the zone shows active;
  4. Turn on HTTPS: SSL/TLS → Edge Certificates:

Cloudflare's Always Use HTTPS toggle

One toggle (actual screenshot): every http request gets a 301 to https

  • Always Use HTTPS on — all HTTP 301s to HTTPS;
  • Pick the encryption mode by origin capability (Flexible if the origin has no cert, Full with a self-signed one, aiming for Full (strict));
  • Consider HSTS only after everything runs stable (it’s hard to walk back — confirm every subdomain serves HTTPS first).

The two classic failure points

  1. Mail records: MX and the SPF/DKIM/DMARC TXT records must move complete — and never enable the orange-cloud proxy on hostnames MX points to (the proxy only carries HTTP; proxied MX kills mail);
  2. The propagation overlap: during NS switchover both DNS providers may be queried. Make both record sets identical before switching NS, and the “switchover window” ceases to exist.

Lessons

  1. DNS migration risk isn’t the switch — it’s the omissions. Copy the full record list line by line and verify before touching NS;
  2. For legacy sites whose origin can’t change, Cloudflare edge HTTPS is the value king: zero code changes, and visitors get full encryption plus the padlock;
  3. Screenshot the registrar’s old DNS records before leaving — if you ever need to roll back, that screenshot is the only floor you have.
← All posts