Cloudflare DNS Configuration (DNS Only Mode)

Overview

Mode: DNS Only (Grey Cloud)
Custom Domain: medullalabs.io
Hosting: GitHub Pages
Certificate: GitHub Pages (Let’s Encrypt)

DNS Records Configuration

Required DNS Records

In your Cloudflare dashboard (DNS section), configure these records:

1. A Records for Apex Domain (medullalabs.io)

Add four A records pointing to GitHub Pages IP addresses:

Type: A
Name: @
IPv4 address: 185.199.108.153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: A
Name: @
IPv4 address: 185.199.109.153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: A
Name: @
IPv4 address: 185.199.110.153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: A
Name: @
IPv4 address: 185.199.111.153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Why four IPs? GitHub Pages uses multiple IPs for redundancy and load balancing.

2. CNAME Record for WWW Subdomain

Type: CNAME
Name: www
Target: medullalabs.github.io
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Status: ✅ This is already correctly configured based on our earlier check.

AAAA Records for IPv6 Support

Add these for IPv6 support:

Type: AAAA
Name: @
IPv6 address: 2606:50c0:8000::153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: AAAA
Name: @
IPv6 address: 2606:50c0:8001::153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: AAAA
Name: @
IPv6 address: 2606:50c0:8002::153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Type: AAAA
Name: @
IPv6 address: 2606:50c0:8003::153
Proxy status: DNS only (grey cloud ☁️)
TTL: Auto

Cloudflare Settings for DNS Only Mode

SSL/TLS Settings

Since you’re using DNS only mode, Cloudflare is not proxying traffic. These settings don’t affect your site, but here’s the recommended configuration:

Path: SSL/TLS tab in Cloudflare dashboard

Encryption mode: Full (strict)

Note: This doesn’t actually apply in DNS-only mode, but it’s good to have configured if you ever switch to proxied mode.

Other SSL settings:

DNS Settings

Path: DNS → Settings

DNSSEC: Enabled (recommended for security)

Page Rules (Optional)

You can create a page rule to redirect www to non-www (or vice versa):

Option 1: Redirect www to apex

URL: www.medullalabs.io/*
Setting: Forwarding URL
Status Code: 301 - Permanent Redirect
Destination URL: https://medullalabs.io/$1

Option 2: Redirect apex to www

URL: medullalabs.io/*
Setting: Forwarding URL
Status Code: 301 - Permanent Redirect
Destination URL: https://www.medullalabs.io/$1

Recommendation: Redirect www to apex (medullalabs.io) since that’s what’s in your CNAME file.

Visual Guide: DNS Only (Grey Cloud)

When viewing your DNS records in Cloudflare, each record should show:

Type    Name    Content                  Proxy status    TTL
─────────────────────────────────────────────────────────────
A       @       185.199.108.153          ☁️ DNS only     Auto
A       @       185.199.109.153          ☁️ DNS only     Auto
A       @       185.199.110.153          ☁️ DNS only     Auto
A       @       185.199.111.153          ☁️ DNS only     Auto
CNAME   www     medullalabs.github.io    ☁️ DNS only     Auto

Important: The cloud icon should be GREY (☁️), not orange (🟠).

What DNS Only Mode Means

How Traffic Flows

User Browser
    ↓
Cloudflare DNS (resolves to GitHub IPs)
    ↓
GitHub Pages Servers (185.199.108-111.153)
    ↓
Your Website (medullalabs.io)

What You Get

✅ DNS resolution through Cloudflare (fast, reliable)
✅ DNSSEC support (if enabled)
✅ GitHub Pages SSL (Let’s Encrypt certificate)
✅ GitHub Pages CDN (GitHub’s edge network)

What You Don’t Get

❌ Cloudflare CDN/caching
❌ Cloudflare DDoS protection
❌ Cloudflare SSL certificate (using GitHub’s instead)
❌ Cloudflare security features (WAF, bot protection)

Why choose DNS only?

GitHub Pages Configuration

After DNS is configured, ensure GitHub recognizes your domain:

  1. Go to: Repository Settings → Pages
  2. Custom domain: Should show medullalabs.io
  3. DNS check: Should show “DNS check successful” ✅
  4. HTTPS: Should show “Enforce HTTPS” checkbox (check it after cert provisions)

Wait for certificate: GitHub will automatically provision a Let’s Encrypt certificate (10-60 minutes after DNS propagates).

Verification Steps

1. Check DNS Propagation

# Check A records
dig medullalabs.io +short

# Should return GitHub Pages IPs:
# 185.199.108.153
# 185.199.109.153
# 185.199.110.153
# 185.199.111.153

# Check CNAME for www
dig www.medullalabs.io +short

# Should return:
# medullalabs.github.io.
# 185.199.108.153
# 185.199.109.153
# 185.199.110.153
# 185.199.111.153

2. Check HTTPS Certificate

Wait 10-60 minutes after DNS propagates, then:

# Check certificate
curl -vI https://medullalabs.io 2>&1 | grep -A 5 "Server certificate"

# Should show:
# - Issuer: Let's Encrypt
# - Subject: medullalabs.io
# - Valid from/to dates

3. Test Website Access

# Test apex domain
curl -I https://medullalabs.io

# Should return: HTTP/2 200

# Test www subdomain
curl -I https://www.medullalabs.io

# Should return: HTTP/2 200 or 301 redirect
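The DNS check from step 1 can be scripted so that drift is reported instead of eyeballed. This is an added example, not part of the original guide; the function and variable names are illustrative, and the expected addresses are the ones listed on this page. An unexpected address usually means a record was switched to proxied (orange cloud) or a stale record was left behind.

```shell
# Added example: names below are illustrative, not from the original guide.
# Expected GitHub Pages addresses, as listed on this page.
EXPECTED_A="185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153"
EXPECTED_AAAA="2606:50c0:8000::153 2606:50c0:8001::153 2606:50c0:8002::153 2606:50c0:8003::153"

# compare_records "<expected, space separated>" "<dig +short output>"
# Prints "ok" or "missing:<list> unexpected:<list>"; returns 0 only on an exact match.
# CNAME target lines (they end in a dot) are dropped, so www output works too.
compare_records() {
  expected=$(printf '%s\n' $1 | sort -u)
  actual=$(printf '%s\n' "$2" | tr -d '\r' | sed -e '/^$/d' -e '/\.$/d' | sort -u)
  missing=""; unexpected=""
  for ip in $expected; do
    printf '%s\n' "$actual" | grep -Fxq -- "$ip" || missing="${missing:+$missing,}$ip"
  done
  for ip in $actual; do
    printf '%s\n' "$expected" | grep -Fxq -- "$ip" || unexpected="${unexpected:+$unexpected,}$ip"
  done
  if [ -z "$missing" ] && [ -z "$unexpected" ]; then
    echo "ok"; return 0
  fi
  echo "missing:${missing:-none} unexpected:${unexpected:-none}"
  return 1
}

# verify_apex <domain>: live check of both record types (requires dig).
verify_apex() {
  rc=0
  printf 'A:    '; compare_records "$EXPECTED_A" "$(dig +short A "$1")" || rc=1
  printf 'AAAA: '; compare_records "$EXPECTED_AAAA" "$(dig +short AAAA "$1")" || rc=1
  return $rc
}
```

Run `verify_apex medullalabs.io` after changing records; a non-zero exit status means the published set differs from the expected one.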

Troubleshooting

Issue: DNS not resolving

Check:

  1. DNS records are correctly configured in Cloudflare
  2. Records are set to “DNS only” (grey cloud)
  3. Wait for TTL to expire (usually 5 minutes)
  4. Clear local DNS cache

Fix:

# Flush DNS cache (macOS)
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Flush DNS cache (Windows)
ipconfig /flushdns

# Flush DNS cache (Linux, systemd-resolved)
# Older releases use: sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches

Issue: Certificate not provisioning

Symptoms: “Your connection is not private” error

Common causes:

  1. CNAME file missing from repository (✅ Already added)
  2. DNS not fully propagated yet
  3. GitHub hasn’t finished certificate provisioning
  4. CAA DNS record blocking Let’s Encrypt

Fix:

  1. Verify CNAME file exists in repo root
  2. Wait 24 hours for full propagation
  3. Remove and re-add custom domain in GitHub Pages settings
  4. Check for CAA records:
    dig medullalabs.io CAA +short

    If CAA records exist and don’t include Let’s Encrypt, remove them.
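To decide whether the CAA output actually blocks Let’s Encrypt, the records can be evaluated instead of read by eye. This is an added example, not part of the original guide; the function name is illustrative, and it assumes the `dig +short` line format (`flags tag "value"`) and evaluates only the records passed in, without the parent-domain or CNAME lookups a CA performs.

```shell
# Added example: caa_allows_ca is an illustrative name, not from the guide.
# caa_allows_ca "<CA identifier>" "<dig CAA +short output>"
# Returns 0 if that CA may issue a non-wildcard certificate, 1 otherwise.
caa_allows_ca() {
  ca=$1
  # Only "issue" properties restrict non-wildcard issuance;
  # iodef and issuewild lines are ignored for this decision.
  issue_lines=$(printf '%s\n' "$2" | awk 'tolower($2) == "issue"')

  # No issue property at all (no CAA records, or only iodef/issuewild):
  # issuance is unrestricted.
  if [ -z "$issue_lines" ]; then
    return 0
  fi

  # The value is quoted and may carry parameters after ';',
  # e.g. "letsencrypt.org; validationmethods=dns-01".
  # A bare ";" value names no CA and therefore forbids all issuance.
  printf '%s\n' "$issue_lines" | awk -v ca="$ca" '
    {
      v = $0
      sub(/^[^"]*"/, "", v)    # drop flags, tag and opening quote
      sub(/".*$/, "", v)       # drop closing quote and anything after
      sub(/;.*$/, "", v)       # drop parameters
      gsub(/[ \t]/, "", v)
      if (tolower(v) == ca) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# check_letsencrypt <domain>: live check (requires dig).
check_letsencrypt() {
  if caa_allows_ca "letsencrypt.org" "$(dig +short CAA "$1")"; then
    echo "CAA permits letsencrypt.org"
  else
    echo "CAA blocks letsencrypt.org"; return 1
  fi
}
```

When the check fails, adding a `0 issue "letsencrypt.org"` record next to the existing ones also unblocks issuance while keeping the restriction on other CAs.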

Issue: Mixed content warnings

Symptom: Site loads but browser shows “Not Secure”

Cause: Loading HTTP resources on HTTPS page

Fix: Ensure all assets use HTTPS or protocol-relative URLs in your HTML/CSS

Issue: Redirect loop

Symptom: Browser shows “Too many redirects”

Cause: Conflicting redirect rules

Fix:

  1. Check Cloudflare Page Rules (remove conflicting rules)
  2. Ensure only one redirect direction (www → apex or apex → www)
  3. Don’t redirect in both Cloudflare and GitHub Pages

Current Status

Based on our checks:

✅ A records: Pointing to GitHub Pages IPs
✅ www CNAME: Correctly pointing to medullalabs.github.io
✅ CNAME file: Added to repository
✅ Repository: Committed and pushed

Waiting for: GitHub to provision SSL certificate (10-60 minutes)

Next Steps

  1. Verify DNS in Cloudflare - Ensure grey cloud on all records
  2. Wait for certificate - Give GitHub 30-60 minutes to provision Let’s Encrypt cert
  3. Check GitHub Pages settings - Verify “Enforce HTTPS” can be enabled
  4. Test both domains - Ensure both medullalabs.io and www.medullalabs.io work with HTTPS

When to Switch to Proxied Mode (Orange Cloud)

Consider switching to proxied mode if you need:

To switch: Just click the cloud icon next to each DNS record to turn it orange.

Note: If you switch to proxied mode, change SSL/TLS encryption to “Full (strict)”.
