Migrate from Cloudflare to aigw, zero downtime
Five steps. The Cloudflare-specific catch is proxy ("orange cloud") records. Read step 0 first.
Step 0: Audit what Cloudflare is doing for you beyond DNS
If your Cloudflare zone has any record with the orange cloud (proxy enabled), Cloudflare is more than a DNS provider for that record. They're terminating TLS, applying WAF rules, caching, and possibly routing through Workers. Authoritative DNS only points at IPs and hostnames; it cannot replace those features.
Before migrating, decide for each proxied record:
- Switch it to "DNS only" (grey cloud) on Cloudflare first and see if anything breaks. If your origin has its own TLS and rate-limiting, you're probably fine.
- Or keep that record's traffic flowing through Cloudflare proxy: don't migrate that hostname's DNS to aigw, leave it pointing at Cloudflare's CNAME target.
- Or replace Cloudflare's WAF / cache with something else (Bunny CDN, Fastly, your own nginx, etc.) before migrating.
Step 1: Confirm your NS TTL (T-2 days)
Cloudflare's free plan publishes apex NS records with a TTL of 1 day (86400s). That's the window you have to ride out after switching delegation. Cloudflare doesn't expose the apex NS TTL for editing on the free plan, so you can't pre-cut it. Plan to leave both zones in place for at least 24h after the cutover.
On Cloudflare Enterprise you can change NS TTL via API. If you're on Enterprise, drop it to 300s now and check back in 24h.
Step 2: Export records and build the parallel zone in aigw
On Cloudflare: dashboard → your zone → DNS → Records → "Export". You get a BIND-format zonefile.
In aigw: console.aigw.app → New zone → paste the BIND file or recreate records by hand. Skip the apex NS records: aigw auto-publishes ns1.aigw.app + ns2.aigw.app.
For each previously-proxied record, set the aigw A/AAAA to the origin IP you decided in step 0. If you're keeping Cloudflare proxy for some hostnames, leave those out of the aigw zone entirely (don't create competing records).
Step 3: Verify both providers agree
Ask each authoritative directly and compare:
    # Cloudflare (use your assigned nameservers, e.g. dale.ns.cloudflare.com)
    dig @dale.ns.cloudflare.com www.example.com A
    # aigw
    dig @ns1.aigw.app www.example.com A
Answers should match for every record you intend to serve from aigw. For records you're leaving proxied through Cloudflare, the Cloudflare answer will be a Cloudflare anycast IP; that's expected.
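The step 3 comparison run over a list of records, as an added example rather than aigw or Cloudflare tooling. It assumes dig is installed; the function names and the "name type" input format are made up for this example, and dale.ns.cloudflare.com stands in for your assigned Cloudflare nameserver.

```shell
#!/bin/sh
# Added example, not aigw or Cloudflare tooling. Replace OLD_NS with the
# Cloudflare nameserver assigned to your zone.
OLD_NS="${OLD_NS:-dale.ns.cloudflare.com}"
NEW_NS="${NEW_NS:-ns1.aigw.app}"

# Ask one authoritative server directly (no recursion) and normalize the RRset:
# drop dig's ";;" error lines, lowercase, and sort, so that round-robin ordering
# or a timeout message never looks like a real answer.
auth_answer() {  # auth_answer <server> <name> <type>
    dig +norecurse +short "@$1" "$2" "$3" </dev/null |
        sed '/^;/d' | tr '[:upper:]' '[:lower:]' | sort
}

# Compare one record on both providers.
# Returns 0 = match, 1 = answers differ, 2 = new provider returned nothing.
compare_record() {  # compare_record <name> <type>
    old=$(auth_answer "$OLD_NS" "$1" "$2")
    new=$(auth_answer "$NEW_NS" "$1" "$2")
    if [ -z "$new" ]; then
        echo "MISSING  $1 $2 (no answer from $NEW_NS)"
        return 2
    fi
    if [ "$old" = "$new" ]; then
        echo "OK       $1 $2"
        return 0
    fi
    echo "MISMATCH $1 $2"
    # Unquoted expansion joins a multi-line RRset onto one line for display.
    echo "  $OLD_NS:" $old
    echo "  $NEW_NS:" $new
    return 1
}

# Read "name type" pairs from stdin (blank lines and # comments skipped).
# Sets $failures and returns non-zero if any record failed.
compare_zone() {
    failures=0
    while read -r name type; do
        case "$name" in '' | '#'*) continue ;; esac
        compare_record "$name" "$type" || failures=$((failures + 1))
    done
    echo "$failures record(s) need attention"
    [ "$failures" -eq 0 ]
}
```

Source the file, then run compare_zone < records.txt, listing only the records you intend to serve from aigw.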
Step 4: Flip the registrar
Important: if your domain was registered with Cloudflare Registrar, you cannot move nameservers away from Cloudflare without first transferring the domain to a different registrar. Cloudflare Registrar locks the NS records to Cloudflare's.
If your domain is on Cloudflare Registrar and you want to move just DNS: transfer the domain to Namecheap / Porkbun / IONOS first (takes 5–7 days; comes with a free 1-year extension). After transfer, change the NS records at the new registrar to:
    ns1.aigw.app
    ns2.aigw.app
If your domain is at a third-party registrar, just change the NS records there. Cloudflare's zone stops getting queried within 24–48h.
Step 5: Monitor + decommission
Watch the aigw workspace overview. Within an hour you should see query volume from real resolvers landing on your zone. The zone status flips to Active on first real query.
Leave the Cloudflare zone in place for at least 24h after the cutover; it's a free hedge in case anything goes wrong. After 48h of zero meaningful traffic to Cloudflare for that zone, you can remove it.
Questions or stuck?
Email hello@aigw.app with your domain and which step you're on. Usually responds within a day, often within an hour.