Part 2 covered what Cloudflare actually is beneath the marketing: a network that sits between your visitors and your infrastructure, handling traffic at a scale most hosting companies can't touch. That foundation matters here, because Part 3 is where things get concrete. You're registering a domain. You're deciding where it lives and who controls it. And that decision has financial and security consequences that follow you for years.
Most people pick a registrar the same way they pick a gas station. Whichever one shows up first, whichever one has the lowest number on the sign. That's understandable. The industry has spent decades making sure you don't look too closely at what happens after you click "add to cart."
This part breaks down exactly how Cloudflare's registrar works, why the pricing model is structurally unusual, and what security features you should configure the moment a domain lands in your account. Domain lock, DNSSEC, two-factor authentication: these aren't advanced topics reserved for security professionals. They're the baseline. By the end of this article, you'll know where each setting lives, what it does, and why skipping any of them is a mistake you'll regret at the worst possible time.
The Domain Registrar Racket (And Why It Exists)
How Traditional Registrars Make Money
The domain registration business looks competitive on the surface. Dozens of registrars. Prices advertised in bold on every landing page. Comparison sites that rank them by cost. The whole thing feels like a functioning market where consumers win.
It isn't.
The business model is built on acquisition pricing, not honest pricing. A registrar can offer a .com for $1.99 in year one because they're not trying to make money on year one. They're buying your inertia. Switching registrars requires time, attention, and a non-trivial amount of DNS configuration knowledge. Most people don't do it. Most people renew, automatically, at whatever price the registrar decides to charge in year two. That price is rarely $1.99.
The upsells compound the problem. WHOIS privacy protection, which masks your personal contact information from public domain lookup databases, is free at several registrars and free at every registry that supports it natively. Traditional registrars charge $10 to $15 per year for it anyway, bundled into checkout flows designed to make declining feel risky. SSL certificates, email hosting, "premium DNS": all of it layered onto a transaction that should cost about eight dollars.
The Renewal Trap: Low Intro, High Renewal
The math is straightforward once you see it. A user registers a .com at $1.99. They set up email, build a site, maybe print business cards. Twelve months later, an auto-renewal charge hits their card for $19.99. They notice, they're annoyed, and then they do nothing because migrating a domain mid-project feels like exactly the kind of task that can wait until next year. Next year arrives. The charge hits again.
WHOIS privacy gets added at checkout because the flow is designed to make it feel mandatory. It isn't. The General Data Protection Regulation and ICANN's 2018 Temporary Specification changed how registrar contact data is displayed publicly, and many registries now redact personal data by default. The paid privacy add-on is largely a holdover that persists because it still converts.
This is the context you need to understand why Cloudflare's approach stands out. It's not that Cloudflare is generous. It's that their business model doesn't depend on domain registration revenue, which means they have no structural incentive to inflate renewal prices or upsell products you don't need.
What 'At-Cost' Registration Actually Means
ICANN Fees and Registry Wholesale Pricing
Every domain registration flows through a specific chain. At the top sits ICANN, the nonprofit that coordinates the global domain name system. Below ICANN are registries: organizations that operate specific top-level domains. Verisign runs .com and .net. The Public Interest Registry runs .org. Each registry sets a wholesale price for registrations and renewals within their TLD, and that price is what accredited registrars pay.
ICANN itself charges a small per-domain fee, currently $0.18, that every registrar passes along. The wholesale .com price set by Verisign is currently around $9.59 per year. That's the floor. Every registrar pays it. What they charge you on top of it is their margin.
Cloudflare charges exactly the wholesale price plus the ICANN fee. No markup. No margin. No upsell layer on top. WHOIS privacy is included at no additional cost for all supported TLDs, because Cloudflare has no financial reason to charge for it separately.
How Cloudflare Passes Costs Directly to Users
The practical difference shows up clearly in a direct comparison. A .com renewal at GoDaddy runs $21.99 per year without a promo code. Namecheap lands around $13.98. Cloudflare comes in at approximately $9.77, which is the Verisign wholesale rate plus the ICANN fee, rounded to current figures.
That gap compounds. Over five years on a single domain, the difference between Cloudflare and a traditional registrar can exceed $60. For someone managing ten domains, the math becomes genuinely significant.
What 'At-Cost' Doesn't Cover
Cloudflare's at-cost model applies to standard domain registration and renewal. Premium domains, which are short or high-value names sold by registries at elevated prices, still carry those elevated registry prices. Cloudflare passes those through without additional markup, but the base cost can be substantially higher than a standard registration.
The other advantage is predictability. The renewal price equals the registration price. There are no promotional rates that expire, no loyalty discounts that require a phone call to apply, no surprise invoices. What you pay in year one is what you'll pay in year five.
Renewal Transparency: No Surprises, Ever
How Cloudflare Displays Renewal Pricing Upfront
Before you complete a domain registration in the Cloudflare dashboard, the renewal price is displayed on the same screen as the registration price. Not in a tooltip. Not in a footnote linked from a footnote. On the page, in the same font size, before you enter payment information.
This is unusual. Most registrars show you the first-year price prominently and bury the renewal rate somewhere in the checkout flow or, more often, nowhere at all until the renewal invoice arrives.
The transparency extends to the domain management dashboard. Under Account Home > Registrar, each domain in your account shows its expiration date, its auto-renewal status, and its renewal price. Nothing is hidden. Nothing requires a support ticket to find.
Auto-Renewal Settings and Expiration Notifications
Auto-renewal is enabled by default for all Cloudflare-registered domains, which is the right default. A domain that expires because you forgot to renew it can be catastrophically expensive to recover, if it's recoverable at all. Squatters watch expiration queues.
You can disable auto-renewal from the domain's management page if you have a specific reason to do so, but think carefully before turning it off. If you do disable it, Cloudflare sends expiration reminder emails at 60 days, 30 days, 7 days, and 1 day before expiration. That's a reasonable safety net, but auto-renewal is a better one.
The renewal charge processes approximately 30 days before the expiration date, giving you time to address any payment failures before the domain actually lapses. No other action is required on your part when auto-renewal is active.
Domain Lock: Protecting Against Unauthorized Transfers
What Domain Lock Is and Why It Matters
Domain lock, also called registrar lock or transfer lock, is a setting that prevents a domain from being transferred to another registrar without explicit action from the account holder. When lock is enabled, any transfer request submitted to the receiving registrar is automatically rejected at the registry level.
This matters because domain hijacking is a real attack vector with real consequences. In 2014, the domain for Perl.com was hijacked and redirected. In 2020, several high-profile cryptocurrency exchange domains were targeted through registrar social engineering attacks. The attacker doesn't need your password if they can convince a registrar's support team to process a transfer. Domain lock adds a layer that support team intervention alone can't bypass.
"Domain theft doesn't always look like hacking. Sometimes it looks like a support ticket."
Don't Skip This Step
Domain lock should be verified immediately after registering or transferring a domain to Cloudflare. The default is locked, but confirming it takes thirty seconds and removes any ambiguity about your domain's protection status.
How to Enable and Verify Domain Lock in Cloudflare
Cloudflare enables domain lock by default for all registered domains. To verify the status, navigate to Account Home > Registrar, select the domain in question, and look for the Domain Lock setting in the configuration panel. The status will display as either locked or unlocked.
If you need to initiate an outbound transfer to another registrar, the process requires two steps. First, disable domain lock from the same configuration panel. Second, request the authorization code (also called the EPP code or auth code) that the receiving registrar needs to pull the transfer. Cloudflare provides this code through the dashboard once lock is disabled. The transfer window typically stays open for five to seven days before lock can be re-enabled automatically.
Do not disable lock speculatively. Disable it only when you have an active transfer in progress, and re-enable it immediately if the transfer falls through.
DNSSEC: Cryptographic Proof Your Domain Is Legitimate
What DNSSEC Does and Why It Matters for End Users
DNSSEC, short for Domain Name System Security Extensions, adds a layer of cryptographic verification to the DNS resolution process. Without it, DNS responses can be forged. An attacker in a position to intercept or poison a DNS resolver's cache can redirect your domain to a server they control, and the visitor's browser has no way to know the response is fraudulent.
The specific attack DNSSEC prevents is called DNS cache poisoning or DNS spoofing. A resolver caches the fraudulent record. Every user that resolver serves gets the wrong answer. They type your domain, they hit the attacker's server, and nothing in the connection process alerts them that something is wrong until it's too late.
DNSSEC solves this by signing DNS records with a cryptographic key. Resolvers that support DNSSEC validation check the signature against a chain of trust that runs from the root DNS zone down to your specific domain. A forged record fails the signature check and gets rejected.
Step-by-Step: Enabling DNSSEC on a Cloudflare-Registered Domain
When your domain is both registered at Cloudflare and using Cloudflare's nameservers, enabling DNSSEC is a single operation. The entire DS record publication process is handled automatically. You don't need to copy key material between systems or manually enter records at a parent zone.
Navigate to your domain in the Cloudflare dashboard. Select DNS from the left navigation. Scroll to the DNSSEC section at the bottom of the page. Click Enable DNSSEC.
Cloudflare generates the zone signing keys, signs your DNS records, and publishes the DS record (Delegation Signer record) to the parent zone automatically. The DS record is the link in the chain of trust between your domain and the root. It contains a hash of your zone's public key, and it's what validating resolvers check to confirm your signatures are legitimate.
After enabling, the dashboard displays the DS record values that were published: the key tag, algorithm, digest type, and digest itself. These are informational when Cloudflare manages both sides of the chain. If you were managing DNSSEC with a third-party DNS provider and a separate registrar, you'd need to copy these values manually into your registrar's control panel. With Cloudflare handling both, that step doesn't exist.
Propagation typically completes within a few minutes. Once active, the DNSSEC status indicator in the dashboard shows the zone as signed and the DS record as published.
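How the four DS values shown in the dashboard relate to the zone's key, as an added example that is not Cloudflare's or this series' own code: the key tag is the RFC 4034 checksum of the DNSKEY RDATA, and a type 2 digest is SHA-256 over the owner name in wire form followed by that RDATA. The owner name, the 64-byte key, the choice of algorithm 13 and all function names are constructed for illustration.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"  # root label terminates the name


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B checksum; this is the 'key tag' field of the DS."""
    acc = 0
    for index, byte in enumerate(rdata):
        acc += (byte << 8) if index % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """Derive (key tag, algorithm, digest type, digest) with a SHA-256 digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def parse_ds(text):
    """Parse 'keytag algorithm digesttype digest' as a registrar panel shows it."""
    tag, algorithm, digest_type, *digest = text.split()
    return (int(tag), int(algorithm), int(digest_type), "".join(digest).upper())


def ds_matches(owner, rdata, ds_text):
    """True when the published DS really is the hash of this DNSKEY."""
    ds = parse_ds(ds_text)
    if ds[2] != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    return ds == make_ds(owner, rdata)


# Constructed sample: flags 257 (key-signing key), protocol 3, algorithm 13.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    tag, algorithm, digest_type, digest = make_ds(SAMPLE_OWNER, SAMPLE_KEY)
    published = f"{tag} {algorithm} {digest_type} {digest}"
    print("DS to publish at the parent:", published)
    print("matches zone key:", ds_matches(SAMPLE_OWNER, SAMPLE_KEY, published))
    swapped = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
    print("matches a different key:", ds_matches(SAMPLE_OWNER, swapped, published))
```

When the registrar and DNS provider are separate, this is the comparison to run before pasting DS values into the registrar: a DS that does not match the live DNSKEY makes validating resolvers reject the whole zone.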
Two-Factor Authentication: Locking Down Your Account
Why 2FA Is Critical for Domain Security
Domain lock and DNSSEC protect your domain at the registry and DNS level. Neither one helps if someone gets into your Cloudflare account. Account compromise is the upstream attack. Everything downstream from it, your domain configuration, your DNS records, your lock status, becomes accessible to whoever is logged in.
Account-level security deserves the same attention as domain-level security. More, actually. A compromised account can undo every protection you've configured.
Setting Up 2FA on Your Cloudflare Account
Cloudflare supports two primary two-factor authentication methods. The first is a TOTP app (Time-based One-Time Password), which includes apps like Google Authenticator, Authy, and 1Password. The second is a hardware security key using the WebAuthn standard, which includes devices like YubiKey. Hardware keys are meaningfully more resistant to phishing than TOTP codes, because the key's response is bound to the specific domain you're authenticating against.
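Why the two methods differ under phishing, as an added example that is not Cloudflare's code: a TOTP code is computed from the shared secret and the clock alone, while a WebAuthn assertion carries the origin the browser saw and a hash of the relying-party ID, both of which the server checks. The origins, RP ID, challenge and function names are constructed, and signature verification over the assertion is left out because the Python standard library has no ECDSA; only the binding checks are shown.

```python
import base64
import hashlib
import hmac
import json
import struct


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1). Nothing about the site enters the computation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator emit at `origin`."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,  # written by the browser, not by the page
    }).encode("utf-8")
    # authenticatorData: SHA-256(rpId) | flags (0x01 = user present) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 1)
    return client_data, auth_data


def check_assertion_binding(client_data, auth_data, expected_origin, rp_id, challenge):
    """Server-side binding checks; returns the names of the checks that failed."""
    failed = []
    client = json.loads(client_data)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(client.get("challenge", "")), b64url(challenge)):
        failed.append("challenge")
    if client.get("origin") != expected_origin:
        failed.append("origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rpIdHash")
    if len(auth_data) < 37 or not auth_data[32] & 0x01:
        failed.append("user-presence")
    return failed


if __name__ == "__main__":
    # The same six digits are valid wherever they are typed or relayed.
    print("TOTP:", totp(b"12345678901234567890", 59))

    challenge = b"constructed-challenge-0001"
    real = build_assertion("https://dash.example.com", "example.com", challenge)
    other = build_assertion("https://dash.example.net", "example.net", challenge)
    for label, (client_data, auth_data) in (("expected site", real), ("other site", other)):
        result = check_assertion_binding(
            client_data, auth_data, "https://dash.example.com", "example.com", challenge)
        print(label, "->", result or "accepted")
```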
To enable 2FA, go to My Profile > Authentication in the Cloudflare dashboard. Select your preferred method and follow the enrollment flow. Before you finish, Cloudflare prompts you to save backup codes. Do not skip this step. If you lose access to your authenticator app and haven't saved backup codes, account recovery is a slow, manual process with no guarantee of a quick resolution.
Save Your Backup Codes Somewhere Real
Backup codes stored only in your email are only as secure as your email account. Save them in a password manager, print them, or store them in an encrypted file somewhere offline. Losing 2FA access to a domain registrar account is a recoverable situation, but it isn't a fast one.
Cloudflare also supports passkeys as an authentication option, a newer standard that ties authentication to a device-bound cryptographic credential rather than a shared secret. Passkey support is available in account settings for users who want to move toward passwordless authentication. It's worth exploring if you're already using a password manager or device that supports the standard.
Part 4 moves from registration and account security into the actual structure of DNS: what records exist, what each one does, and how to read and configure a zone file without second-guessing every entry. If you've ever stared at an MX record and wondered whether you had it right, that's exactly where Part 4 starts.
Part 2 laid the groundwork: what Cloudflare actually is, how it sits between your users and your infrastructure, and why so many developers and small teams treat it as their default starting point. Now it's time to get specific about one piece of that picture that doesn't get enough attention. The registrar. Not glamorous. Not the thing people write tutorials about. But get it wrong and every subsequent step in this series gets harder.
This part covers Cloudflare Registrar from every angle that matters: what makes it structurally different from the registrars you've probably used before, how to buy or transfer a domain, what the dashboard actually looks like when you're managing things day to day, and where the gaps are. Because there are gaps. Knowing them upfront saves you from discovering them at the worst possible moment.
Centralized Domain and DNS Management: One Dashboard to Rule Them All
The Advantage of Registrar and DNS Under One Roof
The standard workflow for most people who've been managing domains for a few years looks something like this: domain registered at GoDaddy or Namecheap, nameservers pointed at Cloudflare for DNS, SSL handled by Cloudflare, maybe a firewall rule somewhere in there. It works. It's also four separate mental contexts every time something breaks at 11pm and you're trying to figure out which layer is the problem.
Cloudflare Registrar collapses that. When Cloudflare is both your registrar and your DNS provider, you're not delegating nameservers to an external service. You're already there. DNS changes don't have to propagate to a third-party resolver. They move through Cloudflare's own infrastructure, and the results show up faster than they would in the split-stack model most people are running.
That speed difference isn't trivial. Typical third-party DNS propagation can take anywhere from a few minutes to 48 hours depending on TTL settings and resolver caching. When Cloudflare controls the authoritative nameservers directly, changes frequently resolve globally in under five minutes. That matters during a migration, during an incident, and any time you're making a configuration change that needs to take effect right now.
The operational benefit compounds over time. SSL certificates issued through Cloudflare are tied to your domain automatically. Firewall rules apply at the DNS layer. If you're running Workers, Pages, or Zero Trust later in this series, they all connect to the same domain record you're managing right now. Nothing needs to be re-pointed, re-delegated, or re-verified because it's all already in the same account.
How the Cloudflare Dashboard Unifies Domain, DNS, and Security Settings
Log into your Cloudflare account and select a domain. The left sidebar is your map. DNS shows you every record in your zone. SSL/TLS handles certificate mode and HTTPS enforcement. Security covers WAF rules, bot management, and DDoS settings. Workers Routes lets you attach serverless functions to specific URL patterns. All of it is scoped to that single domain, all of it is in one place.
The Registrar section lives under your account overview rather than inside a specific domain. That's where you manage renewals, WHOIS privacy, transfer locks, and DNSSEC settings. It's a small distinction in navigation but an important one: registrar settings are account-level, DNS and security settings are domain-level. Once you understand that split, the dashboard makes intuitive sense.
Buying a New Domain on Cloudflare: A Practical Walkthrough
Searching for and Selecting a Domain
From your Cloudflare dashboard, navigate to Domain Registration in the left sidebar and click Register Domains. The search bar is straightforward: type the name you want and Cloudflare returns availability across supported TLDs. Pricing shows up immediately next to each result, no bait-and-switch, no "first year special" that hides the renewal rate in fine print. The price you see is what you pay every year.
Cloudflare doesn't mark up registrations. It charges you what it pays the registry, plus ICANN's $0.18 annual fee per domain. For a .com, that's currently $9.77 per year. For a .net, $11.06. These numbers are published openly and they don't change based on whether you're a new customer or a returning one.
Select the domain you want and proceed to checkout. There's no upsell screen pushing hosting packages or email add-ons. You confirm the domain, review the price, and move forward.
Completing Registration and Verifying DNS Activation
The registration form asks for contact information: name, organization, address, phone, and email. WHOIS privacy is enabled by default. You don't have to hunt for it or pay extra to turn it on. Your contact details are replaced with Cloudflare's privacy proxy information in the public WHOIS record.
After purchase, Cloudflare assigns authoritative nameservers to your domain automatically and creates a DNS zone in your account. This typically completes within a few minutes. You can start adding DNS records immediately. The zone is live and waiting before most registrars would have even finished sending you a confirmation email.
One step you cannot skip: ICANN sends a verification email to the address on your registration. You have 15 days to click the verification link. If you don't, ICANN can suspend the domain. Check your inbox immediately after registering, check your spam folder if it doesn't arrive within a few minutes, and click that link before you do anything else.
Transferring an Existing Domain to Cloudflare: Step by Step
Pre-Transfer Checklist: Unlock, Get Auth Code, Disable Privacy
Transferring a domain isn't complicated, but it requires a few things to be true before you can initiate anything. Miss one of them and the transfer either fails silently or sits in a pending state for days while you figure out what went wrong.
Pre-Transfer Requirements
Before initiating a transfer, confirm all three of the following at your current registrar: the domain is unlocked, you have the EPP/auth code in hand, and WHOIS privacy is disabled. All three must be true simultaneously. Disabling privacy but forgetting to unlock the domain is the most common reason transfers stall.
First: unlock the domain. Every registrar has a transfer lock setting, sometimes called a registrar lock or domain lock. It's usually enabled by default and exists to prevent unauthorized transfers. Find it in your current registrar's domain settings and turn it off.
Second: obtain the EPP code, also called the auth code or authorization code. This is a string of characters your current registrar generates that proves you have the right to transfer the domain. Some registrars email it automatically when you unlock the domain. Others require you to request it separately. Give yourself time. Some registrars take 24 hours to generate it.
Third: disable WHOIS privacy. During the transfer process, the gaining registrar needs to send an authorization email to the address on the domain's WHOIS record. If that address is masked by a privacy proxy, the email may not reach you. Turn privacy off before you start.
One additional constraint worth knowing: ICANN's 60-day transfer lock rule prevents you from transferring a domain within 60 days of registering it or within 60 days of a previous transfer. If you just registered a domain somewhere else last week, you're waiting two months before Cloudflare can take it.
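An added example, not Cloudflare's or this series' own code: both the transfer lock described in the Domain Lock section and the 60-day rule in this checklist can be read from a domain's public RDAP record, so the state can be checked independently of any dashboard. The RDAP response below is constructed, the function names are hypothetical, and the status strings are the RDAP forms of the EPP transfer-prohibited codes.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP domain object in the RFC 9083 shape; every value is illustrative.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2021-03-01T12:00:00Z"},
    {"eventAction": "transfer",     "eventDate": "2024-05-20T09:30:00Z"},
    {"eventAction": "expiration",   "eventDate": "2025-03-01T12:00:00Z"}
  ]
}
""")

# "client ..." is set by the registrar (the lock toggle), "server ..." by the registry.
LOCK_STATUSES = {"client transfer prohibited", "server transfer prohibited"}
TRANSFER_HOLD = timedelta(days=60)


def parse_ts(value):
    """RDAP dates are RFC 3339; normalise a trailing Z for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def event_date(rdap, action):
    """Most recent date recorded for an eventAction, or None if it is absent."""
    dates = [parse_ts(event["eventDate"]) for event in rdap.get("events", [])
             if event.get("eventAction") == action and "eventDate" in event]
    return max(dates) if dates else None


def is_transfer_locked(rdap):
    """True when any transfer-prohibited status is present on the domain."""
    return bool(LOCK_STATUSES & {status.lower() for status in rdap.get("status", [])})


def transfer_blockers(rdap, now):
    """Reasons a transfer request made at `now` would be refused."""
    blockers = []
    if is_transfer_locked(rdap):
        blockers.append("transfer lock is set")
    for action in ("registration", "transfer"):
        when = event_date(rdap, action)
        if when is not None and now - when < TRANSFER_HOLD:
            blockers.append(f"{action} less than 60 days ago")
    return blockers


def days_until_expiry(rdap, now):
    """Whole days left before the expiration event, or None if not published."""
    expiry = event_date(rdap, "expiration")
    return None if expiry is None else (expiry - now).days


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("locked:", is_transfer_locked(SAMPLE_RDAP))
    print("transfer blockers:", transfer_blockers(SAMPLE_RDAP, now))
    print("days until expiry:", days_until_expiry(SAMPLE_RDAP, now))
```

For a domain at rest, `is_transfer_locked` should be true; an empty blocker list is what you want only during the window in which you are deliberately moving the domain.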
Initiating and Completing the Transfer in Cloudflare
Go to Domain Registration in your Cloudflare dashboard and select Transfer Domains. Enter the domain name and paste in your EPP code. Cloudflare verifies the code, confirms the domain is eligible for transfer, and shows you the first-year renewal cost. For most TLDs, the transfer includes one year of registration added to your current expiration date.
After you submit, your current registrar sends an authorization email. Open it and approve the transfer. Some registrars approve automatically after a waiting period if you don't respond, but clicking approve speeds things up considerably.
Transfers typically complete within five to seven days. They often finish faster. While the transfer is in progress, your current DNS continues to function normally. Here's the important part: you can pre-configure your DNS records in Cloudflare before the transfer completes. Add your A records, MX records, and CNAMEs now. When the transfer finalizes and Cloudflare's nameservers become authoritative, your DNS is already correct. Downtime is minimal or zero.
Limitations: What Cloudflare Registrar Doesn't Do (Yet)
TLD Availability Gaps
Cloudflare Registrar supports a solid and growing list of TLDs, but it's not exhaustive. The major ones are covered well: .com, .net, .org, .io, .dev, .app, .co, and most country-code TLDs for major markets. If you're registering a domain for a standard business or technical project, there's a very high probability your preferred TLD is available.
Where you'll run into gaps: highly specialized TLDs like .photography, .boutique, or .accountant may not be supported. Some newer gTLDs added in recent ICANN rounds are still missing. Country-code TLDs for smaller markets are inconsistently available. If you need a specific TLD that Cloudflare doesn't support, the practical answer is to register that domain at a specialized registrar and point its nameservers to Cloudflare for DNS. You lose the registrar consolidation benefit, but you keep everything else.
No Domain Auctions, Aftermarket, or Premium Domain Sales
What Cloudflare Registrar Doesn't Offer
Cloudflare has no domain auction platform, no aftermarket for expired domains, no backorder service, and no domain brokerage. If you want a premium domain that's already registered, you'll need GoDaddy Auctions, Sedo, Afternic, or a dedicated broker. Cloudflare's registrar is built for domains you're registering fresh or transferring in, not for acquiring domains that someone else owns.
There's also no built-in email hosting tied to your domain. Google Domains, before its acquisition by Squarespace, offered Google Workspace bundled at registration. Cloudflare doesn't have an equivalent. For email, you'll set up MX records pointing to a separate provider: Google Workspace, Microsoft 365, Fastmail, or whatever fits your setup. That's not a serious inconvenience, but it's worth knowing before you expect it to be there.
Your Cloudflare Registrar Setup Checklist
Getting your domain configured correctly from the start takes about fifteen minutes. Do it now, before Part 4, and you won't be backtracking later.
Why Cloudflare Registrar Is the Right Foundation for Everything That Follows
At-cost pricing. Transparent renewals. DNSSEC built in. WHOIS privacy by default. DNS and registrar in a single dashboard. These aren't features that make Cloudflare Registrar feel premium. They're the baseline that every registrar should offer but most don't.
The reason this series starts with the registrar before touching DNS configuration, Zero Trust, or Tunnels is simple: the domain is the foundation. Every subsequent part of this series assumes you have a domain under your control, correctly configured, with DNS you can modify quickly and trust to propagate reliably. If that foundation is shaky, everything built on top of it is shaky too.
Complete the checklist above before moving forward. It takes fifteen minutes and it eliminates an entire category of problems that derail people in later parts. Store your 2FA backup codes somewhere you'll actually find them. Store your EPP code if you have it. These are small habits that prevent large headaches.
Part 4 moves into DNS configuration in depth: record types, TTL strategy, proxied versus DNS-only records, and how Cloudflare's proxy layer changes the way you think about A records. The registrar work you just did is the prerequisite. Part 4 is where the DNS layer starts doing real work.