Cloudflare DNS export: what you get and what you lose

Cloudflare's zone file export is better than most, but it still drops proxied status, page rule context, and change history. Here's exactly what's included and what's missing.

Cloudflare gives you a BIND-format zone export. It’s under DNS > Advanced > Export DNS File. Compared to some providers, it’s solid. But if you’re relying on it as your backup, you’re missing more than you think.

What the export includes

The BIND export gives you a standard zone file with your records listed in a format any DNS server can import. A records, AAAA, CNAME, MX, TXT, SRV, CAA — they’re all there.

The format is portable. You can take this file and import it into Route53, DNSimple, or any provider that accepts BIND zone files. For a basic migration, it works.

What the export misses

Here’s where it falls short.

Proxied status. Every A and CNAME record in Cloudflare has a proxy toggle — the orange cloud vs. grey cloud. This controls whether traffic routes through Cloudflare’s CDN and WAF or goes direct to your origin. The BIND export doesn’t capture this. Every record exports as if it’s DNS-only.

If you import this file into a fresh Cloudflare zone, every record defaults to DNS-only. Your CDN caching, WAF rules, DDoS protection, and performance optimizations are silently disabled. Traffic goes straight to your origin.

Long TXT values. BIND zone files have a 255-character limit per TXT string. Cloudflare handles this by splitting long values into multiple quoted strings within the record. Most of the time this works, but edge cases exist — especially with DKIM keys and complex SPF includes that approach the 512-byte UDP limit. Some import tools mishandle the split strings.

Record metadata. Cloudflare’s API returns each record with metadata: the record ID, creation timestamp, whether it’s locked, the TTL setting (which differs from the zone default). The BIND export flattens this. You get the record data, but not the context around it.

Page Rules and redirects. If you’re using Cloudflare Page Rules or Bulk Redirects that depend on specific DNS records, those rules aren’t part of the zone export. You get the DNS record, but not the redirect logic attached to it.

No change history. The export is a point-in-time snapshot. There’s no diff, no timeline, no way to see what the zone looked like yesterday or last month. If someone changed a record this morning and you need the old value, the export won’t help you. It only knows “now.”

The API gives you more

Cloudflare’s API — specifically the zones/:zone_id/dns_records endpoint — returns everything the export includes plus the metadata the export drops. Proxied status, record IDs, timestamps, TTL settings, tags. It’s the complete picture.

But calling the API manually and storing the results is just building your own backup system. You need to poll regularly, detect changes, store snapshots, and build a way to diff them.

What an automated backup captures

BackupMyDNS connects to Cloudflare using a read-only API token with Zone:Read and DNS:Read permissions. It captures every record exactly as the API returns it — including proxied status and metadata that the BIND export drops.

Every change triggers a new snapshot. You get diffs between any two points in time. You can download standard zone files for portability, or use the full API-level snapshots for complete fidelity.

The export button is a starting point. An automated backup is the safety net.

Free for your first domain. Connect Cloudflare in under a minute.