DNS Backup for Cloudflare
Why back up Cloudflare DNS
Cloudflare manages your DNS, but it doesn’t back it up. There’s no change history, no undo button, no diff between what your zone looked like yesterday and today. If someone deletes a record or a migration goes wrong, you’re reconstructing from memory.
BackupMyDNS connects to Cloudflare with read-only API access, captures a full zone snapshot every time a record changes, and stores the diff. Every record, every version, downloadable as a standard BIND zone file.
What permissions we need
BackupMyDNS requires a scoped API token with a single permission: Zone:Read. This is the most restrictive access Cloudflare offers for DNS. We cannot modify, create, or delete any records. We can only read them.
You create this token in Cloudflare’s dashboard under My Profile > API Tokens > Create Token. Scope it to specific zones or all zones in your account. The token never leaves our encrypted storage.
What Cloudflare’s export misses
Cloudflare has a BIND zone file export. It covers the basics. But it has gaps that matter:
No proxied status. Cloudflare’s orange cloud / grey cloud (proxied vs DNS-only) is critical to how your traffic flows, but it’s not part of the BIND format. A zone export won’t tell you which records were proxied. BackupMyDNS captures this metadata separately.
Truncated TXT records. Long TXT values — DKIM keys, SPF includes, domain verification strings — can get truncated or split inconsistently in Cloudflare’s export. We capture the full value via the API.
No change history. Cloudflare’s export is a point-in-time snapshot. There’s no way to see what changed between two exports, or when a record was added or removed. BackupMyDNS stores every version and lets you diff any two snapshots.
No automation. You have to manually click Export every time. Nobody does this consistently across 50 domains.
Cloudflare-specific gotchas
Proxied vs DNS-only confusion. The most common Cloudflare misconfiguration is toggling the proxy status on a record that shouldn’t be proxied (MX, SRV, or a record pointing to a service that needs the real IP). When this happens silently, having a backup with the previous state is the fastest way to diagnose it.
DNSSEC records. Cloudflare manages DNSSEC automatically. These records exist in your zone but aren’t ones you created. They can cause confusion during migrations if you don’t know which records are Cloudflare-managed.
Forgotten subdomains. Large zones accumulate records over years. Development subdomains, old verification TXT records, staging CNAMEs. People forget they exist until they break something during a cleanup.
Page Rules are not DNS. Cloudflare Page Rules, redirects, and Workers routes are sometimes confused with DNS records. They’re not — and they’re not in a zone file export. Know the difference before you assume your export covers everything.
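The snapshot diff and the proxied-status gotcha described above, as an added example (not BackupMyDNS's own code). It assumes each snapshot is a list of records using the field names of Cloudflare's DNS record objects (type, name, content, ttl, proxied); the zone data and function names are constructed for illustration.

```python
# Constructed sample snapshots for the placeholder zone example.com.
# Field names follow Cloudflare's DNS record objects; ttl 1 means "automatic".
BEFORE = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10", "ttl": 1, "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.25", "ttl": 300, "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "ttl": 300, "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all", "ttl": 300, "proxied": False},
    {"type": "CNAME", "name": "staging.example.com", "content": "app.example.net", "ttl": 300, "proxied": False},
]
AFTER = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10", "ttl": 1, "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.25", "ttl": 1, "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "ttl": 300, "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx include:_spf.example.net -all", "ttl": 300, "proxied": False},
]


def index_records(snapshot):
    """Key by (type, name, content) so names with several values diff cleanly."""
    return {(r["type"], r["name"].lower(), r["content"]): r for r in snapshot}


def diff_snapshots(before, after):
    """Return (kind, key, detail) tuples; a content edit shows as removed + added."""
    old, new = index_records(before), index_records(after)
    changes = [("removed", k, None) for k in sorted(old.keys() - new.keys())]
    changes += [("added", k, None) for k in sorted(new.keys() - old.keys())]
    for key in sorted(old.keys() & new.keys()):
        for field in ("proxied", "ttl"):  # metadata a BIND zone file cannot carry or may hide
            a, b = old[key].get(field), new[key].get(field)
            if a != b:
                changes.append(("changed", key, (field, a, b)))
    return changes


def proxy_flips(changes):
    """Only the records whose proxied / DNS-only status changed between snapshots."""
    return [(key, detail[1], detail[2]) for kind, key, detail in changes
            if kind == "changed" and detail[0] == "proxied"]


if __name__ == "__main__":
    for change in diff_snapshots(BEFORE, AFTER):
        print(change)
```

In the sample data the mail host's A record flips from DNS-only to proxied, which is the silent toggle a plain BIND export would not reveal.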
Pricing
Your first domain is free with daily checks and 30 days of retention. Pro plans start at $14/mo for up to 100 zones with hourly checks and 1 year of retention. Business plans at $49/mo cover 1,000 zones with 10-minute checks and unlimited retention.
All data is AES-256 encrypted at rest. Fort Knox mode available — we email you the backup and delete it from our systems.
Get started
Connect your Cloudflare account with a read-only API token. Setup takes under two minutes.