Working with CNAME records and your DNS provider
Last updated 2023-08-08
To route traffic to a Fastly service using your domain name, you must associate the domain with your Fastly service and update your domain's CNAME record to point to Fastly. This guide helps you update your domain's CNAME record with your DNS provider and describes how to choose the right hostname.
Fastly is not a DNS provider. The steps you follow when creating a CNAME record for your domain will vary depending on your DNS provider. You must have access privileges to modify DNS records for your domain.
If you can't find your provider's CNAME configuration instructions, Google maintains instructions for most major providers. Those instructions are maintained by Google, not Fastly, and are tailored specifically for Google enterprise services.
Keep in mind the following CNAME configuration limitations. Specifically:
- Shared TLS hostname incompatibility. You can't add a CNAME record for a shared TLS hostname.
- Apex domain incompatibility. You can't use a CNAME record if you plan to use Fastly on your apex domain (e.g.,
www.example.com). Check out our guide to using Fastly with apex domains for more details.
To successfully update your DNS CNAME record, you must choose the right Fastly hostname to use. Choosing the appropriate CNAME record is the final step required before Fastly can start acting as a reverse proxy and begin routing client traffic through Fastly services.
The hostname you choose will differ based on:
- the standard HTTPS (TLS) support requirements for your domain, including whether or not HTTP/2 is enabled.
- any custom TLS options purchased for your domain.
- whether or not you choose to limit your traffic to the North American and EU network or use Fastly's global network.
We've provided recommendations below based on these criteria.
If you don't require TLS support and only need to accept HTTP (Port 80) connections, use one of the following hostnames:
dualstack.nonssl.global.fastly.net.to route traffic through Fastly's entire global network.
dualstack.nonssl.us-eu.fastly.net.to route traffic through Fastly's North American and EU POPs only.
Fastly's non-TLS hostnames refuse HTTPS connections (port 443) to prevent TLS certificate mismatch errors.
s.sni.global.fastly.netfor TLS 1.3 or TLS 1.2.
t.sni.global.fastly.netfor TLS 1.3 + 0RTT or TLS 1.2. The Zero Round Trip Time (0-RTT) feature helps reduce latency for customers returning to your site.
You must use the assigned Fastly TLS hostname provided in the Fastly web interface. Using the incorrect Fastly hostname will cause a TLS Certificate mismatch error for HTTPS (Port 443) traffic.
Once you've determined the appropriate Fastly hostname for your domain, the next step is to create a CNAME record for your domain. Refer to your DNS provider's documentation for exact instructions on how to create or update a CNAME record. If you run your own DNS server or are familiar with the format of BIND zone files, the CNAME record would look similar to this:
www.example.com. 3600 IN CNAME nonssl.global.fastly.net.
In the above example, the domain set up on Fastly is
www.example.com., with a time-to-live (TTL) of
3600 seconds (1 hour), the Record Type is
CNAME, and the Fastly hostname is
nonssl.global.fastly.net. because TLS support isn't required and traffic will be routed through Fastly's entire global network.
- Be sure you've added all domains you want served by Fastly to the appropriate service. If you don't and you point your domain to Fastly, an
unknown domainerror will occur.
- Make sure your service is properly configured. You can test a Fastly service on your local machine by using curl and testing setup before changing domains.
- If you have multiple hostnames on the same domain (e.g.,
app.example.com), you can use a DNS wildcard record (
*.example.com) at your DNS provider so only a single CNAME record is created and maintained. You should also add either a matching
*.example.comdomain or the individual domains to your Fastly service.
- Before changing a CNAME to point to a Fastly hostname, change your service configuration to lower the CNAME's TTL to a small number (we suggest 60 seconds) and wait for the old TTL to expire. Creating a DNS CNAME record for your domain after the TTL expiration ensures you have an easy way to roll back changes if you encounter an issue. Once you confirm everything is working properly using Fastly, you can increase the TTL to its original value.
To check your CNAME record, run the following command in a terminal window:
$ dig www.example.com +short
Your output should appear similar to the following:
In most cases, the hostname displayed first will be your current Fastly hostname (in this case,
nonssl.global.fastly.net.). If you don't see a Fastly hostname in the output or if you see an incorrect Fastly hostname, then either your CNAME isn't properly set at your DNS provider or an older CNAME record is still cached by your local DNS resolver.
If you deactivate a service, delete a service, or cancel your account, we strongly recommend modifying or deleting any CNAME records pointing to Fastly hostnames. Follow the instructions on your DNS provider's website. Doing so will minimize the risk of unauthorized use of your domains.