Automating Cloudflare DNS with Traefik Using Traeflare
Managing DNS records for multiple services can become tedious when running a modern infrastructure. Services often come and go, subdomains change, and you spend a lot of time hopping between your reverse proxy (like Traefik) and DNS providers (like Cloudflare) to keep everything in sync.
Traeflare is a simple yet powerful tool designed to automate this process. It automatically updates your Cloudflare DNS records based on the existing routes you’ve set up in Traefik. No more manual copying and pasting of hostnames or subdomains—Traeflare does the heavy lifting for you.
In this article, we’ll explore:
- Why you need Traeflare
- How Traeflare works
- Setting up Traeflare with Docker
- Key environment variables
- Pruning old records
- Best practices
By the end, you’ll have a clear understanding of how to use Traeflare to streamline DNS management for your Traefik-based infrastructure.
Why Use Traeflare?
1. Automatic DNS Updates
If you’re frequently adding or removing services behind Traefik, updating DNS records in Cloudflare can become repetitive. Traeflare listens to your Traefik configuration and automatically syncs DNS entries to Cloudflare, saving you time and reducing the risk of typos or misconfigurations.
2. Single Source of Truth
Traefik is already the central entry point for your services—why not make it your source of truth for DNS as well? By extracting the hostnames/routes from Traefik and mapping them to Cloudflare records, you can keep everything consistent in one place.
3. Fewer Configuration Mistakes
Manual DNS updates are prone to human error. A single character off in your domain or subdomain could lead to confusion, downtime, or connectivity problems. Traeflare eliminates these mistakes by programmatically handling updates based on your existing Traefik config.
How Traeflare Works
- Fetch Traefik Routes
  Traeflare queries the Traefik API (exposed on port `8080` by default) to retrieve configured routes (hostnames).
- Compare with Cloudflare
  It then contacts the Cloudflare API to see which DNS entries are already present in your chosen domain’s zone.
- Update or Create
  If a subdomain (from Traefik routes) doesn’t exist in Cloudflare, Traeflare creates a new DNS record for you. If it already exists, Traeflare ensures it’s updated with the correct IP address or CNAME as needed.
- Prune Old Records (Optional)
  With `PRUNE_RECORDS` set to `true`, any outdated or unused records in Cloudflare can be removed automatically, keeping your DNS zone clean and up to date.
Getting Started: Docker Setup
Most users will run Traeflare as a Docker container alongside Traefik. Below is a sample `docker-compose.yml` snippet:

```yaml
version: "3"
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    # ... your traefik config goes here ...
    ports:
      - "80:80"
      - "443:443"
      # Traefik dashboard/API. Traeflare reaches it over the Compose network
      # (http://traefik:8080), so this host mapping is only for your own access.
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  traeflare:
    image: ghcr.io/m4tt72/traeflare:main
    container_name: traeflare
    env_file: .env
    depends_on:
      - traefik
    restart: unless-stopped
```
.env File Configuration
Create a `.env` file in the same directory:

```
TRAEFIK_API_URL=http://traefik:8080
CF_API_URL=https://api.cloudflare.com/client/v4
CF_ZONE_ID=your_zone_id
CF_API_EMAIL=your_cloudflare_email
CF_API_KEY=your_cloudflare_global_api_key
CF_DNS_API_TOKEN=your_cloudflare_dns_api_token
DOMAIN_NAME=example.com
RECORD_TYPE=A
PROXIED=true
PRUNE_RECORDS=true
```

You only need either `CF_API_KEY` or `CF_DNS_API_TOKEN`, depending on how you’ve set up Cloudflare authentication. If you use `CF_DNS_API_TOKEN`, it must have appropriate permissions to edit DNS records for the specified zone.
Key Environment Variables
Variable | Description | Default |
---|---|---|
`TRAEFIK_API_URL` | The URL where Traefik’s API is exposed. Typically `http://traefik:8080` | `http://traefik:8080` |
`CF_API_URL` | The base URL for the Cloudflare API | `https://api.cloudflare.com/client/v4` |
`CF_ZONE_ID` | Unique Zone ID for the domain in Cloudflare | (none) |
`CF_API_EMAIL` | Cloudflare account email (if using Global API Key) | (none) |
`CF_API_KEY` | Global API Key from Cloudflare | (none) |
`CF_DNS_API_TOKEN` | DNS-specific API token with edit permissions | (none) |
`DOMAIN_NAME` | The domain name you want to update (e.g. `example.com`) | (none) |
`RECORD_TYPE` | DNS record type (`A` or `CNAME`) | `A` |
`PROXIED` | Whether to enable Cloudflare’s proxying feature (`true`/`false`) | `true` |
`PRUNE_RECORDS` | Remove DNS records not matching current Traefik routes (`true`/`false`) | `true` |
Choosing the Right Authentication Method
- Global API Key (using `CF_API_KEY` + `CF_API_EMAIL`): This key has full account privileges. This can be easier to set up but less secure if you only need DNS changes.
- Scoped API Token (using `CF_DNS_API_TOKEN`): This token can be restricted to DNS operations for a single zone, which is a more secure practice.
Usage & Workflow
- Start Traefik
  Ensure your Traefik container is running with the routes you want to expose.
- Run Traeflare
  Start the Traeflare container. It will connect to the Traefik API, list all hostnames, and then create or update DNS records on Cloudflare.
- Check Cloudflare
  Log in to your Cloudflare dashboard and confirm the newly created or updated DNS records. If `PRUNE_RECORDS` is set to `true`, old or unused records will automatically be removed.
- Add/Remove Services
  Whenever you add or remove a service in Traefik, simply wait for the Traeflare container to pick up the changes. It’s designed to continuously watch for updates (depending on your configuration or how often you restart/refresh the container).
Pruning Records
By default, Traeflare is set to prune old records (`PRUNE_RECORDS=true`). This means that if you remove a route from Traefik, Traeflare will detect it’s no longer present and remove the corresponding DNS entry from Cloudflare.
- Pros: Keeps DNS zone neat; no leftover subdomains.
- Cons: If you manually created DNS entries in the same zone (e.g., for email or external services), make sure they aren’t named identically to something Traeflare might handle. You could disable pruning or maintain those records with a separate approach.
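The fetch/compare/update/prune cycle from "How Traeflare Works" and the pruning caveat above can be dry-run offline. The sketch below is an added example, not Traeflare's own code: it extracts hostnames from router rules, builds a create/update/delete plan, and shows how a naive prune would delete a hand-made `mail` record. The ownership marker stored in the record comment and all sample data are assumptions made for illustration.

```python
import re

MARKER = "managed-by=traeflare-example"  # hypothetical ownership tag kept in the record comment

def hosts_from_routers(routers, domain):
    """Collect hostnames from Traefik router rules, keeping only names inside `domain`."""
    hosts = set()
    for router in routers:
        for args in re.findall(r"\bHost\(([^)]*)\)", router.get("rule", "")):
            for name in re.findall(r"`([^`]+)`", args):
                name = name.lower().rstrip(".")
                if name == domain or name.endswith("." + domain):
                    hosts.add(name)
    return hosts

def plan(hosts, records, content, record_type="A", prune=True, owned_only=True):
    """Return (create, update, delete) name lists; other record types are never touched."""
    existing = {r["name"]: r for r in records if r["type"] == record_type}
    create = sorted(h for h in hosts if h not in existing)
    update = sorted(h for h in hosts if h in existing and existing[h]["content"] != content)
    delete = []
    if prune:
        for name, rec in existing.items():
            if name in hosts:
                continue
            if owned_only and MARKER not in (rec.get("comment") or ""):
                continue  # hand-made record: leave it alone
            delete.append(name)
    return create, update, sorted(delete)

# Constructed sample data, shaped like Traefik's /api/http/routers output and
# Cloudflare DNS record objects, trimmed to the fields used here.
ROUTERS = [
    {"name": "app@docker", "rule": "Host(`app.example.com`)"},
    {"name": "git@docker", "rule": "Host(`git.example.com`) && PathPrefix(`/api`)"},
    {"name": "other@docker", "rule": "Host(`app.example.org`)"},
]
RECORDS = [
    {"name": "app.example.com", "type": "A", "content": "203.0.113.9", "comment": MARKER},
    {"name": "old.example.com", "type": "A", "content": "203.0.113.10", "comment": MARKER},
    {"name": "mail.example.com", "type": "A", "content": "198.51.100.7", "comment": None},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "comment": None},
]

if __name__ == "__main__":
    hosts = hosts_from_routers(ROUTERS, "example.com")
    print("naive :", plan(hosts, RECORDS, "203.0.113.10", owned_only=False))
    print("scoped:", plan(hosts, RECORDS, "203.0.113.10"))
```

Running a plan like this against an export of your zone before enabling `PRUNE_RECORDS=true` shows which existing records share the managed record type and would be candidates for removal.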
Best Practices
- Use a Separate Cloudflare API Token
  Limit your token’s scope to DNS changes for a single domain. This follows the principle of least privilege.
- Monitor Logs
  Check container logs for errors, especially in the initial setup phase. You’ll see logs for each DNS record it attempts to create or update.
- Version Control Your Docker Compose
  Keep your `docker-compose.yml` and `.env` in a private repository to maintain a record of changes and credentials (make sure `.env` is in `.gitignore`).
- Set Up Alerts
  Use monitoring tools to alert you if DNS updates fail or if the Traeflare container stops unexpectedly.
- Testing
  Test in a staging environment or with a subdomain before deploying to production. Confirm that DNS changes propagate correctly.
Conclusion
Traeflare removes much of the manual overhead involved in managing DNS records for services behind Traefik. By leveraging the Traefik API, Traeflare updates (and optionally prunes) DNS entries in Cloudflare automatically, ensuring that your public-facing routes remain accurate and up to date.
With minimal configuration—just a Docker container and a few environment variables—you can unify your reverse proxy and DNS management strategy. This streamlined approach offers significant time savings, fewer errors, and a more resilient infrastructure overall.
Further Reading
Have questions or feedback? Feel free to open an issue on the GitHub repo or reach out directly. We’d love to hear about your experience with Traeflare in production!