Cloudflare Radar has long published domain ranking information, providing insights into popular and trending domains. And in February 2025, we added a number of DNS-related insights to Radar, based on analysis of traffic to our 1.1.1.1 Public DNS Resolver.

Building on this, today we are launching a new TLD page on Radar that, based on aggregated data from multiple Cloudflare services, provides insights into TLD popularity, activity, and security, along with links directly into Cloudflare Registrar to enable users to register domain names in supported TLDs.

Before today, Radar already offered insights into TLDs, though these were distributed across a couple of different pages and datasets.

In March 2024, when we launched the Email Security page, we introduced the “Most abused TLDs” metric. This chart highlights TLDs associated with the largest shares of malicious and spam email. The analysis is based on the sending domain’s TLD, extracted from the From: header in email messages, with data sourced from Cloudflare’s cloud email security service.

More recently, during 2025’s Birthday Week, we introduced Certificate Transparency (CT) insights on Radar, leveraging data from CT logs monitored by Cloudflare. One highlight is the Certificate Coverage section, which visualizes the distribution of pre-certificates across the top 10 TLDs. These insights give a different perspective on TLD activity, complementing email-based metrics by showing which domains are actively securing web traffic.

Today, we’re excited to announce the new TLD page on Radar. The landing page and the dedicated per-TLD pages provide TLD managers and site owners with a perspective on the relative popularity of TLDs they manage or may be considering domains in, as well as insights into TLD traffic volume and distribution.

Located under the DNS menu, the landing page introduces a ranking of top-level domains based on DNS Magnitude — a metric originally developed by nic.at to estimate a domain’s overall visibility on the Internet.

Instead of simply counting the total number of DNS queries, DNS Magnitude incorporates a sense of how many unique clients send queries to domains within the TLD. This approach gives a more accurate picture of a TLD’s reach, since a small number of sources can generate a large number of queries. Our ranking is based on queries observed at Cloudflare’s 1.1.1.1 resolver. We aggregate individual client IP addresses into subnets, referred to here as "networks".

The magnitude value ranges from 0 to 10, with higher values (closer to 10) indicating that the TLD is queried by a broader range of networks. This reflects greater global visibility and, in some cases, a higher likelihood of name collision across different systems. According to ICANN, a name collision occurs when an attempt to resolve a name used in a private name space (such as under a non-delegated Top-Level Domain) results in a query to the public Domain Name System (DNS). When the administrative boundaries of private and public namespaces overlap, name resolution may yield unintended or harmful results. For example, if ICANN were to delegate .home, that could cause significant issues for hobbyists that use the (currently non-delegated) TLD within their local networks.

$Magnitude=\frac{ln(unique\ networks\ querying\ the\ TLD)}{ln(all\ unique\ networks)}*10$

The table displays a paginated ranking of the top 2,500 TLDs, along with several key attributes. Each entry includes the TLD itself — which links to a dedicated page for delegated TLDs — as well as its type:

• gTLD (generic TLD): used for general purposes, such as .com or .info.

• grTLD (generic restricted TLD): limited to specific communities or uses, such as .name.

• ccTLD (country code TLD): assigned to individual countries or territories, such as .uk or .jp.

• iTLD (infrastructure TLD): reserved for technical infrastructure, such as .arpa.

• sTLD (sponsored TLD): operated by a sponsoring organization representing a defined community, such as .edu or .gov.

The status column indicates whether the TLD is delegated, meaning it is officially assigned and active in the root zone of the DNS, or non-delegated, meaning it is not currently part of the public DNS. The table also shows the manager of each TLD — typically the organization or registry responsible for its operation — and the corresponding DNS magnitude value.

While the top 10 TLDs include stalwarts such as .com/.net/.org and ccTLDs that have been commercially repurposed, such as .io/.co/.tv, the TLD at the top of the list may be a bit surprising: .su.

This TLD was delegated for the Soviet Union back in 1990, but its use waned after the dissolution of the USSR, with constituent republics becoming independent and using their own dedicated ccTLDs. (ICANN reportedly plans to retire .su in 2030.) Looking at a single day’s worth of data, the .su TLD does not rank #1 by unique networks. However, over a longer period of time, such as seven days, it sees queries from more unique networks than other TLDs, placing it atop the magnitude list. Further analysis of the top hostnames observed within this TLD suggests that they are mostly associated with a popular online world-building game. Interestingly, over half of the queries for .su domains come from the United States, Germany, and Brazil.

The new TLD section also offers dedicated pages for individual TLDs. By clicking on a TLD in the DNS Magnitude table or searching for a TLD in the top search bar, users can access a page with detailed insights and information about that TLD. It’s important to note that while non-delegated TLDs are included in the DNS Magnitude ranking, TLD-specific pages are only available for delegated TLDs. The list of delegated TLDs, along with their type and manager, is sourced from the IANA’s Root Zone Database.

When a user enters an individual TLD page, they see two main cards. The first card provides general information about the TLD, including its type, manager, DNS magnitude value, DNSSEC support, and RDAP support. DNSSEC support is determined by checking whether the TLD has a Delegation Signer (DS) record in the root zone. We also parse the record to get the associated DNSSEC algorithm. RDAP support is indicated if the TLD is listed in the IANA RDAP bootstrap file. RDAP (Registration Data Access Protocol) is a new standard for querying domain contact and nameserver information for all registered domains.

The second card contains WHOIS data for the TLD, including its creation date, the date of the last update, and the list of nameservers. If the TLD is supported by Cloudflare Registrar, an additional card appears, giving users direct access to registration options. As of today, Cloudflare Registrar supports over 400 TLDs.

Below these cards, the page features the DNS query volume section, which presents insights based on queries to Cloudflare’s 1.1.1.1 resolver for domains under the TLD. This section includes a chart showing DNS queries over the selected time period, along with a donut chart breaking down queries by type, response code, and DNSSEC support. A choropleth map further illustrates the percentage of DNS queries by country, highlighting which regions generate the most queries for domains under the TLD.

Each individual TLD page also includes a Certificate Transparency section, offering visibility into TLS/SSL certificate issuance for the TLD. This section displays a line chart showing the total number of certificates issued over the selected period, as well as a donut chart depicting the distribution of certificate issuance among the top Certificate Authorities.

When we launched the DNS page earlier in 2025, we provided query volumes by TLDs, but this was limited to ccTLDs. Today, we’re extending that dataset to include all delegated TLDs. With these new insights, we’ve added the “Top-level domain distribution” section to the DNS page, featuring a line chart that shows the distribution of queries to 1.1.1.1 across the top 10 TLDs, alongside a table extending this ranking to the top 100. Not surprisingly, .com tops the ranking with more than 60% of queries, followed by .net, .arpa (an infrastructure TLD), and .org.

It is also worth noting that both Radar search and the API support both punycode (A-Label/ASCII-Label) and internationalized domain name (IDN) (U-Label/UNICODE-Label) representations of non-ASCII TLDs. For example, the U-Label representation of the South Korean TLD .kr is written as 한국 and the A-Label representation is xn--3e0b707e.

Because TLDs are a foundational component of the Domain Name System, it is critical that the associated name servers are highly performant. Based on billions of daily queries to these name servers, we plan to add insights into their performance to Radar’s TLD pages in 2026. These insights will provide TLD managers with an external perspective on query responsiveness, and will give developers and site owners a perspective on the potential impact of the performance of the associated TLD name servers as they look to register new domain names.

The underlying data for these new TLD pages is available via the API and can be interactively explored in more detail using Radar’s Data Explorer and AI Assistant. And as always, Radar and Data Assistant charts and graphs are downloadable for sharing, and embeddable for use in your own blog posts, websites, or dashboards.

If you share our TLD charts and graphs on social media, be sure to tag us: @CloudflareRadar (X), noc.social/@cloudflareradar (Mastodon), and radar.cloudflare.com (Bluesky). If you have questions or comments, or suggestions for data that you’d like to see us add to Radar, you can reach out to us on social media, or contact us via email.

Transferring your domains to a new registrar isn’t something you do every day, and getting any step of the process wrong could mean downtime and disruption. That’s why this Speed Week we’ve prepared a domain transfer checklist. We want to empower anyone to quickly transfer their domains to Cloudflare Registrar, without worrying about missing any steps along the way or being left with any unanswered questions.

• Confirm you want to use Cloudflare’s nameservers: We built our registrar specifically for customers who want to use other Cloudflare products. This means domains registered with Cloudflare can only use our nameservers. If your domain requires non-Cloudflare nameservers then we’re not the right registrar for you.

• Confirm Cloudflare supports your domain’s TLD: You can view the full list of TLDs we currently support here. Note: We plan to support .dev and .app by mid-July 2023.

• Confirm your domain is not a premium domain or internationalized domain name (IDNs): Cloudflare currently does not support premium domains or internationalized domain names (Unicode).

• Confirm your domain hasn’t been registered or transferred in the past 60 days: ICANN rules prohibit a domain from being transferred if it has been registered or previously transferred within the last 60 days.

• Confirm your WHOIS Registrant contact information hasn’t been updated in the past 60 days: ICANN rules also prohibit a domain from being transferred if the WHOIS Registrant contact information was modified in the past 60 days.

• Gather your credentials for your current registrar: Make sure you have your credentials for your current registrar. It’s possible you haven’t logged in for many years and you may have to reset your password.

• Make note of your current DNS settings: Make note of your current DNS settings: When transferring your domain, Cloudflare will automatically scan your DNS records, but you’ll want to capture your current settings in case there are any issues. If your current provider supports it, you could use the standard BIND Zone File format to export your records.

• Remove WHOIS privacy (if necessary): In most cases, domains may be transferred even if WHOIS privacy services have been enabled. However, some registrars may prohibit the transfer if the WHOIS privacy service has been enabled.

• Disable DNSSEC: You can disable DNSSEC by removing the DS record at your current DNS host and disabling DNSSEC in the Cloudflare dashboard.

• Renew your domain if up for renewal in the next 15 days: If your domain is up for renewal, you’ll need to renew it with your current registrar before initiating a transfer to Cloudflare.

• Unlock the domain: Registrars include a lightweight safeguard to prevent unauthorized users from starting domain transfers – often called a registrar or domain lock. This lock prevents any other registrar from attempting to initiate a transfer. Only the registrant can enable or disable this lock, typically through the administration interface of the registrar.

• Sign up for Cloudflare: If you don’t already have a Cloudflare account, you can sign up here.

• Add your domain to Cloudflare: You can add a new domain to your Cloudflare account by following these instructions.

• Add a valid credit card to your Cloudflare account: If you haven’t already added a payment method into your  Cloudflare dashboard billing profile, you’ll be prompted to add one when you add your domain.

• Review DNS records at Cloudflare: Once you’ve added your domain, review the DNS records that Cloudflare automatically configured with what you have at your current registrar to make sure nothing was missed.

• Change your DNS nameservers to Cloudflare: In order to transfer your domain, your nameservers will need to be set to Cloudflare.

• (optional) Configure Cloudflare Email Routing: If you’re using email forwarding, ensure that you follow this guide to migrate to Cloudflare Email Routing.

• Wait for your DNS changes to propagate: Registrars can take up to 24 hours to process nameserver updates. You will receive an email when Cloudflare has confirmed that these changes are in place. You can’t proceed with transferring your domain until this process is complete.

• Request an authorization code: Cloudflare needs to confirm with your old registrar that the transfer flow is authorized. To do that, your old registrar will provide an authorization code to you. This code is often referred to as an authorization code, auth code, authinfo code, or transfer code. You will need to input that code to complete your transfer to Cloudflare. We will use it to confirm the transfer is authentic.

• Initiate your transfer to Cloudflare: Visit the Transfer Domains section of your Cloudflare dashboard. Here you’ll be presented with any domains available for transfer. If your domain isn’t showing, ensure you completed all the proceeding steps. If you have, review the list on this page to see if any apply to your domain.

• Review the transfer price: When you transfer a domain, you are required by ICANN to pay to extend its registration by one year from the expiration date. You will not be billed at this step. Cloudflare will only bill your card when you input the auth code and confirm the contact information at the conclusion of your transfer request.

• Input your authorization code: In the next page, input the authorization code for each domain you are transferring.

• Confirm or input your contact information: In the final stage of the transfer process, input the contact information for your registration. Cloudflare Registrar redacts this information by default but is required to collect the authentic contact information for this registration.

• Approve the transfer with Cloudflare: Once you have requested your transfer, Cloudflare will begin processing it, and send a Form of Authorization (FOA) email to the registrant, if the information is available in the public WHOIS database. The FOA is what authorizes the domain transfer.

• Approve the transfer with your previous registrar: After this step, your previous registrar will also email you to confirm your request to transfer. Most registrars will include a link to confirm the transfer request. If you follow that link, you can accelerate the transfer operation. If you do not act on the email, the registrar can wait up to five days to process the transfer to Cloudflare. You may also be able to approve the transfer from within your current registrar dashboard.

• Follow your transfer status in your Cloudflare dashboard: Your domain transfer status will be viewable under Account Home > Overview > Domain Registration for your domain.

• Test your site and email: After the transfer is complete, you’ll want to test your site to ensure everything is working properly. If you encounter any issues or have any questions you can always talk with us on our community forums or Discord server.

• Build something new: Perhaps this is a domain that you bought but haven’t launched anything on yet. Now that you’ve transferred it, it’s a great time to build and launch something new on it. You could start a new project built on your favorite frontend framework using C3, build a blog using Nuxt.js and Sanity.io on Cloudflare Pages, or try building your first ChatGPT plugin with Cloudflare Workers.

Everything on the web starts with a domain name. It is the foundation on which a company’s online presence is built. If that foundation is compromised, the damage can be immense.

As part of CIO Week, we looked at all the biggest risks that companies continue to face online, and how we could address them. The compromise of a domain name remains one of the greatest. There are many ways in which a domain may be hijacked or otherwise compromised, all the way up to the most serious: losing control of your domain name altogether.

You don’t want it to happen to you. Imagine not just losing your website, but all your company’s email, a myriad of systems tied to your corporate domain, and who knows what else. Having an attacker compromise your corporate domain is the stuff of nightmares for every CIO. And, if you’re a CIO and it’s not something you’re worrying about, know that we literally surveyed every other domain registrar and were so unsatisfied with their security practices we needed to launch our own.

But, now that we have, we want to make domain compromise something that should never, ever happen again. For that reason, we’re excited to announce that we are extending a new level of domain record protection to all our Enterprise customers. We call it Cloudflare Domain Protection, and we’re including it for free for every Cloudflare Enterprise customer. For those customers who have domains secured by Domain Protection, we will also waive all registration and renewal fees on those domains. Cloudflare Domain Protection will be available in Q1 — you can speak to your account manager now to take advantage of the offer.

It’s not possible to build a truly secure domain registrar solution without an understanding of how a domain gets compromised. Before we get into more details of our offering, we wanted to take you on a tour of how a domain can get compromised.

There are three types of domain compromises that we often hear about. Let’s take a look at each of them.

One of the most serious compromises is an unauthorized transfer of the domain to another registrar. While cooperation amongst registrars has improved greatly over the years, it can still be very difficult to recover a stolen domain. It can often take weeks — or even months. It may require legal action. In a best case scenario, the domain may be recovered in a few days; in the worst case, you may never get it back.

The ability to easily transfer a domain between registrars is vitally important, and is part of what keeps the market for domain registration competitive. However, it also introduces potential risk. The transfer process used by most registries involves using a token to authorize the transfer. Prior to the widespread practice of redacting publicly accessible whois data, an email approval process was also used. To steal a domain, a malicious actor only needs to gain access to the authorization code and be able to remove any domain locks.

Unauthorized transfers start often with a compromised account. In many cases, the customer may have their account credentials compromised. In other cases, attackers use elaborate social engineering schemes to take control of the domain, often moving the domain between registrar accounts before transferring the domain to another registrar.

Name server updates are another way in which domains may be compromised. Whereas a domain transfer is typically an attempt to permanently take over a domain, a name server update is more temporary in nature. However, even if the update can usually be quickly reversed, these types of domain hijacks can be very damaging. They open the possibility of stolen customer data and intercepted email traffic. But most of all: they open an organization up to very serious reputational damage.

Most domain suspensions and deletions are not the result of malicious activity, but rather, they often happen through human error or system failures. In many cases, the customer forgets to renew a domain or neglects to update their payment method. In other cases, the registrar mistakenly suspends or deletes a domain.

Regardless of the reason though: the result is a domain that no longer resolves.

While these are certainly not the only ways in which domains may be compromised, they are some of the most damaging. We have spent a lot of time focused on these types of compromises and how to prevent them from happening.

Like a lot of folks, we’ve long been frustrated by the state of the domain business. And so this isn’t our first rodeo here.

We already have a registrar service — Cloudflare Registrar — which is open to any Cloudflare customer. We make it super easy to get started, to integrate with Cloudflare, and there’s no markup on our pricing — we promise to never charge you anything more than the wholesale price each TLD charges. The aim: no more "bait and switch" and “endless upsell” (which, according to our customers, are the two most common terms associated with the domain industry). Instead, it’s a registrar that you love. Obviously, it’s Cloudflare, so we incorporated a number of security best practices into how it operates, too.

For our most demanding enterprise customers, we also have Custom Domain Protection. Every client using Custom Domain Protection defines their own process for updating records. As we said when we introduced it: “if a Custom Domain Protection client wants us to not change their domain records unless six different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally.”

Yes, it’s secure, but it’s also not the most scalable solution. As a result, we charge a premium for it. As we spoke to our Enterprise customers, however, there was a need for something in between — a Goldilocks solution, so to speak, that offers a high level of protection without being quite so custom.

Enter Cloudflare Domain Protection.

Our approach to securing domains with Domain Protection is quite straightforward: identify the various attack vectors, and design a layered security mode to address each potential threat.

Before we take a look at each security layer, it’s important to understand the relationship between registrars and registries, and how that impacts domain security. You can think of registries as the wholesaler of domain names. They manage the central database of all registered domains within the Top-Level-Domain (TLD). They are also responsible for determining the wholesale pricing and establishing TLD specific policies.

Registrars, on the other hand, are the retailer of domains and are responsible for selling the domains to the end user. With each registration, transfer, or renewal, the registrar pays the registry a transaction fee.

Registrars and registries jointly manage domain registrations in what’s called the Shared Registration System (SRS). Registrars communicate with registries using an IETF standard called the Extensible Provisioning Protocol (EPP). Embodied in the EPP standard are a set of domain status that can be applied by registrars and registries to lock the domain and prevent updates, deletions, and transfers (to another registrar).

Registrars are able to apply “client” locks, frequently referred to as Registrar Locks. Registries apply “server” locks, also known as Registry Locks. It’s important to note that the registry locks always supersede the registrar locks. This means that the registrar locks cannot be removed until the registry locks have been removed.

Now, let’s take a closer look at our planned approach.

We start by applying the EPP Registrar Locks to the domain name. These are the EPP client locks that prevent domain updates, transfers, and deletions.

We then apply an internal lock that prevents any API calls to that domain from being processed. This lock functions outside of EPP and is designed to protect the domain should the EPP locks be removed, as well as situations where an operation may be executed outside of EPP. For example, in some TLDs the domain contact data is only stored at the registrar and never transmitted to the registry. In these cases, it’s important to have a non EPP locking mechanism.

After the registrar locks are applied, we will request the registry to apply the Registry Locks using a special non-EPP based procedure. It’s important to note that not all registries offer Registry Lock as a service. In some instances, we may not be able to apply this last locking feature.

Lastly, a secure verification procedure is created to handle any future requests to unlock or modify the domain.

Our aim is to make Cloudflare Domain Protection the most scalable secure solution for domains that’s available. We want to ensure that the domains that matter most to our customers — the mission critical, high value domains — are securely protected.

Eligible domains that are explicitly included under a Cloudflare Enterprise contract may be included in our Domain Protection registration service at no additional cost. And, as we mentioned earlier, this will also cover registration and renewal fees — so not only will securing your domain be one less thing for you to worry about, so too will be paying for it.

Interested in applying Cloudflare Domain Protection to your domain names? Reach out to your account manager and let them know you’re interested. Additional details will be coming in early Q1, 2022.

I joined Cloudflare a few weeks ago, and as someone new to the company, there’s a ton of information to absorb. I have always learned best by doing, so I decided to use Cloudflare like a brand-new user. Cloudflare customers range from individuals with a simple website to companies in the Fortune 100. I’m currently exploring Cloudflare from the perspective of the individual, so I signed up for a free account and logged into the dashboard. Just like getting into a new car, I want to turn all the dials and push all the buttons. I looked for things that would be fun and easy to do and would deliver some immediate value. Now I want to share the best ones with you.

Here are my five ways to get started with Cloudflare. These should be easy for anyone, and they’re free. You’ll likely even save some money and improve your privacy and security in the process. Let’s go!

If you’re like me, you’ve acquired a few (dozen) Internet domains for things like personalizing your email address, a web page for your nature photography hobby, or maybe a side business. You probably registered them at one or more of the popular domain name registrars, and you pay around $15 per year for each domain. I did an audit and found I was spending a shocking amount each year to maintain my domains, and they were spread across three different registrars.

Cloudflare makes it easy to transfer domains from other registrars and doesn’t charge a markup for domain registrar services. Let me say that again; there is zero price markup for domain registration with Cloudflare Registrar. You’ll pay exactly what Cloudflare pays. For example, a .com domain registered with Cloudflare currently costs half of what I was paying at other registrars.

Not only will you save on the domain registration, but Cloudflare doesn’t nickel-and-dime you like registrars who charge extra for WHOIS privacy and transfer lock and then sneakily bundle their website hosting services. It all adds up.

To get started registering or transferring a domain, log into the Cloudflare Dashboard, click “Add a Site,” and bring your domains to Cloudflare.

DNS servers do the work of translating hostnames into IP addresses. To put a domain name to use on the Internet, you can create DNS records to point to your website and email provider. Every time someone wants to put a website or Internet application online, this process must happen so the rest of us can find it. Cloudflare’s DNS dashboard makes it simple to configure DNS records. For transfers, Cloudflare will even copy records from your existing DNS service to prevent any disruption.

The Cloudflare DNS dashboard will also improve security on your domains with DNSSEC, protect your domains from email spoofing with DMARC, and enforce other DNS best practices.

I’ve now moved all my domains to Cloudflare DNS, which is a big win for me for security and simplicity. I can see them all in one place, and I’m more confident with the increased level of control and protection I have for my domains.

Once I moved my domains, I was eager to set up a new website. I have been thinking lately it would be fun to have a place to post my photos where they can stand out and won’t get lost in the stream of social media. It’s been a while since I’ve built a website from scratch, but it’s fun getting back to basics. In the old days, to host a website you’d set up a dedicated web server or use a shared web host to serve your site. Today, many web hosts provide ready-to-go templates for websites and make hosting as easy as one click to set up a new site.

I wanted to learn by doing, so I took the do-it-yourself route. What I discovered in the process is an architecture called Jamstack. It’s a bit different from the traditional way of building and hosting websites. With Jamstack, your site doesn’t live at a traditional hosting provider, nor is it dynamically generated from CGI scripts and a database. Your content is now stored on a code repository like GitHub. The site is pre-generated as a static site and then deployed and delivered directly from Cloudflare’s network.

I used a Jamstack static site generator called Hugo to build my photo blog, pushed it to GitHub, and used Cloudflare Pages to generate the content and host my site. Now that it’s configured, there’s zero work necessary to maintain it. Jamstack, combined with Pages, alleviates the regular updates required to keep up with security patches, and there are no web servers or database services to break. Delivered from Cloudflare’s edge network, the site scales effortlessly, and it’s blazingly fast from a user perspective.

By the way, you don’t need to register a domain to deploy to Pages. Cloudflare will generate a pages.dev site that you can use.

For extra credit, have a look at the Cloudflare Workers serverless platform. Workers will allow you to write and deploy even more advanced custom code and run it across Cloudflare’s globally distributed network.

At first, it wasn’t evident to me how I was going to use Cloudflare for Teams. I initially thought it was only for larger organizations. After all, I’m sitting here in my home office, and I’m just a team of one. Digging into the product more, it became clear that Teams is about privacy and security for groups of any size.

We’ve discussed the impressive Cloudflare DNS infrastructure, and you can take advantage of the Cloudflare DNS resolver for your devices at home by simply configuring them to point to Cloudflare 1.1.1.1 DNS servers. But for more granular control and detailed logging, you should try the DNS infrastructure built into the Cloudflare for Teams Gateway feature.

When you point your home network to Cloudflare for Teams DNS servers, your dashboard will populate with logs of all DNS requests coming from your network. You can set up rules to block DNS requests for various categories, including known malware, phishing, adult sites, and other questionable content. You’ll see the logs instantly and can add or remove categories as needed. If you trigger one of the rules, Cloudflare will display a page that shows you’ve hit one of these blocked sites.

Malware can bypass DNS, so filtering DNS is no silver bullet. Think of DNS filtering as another layer of defense that may help you avoid nefarious sites in the first place. For example, known phishing sites sent as URLs via email won’t resolve and will be blocked before they affect you. Additionally, DNS logs should give you visibility into what’s happening on the network and that may lead you to implement even better security in other areas.

There’s so much more to Cloudflare for Teams than DNS filtering, but I wanted to give you just a little taste of what you can do with it quickly and for free.

Finally, let’s discuss the challenge of securing Internet communications on your mobile phones, tablets, and devices at home and while traveling. We know that the SSL/TLS encryption on secure websites provides a degree of protection, but the apps you use and sites you visit are still visible to your ISP and upstream network operators. Some providers sell this data or use it to target you with ads.

If you install the 1.1.1.1 app, Cloudflare will create an always-on, encrypted tunnel from your device to the nearest Cloudflare data center and secure your Internet traffic. We call this Cloudflare WARP. WARP not only encrypts your traffic but can even help accelerate it by routing intelligently across the Cloudflare network.

WARP is a compelling VPN replacement without the risks associated with some shady VPN providers who may also want to sell your data. Remember, Cloudflare will never sell your data!

The Cloudflare WARP client combined with Cloudflare for Teams gives you enhanced visibility into DNS queries and unlocks some advanced traffic management and filtering capabilities. And it’s all free for small teams.

Hopefully, my exploration of the Cloudflare product portfolio gives you some ideas of what you can do to make your life a little easier or your team more secure. I’m just scratching the surface, and I’m excited to keep learning what’s possible with Cloudflare. I’ll continue to share what I learn, and I encourage you to experiment with some of these capabilities yourself and let me know how it goes.

Today, we are excited to announce that all Cloudflare customers now have full Registrar access, including the ability to register new domains.

Second, starting today — and over the course of the next few weeks — we will be introducing over 40 new top-level domains (TLDs). We’re starting with .uk, our most requested country code extension. Initially, customers will only be able to transfer in existing .uk domains from other registrars, but support for new registrations will become available within the next few weeks. In keeping with our at-cost model, .uk domains will be priced at the wholesale registry fee.

In the domain name world, there are two key players: registrars and registries. Understandably, the two are often confused. One way to look at it is that registries are the wholesalers and registrars are the retailers. Registries host the centralized database of registered domains within a TLD. They are responsible for establishing the policies and business rules for the TLD. They also set the wholesale price. Registrars sell domains to end users and manage those registrations on an ongoing basis. They set the retail fee, collect payment, provide customer support, and ensure registrations are renewed and kept up to date. They often provide complementary services such as DNS, web hosting, and email.

There are various “types” of registrars. Retail registrars primarily sell to SMBs and individuals. Corporate registrars typically provide services to large enterprises, and often offer brand protection and monitoring services. There are also registrars that focus on the reseller market, essentially enabling other companies to act as domain resellers.

Registrars typically interact with registries using a standard protocol called the Extensible Provisioning Protocol (EPP). While EPP is well-defined in various RFCs, each registry often has its own flavor and uses protocol extensions in support of their specific policies.

Cloudflare has operated a registrar for many years. Initially, we became a registrar solely to manage and protect our own mission-critical domains. Over time, we began offering highly secure registration services to some of our customers as well. This evolved into our Custom Domain Protection service. This was a high-end niche service for customers with very specific needs. As we learned more about the registrar space, however, we wanted to expand this service to everyone. We believed that we could provide a highly secure, privacy-focused, and cost-effective registrar for everyone. So, in 2018 we announced the launch of Cloudflare Registrar.

There are two ways to have Cloudflare handle your domain registration: through the registration of a brand-new domain or through the transfer of an existing domain from another registrar. Unlike many new registrars starting from scratch, we had a large and sophisticated customer base. Our customers were already using our DNS services for domains they had registered through other registrars. So, we initially focused on helping them transfer existing domains to Cloudflare. At the time, we estimated that if our customers transferred all of their domains to us, they would collectively save over $50 million per year in registration fees.

And we’ve done just that. Since our launch in 2018, we have transferred in hundreds of thousands of domains. Collectively, it’s saved our customers millions of dollars in annual registration fees.

In 2020, new registrations were launched in beta. Access was first provided to our Biz, Pro, and Enterprise customers by default, and then over the following months we enabled several thousand additional customers who had previously expressed interest.

Part of the reason why we launched our beta for new registrations was the excitement we saw around new domain registrations. Though we intentionally started only with domain transfers, folks began asking for new domain functionality almost immediately. We heard this initially from customers who hadn’t yet purchased a domain. Since they didn’t have anything to transfer in, they would have to go through the somewhat cumbersome process of registering a new domain with another provider and only then transfer their domain to Cloudflare.

As time went by, however, we began to hear requests from our existing Registrar customers.

After all, domain portfolios are not static. Companies, large and small, are continually updating their domain assets. Whether through the development of new products, expansion into new markets, M&A activities, or brand protection, the ability to register new domain names is vitally important. In Q2 of this year, there were 11.7 million new registrations in .com and .net alone. Cloudflare customers have registered over 2 million new domains through other registrars in the first half of this year alone. And these are just the ones we know about!

Today, we’re excited to open up new registrations to all of our customers. You no longer need to register new domains at another registrar and then transfer those domains to Cloudflare.

Registering a new domain is simple. Log into the Cloudflare dashboard and click Add a Site. In addition to adding an existing domain, you can now register a new one.

Start the registration process by entering the domain name or keyword into the search box, and we’ll provide a suggested list of available domains. After making your selection, you’ll need to select one of the plans (FREE is an option) and provide some basic information. Once you check out, we’ll create the zone and add the domain to your account. The entire process can be completed in less than a minute.

What about pricing? It’s important to note that our registrar pricing is “at-cost.” That means we charge our customers exactly what we pay the registry, plus any applicable ICANN transaction fees. In certain cases, the registry fees are in a currency other than US dollars. In those situations, we convert the price we charge our customer to USD based on the current exchange rate. As the exchange rate changes, we periodically update the USD price — but never more often than once per month.

Beyond registering new domains, we’ve also recognized the need to expand the list of supported TLDs. Our customer base is already highly diverse and becoming even more so all the time. While .com is often considered the “king” of TLDs — especially within the U.S. — that’s not necessarily the case in other countries. Today, there are over 1,500 top-level domains. There are the legacy TLDs like .com, .net, and .org. There are also over 1,000 “new” TLDs such as .online, .live, and .cloud. There’s even .horse! And there are the country code TLDs, such as .uk, .in, and .au. In many areas of the world, the local country code TLD is much more popular than .com.

We believe we owe it to our customers to provide them with domains in the TLDs that work best for them. We have spent much of our effort in support of legacy and new TLDs. Now, we will be turning our focus towards supporting more country code TLDs.

In the coming weeks, you can expect to see us add over 40 new extensions, including .us, .co, .me, and .tv. You can also check out the full list of TLDs we currently support and dates for upcoming launches here.

In the coming months we will be adding even more new extensions, with a focus on country-codes such as .de, .in, .ca, and .au to name just a few. We’re also planning to support premium (non-standard) priced domains, as well as Internationalized Domain Names (IDNs).

It’s just another step on the road to building a better — and more inclusive — Internet. To learn more about Cloudflare Registrar and how to use it, visit our developer documentation.

We announced Cloudflare Registrar in September. We launched the product by making it available in waves to our existing customers. During that time we gathered feedback and continued making improvements to the product while also adding more TLDs.

Staring today, we’re excited to make Cloudflare Registrar available to all of our customers. Cloudflare Registrar only charges you what we pay to the registry for your domain and any user can now rely on that at-cost pricing to manage their domain. As part of this announcement, we’d like to share some insights and data about domain registration that we learned during the early access period.

When you launch your domain to the world, you rely on the Domain Name System (DNS) to direct your users to the address for your site. However, DNS cannot guarantee that your visitors reach your content because DNS, in its basic form, lacks authentication. If someone was able to poison the DNS responses for your site, they could hijack your visitors' DNS requests.

The Domain Name System Security Extensions (DNSSEC) can help prevent that type of attack by adding a chain of trust to DNS queries. When you enable DNSSEC for your site, you can ensure that the DNS response your users receive is the authentic IP address of your domain.

Across the industry, adoption of DNSSEC is abysmal. According to Verisign, 1% of .com domains use DNSSEC; less than 0.8% of .net domains do. Why is adoption so low? It’s inconvenient to enable DNSSEC for a site. Additionally, some registrars charge for the feature. APNIC observed that registrars who charge for DNSSEC see significantly lower adoption.

Cloudflare has made DNSSEC available for free for years, but we could not address the convenience factor until we launched our registrar. While we can create DS records, your registrar has to post them to the registry. Now that Cloudflare is a registrar, in addition to an authoritative DNS provider, we can make it one-click. We announced that feature in January. Since launching, 25% of domains on Cloudflare Registrar now use DNSSEC.

We’re going to keep working to make it even easier to enable for your domains. We want to help our customers reach 100% DNSSEC enablement by removing the need for even a single click.

When you begin a domain transfer to Cloudflare, we ask that you input an auth code that your current registrar provides and that is unique to each domain that you transfer. We use that auth code to send your request to the registry, who manages all domain names for given TLD. The registry confirms that the code is valid and then tells your current registrar to release the domain.

Once your current registrar receives that request, you have two options: manually approve the transfer or wait five days. If you wait five days and do nothing, the transfer will complete. While that might feel easier, we’ve been surprised to see that 62% of transfers were completed by manual approval.

Historically, domains used either country-code TLDs (ccTLDs) or generic TLDs (gTLDs). The generic ones include the 4 extensions behind the world’s most popular domains: .com, .net, .org and .info. In 2005, ICANN began considering adding new top-level domain extensions. In 2012, ICANN started accepting applications from registries, current and prospective, who wanted to manage TLDs. They received 1,930.

Of those 1,930 applications, 1,232 became supported extensions and were classified as new gTLDs (ngTLDs). Today, Cloudflare Registrar supports all 4 legacy gTLDs, 1 ccTLD and 241 ngTLDs. gTLDs continue to represent the vast majority of domains registered with Cloudflare. That distribution is consistent with trends in the domain name industry. We expect that to change a bit as we expand into more ccTLDs.

2,081 different TLDs are represented on Cloudflare and use our authoritative DNS. I imagine that number has grown in the time it took to publish this post. We support 246 TLDs on Registrar today. We know that many of you have domains you want to transfer that use TLDs we do not support currently, particularly amongst ccTLDs. From massive ccTLDs like .uk, to more obscure ngTLDs like .boutique, we’ve received a lot of requests to expand the list. For a reason I don’t understand yet, members of the Cloudflare engineering team own over 2% of all active .horse domains in the world and use them for internal testing projects. We’re working on that one, too, so we can make this page built on Workers return a Yes.

We’re working on it. Most ccTLDs require a unique accreditation and validation flow. We’re working every day to add to that list of supported TLDs, starting with the largest ones on Cloudflare.

Cloudflare Registrar is now available to all users. You can start transferring your domains by following this link here. Have questions? Instructions are available here.

When you launch your domain to the world, you rely on the Domain Name System (DNS) to direct your users to the address for your site. However, DNS cannot guarantee that your visitors reach your content because DNS, in its basic form, lacks authentication. If someone was able to poison the DNS responses for your site, they could hijack your visitors' requests.

The Domain Name System Security Extensions (DNSSEC) can help prevent that type of attack by adding a chain of trust to DNS queries. When you enable DNSSEC for your site, you can ensure that the DNS response your users receive is the authentic address of your site.

We launched support for DNSSEC in 2014. We made it free for all users, but we couldn’t make it easy to set up. Turning on DNSSEC for a domain was still a multistep, manual process. With the launch of Cloudflare Registrar, we can finish the work to make it simple to enable for your domain.

You can now enable DNSSEC with a single click if your domain is registered with Cloudflare Registrar. Visit the DNS tab in the Cloudflare dashboard, click "Enable DNSSEC", and we'll handle the rest. If you are not on Cloudflare Registrar, you can read more about transferring your domain here.

The Domain Name System (DNS) translates a site’s domain name, like cloudflare.com, to the address of the server hosting that site. When users request your website, their browser starts with a DNS query to find that IP address.

The query first asks the Internet root servers to locate the servers responsible for the top-level domain (TLD). In the case of .com, those servers are managed by the registry Verisign. Verisign then finds the authoritative nameservers for that particular domain and requests the IP from them. If you use Cloudflare for your site’s DNS, Cloudflare manages those nameservers and we respond with an anycast IP for your site, which is ultimately returned to your visitor.

DNS assumes each request in that chain can be trusted, but the protocol does not actually verify the response. That presumption leaves the series of requests vulnerable to attack. In that scenario, an attacker poisons the responses for your site with directions to a malicious one. Instead of arriving at your webpage, your visitors are directed to a site that can be used for phishing or other malicious purposes. To solve that problem, a layer is needed to verify that each response can be trusted.

DNSSEC builds that trust by adding cryptographic signatures to each handoff in the relay. Those signatures establish a chain of trust from the authoritative nameservers, through the TLD server, and all the way to the root servers of the Internet. Your visitors’ DNS resolver can validate that the IP address returned for your domain name was provided by the authentic source.

We began advocating for DNSSEC in 2014 and launched beta support in 2015. We’re committed to expanding its adoption on the internet. However, we’ve only been able to provide DNSSEC for your domain when you completed a series of manual actions. To make DNSSEC ubiquitous, we first have to make it easy to enable like we did for one-click SSL.

Historically, enabling DNSSEC required you to generate a DS record from a service like Cloudflare, copy it down, and then save it to your registrar so they could send it to your registry. That’s tedious. We can now remove those steps for you. When Cloudflare is your registrar, we can automatically apply DNSSEC through our support for CDS and CDNSKEY.

Instead of asking you to save the records yourself, Cloudflare Registrar automatically scans available DS records (and validates them) for domains that use our nameservers. When we notice that you have DNSSEC enabled, we grab the details and send it to the registry for you.

To turn on DNSSEC, navigate to the DNS tab for your domain in the Cloudflare dashboard. In the DNSSEC card, select “Enable” and that’s it. We’ll handle the rest. Your records will be set in the next 24-36 hours. It’s free, it’s one-click, and it helps secure your site.

If you have started transferring your domain to Cloudflare registrar, you can use the one-click DNSSEC feature as soon as the transfer completes. If you already have DS records for your domain, the domain transfer will protect the DS record and make sure it’s still current after the transfer.

While this feature removes some of the chore to enable DNSSEC, we’re committed to removing any hurdle to making the Internet safer. We’re working on supporting DNSSEC by default for sites on Cloudflare. We have some work to do to reach this goal, but we’re excited to help make DNSSEC the new normal.

Interested in helping us with that work? Visit the Cloudflare jobs page here to join our team.

As an organization, we could choose to celebrate Cloudflare’s birthday in lots of different ways (a press release, a company party, or fun gifts for all our employees). But at Cloudflare, we have a unique birthday tradition: we roll up our sleeves and give our customers and the Internet community a new capability (i.e. a gift) every day of our birthday week.

Some of this past week’s launches have been entirely new offerings, like providing key-value storage across Cloudflare’s global cloud network with Cloudflare Workers KV.  Other birthday week launches help improve the overall Internet ecosystem: the Bandwidth Alliance reduces data transfer charges from major cloud hosts and Cloudflare Registrar reduces the hidden fees typical of many domain registration providers. Other new offerings are focused on improving the Internet’s security and performance and are completely free to use. For example, Encrypted SNI helps fix one of the security holes in the Internet, and our support of the QUIC protocol promises to help make mobile browsing faster.  

We believe the only real way to help build a better Internet is to keep innovating, keep building, and keep launching -- every single day.  In fact, our prelude to this year’s Birthday Week was Crypto Week, a full week dedicated to announcing new technologies that use cryptography to make the Internet better.  No promises, but it is entirely imaginable that in coming years Cloudflare won’t just be celebrating a Birthday Week, but we’ll be launching new capabilities every day of a Birthday Month!

Below is a wrap-up of the capabilities launched this past week.

Cloudflare is fixing one of the core Internet bugs by keeping hostnames private using Encrypted Server Name Indication (SNI). All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled by default. Explore the protection of Encrypted SNI.

Cloudflare is looking forward to the standardization of the new QUIC protocol being developed by the IETF. Applications are being accepted for early access to our test implementation that allows developers to validate their QUIC deployments before supported web browsers become available. Learn more about QUIC.

The Bandwidth Alliance is a group of forward-thinking cloud and networking companies that are committed to discounting or waiving data transfer (also known as bandwidth) fees for shared customers.  Learn how the Bandwidth Alliance reduces costs.

Cloudflare Registrar lets you securely register and manage your domain name with transparent, no-markup pricing that eliminates surprise renewal fees and hidden add-on charges. Be one of the first to buy a domain or transfer your domain to Cloudflare. Register for early access to the Cloudflare Registrar.

Cloudflare Workers KV provides access to a secure low latency key-value store at all 153 Cloudflare data centers. Developers can use Cloudflare Workers and Workers KV to augment existing applications or to build entirely new applications on top of Cloudflare's global cloud network. Workers KV scales seamlessly to support applications serving dozens or millions of users. Explore how Workers KV allows for serverless key-value storage.

Another way we’ll soon be serving the Internet community is by hosting the fourth annual Cloudflare Internet Summit next week at our San Francisco office on Thursday, October 4th. We don’t spend any time talking about Cloudflare at the Internet Summit. Instead we facilitate discussions with the people who inspire and challenge us. The Internet Summit focuses on the future of the Internet and will feature a series of fireside chats, intimate panel discussions, and lively conversations from some of the brightest thought leaders, executives, entrepreneurs, researchers, and operators. Tickets are almost sold out, so register for the Cloudflare Internet Summit now or plan to tune in to our live stream!

Every website, large or small, started with an idea, rapidly followed by registering a domain. Most registrars offer promotions for your initial domain registration and then quietly hike the price with each renewal. What they don’t tell customers is that the price they pay to a registry, for your registration, is set by the registry. In some cases, we’ve found registrars charging eight times the wholesale price for a domain renewal.

Today, we’re launching Cloudflare Registrar, the first domain registrar you can love. Cloudflare Registrar will never charge you more than what we pay to the registry for your domain. No markup and no surprise fees. For eight years Cloudflare has built products that make the internet faster and safer. It's time for us to start where your internet journey starts, your domain.

When you register a domain, you become the owner, or registrant, for that domain for a set period of time. Now that you are the registrant, you can create an authoritative record that tells the world the nameservers for your domain. The domain name system, or DNS, uses those nameservers to direct traffic to the IP address of your server.

When you put your site behind Cloudflare, you change your nameservers at your registry to ones we provide. Once we are responsible for your authoritative DNS, we can deliver the features that make your site faster and safer.

Your registry keeps the authoritative record for your nameservers. Each top-level domain (TLD) has a single registry that is responsible for maintaining those records. For example, .com is a TLD. Verisign is the exclusive registry for .com. As the TLD’s registry, Verisign stores the contact information and the nameservers for every .com domain in the world. As the registrant for a domain, you can tell your domain’s registry which nameservers DNS should use.

So where do registrars fit in this relationship? Domain registrars communicate your ownership, and subsequent changes, of a domain to the registry for that TLD. Registries trust registrars to only accept changes from the domain owner and to accurately convey that information so that the registry can update their record. While there is one registry for every TLD, hundreds of registrars are able to register a domain.

Domain transfers tell your registry that a different registrar can now set those authoritative records for you. The relationship is based on trust. Registries only trust one registrar, at any given time, to make changes on your behalf.

Transferring a domain to a new registrar informs the registry that they should instead trust that new registrar to modify information. The process requires some steps at both your new registrar and the one you are leaving. Each registrar handles transfers a bit differently, but in general they follow a pattern based on rules set by ICANN, the organization responsible for regulating domain registration.

To transfer a domain, you first need to select your new registrar. You will start by inputting the domain you plan to transfer. The new registrar will query your domain settings to see if it is available for transfer.

If you registered or transferred your domain in the last 60 days, you cannot transfer it just yet. Your new registrar will also check to see if your domain is locked at your old registrar.

Registrars include a lightweight safeguard to prevent unauthorized users from starting domain transfers: registrar lock. You might also see it written as domain lock. When enabled, the lock prevents any other registrar from attempting to initiate a transfer.

Only the registrant can enable or disable this lock, typically through the administration interface of the registrar. To proceed with a transfer, you will need to remove this lock if it is enabled.

Next, your new registrar needs to confirm with your old registrar that the transfer flow is authorized. To do that, your old registrar will provide an authorization code to you. You will need to take that to your new registrar who will use it to confirm the transfer is authentic.

When you have completed the steps above, your new registrar can process the transfer. ICANN requires that any transfer also extend the expiration date of your domain by at least one year. That’s one year from your current expiration date, not one year from the date of transfer. For example, if you transfer a domain on October 10, 2018, but it expires on March 10, 2019, your new expiration date will be March 10, 2020.

Just like domain registration, domain renewal pricing is set by the registry. Some registrars charge up to 30 times the price they billed at registration for renewals.

Many registrars thrive by raising renewal rates or adding fees for services you can find for free. However, no registrar has a better method for connecting to a registry. They all follow a standard established twenty years ago. If a company can’t deliver unique value in a space, you shouldn’t have to pay above market rate for those services. Cloudflare Registrar will only charge you what the registries charge us. In a marketplace built on upsell and bait-and-switch, we’re selling domain registration at the wholesale price.

More than ten million sites rely on Cloudflare for performance and security. The majority of those use our free service. We don’t charge anything to add DNSSEC to your site or to rely on us to provide SSL for your site. When we democratize features that help the Internet operate, we can drive costs down further and improve the level of service for all users. Selling domains at the wholesale price pushes back against a group of companies who do the opposite and find every opportunity to charge more for basic features.

Broadcasting the registrant contact information, via the WHOIS service, can invite mountains of spam to your personal addresses. Cloudflare Registrar will be offering personal data redaction on WHOIS, that meets current ICANN guidelines, for free. Your privacy should not come at a markup.

Cloudflare Registrar's supported TLD list can be found here. We're working to expand this selection.

We will be rolling out access to Cloudflare Registrar in stages, based on factors like how long you’ve been a Cloudflare customer. To claim your place in line, sign up for early access here. We’ll show you your position and let you know when you can start transferring domains.

Want to get access earlier? We would like to invite you to donate to Girls Who Code, a nonprofit which works to close the gender gap in the technology industry. By donating through the early access link above, you can support their mission and get access to Cloudflare Registrar earlier.

Sign up for Early Access!

Make sure to claim your spot in line, and then move up, at the link here. Watch your inbox for your invitation to get started. We’ll notify you when it’s time to move to the first registrar you can love.

At launch, you’ll be able to transfer domains that are active in your Cloudflare account. Want to be able to transfer all of your domains? Be sure to start adding them to Cloudflare.

Subscribe to the blog for daily updates on all our Birthday Week announcements.

“I love my domain registrar.” Has anyone ever said this? From before Cloudflare even launched in September 2010, our early beta customers were literally begging us: "Will you please launch a registrar too?!" Today we're doing just that, launching the first registrar we hope you’ll be able to say you love. It's built around three principles: trust, security, and always-fair pricing. And it’s available to all Cloudflare customers.

Cloudflare has actually run a registrar for some time. Like many of our best products, it started by solving an internal issue we had. Cloudflare has several mission-critical domains. If the registration of these domains were ever compromised, it would be, in a word, bad.

For years, we worked with our original domain registrar to ensure these domains were as locked down as possible. Unfortunately, in 2013, a hacker was able to compromise several of the systems of the registrar we used and come perilously close to taking over some of our domains.

That began a process of us looking for a better registrar. Unfortunately, even the registrars that charge hefty premiums and promise to be very secure turn out to have pretty lousy security. We ultimately decided the only way to get the level of security we needed was to build a registrar ourselves.

A handful of our customers noticed we had our own registrar and asked us about it. Those conversations turned into our Enterprise Registrar product with Custom Domain Protection for our most security-conscious clients. Every client using Custom Domain Protection defines their own process for updating records. For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally.

That, obviously, doesn't scale. As a result, we charge a significant premium for our Custom Domain Protection product. (If you're interested you can learn more about it here.) Running that, however, has helped us define a set of best practices that we think every registrar should follow. And that got us thinking: can we build a better registrar for everyone?

With a good idea on how to build a more secure registrar we asked our customers what they hated about their current registrar. Two phrases kept coming up: "bait and switch" and “endless upsell.” If you've ever registered a domain, you know the drill. You get a discounted price when you first register, but with each renewal the price soars. In the best cases we've found, it's around two times the original offer. In the worst, it's more than twenty times. It's gross. That’s in addition to the constant upsells for other products that either should be included for free (for example, DNSSEC) or that you just don’t want (for example, worthless trusted site seals).

The thing is, registering a domain is a commodity. There's no meaningful difference between any of the existing mass market registrars. Each top level domain registry (TLDs like .com .org .info .io, etc) sets a wholesale price for registering a domain under them. These prices are known and remain relatively consistent over time. All the registrar does is record you as the owner of a particular domain. That just involves sending some commands to an API. In other words, domain registrars are charging you for being a middle-man and delivering essentially no value to justify their markup. The more we looked at it, the more crazy the whole market looked to us.

The last time we saw a market as messed up as this was when we looked into the market for SSL certificates. Back in 2014, we decided it was crazy that people should have to pay to be encrypted online. During our Birthday Week celebrations that year, we became one of the first services to say that you should get encryption at no extra cost, even on our free plan. Since then there's been an encryption revolution, and we're proud that nearly all forward-thinking services offer SSL for free. If some service you're using still charges you extra to support encryption they’re ripping you off.

Granted, the economics of registering a domain are a bit different, but only a bit. TLDs need to do some work to make sure no two people register the same domain. And it makes sense for there to be some cost to keep someone from just registering every possible combination of characters. But why should registrars charge any markup over what the TLDs charge? That seemed as nutty to us as certificate authorities charging to run a bit of math. When we see a broken market on the Internet we like to do something about it.

Today, on Cloudflare’s 8th birthday, we’re giving all our customers a present: a registrar they can love.

Here's the promise of the Cloudflare Registrar: we'll follow the best possible security practices and offer you the best possible price. What do we mean by that? From the security side, we promise we'll allow you to enable two-factor authentication, we’ll lock your domain registration by default, and automatically enable best-practice security services like DNSSEC.

From the price side it’s even simpler: we promise to never charge you anything more than the wholesale price each TLD charges. That’s true the first year, and it’s true every subsequent year. If you register your domain with Cloudflare Registrar you’ll always pay the wholesale price with no markup.

For instance, Verisign, which administers the .com TLD, currently charges \$7.85 per year to register a .com domain. ICANN imposes a \$0.18 per year fee on top of that for every domain registered. Today, if you transfer your .com domain to Cloudflare, that's what we'll charge you per year: \$8.03/year. No markup. All we're doing is pinging an API, there's no incremental cost to us, so why should you have to pay more than wholesale?

You may be able to find a cheaper price somewhere else under some promotion. But, ultimately, there's a wholesale price that the other registrar must cover so inevitably you know there's going to be a bait and switch — with the price getting jacked up in the future — along with endless upsells.

Cloudflare Registrar will also be offering personal data redaction on WHOIS, that meets current ICANN guidelines, for free. Broadcasting the registrant contact information, via the WHOIS service, can invite mountains of spam to your personal addresses. Like your domain, your privacy should not come at a markup.

You can't actually register a new domain with the Cloudflare Registrar. Not yet. Today, the service is restricted to existing Cloudflare customers transferring their existing domains to us. If you’ve had trouble transferring domains before, just wait: we’ve made the process extremely smooth and easy.

We anticipate there's going to be quite a bit of demand, so we’ll be rolling invitations out slowly to make sure we provide a terrific transition experience. To claim your place in line, you need to be a Cloudflare customer and sign up for Early Access (Domain Transfer is now GA, new domains coming soon). Invitations will then go out over the next few weeks based on loyalty: the longer you've used Cloudflare, the sooner you'll get your invitation. Just our way of thanking our most loyal customers and helping them save money on their domain registration fees.

One twist: we’re providing another way to jump to the front of the queue. Just as we want to thank and reward our most tenured customers, we also want to help support those organizations that are attempting to make a meaningful difference in our industry.  One such organization is Girls Who Code, which aims to help close the gender gap in the technology industry.  To support this organization’s efforts, we’re inviting customers to make a contribution to Girls Who Code during the Early Access registration process, and those who do will move to the front of our Early Access invitation queue.

We estimate that if every one of our customers moved their domains to the Cloudflare Registrar, they’d save over $50 million per year.

Combined with our Bandwidth Alliance announcement yesterday, we hope the announcements this Birthday Week will save our customers well over $100 million per year they’d been paying for their infrastructure before.

If you're not yet a Cloudflare customer, but you want to use Cloudflare Registrar, we encourage you to sign up for our core service now. We don't prioritize based on how much you pay us — or if you pay us at all — so even new free customers will get a place in the queue.

After we've given existing Cloudflare customers a chance to take advantage of the Cloudflare Registrar, we'll open it up more broadly. At that time, we'll allow new domain registration as well. But, regardless of when you sign up, our promise will always be the same: best security practices at the wholesale registration price. A registrar you can trust, and, we hope, one you can love.

Subscribe to the blog for daily updates on all our Birthday Week announcements.

At CloudFlare, we’ve constructed one of the world’s largest networks purpose-built to protect our customers from a wide range of attacks. We’re so good at it that attackers increasingly look for ways to go around us, rather than go through us. One of the biggest risks for high-profile customers has been having their domain stolen at the registrar.

In 2013, we became intimately familiar with this problem when domains for the New York Times were hijacked and the newspaper’s CTO reached out to us to help get it back. We were able to assist, but the newspaper had its web and email traffic rerouted for hours.

Since the New York Times domain hijack, a number of other sites have had their domains stolen. We ourselves have seen multiple attempts to take control of CloudFlare’s registrar account. Thankfully, none have been successful—but some have gotten closer than we were comfortable with. Given the risk, we began looking for a registrar with security protocols that we could trust.

In the early days of the Internet, domain registration was free. As the Internet began to take off, demand for domain registrations exploded. In 1993, unable to keep up with demand, InterNIC (the quasi-governmental organization that had handled the global registry of domain names) transferred responsibility for the registry to a private company called Network Solutions.

Originally, Network Solutions continued to provide domain registration free of change while they managed the registry. In 1995, however, InterNIC authorized the company to collect a $100 fee for each two-year registration. This effectively divided the services Network Solutions provided in half:

• Registry: The part that managed the global list of domains.

• Registrar: The part that allowed individuals and organizations to add domains to the list.

By 1998, there was significant pressure to create a competitive market for registrars. Network Solutions was forced to amend their contract to allow multiple registrars to add domains to the global registry. On November 30, 1999, the new system launched with multiple registrars competing largely on price. The price of domain registrations dropped rapidly over the next ten years. Today, most registrars are volume operations. While this has democratized domain registration, it has done little to incentivize investment in high-security systems.

There are a couple of registrars that have tried to differentiate themselves with security services. Generally, their primary business is not security; It’s something else, like intellectual property theft detection. In our search for a high-security registrar for CloudFlare’s domains, we didn’t find any that met our standards. And, it’s worth noting, the New York Times was using one of the supposedly security-focused registrars when their domain was hijacked.

Domain hijacking at the registrar works by tricking the registrar into changing the nameservers or title information associated with a domain. The registrar pushes that change up to the registry, after which the entire Internet treats those changes as authoritative. In the worst cases, attackers can even move the domain to a new registrar, making the recovery process much more difficult.

The fundamental problem of registrar security is that domains are owned by organizations, but the global registrar infrastructure is designed for individuals. For high-profile domains, regular security controls like passwords don’t work because employees (the people that have the passwords) eventually leave, but the domain always stays with the company. In addition, most registrars allow any privileged user to silently remove security settings for the account—there is no two-man rule.

This means anyone with access to your registrar account can hijack your domain and point it to any IP address they want, be it an attacker that compromised your account or a rogue employee. Once a domain hijack occurs, your only recourse is to appeal to your registrar (and, if the attacker managed to switch registrars, the registrar that now controls the domain) and hope they do the right thing. If that doesn’t work, you’re stuck filing a legal complaint directly with ICANN. That process can take anywhere from weeks to months, all the while, visitors to your domain are being directed to a web server that you don’t control.

The solution is a high-touch, offline-only change policy. When setting out to find a secure registrar, we defined the following security requirements:

• Consistent use of Registrar Lock

• Consistent use of Registry Lock

• Multi-user, offline confirmation for all DNS changes

• Two-factor authentication enforced for all registrant accounts

• Support for DNSSEC

Many registrars support Registrar Lock, which prevents the registry from altering information unless the lock is explicitly removed. The problem is, if an attacker compromises your registrar account, they can unlock it and make whatever changes they want.

Registry Lock prevents changes by any registrar until the lock is removed. Unlocking at the registry level requires out-of-band communication between the registrar and Verisign (the global registry operator for several top-level domains), and is thus very manual. Since most registrars are volume operations, it’s very difficult to find one that takes the time to literally pick up the phone and call Verisign every time someone makes a change to their DNS settings.

About a year ago, we came to the conclusion that the only way we would find a registrar that met our security standards was to become one ourselves. So, that’s what we did. Today, all of CloudFlare’s critical domains are registered through our own ICANN accredited registrar. Any changes rely on a strict change control process.

Today, we are opening CloudFlare Registrar to our enterprise-level customers. The service is available to all enterprise customers that care about the highest level of domain registrar security. The first users of our domain registrar service include dwolla.com and nasdaqprivatemarket.com.

CloudFlare Registrar automatically implements both registrar and registry locks in order to restrict unauthorized changes to domains. We lock domains to CloudFlare’s DNS and require two-factor authentication to be implemented on any CloudFlare Registrar account.

Before any transfers are made, we require both online and offline confirmation from multiple independent sources. And, we can customize the authorization process in order to integrate with our customers’ change control systems. For example, if your organization requires separate authorized users from your security, engineering, and legal departments to approve a domain transfer, CloudFlare Registrar can do that.

In addition, we will automatically renew all CloudFlare Registrar domains when they have less than one year left on their registration term. This means the domains will never expire, no matter what.

CloudFlare Registrar protects domains from being hijacked at the registry, but they’re still vulnerable to DNS on-path attacks. Universal DNSSEC adds an additional layer of security by authenticating all DNS queries for your domains with cryptographic signatures. In cases where CloudFlare is both the registrar and the DNS provider of a domain, we can seamlessly deliver DNSSEC. As a result, all CloudFlare Registrar customers will have DNSSEC automatically enabled by default.

Curious about how secure your own domains are? Check out our domain and registrar security tool that grades your domain against 5 best practices: Registry Lock, Registrar Lock, Role Accounts, generous expiration windows, and DNSSEC.

CloudFlare Registrar is not designed for the masses. There are plenty of great mass-market registrars. However, if you’re an organization where losing your domains would be a front-page story, then CloudFlare Registrar is for you.

If you’re an existing CloudFlare enterprise customer, contact your Dedicated Account Manager to get started with CloudFlare Registrar. If you’re not yet a CloudFlare customer, get in touch with our sales team, and we can help you fully lock down your domains.