DNS and Proxy Configuration Guide
This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications.
If you're using Cloudflare, check out our dedicated Cloudflare DNS Configuration Guide for step-by-step instructions specific to Cloudflare's interface and features.
DNS Configuration​
DNS records for Zerops services can be configured in two main ways:
- With Proxy: Routes traffic through proxy services, providing additional security and performance features (recommended for DDoS protection)
- Without Proxy (DNS Only): Direct connection to your Zerops service's IP address
DNS allows you to set two records based on IP address type:
- A record for IPv4 - Zerops offers either a free shared IPv4 or a paid dedicated IPv4
- AAAA record for IPv6 - Zerops provides a free dedicated IPv6
With Proxy​
IPv6 only​
Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for both IPv4 and IPv6 users.
Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
Dedicated IPv4​
Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
Shared IPv4 (valid but NOT recommended)​
It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use IPv6 only setup instead.
Without Proxy​
Shared IPv4​
Adding AAAA record is essential for shared IPv4 configuration as it serves as a security measure to prevent unauthorized domain claims.
Dedicated IPv4​
Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
IPv6 only​
This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
Wildcard Domain Configuration​
Zerops supports wildcard domains (*.<your-domain>) that allow routing all subdomains to your project.
DNS Configuration​
Method A: Direct configuration of A and AAAA records​
Configure wildcard DNS records following the same patterns described in the DNS Configuration section, using *.<your-domain> in the Name field:
Method B: Using a CNAME record​
First configure A and AAAA records for your main domain (<your-domain>), then set up a CNAME record:
Certificate Validation​
For proper HTTPS certificate functionality with wildcard domains, configure:
This record enables Zerops to issue and verify a wildcard certificate for your domain.
Higher-Level Wildcard Subdomains​
You can also set up higher-level wildcard subdomains like *.<subdomain>.<your-domain>:
Method A: Direct configuration​
Method B: Using a CNAME record​
or
For certificate validation:
Combining Main Domain and Wildcard Domain​
To use both <your-domain> and *.<your-domain>, specify both variants in your Zerops configuration. Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
Validation Steps​
Test your configuration:
Troubleshooting Guide​
-
DNS Resolution Issues
- Confirm correct record configuration
- Verify proxy status settings
- Check IPv6 address accuracy
- Allow time for DNS propagation (typically 5-10 minutes)
-
Connection Problems
- Test both IPv4 and IPv6 connectivity
- Check proxy server status if applicable
- Confirm port configurations
-
Certificate Issues
- Verify proper _acme-challenge CNAME configuration for wildcard domains
- Check that DNS records match the domains configured in Zerops
- Provider-specific certificate problems: Consult your DNS provider's documentation for SSL/TLS configuration requirements
Technical Background​
Understanding Shared IPv4 Addresses​
Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
- When a visitor makes a request, it first arrives at the shared IPv4 address
- The system looks at the domain name in the request (using SNI - Server Name Indication)
- For security, it checks if this domain properly resolves to your project's IPv6 address
- Only if IPv6 address matches your project will the traffic be routed correctly
This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
Certificate Verification Methods​
When issuing SSL/TLS certificates, different verification methods are used depending on the certificate type:
HTTP-01 vs DNS-01 Verification​
-
Regular certificates (for a single domain like
<your-domain>) are typically issued using the HTTP-01 challenge method. This verification checks that you control the domain by placing a specific file at a specific URL. -
Wildcard certificates (for domains like
*.<your-domain>) must be issued using the DNS-01 challenge method. This method requires creating specific TXT records in your DNS configuration.
How Zerops Handles Wildcard Certificate Verification​
Zerops simplifies the DNS-01 challenge process:
- You create a CNAME record (e.g.,
_acme-challenge.<your-domain> CNAME <your-domain>.zerops.zone) - When a certificate needs to be issued or renewed, Zerops automatically creates the required TXT records on its
zerops.zonedomain - The certificate authority verifies these TXT records through the CNAME redirection
- Once verified, the wildcard certificate is issued without requiring manual intervention