Update enforce-dns-only.mdx

smittal123 · web-flow · commit 4a30102adaa0 · 2026-05-05T12:29:32.000-07:00
Updating enforce dns only devdocs for different zone types.
diff --git a/src/content/docs/dns/proxy-status/enforce-dns-only.mdx b/src/content/docs/dns/proxy-status/enforce-dns-only.mdx
@@ -29,6 +29,18 @@ Enabling this setting exposes your origin IP addresses and removes all Cloudflar
 Due to DNS caching by recursive resolvers, the transitions from proxied to DNS-only and back may not be instantaneous. Since all proxied records have a TTL of **Auto**, this value (five minutes by default) determines how long resolvers may continue to serve Cloudflare's anycast IPs or your origin IP addresses.
 :::
 
+## Zone types
+
+Enforce DNS-only works across all zone setup types:
+
+- [Full setup](/dns/zone-setups/full-setup/): All proxied records in the zone are affected.
+- [Partial (CNAME) setup](/dns/zone-setups/partial-setup/): All proxied records in the zone are affected.
+- [Secondary zones](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/): If [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) is enabled and you have manually set a record's proxy status to proxied, that record will be affected. Records transferred from the primary with their original proxy status are not affected since they are already DNS-only.
+
+:::note
+For secondary zones with overrides enabled, the enforce DNS-only setting will grey-cloud any record you have manually proxied. The proxy status override persists until the record is deleted on the primary and transferred again — changes to content or TTL on the primary do not reset the override.
+:::
+
 ## Preparation
 
 Before relying on enforce DNS-only as part of your incident response plan, you should:
