Cloudflare Tunnel subdomain intermittently fails when parent domain is hosted on Active Directory DNS (authoritative zone) #1577

@rewyekha

Description

Summary

We are using Cloudflare Tunnel (cloudflared) to expose an internal application using HTTPS for a small project.
The tunnel works correctly for external / non-domain devices, but fails for Windows domain-joined machines when the parent domain is hosted on Active Directory–integrated DNS.

The setup worked for about a week and then started failing consistently.


Questions

  1. Is Cloudflare Tunnel officially supported when the parent domain is hosted on Active Directory authoritative DNS?
  2. Is DNS delegation of a subdomain (e.g. apps.example.local) the recommended or required design?
  3. Is there any documentation or guidance for AD DNS + Cloudflare Tunnel split-DNS scenarios?

Environment

  • OS (tunnel host): Windows Server
  • Directory: Active Directory
  • DNS: AD-integrated DNS (authoritative zone)
  • cloudflared: latest stable
  • Tunnel type: Named tunnel
  • Cloudflare plan: Free
  • Clients affected: Domain-joined Windows machines
  • Clients working: Mobile devices, non-domain laptops

DNS Setup (sanitized)

  • Internal AD DNS hosts an authoritative zone:

    example.local
    
  • Application is exposed via Cloudflare Tunnel at:

    app.example.local
    
  • Cloudflare DNS correctly routes app.example.local to the tunnel


Observed behavior

External / non-domain devices

✅ Application works consistently

Domain-joined machines

❌ DNS resolution intermittently fails
❌ Sometimes resolves to parent domain
❌ Sometimes returns NXDOMAIN or timeout


Diagnostics

From a domain-joined client

nslookup app.example.local

Example failing output:

Name:    <uuid>.cfargotunnel.com
Address: fd10:xxxx:xxxx::
Aliases: app.example.local

The returned IPv6 address is not reachable from clients.


DNS resolution comparison

Resolve-DnsName app.example.local -Server <AD_DNS_IP>   # timeout / failure
Resolve-DnsName app.example.local -Server 1.1.1.1      # OK
Resolve-DnsName app.example.local -Server 8.8.8.8      # OK

What we have tried

  • DNS forwarders (public resolvers)
  • Root hints
  • Clearing DNS caches (server and clients)
  • Running cloudflared as a service
  • Creating CNAME records in AD DNS pointing to *.cfargotunnel.com
  • Disabling IPv6 on the DNS server

The issue still persists.


Key observation

Because the parent domain is hosted as an authoritative zone in AD DNS, queries for subdomains are not forwarded to public DNS. This appears to conflict with how Cloudflare Tunnel DNS routing is expected to work.

Temporary success seemed to rely on caching behavior, which later expired.


Expected outcome

Clear guidance on a supported and permanent DNS architecture for using Cloudflare Tunnel with Active Directory–hosted domains.
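The following PowerShell script is an added example and is not part of the issue or cloudflared's own tooling. It is meant to be run on the AD DNS server with the DnsServer module and does three things the post circles around: it confirms that a zone hosted as Primary on that server is answered from local zone data (so forwarders and root hints are never consulted for names beneath it, which is why a missing record yields NXDOMAIN), it turns the post's Resolve-DnsName comparison into a per-server, per-record-type check, and, only when invoked with -ApplyDelegation, it delegates a child label of the parent zone to the nameservers that host the public copy of the domain. The zone name, host label, AD DNS address and the nameserver names are placeholders and are assumptions, not values from the post; example.local is the post's sanitized name, and delegating to public nameservers only makes sense when the real parent zone is a public domain that those nameservers actually serve.

```powershell
#Requires -Modules DnsServer
<#
 Added example (not the issue author's code). Run on an AD DNS server.
 All names and addresses below are assumed placeholders; replace them.
#>
param(
    [string]$ParentZone = 'example.local',       # sanitized parent zone, as in the issue
    [string]$HostName   = 'app',                 # the label that fails for domain clients
    [string]$ChildLabel = 'apps',                # subtree to delegate (issue question 2)
    [string]$AdDns      = '10.0.0.10',           # assumed AD DNS server address
    [string[]]$PublicResolvers = @('1.1.1.1', '8.8.8.8'),
    # Assumed: the nameservers that host the public copy of the parent zone
    [string[]]$PublicNameServers = @('ns-a.example-ns.invalid', 'ns-b.example-ns.invalid'),
    [switch]$ApplyDelegation
)

$fqdn = "$HostName.$ParentZone"

# 1. Authority check: a Primary zone is answered from local data only.
function Get-AuthorityStatus {
    param([string]$Zone, [string]$Label)
    $z = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
    if (-not $z) { return "$Zone is not hosted here; queries follow forwarders/root hints" }
    $rr = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Label -ErrorAction SilentlyContinue
    $data = if ($rr) {
        ($rr | ForEach-Object {
            switch ($_.RecordType) {
                'A'     { "A=$($_.RecordData.IPv4Address)" }
                'AAAA'  { "AAAA=$($_.RecordData.IPv6Address)" }
                'CNAME' { "CNAME=$($_.RecordData.HostNameAlias)" }
                default { $_.RecordType }
            }
        }) -join ', '
    } else { 'none (clients receive NXDOMAIN)' }
    return "$Zone is $($z.ZoneType) here (AD-integrated=$($z.IsDsIntegrated)); " +
           "forwarders never see $Label.$Zone; local records: $data"
}

# 2. Resolver comparison: the issue's three Resolve-DnsName lines, per record type,
#    so a CNAME that chases to an unreachable AAAA shows up next to the public answer.
function Compare-Resolution {
    param([string]$Name, [string[]]$Servers)
    foreach ($s in $Servers) {
        foreach ($t in 'A', 'AAAA', 'CNAME') {
            try {
                $ans = Resolve-DnsName -Name $Name -Type $t -Server $s -DnsOnly -ErrorAction Stop
                $txt = ($ans | ForEach-Object { if ($_.IPAddress) { $_.IPAddress } else { $_.NameHost } }) -join ','
                [pscustomobject]@{ Server = $s; Type = $t; Answer = $txt }
            } catch {
                [pscustomobject]@{ Server = $s; Type = $t; Answer = "FAIL: $($_.Exception.Message)" }
            }
        }
    }
}

Get-AuthorityStatus -Zone $ParentZone -Label $HostName
Compare-Resolution -Name $fqdn -Servers (@($AdDns) + $PublicResolvers) | Format-Table -AutoSize

# 3. Delegation: hand "$ChildLabel.$ParentZone" to the public nameservers so that
#    names under it (e.g. app.$ChildLabel.$ParentZone) are resolved there instead
#    of from the local zone. Glue addresses come from a public resolver, and the
#    AD DNS server needs outbound DNS (UDP/TCP 53) to reach them.
if ($ApplyDelegation) {
    $first = $true
    foreach ($ns in $PublicNameServers) {
        $ip = (Resolve-DnsName -Name $ns -Type A -Server $PublicResolvers[0] -DnsOnly -ErrorAction Stop |
               Where-Object IPAddress | Select-Object -First 1).IPAddress
        if ($first) {
            Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel -NameServer $ns -IPAddress $ip
            $first = $false
        } else {
            # Additional NS records for the same delegation point
            Add-DnsServerResourceRecord -ZoneName $ParentZone -Name $ChildLabel -NS -NameServer $ns
        }
    }
    Clear-DnsServerCache -Force
    Compare-Resolution -Name "$HostName.$ChildLabel.$ParentZone" -Servers (@($AdDns) + $PublicResolvers) |
        Format-Table -AutoSize
}
```

After a delegation, domain-joined clients still need their own caches cleared (Clear-DnsClientCache) before the new answer is visible, and any stale entry left under the parent zone for the same label should be removed, since a record in the authoritative zone always wins over the delegation for that exact name. The conditional-forwarder and split-DNS designs are not shown here because the post reports no result for them beyond the CNAME attempt it describes.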
