DNS Setup

This guide will show you everything you need to get your network pointed to your protected CNAME.

Step 1: Login to your DNS manager

This guide will assume you are using Cloudflare. Login to Cloudflare, and select your desired domain from the home page.

Step 2: Remove existing DNS records pointed to your backend

Once you are on the DNS management page, visually check to see if you have any DNS records lying around that are currently pointed to your current backend. Let's assume in this example your backend is

By "backend" we are referring to the actual IP address that TCPShield is forwarding traffic to. This is typically the IP address your Bungee instance is listening on.

In our makeshift example, we have the following two records that players currently use to connect.

Step 3: Point subdomains to your protected CNAME

Now that we have removed the old subdomains, we are now ready to point our server to TCPShield. Click the "Add record" button at the top of the page (next to search) and you should be presented with something that looks like this. In this example we will be creating a DNS record for the "mc" and "play" subdomains.

Your protected CNAME is found in the top right of the "Domains" page and is specifically made for you.

If you get DNS validation error code 1004, there are still DNS records that exist which you have not removed yet.

After this step, you should be able to connect successfully to your server via TCPShield. To verify your DNS setup is correct, enter your domain name into http://dnschecker.org/ and select "CNAME" and you should get your protected CNAME back.

Aside: Allowing players to login without a subdomain

If you want your players to login to your server without a subdomain, i.e. examplepvp.com ensure you have a wildcard record setup with us (this is typically default). Now, we will go through the process of creating an SRV record such that your players can login directly with your domain name.

First, we need to create a subdomain that our SRV will point to. In this example, follow the steps above but set the name to "tcpshield" and the target to your protected CNAME as normal. Ensure proxy status is off when you create this record.

You should have something that looks like this:

Now, we will create an SRV record such that when players enter examplepvp.com in their client, it will redirect them to tcpshield.examplepvp.com seamlessly. This is fairly straight forward to do, and copying the example below will obtain the desired behavior.

Ensure you remove any other SRVs you may have on your root-level domain before you proceed to this step.

After you fill out the necessary details, click save. You should then be able to login directly with your root-level domain on Minecraft without issues. If you cannot connect right away, give your DNS time to update. If you still cannot connect, there is likely an error with your current DNS configuration or you have stale SRV records lying around that are configured to your root-level domain.

Do not set the "target" on your SRV record to your protected TCPShield CNAME! You will get "Invalid host" in the client as a result. Also, the SRV port MUST BE 25565! The mapping to your port happens on our side, not on DNS side of things.

If you have any other issues or questions regarding to DNS setup, do not hesitate to reach out to our staff. Most DNS configuration issues are typically very trivial to diagnose and resolve. Before you reach out, we would like to encourage you to double check your configuration using https://www.whatsmydns.net to ensure that the DNS records have propagated to the world.

Last updated


Need help?