diff --git a/CHANGES b/CHANGES
index 17490a683..c029bd00c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2595,4 +2595,4 @@
 * backups: Add idrive e2
 * Support proxyAuth for proxy app
 * Update addons to use Ubuntu jammy
-
+* cloudflare: add config for default value of proxied
diff --git a/src/dns/cloudflare.js b/src/dns/cloudflare.js
index 043f059d6..0908b2be7 100644
--- a/src/dns/cloudflare.js
+++ b/src/dns/cloudflare.js
@@ -16,6 +16,7 @@ const assert = require('assert'),
 debug = require('debug')('box:dns/cloudflare'),
 dig = require('../dig.js'),
 dns = require('../dns.js'),
+ ipaddr = require('ipaddr.js'),
 safe = require('safetydance'),
 superagent = require('superagent'),
 util = require('util'),
@@ -134,7 +135,13 @@ async function upsert(domainObject, location, type, values) {
 };
 if (i >= records.length) { // create a new record
- debug(`upsert: Adding new record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: false`);
+ // cloudflare will error if proxied is set for wrong record type or IP
+ if (type === 'A' || type === 'AAAA' || type === 'CNAME') {
+ const isUnicast = ipaddr.parse(value).range() === 'unicast';
+ data.proxied = isUnicast ? !!domainConfig.defaultProxyStatus : false; // only set at install time
+ }
+
+ debug(`upsert: Adding new record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`);
 const [error, response] = await safe(createRequest('POST', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records`, domainConfig)
 .send(data));
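Review bot: `ipaddr.parse(value)` in the new-record branch of `upsert` runs for `CNAME` as well as `A`/`AAAA`, and a CNAME target is normally a hostname, which `ipaddr.parse` rejects by throwing. The call is not wrapped in `safe()`, so creating a CNAME record would presumably fail before the POST is sent. Guard the parse and decide CNAME separately, e.g. `const isUnicast = type === 'CNAME' || (ipaddr.isValid(value) && ipaddr.parse(value).range() === 'unicast');`. `value` and `data` are defined outside this hunk, so this assumes `value` is the raw record content. The comment above the check could also say that falling back to `proxied: false` publishes the origin address directly in DNS.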
@@ -243,15 +250,18 @@ async function verifyDomainConfig(domainObject) {
 if (typeof domainConfig.email !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'email must be a non-empty string');
 }
+ if (typeof domainConfig.defaultProxyStatus !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'defaultProxied must be a boolean');
+
 const ip = '127.0.0.1';
- const credentials = {
+ const sanitizedConfig = {
 token: domainConfig.token,
 tokenType: domainConfig.tokenType,
- email: domainConfig.email || null
+ email: domainConfig.email || null,
+ defaultProxyStatus: domainConfig.defaultProxyStatus
 };
- if (process.env.BOX_ENV === 'test') return credentials; // this shouldn't be here
+ if (process.env.BOX_ENV === 'test') return sanitizedConfig; // this shouldn't be here
 const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 }));
 if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain');
@@ -272,5 +282,5 @@ async function verifyDomainConfig(domainObject) {
 await del(domainObject, location, 'A', [ ip ]);
 debug('verifyDomainConfig: Test A record removed again');
- return credentials;
+ return sanitizedConfig;
 }
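Review bot: The new `defaultProxyStatus` check in `verifyDomainConfig` rejects any config that omits the field, while `upsert` reads it as `!!domainConfig.defaultProxyStatus` and so already treats a missing value as false. Callers that predate the field (not visible here) would start getting BAD_FIELD. The error text also names `defaultProxied`, which is not the key being validated. Consider `if ('defaultProxyStatus' in domainConfig && typeof domainConfig.defaultProxyStatus !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'defaultProxyStatus must be a boolean');` and storing `defaultProxyStatus: !!domainConfig.defaultProxyStatus`. The function body starts before this hunk and continues past it.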