sfw/fix
Error 1014 high

Cloudflare Error 1014: CNAME Cross-User Banned

A CNAME points to a hostname in a different Cloudflare account, which Cloudflare refuses to resolve by default.

What you see

Error 1014: CNAME Cross-User Banned
You've requested a page on a website that is part of the Cloudflare network.
The host is configured as a CNAME across accounts, which is not allowed.

What’s actually happening

A hostname that CNAMEs to a target on Cloudflare returns this error instead of loading. It shows up the moment you point your record at a SaaS vendor's Cloudflare-hosted hostname, or when two teams keep their domains in separate Cloudflare accounts and one references the other. DNS resolves, but Cloudflare halts the request at the edge because the source and target zones live under different accounts. Same-account CNAMEs work; cross-account ones don't.

Common causes

  • Your CNAME points to a hostname whose zone sits in a different Cloudflare account, and the target hasn't onboarded you via Cloudflare for SaaS.
  • A SaaS provider expects you to set up a custom hostname through their Cloudflare for SaaS flow, but only the DNS CNAME was created.
  • Two business units run separate Cloudflare accounts and one domain CNAMEs to the other's proxied record.
  • An R2 / custom-domain target where the destination zone has a zone hold enabled or is banned.

How to fix it

  1. Use Cloudflare for SaaS on the target sideThe account that owns the target hostname must add your domain as a Custom Hostname under SSL/TLS > Custom Hostnames (Cloudflare for SaaS). Once they provision it, your CNAME to their fallback origin resolves and the 1014 clears. This is the standard fix for the provider-customer case.
  2. Move both records into the same Cloudflare accountIf you control both domains, put the target zone in the same account as the source (or recreate the target record there). CNAMEs within one account aren't restricted, so the cross-user ban no longer applies.
  3. Point at an origin that isn't proxied by another accountChange the CNAME to a hostname that resolves to an IP or to a target not sitting behind a different Cloudflare account — for example the vendor's documented non-Cloudflare endpoint, or a direct A/AAAA record.
  4. For R2/custom domains, clear the zone holdIf the target is an R2 bucket or similar, disable Zone Hold on the destination zone (Manage Account / zone settings). If the zone is banned, resolve any phishing reports and unpaid invoices before contacting Cloudflare support.

Stop it recurring

When integrating a SaaS vendor, complete their Cloudflare for SaaS custom-hostname onboarding before pointing DNS, instead of just creating a raw CNAME.

Related errors

Cloudflare Error 1009: Access Denied — country or region banned

high

A Cloudflare geo rule blocked the visitor's country before the request reached your origin, returning a 403.

Cloudflare Error 1012: Access Denied

high

Cloudflare blocked the visitor's IP or network over detected malicious activity, returning a 403 before the origin.

Google Safe Browsing "Deceptive site ahead" warning

critical

Google Safe Browsing flagged the site for phishing or malware, so Chrome shows a full red interstitial before the page loads.

IP listed on Spamhaus blocklist (DNSBL)

high

Your sending IP is on a Spamhaus DNSBL as a spam source or compromised host, so receiving mail servers reject your messages.