How to Set Up Subdomains: A Practical Guide for 2026
Learn how to set up subdomains for your website. Our guide covers DNS records (A, CNAME), Cloudflare, wildcard subdomains, and common pitfalls.
You're probably here because you need one of three things working today. A blog on blog.yourdomain.com, an app on app.yourdomain.com, or a staging environment that doesn't collide with your production site. On paper, setting up a subdomain looks simple. In practice, the DNS part is easy and the surrounding details are where people lose time.
That mismatch is why generic registrar tutorials feel incomplete. They show where to click, but they usually skip the parts that matter once you leave the happy path: what record type to choose, when Cloudflare proxying helps, how wildcard subdomains can go sideways, and how to test dev.yourdomain.com locally before you've deployed anything.
A subdomain is just a prefix attached to your main domain. The useful part isn't the syntax. It's the separation. You can give your app, docs, store, regional site, or redirect domain its own routing, hosting, security rules, and deployment process without buying a new domain.
Table of Contents
- Why Subdomains Are Your Website's Secret Weapon
- The Foundation Understanding DNS Records for Subdomains
- Practical Setup at Your Registrar and Host
- Cloudflare Specifics Proxying CNAME Flattening and Security
- Advanced Subdomain Strategies Wildcards and Local Testing
- Putting It All to Work Branded Links with 302.sh
Why Subdomains Are Your Website's Secret Weapon
A company starts with one site. Then different operational demands emerge. The marketing team needs a CMS, the product team ships an app on a different stack, support adopts a hosted help center, and engineering wants preview environments that do not touch production. Subdomains solve that without forcing everything into one platform.
blog.example.com, app.example.com, and help.example.com still look like part of the same brand, but each can point to different infrastructure, follow different deployment rules, and be managed by different teams. That separation is the practical reason subdomains show up so often in growing web setups.

Subdomain versus subdirectory
This distinction affects architecture, not just URLs.
A subdomain is blog.example.com. A subdirectory is example.com/blog.
A subdirectory usually stays tied to the main site's hosting, routing, and deployment process. A subdomain gives you a cleaner boundary. You can point it somewhere else, put it behind different security controls, hand it to another provider, or delegate it to another team. In practice, that flexibility is why teams put an app, docs portal, store, or status page on its own hostname instead of forcing everything under one web server.
Subdomains also become more useful once Cloudflare enters the picture. You can proxy some hostnames, leave others as DNS only, flatten CNAMEs where needed, and isolate risky or experimental services without reshaping the entire domain. Generic registrar tutorials rarely get into that. In production, those details are often the difference between a clean setup and a confusing one.
Where subdomains are most useful
- Product separation: Put the application on
app.example.comand leave the root domain for marketing pages. - Operational isolation: Run
staging.example.comor preview environments without mixing them into the production site. - Regional or team boundaries: Use
us.example.comandeu.example.comwhen ownership, infrastructure, or compliance requirements differ. - Vendor flexibility: Move a blog, docs portal, checkout flow, or hosted support center independently.
- Branded redirects: Use a short subdomain for campaign links. For that use case, this guide to what a vanity URL means is a useful companion.
One trade-off is worth being honest about. Subdomains give you freedom, but they also add DNS records, TLS coverage questions, redirect rules, and more places to misconfigure caching or proxying. They are the right tool when part of the site needs its own boundary. They are overkill when a simple folder on the main site would do the job.
That boundary is what makes subdomains strategically useful. You are deciding where one part of your web presence runs, who controls it, and how isolated it should be from everything else.
The Foundation Understanding DNS Records for Subdomains
DNS is the internet's phonebook, but a more useful mental model is a routing table. A request comes in for blog.example.com, and DNS answers the question, “Where should this name go?”
For most subdomain setups, you only need two record types. An A record points a subdomain directly to a server address. A CNAME record points a subdomain to another hostname, which then resolves further. In day-to-day work, that covers most setups.
According to a discussion on r/sysadmin about creating subdomains, setting up a subdomain is technically “trivial” in DNS management because you usually just create an A or CNAME record for a prefix such as blog or server1.sales. The same discussion notes that the default TTL is typically 1 hour, which controls how long resolvers cache the answer before refreshing.
A record when you know the destination server
Use an A record when you want blog.example.com or app.example.com to point straight at infrastructure you control.
Typical cases include:
- A VPS or dedicated server: Your app server terminates requests for that hostname.
- A load balancer: The subdomain should hit your ingress or reverse proxy.
- A static service with a fixed destination: Less common now, but still valid.
This choice is simple and predictable. It's also less abstract than a CNAME, which makes debugging easier when you're tracing traffic.
CNAME when another service owns the endpoint
Use a CNAME when a platform tells you to point your subdomain at a hostname it manages. Hosted documentation platforms, blog providers, SaaS tools, and redirect services often work this way.
A CNAME is a better fit when:
| Situation | Better choice | Why |
|---|---|---|
| You control the server directly | A record | Fewer moving parts |
| A vendor gives you a target hostname | CNAME | Lets the provider manage the underlying routing |
| You expect the upstream target to change | CNAME | You won't need to update your DNS every time |
Some DNS providers also offer ALIAS or ANAME records. These try to behave like a CNAME while keeping compatibility where plain CNAME rules are restrictive. If your provider offers them, they can be useful, but they're provider-specific. Don't assume they work identically across platforms.
TTL is small but important
TTL matters most when you're changing a record that already exists. A shorter TTL usually means changes are picked up faster after caches expire. A longer TTL reduces repeated DNS lookups.
Practical rule: Leave TTL at the default unless you have a reason to change it. Most mistakes in subdomain setup come from pointing at the wrong place, not from the TTL value.
That's the core of how to set up subdomains at the DNS layer. Pick the record type based on who owns the destination, then make sure the service on the other side is prepared to answer for that hostname.
Practical Setup at Your Registrar and Host
The actual clicks differ between GoDaddy, Namecheap, Cloudflare, and other DNS providers, but the workflow stays the same. You define the subdomain name, choose the record type, add the target, and save.

Working directly in DNS
If your registrar or DNS provider manages records directly, the path is usually:
- Open DNS management for your domain.
- Add a new record.
- Enter only the prefix in the name field, such as
blog,app, orhelp. - Choose the type. Use A for a direct server destination or CNAME for a hostname managed elsewhere.
- Save and wait for propagation.
The practical detail many people miss is the Name field. You usually enter only blog, not the full domain. The provider appends the rest.
Cloudflare exposes a few extra options when you add A, AAAA, or CNAME records, including Proxy status and TTL, which lets you decide whether the record should stay DNS-only or pass through Cloudflare's edge. That's one of the reasons Cloudflare is worth using even if your hosting is elsewhere.
Using cPanel or a hosting panel
If your hosting provider gives you cPanel, Plesk, or a similar control panel, the setup often feels easier because DNS and hosting are linked.
In cPanel, the typical flow is:
- Open the Domains tool
- Click Create A New Domain
- Enter the subdomain
- Submit the form
The useful part is what happens behind the scenes. Hosting panels often create the directory structure and web server mapping for you at the same time. That reduces the chance of DNS pointing at a server that has no idea what to do with the hostname.
Here's a quick walkthrough if you want to see a panel-based setup in action.
Where setups usually break
The common failure mode isn't DNS syntax. It's incomplete hosting configuration.
BigRock's guide notes that failing to assign the subdomain to a specific hosting directory often leads to 404 errors, and it says up to 30% of beginner setups hit this problem because the folder or mapping was never configured (BigRock's subdomain setup guide).
That lines up with what happens in support threads. DNS resolves correctly, but the web server has no document root, no virtual host entry, or no application route for that hostname.
If DNS is correct and you still get a 404, stop editing records for a minute. Check whether the host, folder, or app server is configured for that exact subdomain.
A clean way to troubleshoot is to split the job into two checks:
- DNS check: Does the name resolve where you expect?
- Hosting check: Does the destination server or platform recognize that hostname?
If the first is right and the second is wrong, no amount of waiting for propagation will fix it.
Cloudflare Specifics Proxying CNAME Flattening and Security
Cloudflare changes the job in a useful way. You are no longer only publishing DNS records. You are also deciding whether Cloudflare should sit in front of the subdomain, present the certificate, inspect requests, cache responses, and hide the origin.

DNS only versus proxied
In Cloudflare, the grey cloud means DNS only. The orange cloud means proxied.
That setting matters more than new users expect.
With DNS only, Cloudflare answers DNS queries but does not proxy the traffic. Clients connect straight to your origin or vendor. Use that for mail-related hostnames, service validation records, some SaaS integrations, and anything non-HTTP that should not pass through Cloudflare's web proxy.
With proxied, visitors connect to Cloudflare first. Cloudflare then connects upstream to your server or platform. That is the default choice for a web app, marketing site, docs portal, or status page where you want TLS managed at the edge, optional caching, WAF rules, rate limiting, bot filtering, and origin IP masking.
A practical rule works well here:
- Use DNS only for infrastructure and vendor plumbing.
- Use proxied for browser-facing subdomains, unless the provider explicitly requires direct access.
The trade-off is visibility and control versus compatibility. Proxying gives you more control, but it can break integrations that expect the client to reach the target service directly or verify the exact DNS response.
Where CNAME flattening helps
CNAME flattening solves a specific DNS annoyance. Some platforms want you to point a hostname at another hostname, but standard DNS rules are awkward in a few common cases, especially at the zone apex. Cloudflare can resolve that chain on its side and return an answer that works cleanly for the client.
For subdomains, the benefit is usually operational clarity rather than raw necessity. You can keep the vendor-directed target, keep Cloudflare in front when appropriate, and avoid exposing every alias hop to the requester. That is especially handy on stacks that mix SaaS endpoints, custom hostnames, and Cloudflare proxying.
I treat flattening as a compatibility tool, not magic. It helps when a platform says "point this hostname to ours," but you still want Cloudflare handling delivery and policy at the edge.
If the same subdomain also does redirect work, choose the redirect status carefully. A temporary campaign redirect and a long-term hostname migration should not use the same default. This guide to 301 vs 302 redirects for subdomain redirects is a good reference before you hard-code that behavior.
Security settings that actually matter
The easy mistake is proxying a subdomain and assuming the security job is done. It is not.
Start with TLS mode. If Cloudflare is set to Flexible, traffic between Cloudflare and your origin can stay unencrypted, which is usually the wrong choice for anything beyond a throwaway test. Full or Full (strict) is the safer baseline, with Full (strict) preferred when the origin certificate is valid and under your control.
Then check origin exposure. If a subdomain is proxied but the origin IP is still public and reachable, attackers can bypass Cloudflare and hit the server directly. Lock down the origin where possible so it only accepts traffic from Cloudflare or from your private network path.
WAF rules, rate limits, and bot controls are where Cloudflare starts paying for itself. Apply them per subdomain, not only at the root. An API host, an admin panel, and a public blog have different traffic patterns and should not share one broad rule set.
Delegation and isolation
Subdomains are also a clean way to split ownership. One team can run the root site, another can own status.example.com, and a vendor can manage help.example.com without everyone deploying through the same stack.
That separation is often healthier operationally. Each subdomain can carry its own proxy setting, certificate handling, cache rules, firewall policy, and release cycle.
Cloudflare supports this well, but the design choice matters. Sometimes simple DNS records inside one zone are enough. Sometimes the better answer is actual delegation to another DNS provider or another Cloudflare zone, especially when a team needs independent control and you do not want every change flowing through one account.
Advanced Subdomain Strategies Wildcards and Local Testing
At this point, the easy tutorial ends and actual engineering starts. Two topics get skipped far too often: wildcard subdomains and local development with production-like hostnames.
Wildcard routing needs guardrails
A wildcard subdomain catches requests for many names under one rule, usually written conceptually as *.example.com. That's useful for multi-tenant apps, customer-specific workspaces, event-specific landing pages, and dynamic campaign routing.
It's also easy to misconfigure.
The problem isn't only DNS. A wildcard that points broadly can route requests to the right server while your application, proxy, or redirect logic handles them badly. That creates confusing failures where the DNS layer looks fine, but users land on the wrong tenant, the wrong app, or a fallback page that was never intended for public traffic.
One underserved gap in public guidance is validation beyond the DNS record itself. People set the wildcard, see one hostname work, and assume the whole pattern is safe. It isn't. You need to verify how your ingress, app router, auth logic, and TLS configuration behave across unexpected subdomains too.
Wildcards are powerful when the application enforces the boundary. They're risky when DNS is broad and the app is permissive.
Local testing with real subdomain names
Most guides explain how to set up subdomains in production. Very few explain how to test dev.example.test or app.local.example on your own machine before anything is live.
That gap is real. Verified data provided for this piece notes 1,200+ unresolved questions on Stack Overflow about mapping sub.mydomain.com to localhost ports, and says 34% of indie hackers in recent 2025 GitHub trends use port-based testing like localhost:3000/blog while lacking convenient subdomain aliases.
The practical workaround is old-fashioned but effective. Add a local hostname entry that maps the subdomain you want to test to your loopback address, then configure your local app server or reverse proxy to answer for that hostname. Instead of testing everything on localhost with path hacks, you test against the same host-based routing model you'll use later.
That matters when your app depends on:
- Cookie scope: Hostnames affect how cookies behave.
- OAuth callbacks: Many auth providers care about exact redirect origins.
- Tenant routing: Subdomain-based tenant detection won't show up on a path-based local URL.
- Frontend assumptions: Absolute URLs and CORS rules often behave differently on real hostnames.
For solo builders, this is one of the highest-impact changes you can make. Local subdomain testing feels slightly annoying to wire up once. It saves a lot of “works locally, breaks in staging” cleanup later.
Putting It All to Work Branded Links with 302.sh
A practical first use for a subdomain is a branded link domain. Instead of sending users to a generic shortener, you can route them through something like go.yourbrand.com. It looks cleaner, it's easier to trust, and it keeps campaign links on-brand.
The DNS side is straightforward. You create a dedicated subdomain and point it with a CNAME to cname.302.sh. That gives you a clean separation from your main site while keeping the setup lightweight.

This is also where subdomain discipline matters. If you use wildcards loosely, redirect behavior can become unpredictable. Verified data provided for this article says emerging 2025 Cloudflare data reveals 22% of edge-hosted redirects fail due to wildcard DNS over-assignments, which hurts A/B test reliability for small teams. That's a good reason to keep your redirect subdomain explicit instead of letting a broad wildcard catch everything.
For teams moving from generic shorteners, this guide on how to create a Bitly-style link with your own domain is a practical next step.
The bigger point is that a subdomain gives you a safe container for a focused job. go.example.com can do redirects. app.example.com can run the product. help.example.com can stay on its own stack. That separation is what makes subdomains useful, not just the DNS record itself.
If you want a fast first project after reading this, set up a branded short-link subdomain with 302.sh. You add one CNAME, keep redirects on your own domain, get automatic TLS through Cloudflare, and avoid building redirect infrastructure yourself.