diff --git a/modules/01-networking/cloudflared-tunnel/main.tf b/modules/01-networking/cloudflared-tunnel/main.tf
index 99d83d8..c0c083a 100644
--- a/modules/01-networking/cloudflared-tunnel/main.tf
+++ b/modules/01-networking/cloudflared-tunnel/main.tf
@@ -26,16 +26,21 @@ resource "cloudflare_zero_trust_tunnel_cloudflared" "this" {
 }
 locals {
+ // Filter services to only include those that should be published via tunnel
+ tunnel_services = [
+ for service in var.service_definitions :
+ service if length(service.subdomains) > 0 && (service.publish_via == "tunnel" || service.publish_via == "both")
+ ]
+
 // Transform service definitions into ingress rules format, only for services with ingress_enabled
 service_ingress_rules = flatten([
- for service in var.service_definitions :
- // Only process services with subdomains AND where ingress is enabled (or default to true for backward compatibility)
- (length(service.subdomains) > 0) ? [
+ for service in local.tunnel_services :
+ [
 for subdomain in service.subdomains : {
 hostname = "${subdomain}.${var.domain}"
 service = service.endpoint
 }
- ] : []
+ ]
 ])
 // Combine manual ingress rules and service-generated ones
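Review bot: The predicate on the new `tunnel_services` local treats a null `publish_via` as "not published", so any existing service definition that sets `subdomains` but not `publish_via` (the attribute is added in variables.tf without a default) silently drops out of `service_ingress_rules` on the first apply — and, since the DNS records are built from `local.all_ingress_rules`, its CNAME goes with it; the comment being removed here explicitly promised the opposite default. If that cutover is intended it should be stated in the commit description; otherwise keep the old behaviour with `publish_via = optional(string, "tunnel")` in variables.tf, or widen the filter to `service if length(service.subdomains) > 0 && (service.publish_via == null || service.publish_via == "tunnel" || service.publish_via == "both")`. The retained context comment `// Transform service definitions into ingress rules format, only for services with ingress_enabled` refers to an `ingress_enabled` attribute that `service_definitions` does not have; suggest `// One ingress rule per subdomain of each tunnel-published service (see local.tunnel_services)`. The `locals` block continues past the end of the hunk.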
@@ -67,21 +72,18 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "this" {
 }
 }
-// Create DNS record for each service
-resource "cloudflare_record" "service" {
- for_each = {
- for rule in local.all_ingress_rules : rule.hostname => rule
- if rule.hostname != null && rule.hostname != ""
- }
-
+module "dns_records" {
+ source = "../../10-services-generic/cloudflare-dns"
 zone_id = var.cloudflare_zone_id
- name = split(".", each.value.hostname)[0] // Extract subdomain
- content = "${cloudflare_zero_trust_tunnel_cloudflared.this.id}.cfargotunnel.com"
- type = "CNAME"
- proxied = true
+ hostnames = [
+ for rule in local.all_ingress_rules :
+ rule.hostname if rule.hostname != null && rule.hostname != ""
+ ]
+ target_content = "${cloudflare_zero_trust_tunnel_cloudflared.this.id}.cfargotunnel.com"
+ record_type = "CNAME"
+ proxied = true
 }
-// Set up the Docker container
 locals {
 container_name = var.container_name != "" ? var.container_name : "cloudflared-${var.tunnel_name}"
 image_tag = var.image_tag != "" ? var.image_tag : "latest"
diff --git a/modules/01-networking/cloudflared-tunnel/outputs.tf b/modules/01-networking/cloudflared-tunnel/outputs.tf
index 307a0c4..9246905 100644
--- a/modules/01-networking/cloudflared-tunnel/outputs.tf
+++ b/modules/01-networking/cloudflared-tunnel/outputs.tf
@@ -21,11 +21,6 @@ output "cname_target" {
 value = "${cloudflare_zero_trust_tunnel_cloudflared.this.id}.cfargotunnel.com"
 }
-output "dns_records" {
- description = "Map of created DNS records"
- value = { for k, v in cloudflare_record.service : k => v.hostname }
-}
-
 output "container_name" {
 description = "The name of the Cloudflared tunnel container"
 value = module.cloudflared.container_name
diff --git a/modules/01-networking/cloudflared-tunnel/variables.tf b/modules/01-networking/cloudflared-tunnel/variables.tf
index 7325f3b..e320a3e 100644
--- a/modules/01-networking/cloudflared-tunnel/variables.tf
+++ b/modules/01-networking/cloudflared-tunnel/variables.tf
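Review bot: Replacing `resource "cloudflare_record" "service"` with `module "dns_records"` changes every CNAME's resource address, and no `moved` block accompanies it, so the next apply plans a destroy-and-create of every service record — depending on ordering that either fails on a duplicate-name conflict at the API or briefly unpublishes each hostname. If the module's inner resource is keyed by hostname as the old `for_each` was, a `moved { from = cloudflare_record.service  to = module.dns_records.cloudflare_record.<resource name used inside the module> }` keeps the state; if its keys differ, the recreation cannot be avoided and should be called out in the commit description. The old map keyed by `rule.hostname` also made two services that share a subdomain fail at plan time with a duplicate-key error, whereas the new `hostnames` list forwards duplicates, and what the module does with them is not visible in this diff (a `count`-based implementation would additionally recreate records on reorder), so I would assert uniqueness here, e.g. a `check` block comparing `length(...)` against `length(distinct(...))` of the same list, rather than rely on the module. The `dns_records` output deleted in outputs.tf has no successor; if the module exposes the created records, re-export them so callers keep that attribution.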
@@ -53,7 +53,8 @@ variable "service_definitions" {
 name = string
 primary_port = number
 endpoint = string
- subdomains = optional(list(string), [])
+ subdomains = optional(list(string), [])
+ publish_via = optional(string)
 }))
 default = []
 }
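Review bot: `publish_via` is added as a free-form `optional(string)` with no validation, while main.tf only recognises the literals `"tunnel"` and `"both"`; a misspelt value is not an error, it just silently removes the service from the tunnel ingress and its DNS record. Failing closed is the right direction for an exposure flag, but it should be diagnosable at plan time, so add a `validation` block on the variable listing the accepted values (extend the list if another module consumes a third value — only these two are visible here) and give the attribute a one-line comment stating that unset means "not published" (or change it to `optional(string, "tunnel")` if the old default-on behaviour is meant to survive). The `variable "service_definitions"` block starts before the hunk; only the tail of its `type` and the `default` are visible.
```hcl
  default = []

  validation {
    condition = alltrue([
      for s in var.service_definitions :
      s.publish_via == null || s.publish_via == "tunnel" || s.publish_via == "both"
    ])
    error_message = "publish_via must be unset, \"tunnel\" or \"both\"."
  }
}
```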