diff --git a/automation/cloudflared-sync.sh b/automation/cloudflared-sync.sh
index 271a0f0..5e5a19b 100644
--- a/automation/cloudflared-sync.sh
+++ b/automation/cloudflared-sync.sh
@@ -95,3 +95,37 @@ if ! git diff --quiet manifests/cloudflared/values.yaml; then
 else
   echo "ℹ️  No changes to commit."
 fi
+
+# === STEP 5: Create CNAME records in Cloudflare ===
+echo "🌐 Creating CNAME records in Cloudflare..."
+CLOUDFLARE_API="https://api.cloudflare.com/client/v4"
+TARGET="b50bbf48-0a2f-47ce-b73e-336b6718318b.cfargotunnel.com"
+
+# Load required secrets
+: "${CLOUDFLARE_API_TOKEN:?CLOUDFLARE_API_TOKEN not set}"
+: "${CLOUDFLARE_ZONE_ID:?CLOUDFLARE_ZONE_ID not set}"
+
+# Check and create each CNAME
+yq eval '.ingress' "$GENERATED_FILE" | yq eval -o=json '.' - | jq -c '.[]' | while read -r record; do
+  name=$(echo "$record" | jq -r '.hostname' | sed 's/\.dvirlabs\.com//')
+
+  # Check if already exists
+  exists=$(curl -s -X GET "$CLOUDFLARE_API/zones/$CLOUDFLARE_ZONE_ID/dns_records?type=CNAME&name=$name.dvirlabs.com" \
+    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json" | jq '.result | length')
+
+  if [ "$exists" -eq 0 ]; then
+    echo "➕ Creating CNAME: $name.dvirlabs.com → $TARGET"
+    curl -s -X POST "$CLOUDFLARE_API/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
+      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+      -H "Content-Type: application/json" \
+      --data "{
+        \"type\": \"CNAME\",
+        \"name\": \"$name\",
+        \"content\": \"$TARGET\",
+        \"ttl\": 1,
+        \"proxied\": true
+      }" > /dev/null
+  else
+    echo "⚠️  CNAME for $name.dvirlabs.com already exists, skipping"
+  fi
+done