Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

DNS policies

When a user makes a DNS request to Gateway, Gateway matches the request against the DNS policies you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user’s client receives the DNS resolution and initiates an HTTP connection.

A DNS policy consists of an Action as well as a logical expression that determines the scope of the action. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field. You can use And and Or logical operators to evaluate multiple conditions.

When creating a DNS policy, you can select as many security risk categories and content categories as needed to fully secure your network. Unless a more specific selector is configured in a policy (for example, User Email or Source IP), then the policy will be evaluated against all DNS queries that reach Gateway from your organization.

If a condition in an expression joins a query attribute (such as Source IP) and a response attribute (such as Resolved IP), then the condition will be evaluated when the response is received.

​​ Actions

Just like actions in HTTP policies, actions in DNS policies allow you to choose what to do with a given set of elements. You can assign one action per policy.

These are the action types you can choose from:

​​ Allow

API value: allow

Policies with Allow actions allow DNS queries to reach destinations you specify within the Selector and Value fields. For example, the following configuration allows DNS queries to reach domains we categorize as belonging to the Education content category:

Selector Operator Value Action
Content Categories In Education Allow

​​ Disable DNSSEC validation

When you select Disable DNSSEC validation, Gateway will resolve DNS queries even if the cryptographic signature for the DNS record cannot be validated. We do not recommend disabling DNSSEC validation unless you know that the validation failure is due to DNSSEC configuration issues and not malicious attacks.

​​ Block

API value: block

Policies with Block actions block DNS queries to reach destinations you specify within the Selector and Value fields. For example, the following configuration blocks DNS queries from reaching domains we categorize as belonging to the Adult Themes content category:

Selector Operator Value Action
Content Categories In Adult Themes Block

​​ Custom block page

When choosing the Block action, toggle the Display custom block page setting to respond to queries with a block page and to specify the message you want to display to users who go to blocked websites. If disabled, Gateway will respond to blocked queries with 0.0.0.0. For more information, refer to the dedicated documentation on customizing the block page.

​​ Override

API value: override

Policies with Override actions allow you to respond to all DNS queries for a given domain to another destination. For example, you can provide a custom response IP of 1.2.3.4 for all queries to www.example.com with the following policy:

Selector Operator Value Action Override Hostname
Hostname Is www.example.com Override 1.2.3.4

API value: safesearch

SafeSearch is a feature of search engines that helps you filter explicit or offensive content. When you enable SafeSearch, the search engine filters explicit or offensive content and returns search results that are safe for children or at work.

You can use Cloudflare Gateway to enable SafeSearch on search engines like Google, Bing, Yandex, YouTube and DuckDuckGo. For example, to enable SafeSearch for Google, you can create the following policy:

Selector Operator Value Action
Domain Is google.com Safe Search

​​ YouTube Restricted Mode

API value: ytrestricted

Similarly, you can enforce YouTube Restricted mode by choosing the YouTube Restricted action. YouTube Restricted Mode is an automated filter for adult and offensive content built into YouTube. To enable YouTube Restricted Mode, you could set up a policy like the following:

Selector Operator Value Action
DNS Domain Is youtube.com YouTube Restricted

This setup ensures users will be blocked from accessing offensive sites using DNS.

​​ Selectors

Gateway matches DNS traffic against the following selectors, or criteria:

​​ Application

You can apply DNS policies to a growing list of popular web applications. Refer to Application and app types for more information.

UI name API example Evaluation phase
Application any(app.ids[*] in {505}) Before DNS resolution

​​ Authoritative Nameserver IP

Use this selector to match against the IP address of the authoritative nameserver IP address.

UI name API example Evaluation phase
Authoritative Nameserver IP dns.authoritative_ns_ips == 198.51.100.0 During DNS resolution

​​ Content Categories

Use this selector to block domains belonging to specific content categories. When using an Allow or Block action, you can optionally block IP addresses.

UI name API example Evaluation phase
Content Categories any(dns.content_category[*] in {1}) Before DNS resolution

​​ DNS CNAME Record

Use this selector to filter DNS responses by their CNAME records.

UI name API example Evaluation phase
DNS CNAME Response Value any(dns.response.cname[*] in {"www.apple.com.edgekey.net"}) After DNS resolution

​​ DNS MX Record

Use this selector to filter DNS responses by their MX records.

UI name API example Evaluation phase
DNS MX Response Value any(dns.response.mx[*] in {"gmail-smtp-in.l.google.com"}) After DNS resolution

​​ DNS PTR Record

Use this selector to filter DNS responses by their PTR records.

UI name API example Evaluation phase
DNS PTR Response Value any(dns.response.ptr[*] in {"255.2.0.192.in-addr.arpa"}) After DNS resolution

​​ DNS Resolver IP

Use this selector to apply policies to DNS queries that arrived to your Gateway Resolver IP address aligned with a registered DNS location. For most Gateway customers, this is an IPv4 AnyCast address and policies created using this IPv4 address will apply to all DNS locations. However, each DNS location has a dedicated IPv6 address and some Gateway customers have been supplied with a dedicated IPv4 address — these both can be used to apply policies to specific registered DNS locations.

UI name API example Evaluation phase
DNS Resolver IP any(dns.resolved_ip[*] == 198.51.100.0) Before DNS resolution

​​ DNS TXT Record

Use this selector to filter DNS responses by their TXT records.

UI name API example Evaluation phase
DNS TXT Response Value any(dns.response.txt[*] in {"your_text"}) After DNS resolution

​​ DNS Location

Use this selector to apply DNS policies to a specific Gateway DNS location or set of locations.

UI name API example Evaluation phase
DNS Location dns.location in {"location_uuid_1" "location_uuid_2"} Before DNS resolution

​​ DOH Subdomain

Use this selector to match against DNS queries that arrive via DNS-over-HTTPS (DoH) destined for the DoH endpoint configured for each DNS location. For example, a DNS location with a DoH endpoint of abcdefg.cloudflare-gateway.com could be used in a DNS rule by choosing the DoH Subdomain selector and inputting a value of abcdefg.

UI name API example Evaluation phase
DOH Subdomain dns.doh_subdomain == "abcdefg" Before DNS resolution

​​ Domain

Use this selector to match against a domain and all subdomains — for example, if you want to block example.com and subdomains such as www.example.com.

UI name API example Evaluation phase
Domain any(dns.domains[*] == "example.com") Before DNS resolution

​​ Host

Use this selector to match against only the hostname specified — for example, if you want to block test.example.com but not example.com or www.test.example.com.

UI name API example Evaluation phase
Host dns.fqdn == "test.example.com" Before DNS resolution

​​ Indicator Feed

Use this selector to match against custom indicator feeds supplied by designated third-party vendors.

UI name API example Evaluation phase
Indicator Feed dns.indicator_feed Before DNS resolution

​​ Query Record Type

Use this selector to choose the DNS resource record type that you would like to apply policies against — for example, you can choose to block A records for a domain but not MX records.

UI name API example Evaluation phase
Query Record Type dns.query_rtype == "TXT" Before DNS resolution

​​ Resolved Continent

Use this selector to filter based on the continent that the query resolves to. Geolocation is determined from the IP address in the response. To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example Evaluation phase
Resolved Continent IP Geolocation dns.dst.geo.continent == "EU" After DNS resolution

​​ Resolved Country

Use this selector to filter based on the country that the query resolves to. Geolocation is determined from the IP address in the response. To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example Evaluation phase
Resolved Country IP Geolocation dns.dst.geo.country == "RU" After DNS resolution

​​ Resolved IP

Use this selector to filter based on the IP addresses that the query resolves to.

UI name API example Evaluation phase
Resolved IP any(dns.resolved_ips[*] == 198.51.100.0) After DNS resolution

​​ Security Categories

Use this selector to block domains (and optionally, IP addresses) belonging to specific security categories.

UI name API example Evaluation phase
Security Categories any(dns.security_category[*] in {1}) Before DNS resolution

​​ Source Continent

Use this selector to filter based on the continent where the query arrived to Gateway from.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a continent, enter its two-letter code into the Value field:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
UI name API example Evaluation phase
Source Continent IP Geolocation dns.src.geo.continent == "North America" Before DNS resolution

​​ Source Country

Use this selector to filter based on the country where the query arrived to Gateway from.

Geolocation is determined from the device’s public IP address (typically assigned by the user’s ISP). To specify a country, enter its ISO 3166-1 Alpha 2 code in the Value field.

UI name API example Evaluation phase
Source Country IP Geolocation dns.src.geo.country == "RU" Before DNS resolution

​​ Source IP

Use this selector to apply DNS policies to a specific source IP address that queries arrive to Gateway from — for example, this could be the WAN IP address of the stub resolver used by an organization to send queries upstream to Gateway.

UI name API example Evaluation phase
Source IP dns.src_ip == 198.51.100.0 Before DNS resolution

​​ Users

The User, User Group, and SAML Attributes selectors require Gateway with WARP mode to be enabled in the Zero Trust WARP client, and the user to be enrolled in the organization via the WARP client. For more information on identity-based selectors, refer to the Identity-based policies page.

​​ Comparison operators

Comparison operators are the way Gateway matches traffic to a selector. When you choose a Selector in the dashboard policy builder, the Operator dropdown menu will display the available options for that selector.

Operator Meaning
is equals the defined value
is not does not equal the defined value
in matches at least one of the defined values
not in does not match any of the defined values
in list in a pre-defined list of values
not in list not in a pre-defined list of values
matches regex regex evaluates to true
does not match regex regex evaluates to false
greater than exceeds the defined number
greater than or equal to exceeds or equals the defined number
less than below the defined number
less than or equal to below or equals the defined number

​​ Value

You can input a single value or use regular expressions to specify a range of values.

Gateway uses Rust to evaluate regular expressions. The Rust implementation is slightly different than regex libraries used elsewhere. For more information, refer to our guide for Wildcards.

For example, if you want to match multiple domains, you could use the pipe symbol (|) as an OR operator. In Gateway, you do not need to use an escape character (\) before the pipe symbol. The following configuration blocks requests to two hosts if either appears in a request header:

Selector Operator Value Action
Host Matches regex .\*whispersystems.org|.\*signal.org Block

To evaluate if your regex matches, you can use Rustexp.

​​ Logical operators

To evaluate multiple conditions in an expression, select the Add logical operator. These expressions can be compared further with the Or logical operator.

Operator Meaning
And match all of the conditions in the expression
Or match any of the conditions in the expression

The Or operator will only work with conditions in the same expression group. For example, you cannot compare conditions in Traffic with conditions in Identity.