
Update DNS Firewall Cluster

client.DNSFirewall.Edit(ctx, dnsFirewallID, params) (*DNSFirewallEditResponse, error)
PATCH /accounts/{account_id}/dns_firewall/{dns_firewall_id}

Modify the configuration of a DNS Firewall cluster

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
DNS Firewall Write
Parameters
dnsFirewallID string

Identifier.

maxLength: 32
params DNSFirewallEditParams
AccountID param.Field[string]

Path param: Identifier.

maxLength: 32
AttackMitigation param.Field[AttackMitigation] (optional)

Body param: Attack mitigation settings

DeprecateAnyRequests param.Field[bool] (optional)

Body param: Whether to refuse to answer queries for the ANY type

ECSFallback param.Field[bool] (optional)

Body param: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

MaximumCacheTTL param.Field[float64] (optional)

Body param: By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
MinimumCacheTTL param.Field[float64] (optional)

Body param: By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
Name param.Field[string] (optional)

Body param: DNS Firewall cluster name

maxLength: 160
minLength: 1
NegativeCacheTTL param.Field[float64] (optional)

Body param: This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
Ratelimit param.Field[float64] (optional)

Body param: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
Retries param.Field[float64] (optional)

Body param: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
UpstreamIPs param.Field[[]UpstreamIPs] (optional)

Body param

minLength: 1
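
A pre-flight check for the body parameters above, as an added example that is not part of the Cloudflare SDK or of the original page: it enforces the documented bounds before a PATCH is sent and leaves unset fields out of the body. The names EditBody, Validate and Encode are hypothetical, and the JSON keys are taken from the response example on this page on the assumption that the request body uses the same keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// EditBody (hypothetical) uses the JSON keys of this page's response example; nil fields are omitted.
type EditBody struct {
	MinimumCacheTTL  *float64 `json:"minimum_cache_ttl,omitempty"`
	MaximumCacheTTL  *float64 `json:"maximum_cache_ttl,omitempty"`
	NegativeCacheTTL *float64 `json:"negative_cache_ttl,omitempty"`
	Ratelimit        *float64 `json:"ratelimit,omitempty"`
	Retries          *float64 `json:"retries,omitempty"`
	UpstreamIPs      []string `json:"upstream_ips,omitempty"`
}

// Validate returns every violation of the bounds documented on this page.
func Validate(b EditBody) (errs []string) {
	check := func(key string, v *float64, lo, hi float64) {
		if v != nil && (*v < lo || *v > hi) {
			errs = append(errs, fmt.Sprintf("%s=%v outside [%v, %v]", key, *v, lo, hi))
		}
	}
	check("minimum_cache_ttl", b.MinimumCacheTTL, 30, 36000)
	check("maximum_cache_ttl", b.MaximumCacheTTL, 30, 36000)
	check("negative_cache_ttl", b.NegativeCacheTTL, 30, 36000)
	check("ratelimit", b.Ratelimit, 100, 1000000000)
	check("retries", b.Retries, 0, 2)
	if b.UpstreamIPs != nil && len(b.UpstreamIPs) == 0 {
		errs = append(errs, "upstream_ips needs at least one address")
	}
	for _, ip := range b.UpstreamIPs {
		if _, err := netip.ParseAddr(ip); err != nil {
			errs = append(errs, "upstream_ips: not an IP address: "+ip)
		}
	}
	return errs
}

// Encode validates b and returns the JSON body, or an error listing all problems.
func Encode(b EditBody) ([]byte, error) {
	if errs := Validate(b); len(errs) > 0 {
		return nil, fmt.Errorf("invalid DNS Firewall edit: %q", errs)
	}
	return json.Marshal(b)
}

func main() { fmt.Println(Encode(EditBody{UpstreamIPs: []string{"192.0.2.1", "not-an-ip"}})) }
```

Rejecting a malformed upstream address or an out-of-range rate limit locally keeps a typo from reaching the resolver path that protects the upstream nameservers.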
Returns
type DNSFirewallEditResponse struct{…}
ID string

Identifier.

maxLength: 32
DeprecateAnyRequests bool

Whether to refuse to answer queries for the ANY type

DNSFirewallIPs []FirewallIPs
ECSFallback bool

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

MaximumCacheTTL float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
MinimumCacheTTL float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
ModifiedOn Time

Last modification of DNS Firewall cluster

format: date-time
Name string

DNS Firewall cluster name

maxLength: 160
minLength: 1
NegativeCacheTTL float64

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
Ratelimit float64

Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
Retries float64

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
UpstreamIPs []UpstreamIPs
minLength: 1
AttackMitigation AttackMitigation (optional)

Attack mitigation settings

Enabled bool (optional)

When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers

OnlyWhenUpstreamUnhealthy bool (optional)

Only mitigate attacks when upstream servers seem unhealthy

Update DNS Firewall Cluster

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/dns_firewall"
  "github.com/cloudflare/cloudflare-go/option"
)

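func main() {
  // Example token shown on this page; substitute your own API token.
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  response, err := client.DNSFirewall.Edit(
    context.TODO(),
    "023e105f4ecef8ad9ca31a8372d0c353", // dnsFirewallID path parameter
    dns_firewall.DNSFirewallEditParams{
      // AccountID is the account_id path parameter; body params are optional.
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  // Print the identifier of the updated cluster.
  fmt.Printf("%+v\n", response.ID)
}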
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "deprecate_any_requests": true,
    "dns_firewall_ips": [
      "203.0.113.1",
      "203.0.113.254",
      "2001:DB8:AB::CF",
      "2001:DB8:CD::CF"
    ],
    "ecs_fallback": false,
    "maximum_cache_ttl": 900,
    "minimum_cache_ttl": 60,
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "name": "My Awesome DNS Firewall cluster",
    "negative_cache_ttl": 900,
    "ratelimit": 600,
    "retries": 2,
    "upstream_ips": [
      "192.0.2.1",
      "198.51.100.1",
      "2001:DB8:100::CF"
    ],
    "attack_mitigation": {
      "enabled": true,
      "only_when_upstream_unhealthy": false
    }
  }
}