
DNS Firewall

List DNS Firewall Clusters
client.dnsFirewall.list(DNSFirewallListParams { account_id, page, per_page } params, RequestOptions options?): V4PagePaginationArray<DNSFirewallListResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }>
GET /accounts/{account_id}/dns_firewall
DNS Firewall Cluster Details
client.dnsFirewall.get(string dnsFirewallId, DNSFirewallGetParams { account_id } params, RequestOptions options?): DNSFirewallGetResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
GET /accounts/{account_id}/dns_firewall/{dns_firewall_id}
Create DNS Firewall Cluster
client.dnsFirewall.create(DNSFirewallCreateParams { account_id, name, upstream_ips, 8 more } params, RequestOptions options?): DNSFirewallCreateResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
POST /accounts/{account_id}/dns_firewall
Update DNS Firewall Cluster
client.dnsFirewall.edit(string dnsFirewallId, DNSFirewallEditParams { account_id, attack_mitigation, deprecate_any_requests, 8 more } params, RequestOptions options?): DNSFirewallEditResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
PATCH /accounts/{account_id}/dns_firewall/{dns_firewall_id}
Delete DNS Firewall Cluster
client.dnsFirewall.delete(string dnsFirewallId, DNSFirewallDeleteParams { account_id } params, RequestOptions options?): DNSFirewallDeleteResponse { id }
DELETE /accounts/{account_id}/dns_firewall/{dns_firewall_id}
Models
AttackMitigation { enabled, only_when_upstream_unhealthy }

Attack mitigation settings

enabled?: boolean

When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers

only_when_upstream_unhealthy?: boolean

Only mitigate attacks when upstream servers seem unhealthy

FirewallIPs = string

Cloudflare-assigned DNS IPv4 address

UpstreamIPs = string

Upstream DNS Server IPv4 address

DNSFirewallListResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
id: string

Identifier.

maxLength: 32
deprecate_any_requests: boolean

Whether to refuse to answer queries for the ANY type

dns_firewall_ips: Array<FirewallIPs>
ecs_fallback: boolean

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
minimum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
modified_on: string

Last modification of DNS Firewall cluster

format: date-time
name: string

DNS Firewall cluster name

maxLength: 160
minLength: 1
negative_cache_ttl: number | null

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
ratelimit: number | null

Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
retries: number

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
upstream_ips: Array<UpstreamIPs>
minLength: 1
attack_mitigation?: AttackMitigation { enabled, only_when_upstream_unhealthy } | null

Attack mitigation settings

DNSFirewallGetResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
id: string

Identifier.

maxLength: 32
deprecate_any_requests: boolean

Whether to refuse to answer queries for the ANY type

dns_firewall_ips: Array<FirewallIPs>
ecs_fallback: boolean

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
minimum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
modified_on: string

Last modification of DNS Firewall cluster

format: date-time
name: string

DNS Firewall cluster name

maxLength: 160
minLength: 1
negative_cache_ttl: number | null

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
ratelimit: number | null

Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
retries: number

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
upstream_ips: Array<UpstreamIPs>
minLength: 1
attack_mitigation?: AttackMitigation { enabled, only_when_upstream_unhealthy } | null

Attack mitigation settings

DNSFirewallCreateResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
id: string

Identifier.

maxLength: 32
deprecate_any_requests: boolean

Whether to refuse to answer queries for the ANY type

dns_firewall_ips: Array<FirewallIPs>
ecs_fallback: boolean

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
minimum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
modified_on: string

Last modification of DNS Firewall cluster

format: date-time
name: string

DNS Firewall cluster name

maxLength: 160
minLength: 1
negative_cache_ttl: number | null

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
ratelimit: number | null

Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
retries: number

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
upstream_ips: Array<UpstreamIPs>
minLength: 1
attack_mitigation?: AttackMitigation { enabled, only_when_upstream_unhealthy } | null

Attack mitigation settings

DNSFirewallEditResponse { id, deprecate_any_requests, dns_firewall_ips, 10 more }
id: string

Identifier.

maxLength: 32
deprecate_any_requests: boolean

Whether to refuse to answer queries for the ANY type

dns_firewall_ips: Array<FirewallIPs>
ecs_fallback: boolean

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
minimum_cache_ttl: number

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

maximum: 36000
minimum: 30
modified_on: string

Last modification of DNS Firewall cluster

format: date-time
name: string

DNS Firewall cluster name

maxLength: 160
minLength: 1
negative_cache_ttl: number | null

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

maximum: 36000
minimum: 30
ratelimit: number | null

Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)

maximum: 1000000000
minimum: 100
retries: number

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

maximum: 2
minimum: 0
upstream_ips: Array<UpstreamIPs>
minLength: 1
attack_mitigation?: AttackMitigation { enabled, only_when_upstream_unhealthy } | null

Attack mitigation settings

DNSFirewallDeleteResponse { id }
id?: string

Identifier.

maxLength: 32
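
A pre-flight check for a cluster create or edit payload against the bounds listed in the models above, together with the cache-lifetime clamping described for `minimum_cache_ttl` and `maximum_cache_ttl`. This is an added example, not code from the Cloudflare SDK: the type and function names are hypothetical, and the check that the two cache bounds do not cross is an assumption the page does not state.

```typescript
// Added example, not Cloudflare code; ClusterSettings, checkCluster and
// effectiveCacheSeconds are hypothetical names. Bounds come from the models above.
interface ClusterSettings {
  name: string;
  upstream_ips: string[];
  minimum_cache_ttl?: number;
  maximum_cache_ttl?: number;
  negative_cache_ttl?: number | null;
  ratelimit?: number | null;
  retries?: number;
  deprecate_any_requests?: boolean;
  attack_mitigation?: { enabled?: boolean; only_when_upstream_unhealthy?: boolean } | null;
}
// Documented [minimum, maximum] for each numeric setting.
const BOUNDS: Record<string, [number, number]> = {
  minimum_cache_ttl: [30, 36000], maximum_cache_ttl: [30, 36000],
  negative_cache_ttl: [30, 36000], ratelimit: [100, 1000000000], retries: [0, 2],
};

function checkCluster(s: ClusterSettings): { errors: string[]; review: string[] } {
  const errors: string[] = [];
  const review: string[] = [];
  if (s.name.length < 1 || s.name.length > 160) errors.push("name: length must be 1..160");
  if (s.upstream_ips.length < 1) errors.push("upstream_ips: at least one address is required");
  for (const field of Object.keys(BOUNDS)) {
    const [lo, hi] = BOUNDS[field];
    const v = (s as unknown as Record<string, unknown>)[field];
    if (v === undefined || v === null) continue; // left unset, nothing to range-check
    if (typeof v !== "number" || !(v >= lo && v <= hi)) errors.push(`${field}: must be in ${lo}..${hi}`);
  }
  // Sanity check that is not stated on the page: the two cache bounds should not cross.
  if (s.minimum_cache_ttl !== undefined && s.maximum_cache_ttl !== undefined &&
      s.minimum_cache_ttl > s.maximum_cache_ttl) errors.push("minimum_cache_ttl exceeds maximum_cache_ttl");
  // Protective switches described on the page, surfaced for review rather than rejected.
  if (s.deprecate_any_requests !== true) review.push("deprecate_any_requests is not set to true");
  if (s.attack_mitigation?.enabled !== true) review.push("attack_mitigation.enabled is not set to true");
  return { errors, review };
}

// Target cache lifetime for an upstream TTL; the TTL sent to clients stays the upstream value.
function effectiveCacheSeconds(upstreamTtl: number, minTtl: number, maxTtl: number): number {
  return Math.min(Math.max(upstreamTtl, minTtl), maxTtl);
}

// Constructed sample settings (192.0.2.53 is a documentation address).
const sample: ClusterSettings = {
  name: "corp-resolvers", upstream_ips: ["192.0.2.53"], minimum_cache_ttl: 60, maximum_cache_ttl: 900,
  retries: 2, deprecate_any_requests: true, attack_mitigation: { enabled: true },
};
```

Run `checkCluster` before calling `client.dnsFirewall.create` or `client.dnsFirewall.edit`; entries in `review` are settings to look at, not rejections.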

DNS Firewall Analytics

DNS Firewall Analytics Reports

Table
client.dnsFirewall.analytics.reports.get(string dnsFirewallId, ReportGetParams { account_id, dimensions, filters, 5 more } params, RequestOptions options?): Report { data, data_lag, max, 4 more }
GET /accounts/{account_id}/dns_firewall/{dns_firewall_id}/dns_analytics/report

DNS Firewall Analytics Reports Bytimes

By Time
client.dnsFirewall.analytics.reports.bytimes.get(string dnsFirewallId, BytimeGetParams { account_id, dimensions, filters, 6 more } params, RequestOptions options?): ByTime { data, data_lag, max, 5 more }
GET /accounts/{account_id}/dns_firewall/{dns_firewall_id}/dns_analytics/report/bytime

DNS Firewall Reverse DNS

Show DNS Firewall Cluster Reverse DNS
client.dnsFirewall.reverseDNS.get(string dnsFirewallId, ReverseDNSGetParams { account_id } params, RequestOptions options?): ReverseDNSGetResponse { ptr }
GET /accounts/{account_id}/dns_firewall/{dns_firewall_id}/reverse_dns
Update DNS Firewall Cluster Reverse DNS
client.dnsFirewall.reverseDNS.edit(string dnsFirewallId, ReverseDNSEditParams { account_id, ptr } params, RequestOptions options?): ReverseDNSEditResponse { ptr }
PATCH /accounts/{account_id}/dns_firewall/{dns_firewall_id}/reverse_dns
Models
ReverseDNSGetResponse { ptr }
ptr: Record<string, string>

Map of cluster IP addresses to PTR record contents

ReverseDNSEditResponse { ptr }
ptr: Record<string, string>

Map of cluster IP addresses to PTR record contents