Create DNS Firewall Cluster
Create a DNS Firewall cluster
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
API Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
Accepted Permissions (at least one required)
Body Parameters (JSON)
Number of IPv4 addresses to assign to the DNS Firewall cluster. Only used during cluster creation and cannot be changed later.
Whether to forward the client IP (resolver) subnet if no EDNS Client Subnet is sent.
By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.
This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.
By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.
This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.
Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.
This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.
Maximum number of DNS queries per second that will be forwarded to your upstream nameservers. The limit is enforced per server, where each server receives a fraction of the configured value. The actual aggregate rate for a data center may vary depending on how many servers are present. Responses served from cache do not count toward this limit. Set to null to disable rate limiting.
Create DNS Firewall Cluster
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dns_firewall \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
  "name": "My Awesome DNS Firewall cluster",
  "upstream_ips": [
    "192.0.2.1",
    "198.51.100.1",
    "2001:DB8:100::CF"
  ],
  "deprecate_any_requests": true,
  "dns_firewall_ip_count": 2,
  "maximum_cache_ttl": 900,
  "minimum_cache_ttl": 60,
  "negative_cache_ttl": 900,
  "ratelimit": 600,
  "retries": 2
}'

Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "deprecate_any_requests": true,
    "dns_firewall_ips": [
      "203.0.113.1",
      "203.0.113.254",
      "2001:DB8:AB::CF",
      "2001:DB8:CD::CF"
    ],
    "ecs_fallback": false,
    "maximum_cache_ttl": 900,
    "minimum_cache_ttl": 60,
    "modified_on": "2014-01-01T05:20:00.12345Z",
    "name": "My Awesome DNS Firewall cluster",
    "negative_cache_ttl": 900,
    "ratelimit": 600,
    "retries": 2,
    "upstream_ips": [
      "192.0.2.1",
      "198.51.100.1",
      "2001:DB8:100::CF"
    ],
    "attack_mitigation": {
      "enabled": true,
      "only_when_upstream_unhealthy": false
    }
  }
}
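
Added example (not part of the Cloudflare documentation): a Python sketch that checks a create-cluster request body before it is sent and then compares the response's result object with what was requested, so a rejected call or a setting that came back different is caught at deploy time. The helper names and the local sanity checks (valid IP literals, minimum TTL not above maximum, positive rate limit) are assumptions of this example, not documented API constraints.

```python
import ipaddress

# Fields echoed in "result" that should match the request body.
ECHOED = ("name", "upstream_ips", "maximum_cache_ttl", "minimum_cache_ttl",
          "negative_cache_ttl", "ratelimit", "retries")

def validate_body(body):
    """Local sanity checks (assumptions, not documented API constraints)."""
    problems = []
    for ip in body.get("upstream_ips") or []:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"upstream_ips: {ip!r} is not an IP address")
    lo, hi = body.get("minimum_cache_ttl"), body.get("maximum_cache_ttl")
    if lo is not None and hi is not None and lo > hi:
        problems.append("minimum_cache_ttl exceeds maximum_cache_ttl")
    rate = body.get("ratelimit")
    if rate is not None and rate <= 0:
        problems.append("ratelimit must be positive, or null to disable")
    return problems

def _norm(key, value):
    """Normalise IP spelling and order so 2001:DB8::1 equals 2001:db8::1."""
    if key == "upstream_ips":
        return sorted(str(ipaddress.ip_address(v)) for v in value or [])
    return value

def verify_response(body, response):
    """Return findings: API errors, or settings that differ from the request."""
    if not response.get("success"):
        return [f"API error {e.get('code')}: {e.get('message')}"
                for e in response.get("errors", [])] or ["success is false"]
    result = response.get("result") or {}
    return [f"{k}: sent {body[k]!r}, got {result.get(k)!r}"
            for k in ECHOED
            if k in body and _norm(k, result.get(k)) != _norm(k, body[k])]

# Constructed sample data, reduced from the request and response on this page.
REQUEST = {"name": "My Awesome DNS Firewall cluster",
           "upstream_ips": ["192.0.2.1", "198.51.100.1", "2001:DB8:100::CF"],
           "maximum_cache_ttl": 900, "minimum_cache_ttl": 60,
           "negative_cache_ttl": 900, "ratelimit": 600, "retries": 2}
RESPONSE = {"success": True, "errors": [], "result": dict(REQUEST, ecs_fallback=False)}

if __name__ == "__main__":
    print(validate_body(REQUEST), verify_response(REQUEST, RESPONSE))
```

Run validate_body before calling the API and verify_response on the parsed JSON reply; an empty list from both means the cluster was created with the settings that were sent.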