
DNS Firewall

resource cloudflare_dns_firewall

required
account_id: String

Identifier.

name: String

DNS Firewall cluster name

upstream_ips: Set[String]

optional
dns_firewall_ip_count?: Int64

Number of IPv4 addresses to assign to the DNS Firewall cluster. Only used during cluster creation and cannot be changed later.

deprecate_any_requests?: Bool

Whether to refuse to answer queries for the ANY type

ecs_fallback?: Bool

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

negative_cache_ttl?: Float64

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

ratelimit?: Float64

Maximum number of DNS queries per second that will be forwarded to your upstream nameservers. The limit is enforced per server, where each server receives a fraction of the configured value. The actual aggregate rate for a data center may vary depending on how many servers are present. Responses served from cache do not count toward this limit. Set to null to disable rate limiting.

maximum_cache_ttl?: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

minimum_cache_ttl?: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

retries?: Float64

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

attack_mitigation?: Attributes

Attack mitigation settings

enabled?: Bool

When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers

only_when_upstream_unhealthy?: Bool

Only mitigate attacks when upstream servers seem unhealthy

computed
id: String

Identifier.

modified_on: Time

Last modification of DNS Firewall cluster

dns_firewall_ips: Set[String]

cloudflare_dns_firewall

resource "cloudflare_dns_firewall" "example_dns_firewall" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name = "My Awesome DNS Firewall cluster"
  upstream_ips = ["192.0.2.1", "198.51.100.1", "2001:DB8:100::CF"]
  attack_mitigation = {
    enabled = true
    only_when_upstream_unhealthy = false
  }
  deprecate_any_requests = true
  dns_firewall_ip_count = 2
  ecs_fallback = false
  maximum_cache_ttl = 900
  minimum_cache_ttl = 60
  negative_cache_ttl = 900
  ratelimit = 600
  retries = 2
}
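The schema above leaves the interaction between the cache bounds implicit: minimum_cache_ttl raises low upstream TTLs and maximum_cache_ttl lowers high ones, so a configuration where the minimum exceeds the maximum is contradictory. The module below is an added example, not part of the provider documentation, that wraps the resource with Terraform input validation and a lifecycle precondition so such a configuration fails at plan time; the variable names and the cluster name are assumptions.

```hcl
variable "account_id" {
  type = string
}

variable "upstream_ips" {
  type = set(string)
  validation {
    condition     = length(var.upstream_ips) > 0
    error_message = "At least one upstream nameserver must be configured."
  }
}

variable "minimum_cache_ttl" {
  type    = number
  default = 60
}

variable "maximum_cache_ttl" {
  type    = number
  default = 900
}

resource "cloudflare_dns_firewall" "hardened" {
  account_id   = var.account_id
  name         = "hardened-cluster" # assumed name
  upstream_ips = var.upstream_ips

  # Refuse ANY queries rather than forwarding them upstream.
  deprecate_any_requests = true

  # Mitigate random-prefix floods regardless of upstream health.
  attack_mitigation = {
    enabled                      = true
    only_when_upstream_unhealthy = false
  }

  minimum_cache_ttl  = var.minimum_cache_ttl
  maximum_cache_ttl  = var.maximum_cache_ttl
  negative_cache_ttl = 300
  ratelimit          = 600
  retries            = 2

  lifecycle {
    precondition {
      condition     = var.minimum_cache_ttl <= var.maximum_cache_ttl
      error_message = "minimum_cache_ttl must not exceed maximum_cache_ttl."
    }
  }
}
```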

data cloudflare_dns_firewall

required
dns_firewall_id: String

Identifier.

account_id: String

Identifier.

computed
id: String

Identifier.

deprecate_any_requests: Bool

Whether to refuse to answer queries for the ANY type

ecs_fallback: Bool

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

minimum_cache_ttl: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

modified_on: Time

Last modification of DNS Firewall cluster

name: String

DNS Firewall cluster name

negative_cache_ttl: Float64

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

ratelimit: Float64

Maximum number of DNS queries per second that will be forwarded to your upstream nameservers. The limit is enforced per server, where each server receives a fraction of the configured value. The actual aggregate rate for a data center may vary depending on how many servers are present. Responses served from cache do not count toward this limit. Set to null to disable rate limiting.

retries: Float64

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

dns_firewall_ips: Set[String]

upstream_ips: Set[String]

attack_mitigation: Attributes

Attack mitigation settings

enabled: Bool

When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers

only_when_upstream_unhealthy: Bool

Only mitigate attacks when upstream servers seem unhealthy

cloudflare_dns_firewall

data "cloudflare_dns_firewall" "example_dns_firewall" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  dns_firewall_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_dns_firewalls

required
account_id: String

Identifier.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

Identifier.

deprecate_any_requests: Bool

Whether to refuse to answer queries for the ANY type

dns_firewall_ips: Set[String]

ecs_fallback: Bool

Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent

maximum_cache_ttl: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets an upper bound on this duration. For caching purposes, higher TTLs will be decreased to the maximum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

minimum_cache_ttl: Float64

By default, Cloudflare attempts to cache responses for as long as indicated by the TTL received from upstream nameservers. This setting sets a lower bound on this duration. For caching purposes, lower TTLs will be increased to the minimum value defined by this setting.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

Note that, even with this setting, there is no guarantee that a response will be cached for at least the specified duration. Cached responses may be removed earlier for capacity or other operational reasons.

modified_on: Time

Last modification of DNS Firewall cluster

name: String

DNS Firewall cluster name

negative_cache_ttl: Float64

This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.

This setting does not affect the TTL value in the DNS response Cloudflare returns to clients. Cloudflare will always forward the TTL value received from upstream nameservers.

ratelimit: Float64

Maximum number of DNS queries per second that will be forwarded to your upstream nameservers. The limit is enforced per server, where each server receives a fraction of the configured value. The actual aggregate rate for a data center may vary depending on how many servers are present. Responses served from cache do not count toward this limit. Set to null to disable rate limiting.

retries: Float64

Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

upstream_ips: Set[String]

attack_mitigation: Attributes

Attack mitigation settings

enabled: Bool

When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers

only_when_upstream_unhealthy: Bool

Only mitigate attacks when upstream servers seem unhealthy

cloudflare_dns_firewalls

data "cloudflare_dns_firewalls" "example_dns_firewalls" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}