Locations are usually physical entities like offices, homes, retail stores, movie theatres, or data centers. The fastest way to start sending DNS queries from a location and protect it from security threats is by changing the DNS resolvers at the router.
If you have an IPv6 network, you can change your DNS resolvers to the dedicated IPv6 address for your location.
If you don’t have an IPv6 network, you can set up a location by changing the DNS resolvers to:
If you want to send your DNS queries over an encrypted connection, you can use the hostname that we provide in the dashboard to send queries using DNS over HTTPS.
How Gateway matches queries to locations
Gateway uses different ways to match a DNS query to locations depending on the type of request and network. This is how Gateway determines the location of a DNS query:
Step 1: Gateway checks whether the query was sent using DNS over HTTPS. If yes, Gateway looks up the location by its unique hostname.
Step 2: If the query wasn't sent with DNS over HTTPS, Gateway checks whether it was sent over IPv4. If yes, it looks up the location by the source IPv4 address.
Step 3: If the query wasn't sent over IPv4, it means it was sent over IPv6. Gateway will look up the location associated with the DNS query based on the destination IPv6 address.
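The three-step lookup above, as an added sketch that is not Cloudflare's code: the `Location` and `Query` field names, the hostnames and the addresses are all constructed for illustration. It shows that a DoH hostname takes precedence over the source IPv4 address, and that a query from an unregistered IPv4 source matches no location.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Location:  # field names are assumptions for this sketch
    name: str
    doh_hostname: Optional[str] = None
    source_ipv4: List[str] = field(default_factory=list)  # public egress networks
    dest_ipv6: Optional[str] = None  # unique resolver address for the location

@dataclass
class Query:
    src_ip: str
    dst_ip: str
    doh_hostname: Optional[str] = None  # set only for DNS over HTTPS

def match_location(q: Query, locations: List[Location]) -> Optional[Location]:
    # Step 1: a DoH query is matched by its unique hostname and nothing else.
    if q.doh_hostname is not None:
        host = q.doh_hostname.lower().rstrip(".")
        return next((l for l in locations if l.doh_hostname == host), None)
    src = ipaddress.ip_address(q.src_ip)
    # Step 2: a non-DoH query over IPv4 is matched by its public source address.
    if src.version == 4:
        return next((l for l in locations
                     if any(src in ipaddress.ip_network(n) for n in l.source_ipv4)),
                    None)
    # Step 3: otherwise the query is IPv6, matched by the destination address.
    dst = ipaddress.ip_address(q.dst_ip)
    return next((l for l in locations
                 if l.dest_ipv6 and ipaddress.ip_address(l.dest_ipv6) == dst), None)

# Constructed sample data: documentation address ranges and made-up hostnames.
LOCATIONS = [
    Location("office", "office-id.doh.example", ["203.0.113.0/24"], "2001:db8::1"),
    Location("branch", "branch-id.doh.example", ["198.51.100.7/32"], "2001:db8::2"),
]

def name_of(q: Query) -> Optional[str]:
    loc = match_location(q, LOCATIONS)
    return loc.name if loc else None

if __name__ == "__main__":
    print(name_of(Query("203.0.113.10", "192.0.2.53")))  # plain IPv4 from the office
    print(name_of(Query("203.0.113.10", "192.0.2.53", "branch-id.doh.example")))
    print(name_of(Query("192.0.2.99", "192.0.2.53")))  # unregistered IPv4 source
    print(name_of(Query("2001:db8:aaaa::5", "2001:db8::2")))  # IPv6 by destination
```

The second call is the case to watch when reading logs: a device that sits on the office network but uses the branch's DoH hostname is logged and filtered under the branch's policies.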
The only requirement for a location is its name. All other fields are optional if the location you are sending requests from is only using IPv6 or sending all DNS requests using DNS over HTTPS.
Source IPv4 address
Gateway uses the public source IPv4 address of your network to identify your location, apply policies and log DNS requests. When creating a location, the Teams dashboard automatically identifies the public source IP address.
Users on the Enterprise plan have the option of manually entering one or more IP addresses of their choice. This enables them to protect networks even if they're not connecting from any of those networks' IP addresses when creating the location on the Teams dashboard.
When you create a location, your location will receive a unique IPv6 address. Cloudflare Gateway will identify your location based on this unique IPv6 address.
On your router, device, forwarder, or daemon, forward DNS queries to the corresponding IPv6 address for the location.
DNS over TLS
Each location has a unique hostname for DNS over TLS.
Cloudflare Gateway will identify your location based on the DNS over TLS hostname.
DNS over HTTPS
Each location has a unique hostname for DNS over HTTPS.
Cloudflare Gateway will identify your location based on the DNS over HTTPS hostname.
Each location in Teams has a unique DoH subdomain (previously known as a unique id). If your organization uses DNS policies, you will need to enter your location's DoH subdomain as part of the WARP client settings.
In the example below, the DoH subdomain is:
|DNS over HTTPS hostname|DoH subdomain|