DNS policies

When a user makes a DNS request to Gateway, Gateway matches the request against the content or security categories you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an override rule, the user's client receives the DNS resolution and initiates an HTTP connection.

Gateway DNS flow

DNS policies can be built by doing one or more of the following:

  1. Selecting security risk categories you want to block.
  2. Enabling SafeSearch.
  3. Enabling YouTube Restricted Mode.
  4. Selecting content categories you want to block.
  5. Adding custom domains you want to block, allow, or override.

Security risk categories

When creating a DNS policy, you can select as many security risk categories as you want to block with the policy. This allows you to block known and potential security risks on the public Internet.

Content categories

When creating a DNS policy, you can select as many content categories as you want to block with the policy.

Destinations

Setting a destination for a policy gives you manual control over which action is taken on requests for specific domains. When setting a domain as a destination, you have the option to allow, block or override that domain.

  • Allow. This action forces resolving this destination and all its sub-destinations, and takes precedence over any blocked destinations.
  • Block. This action will block a destination and all its sub-destinations.
  • Override. This action will forward all requests to a given destination to another destination you can set.

Blocking a subdomain

When you manually block a domain, you automatically block all of its subdomains. For example, if you are blocking example.com, our policy engine will also block a.example.com and a.b.example.com.

If you only want to block a subdomain a.example.com, then instead of adding example.com to the list, you will add a.example.com. Note that once you add a.example.com to the block list, Cloudflare Gateway will also block all subdomains of a.example.com.

Blocking a top-level domain

Just like you can choose to block a domain and all subdomains, you can block an entire top-level domain (TLD) by specifying it in a custom list. For example, if you wish to block all domains and subdomains registered under .net, you would input net in a custom list with the Block action selected.

Order of operations

When a DNS query matches a DNS policy, Gateway follows this order of operations:

| Step | Check If | If Matches | Else |
|------|----------|------------|------|
| 1 | Domain is in Child Abuse category | Block domain, return REFUSED | Go to step 2 |
| 2 | Domain in Allow list | Allow domain, return NOERROR with IP address of the domain | Go to step 3 |
| 3 | Domain in Block list | Block domain, return REFUSED | Go to step 4 |
| 4 | Domain in SafeSearch | Override domain, return NOERROR with safe CNAME | Go to step 5 |
| 5 | Domain blocked by category | Block domain, return REFUSED | Go to step 6 |
| 6 | N/A | Allow domain, return NOERROR with IP address of the domain | N/A |
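
The following is an added example, not Cloudflare's code: a local model of the six steps above combined with the subdomain and TLD matching rules, useful for checking how a planned set of lists will resolve before deploying it. The function names, the policy layout, the "Gambling" category and all sample domains are constructed; exact-name lookup for categories and SafeSearch is an assumption.

```python
# Added illustration: a local model of the documented order of operations.
# Function names, the policy layout and all sample data are hypothetical.

def in_list(name, entries):
    """True if name, or any parent domain of it (down to the TLD), is in entries."""
    labels = name.lower().rstrip(".").split(".")
    # Compare whole labels so "notexample.com" never matches "example.com".
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))

def evaluate(name, policy, categories):
    """Return (step, action, rcode, cname) for one DNS query name."""
    key = name.lower().rstrip(".")
    cats = categories.get(key, set())  # assumption: exact-name category lookup
    if "Child Abuse" in cats:
        return (1, "block", "REFUSED", None)
    if in_list(key, policy["allow"]):
        return (2, "allow", "NOERROR", None)
    if in_list(key, policy["block"]):
        return (3, "block", "REFUSED", None)
    if key in policy["safesearch"]:  # assumption: exact-name SafeSearch map
        return (4, "override", "NOERROR", policy["safesearch"][key])
    if cats & policy["blocked_categories"]:
        return (5, "block", "REFUSED", None)
    return (6, "allow", "NOERROR", None)

# Constructed sample policy and category data.
POLICY = {
    "allow": {"ok.example.com"},
    "block": {"example.com", "net"},
    "safesearch": {"search.example": "safe.search.example"},
    "blocked_categories": {"Gambling"},
}
CATEGORIES = {
    "bets.example.org": {"Gambling"},
    "bad.ok.example.com": {"Child Abuse"},
}

if __name__ == "__main__":
    for q in ("a.b.example.com", "x.ok.example.com", "bad.ok.example.com",
              "foo.net", "notexample.com", "search.example",
              "bets.example.org", "example.org"):
        print(q, evaluate(q, POLICY, CATEGORIES))
```

Note that x.ok.example.com resolves at step 2 even though its parent example.com is on the block list, while bad.ok.example.com is still refused at step 1.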