Cloudflare for Teams

DNS policies (New)

When a user makes a DNS request to Gateway, Gateway matches the request against the content or security categories you have set up for your organization. If the domain does not belong to any blocked categories, or if it matches an Override policy, the user's client receives the DNS resolution and initiates an HTTP connection.

(Figure: Gateway DNS flow)

When creating a DNS policy, you can select as many security risk and content categories as you want to affect with the policy.

Build a DNS policy by configuring the following elements:

Actions

Just like actions in HTTP policies, actions in DNS policies allow you to choose what to do with a given set of elements. You can assign one action per policy.

These are the action types you can choose from:

Allow

Policies with Allow actions allow DNS queries you specify within the Selectors and Value fields. For example, the following configuration allows DNS queries to domains we categorize as belonging to the Education content category:

Selector           | Operator | Value     | Action
Content Categories | In       | Education | Allow

Block

Policies with Block actions block DNS queries you specify within the Selectors and Value fields. For example, the following configuration blocks DNS queries to domains we categorize as belonging to the Adult Themes content category:

Selector           | Operator | Value        | Action
Content Categories | In       | Adult Themes | Block

Override

Policies with Override actions let you answer all DNS queries for a given domain with a destination of your choosing instead of the real resolution. For example, you can provide a custom response IP of 1.2.3.4 for all queries to www.example.com with the following policy:

Selector     | Operator | Value           | Action
DNS Hostname | Is       | www.example.com | Override (custom response IP 1.2.3.4)

SafeSearch

SafeSearch is a feature of search engines that helps you filter explicit or offensive content. When SafeSearch is enabled, the search engine filters out explicit or offensive material and returns results that are safe for children, for you, or for the workplace.

You can use Cloudflare Gateway to enable SafeSearch on search engines like Google, Bing, Yandex, YouTube and DuckDuckGo. For example, to enable SafeSearch for Google, you can create the following policy:

Selector   | Operator | Value      | Action
DNS Domain | Is       | google.com | SafeSearch

Test SafeSearch

You can test whether SafeSearch is working by running dig against each search engine's domain. Instead of the regular IP address, you should see the search engine's SafeSearch CNAME returned, as shown below:

Google

Google will return forcesafesearch.google.com.

(Screenshot: dig output for google.com returning the forcesafesearch.google.com CNAME)

YouTube

YouTube will return restrict.youtube.com.

(Screenshot: dig output for youtube.com returning the restrict.youtube.com CNAME)

Bing

Bing will return strict.bing.com.

(Screenshot: dig output for bing.com returning the strict.bing.com CNAME)

DuckDuckGo

DuckDuckGo will return safe.duckduckgo.com.

(Screenshot: dig output for duckduckgo.com returning the safe.duckduckgo.com CNAME)

YouTube Restricted Mode

Similarly, you can enforce YouTube Restricted Mode by choosing the YouTube Restricted Mode action. YouTube Restricted Mode is an automated filter for adult and offensive content that is built into YouTube. To enable YouTube Restricted Mode, set up a policy like the following:

Selector   | Operator | Value       | Action
DNS Domain | Is       | youtube.com | YouTube Restricted

This setup enforces Restricted Mode at the DNS layer, so users on the network are blocked from offensive YouTube content regardless of their browser or account settings.

Expressions

Build expressions to determine the set of elements you want to impact with your policy. To build an expression, you need to choose a Selector and an Operator, and enter a value or range of values in the Value field.

Selectors

Gateway matches DNS traffic against the following selectors, or criteria:

Selector        | Description
DNS Domain      | Matches a domain and all of its subdomains, for example if you want to block example.com and every subdomain of example.com.
DNS Host        | Matches only the hostname specified, for example if you want to block only example.com but not subdomain.example.com.
DNS Query Rtype | Matches the DNS resource record type you want to apply policies against, for example blocking A records for a domain but not its MX records.
DNS Resolver IP | Applies policies to DNS queries that arrived at the Gateway resolver IP address assigned to a registered location. For most Gateway customers this is an IPv4 anycast address, and policies created using this IPv4 address apply to all locations. However, each location has a dedicated IPv6 address, and some Gateway customers have been supplied with a dedicated IPv4 address; either can be used to apply policies to specific registered locations.
DNS Src IP      | Applies DNS policies to the specific source IP address from which queries arrived at Gateway, for example the WAN IP address of the stub resolver an organization uses to send queries upstream to Gateway.
Location        | Applies DNS policies to a specific location or set of locations.

For more detailed information on DNS categories, see the DNS categories page.

Operators

Operators are the way Gateway matches traffic to a selector. Matching happens as follows:

Operator             | Meaning
is                   | exact match (equals)
is not               | everything except the exact match
in                   | matches any of the defined entries
not in               | matches none of the defined entries
matches regex        | the regular expression evaluates to true
does not match regex | everything except where the regular expression evaluates to true

Blocking a subdomain

To block a domain and all subdomains, you can create the following policy:

Selector   | Operator | Value       | Action
DNS Domain | Is       | example.com | Block

Blocking a top-level domain

Just like you can choose to block a domain and all subdomains, you can block an entire top-level domain (TLD) by creating a policy. For example, if you wish to block all domains and subdomains registered as a .net, create the following policy:

Selector   | Operator      | Value  | Action
DNS Domain | Matches Regex | [.]net | Block

Blocking a popular TLD like .com will prevent users from connecting to significant portions of the Internet. Note also that the pattern [.]net above is unanchored, so it matches any domain containing the substring .net (for example www.netflix.com); anchor it as [.]net$ if you want to match only names that end in the .net TLD.
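The following is an added example, not Cloudflare's code or a Gateway API: a small Python model of the policy evaluation described on this page (DNS Domain versus DNS Host selectors, the operators table, and the Allow, Block, Override and SafeSearch actions), built from the page's own example policies. The Policy fields, the first-match ordering, and the answer field holding the Override IP or SafeSearch CNAME are assumptions made to keep the model self-contained; it also shows why the unanchored [.]net regex catches www.netflix.com.

```python
import re
from dataclasses import dataclass

# Constructed model of Gateway DNS policy evaluation (not Cloudflare's code): first match wins.
OPERATORS = {
    "is": lambda v, x: v == x,
    "in": lambda v, x: v in x,
    "matches regex": lambda v, x: re.search(x, v) is not None,
}
NEGATED = {"is not": "is", "not in": "in", "does not match regex": "matches regex"}

@dataclass
class Policy:
    selector: str     # DNS Domain | DNS Host | Content Categories
    operator: str     # any key of OPERATORS or NEGATED
    value: object     # string, set of strings, or regex pattern
    action: str       # Allow | Block | Override | SafeSearch
    answer: str = ""  # hypothetical field: Override IP, or the CNAME a SafeSearch policy returns

def _candidates(policy, qname, categories):
    labels = qname.split(".")
    return {
        "DNS Domain": [".".join(labels[i:]) for i in range(len(labels))],  # name and all parents
        "DNS Host": [qname],                                              # exact hostname only
        "Content Categories": list(categories),
    }[policy.selector]

def matches(policy, qname, categories=()):
    negate = policy.operator in NEGATED
    test = OPERATORS[NEGATED.get(policy.operator, policy.operator)]
    hit = any(test(c, policy.value) for c in _candidates(policy, qname, categories))
    return hit != negate

def resolve(policies, qname, categories=()):
    # Block answers 0.0.0.0 (custom block page disabled); no match means normal resolution.
    for p in policies:
        if matches(p, qname, categories):
            if p.action == "Block":
                return ("Block", "0.0.0.0")
            return (p.action, p.answer or "resolve normally")
    return ("Allow", "resolve normally")
# Constructed policy list mirroring the examples on this page; ordering is an assumption.
POLICIES = [
    Policy("Content Categories", "in", {"Adult Themes"}, "Block"),
    Policy("DNS Host", "is", "www.example.com", "Override", "1.2.3.4"),
    Policy("DNS Domain", "is", "google.com", "SafeSearch", "forcesafesearch.google.com"),
    Policy("DNS Domain", "is", "example.com", "Block"),
    Policy("DNS Domain", "matches regex", r"[.]net", "Block"),  # unanchored, so it over-matches
]
```

Calling resolve(POLICIES, "www.netflix.com") returns a Block because the unanchored pattern matches ".net" inside ".netflix"; changing the value to r"[.]net$" limits it to names ending in .net.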

Custom block page

When choosing the Block action, toggle the Display custom block page setting to respond to queries with a block page, and to specify the message you want to display to users who navigate to blocked websites. If disabled, Gateway will respond to blocked queries with 0.0.0.0.