DNS filtering
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
To filter DNS requests from an individual device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device.
To filter DNS requests from a location such as an office or data center:
- Add the location to your Zero Trust settings.
- On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.
- In Zero Trust ↗, go to Settings > Network.
- Under Gateway logging, enable activity logging for all DNS logs.
- On your device, open a browser and go to any website.
- In Zero Trust, go to Logs > Gateway > DNS.
- Make sure DNS queries from your device appear.
To create a new DNS policy, go to Gateway > Firewall policies > DNS in Zero Trust. We recommend adding the following policy:
Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Security Categories | in | All security risks | Block |
Refer to our list of common DNS policies for other policies you may want to create.