Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Set up DNS filtering

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

​​ 1. Connect to Gateway

​​ Connect devices

To filter DNS requests from an individual device such as a laptop or phone:

  1. Install the WARP client on your device.
  2. In the WARP client Settings, log in to your organization’s Zero Trust instance.
  3. (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .

​​ Connect DNS locations

To filter DNS requests from a location such as an office or data center:

  1. Add the location to your Zero Trust settings.
  2. On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.

​​ 2. Verify device connectivity

  1. In Zero Trust, go to Settings > Network.
  2. Under Gateway logging, enable activity logging for all DNS logs.
  3. On your device, open a browser and visit any website.
  4. In Zero Trust, go to Logs > Gateway > DNS.
  5. Make sure you see DNS queries from your device.

To create a new DNS policy, go to Gateway > Firewall Policies > DNS in Zero Trust. We recommend adding the following policy:

​​ Block all security categories

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

SelectorOperatorValueAction
Security categoriesinAll security risksBlock

​​ 4. Add optional policies

Refer to our list of common DNS policies for other policies you may want to create.