Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Set up DNS filtering

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

1. Connect to Gateway

Connect devices

To filter DNS requests from an individual device such as a laptop or phone:

  1. Install the WARP client on your device.
  2. In the WARP client Settings, log in to your organization’s Zero Trust instance .
  3. (Optional) If you want to display a custom block page , install the Cloudflare root certificate on your device .

Connect locations

To filter DNS requests from a location such as an office or data center:

  1. Add the location to your Zero Trust dashboard.
  2. On your router, browser, or OS, forward DNS queries to the address shown in the location setup flow.

2. Verify device connectivity

  1. In the Zero Trust dashboard, navigate to Settings > Network.
  2. Under Gateway logging, enable activity logging for all DNS logs.
  3. On your WARP-enabled device, open a browser and visit any website.
  4. In the Zero Trust dashboard, navigate to Logs > Gateway > DNS. Before building DNS policies, make sure you see DNS queries from the email associated with your device.

To create a new DNS policy, navigate to Gateway > Policies > DNS in the Zero Trust dashboard. We recommend adding the following policy:

Block all security risks

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

Security categoriesinAll security risksBlock

4. Add optional policies

Refer to our list of common DNS policies for other policies you may want to create.