Common policies
The following policies are commonly used to secure DNS traffic.
Refer to the DNS policies page for a comprehensive list of other selectors, operators, and actions.
This policy allows users to access official corporate domains. By deploying the policy with high order of precedence, you ensure that employees can access trusted domains even if they fall under a blocked category like Newly seen domains or Login pages.
Selector | Operator | Value | Action | Precedence |
---|---|---|---|---|
Domain | in list | Allowed domains | Allow | 1 |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Allow corporate domains",
    "description": "Allow any internal corporate domains added to a list",
    "precedence": 0,
    "enabled": true,
    "action": "allow",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```
To get the UUIDs of your lists, use the List Zero Trust lists endpoint.
Block security categories such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
Selector | Operator | Value | Action |
---|---|---|---|
Security Categories | in | All security risks | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-SecurityCategories-Blocklist",
    "description": "Block security categories based on Cloudflare'"'"'s threat intelligence",
    "precedence": 20,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
  account_id  = var.account_id
  name        = "All-DNS-SecurityCategories-Blocklist"
  description = "Block security categories based on Cloudflare's threat intelligence"
  precedence  = 20
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
}
```
The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to domain categories.
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Questionable Content, Security Risks, Miscellaneous | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-ContentCategories-Blocklist",
    "description": "Block common content categories that may pose a risk",
    "precedence": 30,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
  account_id  = var.account_id
  name        = "All-DNS-ContentCategories-Blocklist"
  description = "Block common content categories that may pose a risk"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})"
  identity    = ""
}
```
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Artificial Intelligence | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-Application-Blocklist",
    "description": "Block access to unauthorized AI applications",
    "precedence": 40,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
  account_id  = var.account_id
  name        = "All-DNS-Application-Blocklist"
  description = "Block access to unauthorized AI applications"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(app.type.ids[*] in {25})"
  identity    = ""
}
```
You can implement policies to block websites hosted in countries categorized as high risk. Such a designation may come from your organization's customers or from regulations such as EAR, OFAC, and ITAR.
Selector | Operator | Value | Action |
---|---|---|---|
Resolved Country IP Geolocation | in | Afghanistan, Belarus, Congo (Kinshasa), Cuba, Iran, Iraq, Korea, North, Myanmar, Russian Federation, Sudan, Syria, Ukraine, Zimbabwe | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block banned countries",
    "description": "Block access to banned countries",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})",
    "identity": ""
  }'
```
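The rule bodies on this page differ only in the `traffic` expression, and two details are easy to get wrong when generating them: list references are written `$<uuid>`, and set literals quote strings (country codes) but not integers (category IDs), which is why the JSON above carries `\"AF\"` escapes. The following helper, an added example rather than Cloudflare's own code, builds the "Allow corporate domains" and "Block banned countries" bodies from plain Python values; the field names come from the curl commands above, while the list UUID and the country codes passed in at the bottom are constructed sample values.

```python
"""Build the JSON bodies this page posts to /accounts/{account_id}/gateway/rule.

Added example, not Cloudflare code. Field names and the set / list syntax are
taken from the curl commands on this page; the list UUID and country codes used
at the bottom are constructed sample values.
"""
import json
from typing import Iterable, Optional, Union


def set_literal(values: Iterable[Union[int, str]]) -> str:
    """Render a Gateway set literal: integer IDs bare, strings double-quoted.

    Category IDs become {68 178 80}; country codes become {"AF" "BY"}.
    """
    parts = []
    for v in values:
        if isinstance(v, int):
            parts.append(str(v))
        elif '"' in v or "\\" in v:
            # A quote or backslash would break out of the quoted token.
            raise ValueError(f"unsafe value in set literal: {v!r}")
        else:
            parts.append(f'"{v}"')
    return "{" + " ".join(parts) + "}"


def list_ref(list_uuid: str) -> str:
    """Reference a Zero Trust list by UUID, the way $<LIST_UUID> does above."""
    return f"${list_uuid}"


def build_dns_rule(name: str, description: str, action: str, traffic: str,
                   precedence: Optional[int] = None, identity: str = "") -> dict:
    """Assemble one DNS rule body; precedence is optional, as on this page."""
    if action not in ("allow", "block", "safesearch"):
        raise ValueError(f"unsupported DNS action: {action}")
    rule = {
        "name": name,
        "description": description,
        "enabled": True,
        "action": action,
        "filters": ["dns"],
        "traffic": traffic,
        "identity": identity,  # "" means the rule applies to every identity
    }
    if precedence is not None:
        rule["precedence"] = precedence
    return rule


def country_block_rule(countries: Iterable[str]) -> dict:
    """The 'Block banned countries' policy for an arbitrary set of ISO codes."""
    traffic = f"any(dns.dst.geo.country[*] in {set_literal(countries)})"
    return build_dns_rule("Block banned countries",
                          "Block access to banned countries", "block", traffic)


def corporate_allow_rule(list_uuid: str) -> dict:
    """The 'Allow corporate domains' policy, pinned to precedence 0 as on this page."""
    traffic = f"any(dns.domains[*] in {list_ref(list_uuid)})"
    return build_dns_rule("Allow corporate domains",
                          "Allow any internal corporate domains added to a list",
                          "allow", traffic, precedence=0)


def to_json(rule: dict) -> str:
    """Serialise for --data; json.dumps emits the escaped quotes seen in the curl bodies."""
    return json.dumps(rule)


if __name__ == "__main__":
    SAMPLE_LIST_UUID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    print(to_json(corporate_allow_rule(SAMPLE_LIST_UUID)))
    print(to_json(country_block_rule(["AF", "BY", "KP"])))
```

Passing the output of `to_json()` to `curl --data` avoids the hand-edited JSON problems seen further down this page, such as a trailing comma before the closing brace.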
Blocking frequently misused top-level domains (TLDs) can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like ITAR or OFAC.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | matches regex | [.](cn\|ru)$ | Or | Block |
Domain | matches regex | [.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$ | Or | |
Domain | matches regex | [.](zip\|mobi)$ | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block top-level domains",
    "description": "Block top-level domains that are frequently used for malicious practices",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$\") or any(dns.domains[*] matches \"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$\") or any(dns.domains[*] matches \"[.](zip|mobi)$\")",
    "identity": ""
  }'
```
To protect against sophisticated phishing attacks, you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as okta, 2fa, cloudflare or sso), while still allowing access to official corporate domains.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | not in list | Corporate Domains | And | Block |
Domain | matches regex | .*okta.*\|.*cloudflare.*\|.*mfa.*\|.*sso.* | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block phishing attacks",
    "description": "Block attempts to phish specific domains targeting your organization",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "not(any(dns.domains[*] in $<LIST_UUID>)) and any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*\")",
    "identity": ""
  }'
```
To get the UUIDs of your lists, use the List Zero Trust lists endpoint.
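Both regex policies above are worth exercising against sample queries before they are deployed: the TLD patterns are anchored with `$`, so they match only the final label, and the keyword regex is deliberately broad, so any hostname your users legitimately resolve that contains one of the keywords (an identity provider tenant, for instance) must be on the corporate list or it will be blocked. The script below is an added example, not part of the Cloudflare documentation. It copies the patterns from the two policies (writing the last alternative as `.*sso.*`, consistent with the other three), stands in a constructed set for the "Corporate Domains" list, and uses Python's `re` module in place of the Gateway regex engine, which for these patterns behaves the same way (unanchored search, alternation, `$` anchored at the end).

```python
"""Test the Domain regexes from the TLD and anti-phishing policies above
against sample queries before deploying them.

Added example, not from the Cloudflare docs. The patterns are copied from the
two policies; the sample domains and the corporate-domain stand-in are
constructed. Python's re module stands in for the Gateway regex engine.
"""
import re
from typing import Dict, Iterable, List

# "Block top-level domains": three regexes joined with Or.
TLD_PATTERNS = [
    r"[.](cn|ru)$",
    r"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$",
    r"[.](zip|mobi)$",
]

# "Block phishing attacks": keyword regex, applied only to domains not on the list.
PHISHING_PATTERN = r".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*"

# Constructed stand-in for the "Corporate Domains" Zero Trust list. Exact-match
# only here; the real list selector is evaluated by Gateway, not by this script.
CORPORATE_DOMAINS = {"example.com", "sso.example.com"}


def blocked_by_tld_policy(domain: str) -> bool:
    """any(dns.domains[*] matches p1) or ... or any(dns.domains[*] matches p3)."""
    return any(re.search(p, domain) for p in TLD_PATTERNS)


def blocked_by_phishing_policy(domain: str) -> bool:
    """not(any(dns.domains[*] in $list)) and any(dns.domains[*] matches regex)."""
    if domain in CORPORATE_DOMAINS:
        return False
    return re.search(PHISHING_PATTERN, domain) is not None


def evaluate(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each queried domain to the names of the policies that would block it."""
    verdicts = {}
    for d in domains:
        hits = []
        if blocked_by_tld_policy(d):
            hits.append("Block top-level domains")
        if blocked_by_phishing_policy(d):
            hits.append("Block phishing attacks")
        verdicts[d] = hits
    return verdicts


# Constructed sample queries.
SAMPLE_QUERIES = [
    "update.example.cn",       # TLD policy: .cn is the final label
    "cn.example.com",          # not blocked: the $ anchor only sees the final label
    "files.example.zip",       # TLD policy: .zip
    "sso.example.com",         # on the corporate list, so the keyword regex is skipped
    "sso.example.net",         # same keyword, not on the list: blocked
    "example-okta-login.xyz",  # lookalike of an identity provider: blocked
    "news.example.org",        # no keyword, allowed TLD
]

if __name__ == "__main__":
    for d, hits in evaluate(SAMPLE_QUERIES).items():
        print(f"{d:26} {'block: ' + ', '.join(hits) if hits else 'allow'}")
```

Running it shows `sso.example.com` allowed only because it is on the list; `sso.example.net` with the same keyword is blocked. Add each legitimate hostname that contains one of the keywords to the corporate list before enabling the policy, and re-run a harness like this one whenever the keyword set changes.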
To safeguard user privacy, some organizations will block tracking domains such as dig.whatsapp.com as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to this repository for a list of widespread tracking domains that you can add to your blocklist.
Selector | Operator | Value | Action |
---|---|---|---|
Domain | in list | Top tracking domains | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block online tracking",
    "description": "Block domains used for tracking at an OS level",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```
To get the UUIDs of your lists, use the List Zero Trust lists endpoint.
Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency Response Teams (CERTs).
Selector | Operator | Value | Action |
---|---|---|---|
Resolved IP | in list | DShield | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block malicious IPs",
    "description": "Block specific IP addresses that are known to be malicious or pose a threat to your organization",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.resolved_ips[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```
To get the UUIDs of your lists, use the List Zero Trust lists endpoint.
The CIPA (Children's Internet Protection Act) Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of Project Cybersafe Schools to block access to unwanted or harmful online content. Upon creating this policy, your organization will have minimum CIPA compliance.
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | CIPA Filter | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Turn on CIPA filter",
    "description": "Block access to unwanted or harmful online content for children",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {182})",
    "identity": ""
  }'
```
SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can force SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo:
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Search Engines | Safe Search |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Hide explicit search results",
    "description": "Force SafeSearch on search engines to filter explicit or offensive content",
    "enabled": true,
    "action": "safesearch",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {145})",
    "identity": ""
  }'
```
Configure access on a per user or group basis by adding identity-based conditions to your policies.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Application | in | Salesforce | And | Block |
User Group Names | in | Contractors | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Check user identity",
    "description": "Filter traffic based on a user identity group name",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(app.ids[*] in {606})",
    "identity": "any(identity.groups.name[*] in {\"Contractors\"})"
  }'
```
Filter DNS queries to allow only specific users access.
The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the order of precedence.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Content Categories | in | Social Networks | And | Allow |
User Group Names | in | Marketing | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Allow social media for Marketing",
    "description": "Allow access to social media sites for users in the Marketing group",
    "precedence": 1,
    "enabled": true,
    "action": "allow",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {149})",
    "identity": "any(identity.groups.name[*] in {\"Marketing\"})"
  }'
```
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Social Networks | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block social media",
    "description": "Block social media for all other users",
    "precedence": 2,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {149})",
    "identity": ""
  }'
```
Enterprise users can pair these policies with an egress policy to control which IP address is used to egress to the origin server.
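The Allow/Block pair only works because of precedence: Gateway evaluates DNS policies from the lowest precedence value upward and applies the first match, so the narrower Allow (precedence 1) must come before the catch-all Block (precedence 2). The simulation below, an added example and not Cloudflare code, models that evaluation for the two policies above: each policy is reduced to a content-category set and an optional set of identity groups, category 149 (Social Networks) is the value used in the curl commands, and the users and queries are constructed. It also shows what happens when the two precedence values are swapped.

```python
"""Simulate Gateway's evaluation order for the Allow/Block pair above.

Added example, not Cloudflare code. Gateway evaluates DNS policies in order of
precedence (lower value first) and applies the first match; policies are
reduced here to a content-category set plus optional identity groups, and the
sample users and queries are constructed. Category 149 (Social Networks) is
taken from the curl commands above.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, List, Optional, Tuple

SOCIAL_NETWORKS = 149


@dataclass(frozen=True)
class Policy:
    name: str
    precedence: int
    action: str                           # "allow" or "block"
    content_categories: FrozenSet[int]
    groups: FrozenSet[str] = frozenset()  # empty: no identity condition, applies to everyone

    def matches(self, categories: FrozenSet[int], user_groups: FrozenSet[str]) -> bool:
        """Traffic condition and identity condition are ANDed, as in the table above."""
        if not (self.content_categories & categories):
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        return True


def evaluate(policies: Iterable[Policy], categories: Iterable[int],
             user_groups: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (action, policy name) of the first matching policy in precedence order.

    With no match, Gateway's implicit default for DNS traffic is to allow.
    """
    cats, groups = frozenset(categories), frozenset(user_groups)
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(cats, groups):
            return policy.action, policy.name
    return "allow", None


ALLOW_MARKETING = Policy("Allow social media for Marketing", 1, "allow",
                         frozenset({SOCIAL_NETWORKS}), frozenset({"Marketing"}))
BLOCK_EVERYONE = Policy("Block social media", 2, "block", frozenset({SOCIAL_NETWORKS}))

# Position in this list is irrelevant; only the precedence values decide the order.
POLICIES: List[Policy] = [BLOCK_EVERYONE, ALLOW_MARKETING]


def misordered() -> List[Policy]:
    """The same pair with precedence swapped: the Block now shadows the Allow."""
    return [replace(ALLOW_MARKETING, precedence=2), replace(BLOCK_EVERYONE, precedence=1)]


if __name__ == "__main__":
    for groups in ({"Marketing"}, {"Contractors"}):
        print(sorted(groups), "->", evaluate(POLICIES, {SOCIAL_NETWORKS}, groups))
    print("misordered, Marketing ->", evaluate(misordered(), {SOCIAL_NETWORKS}, {"Marketing"}))
```

With the precedence values from the page, a Marketing user is allowed and everyone else is blocked; with the values swapped, the Block policy matches first for every user and the Allow never fires, which is the failure mode the "place the Allow policy above the Block policy" instruction guards against.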
Force users to connect with IPv4 by blocking IPv6 resolution.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Query Record Type | is | AAAA | And | Block |
Domain | is | example.com | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Force IPv4",
    "description": "Force users to connect with IPv4 by blocking IPv6 resolution",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "dns.query_rtype == \"AAAA\" and any(dns.domains[*] == \"example.com\")",
    "identity": ""
  }'
```
Force users to connect with IPv6 by blocking IPv4 resolution.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Query Record Type | is | A | And | Block |
Domain | is | example.com | | |
```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Force IPv6",
    "description": "Force users to connect with IPv6 by blocking IPv4 resolution",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "dns.query_rtype == \"A\" and any(dns.domains[*] == \"example.com\")",
    "identity": ""
  }'
```