DNS filtering
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
To filter DNS requests from an individual device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization's Zero Trust instance.
- (Optional) If you want to display a custom block page, install a Cloudflare root certificate on your device.
To filter DNS requests from a location such as an office or data center:
- Add the location to your Zero Trust settings.
- On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.
To verify your device is connected to Zero Trust:
- In Zero Trust, go to Settings > Network.
- Under Gateway logging, enable activity logging for all DNS logs.
- On your device, open a browser and go to any website.
- In Zero Trust, go to Logs > Gateway > DNS.
- Make sure DNS queries from your device appear.
To create a new DNS policy:
- In Zero Trust, go to Gateway > Firewall policies.
- In the DNS tab, select Add a policy.
- Name the policy.
- Under Traffic, build a logical expression that defines the traffic you want to allow or block.
- Choose an Action to take when traffic matches the logical expression. For example, we recommend adding a policy to block all security categories:
  | Selector | Operator | Value | Action |
  | --- | --- | --- | --- |
  | Security Categories | in | All security risks | Block |
- Select Create policy.
To create the same policy with the API instead:
- Create an API token with the following permissions:
  | Type | Item | Permission |
  | --- | --- | --- |
  | Account | Zero Trust | Edit |
- (Optional) Configure your API environment variables to include your account ID and API token.
- Send a POST request to the Create a Zero Trust Gateway rule endpoint. For example, we recommend adding a policy to block all security categories:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --data '{
    "name": "Block security threats",
    "description": "Block all default Cloudflare DNS security categories",
    "precedence": 0,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": ""
  }'
```

A successful request returns a response like the following:

```json
{
  "success": true,
  "errors": [],
  "messages": []
}
```

The API will respond with a summary of the policy and the result of your request.
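The same request as a small Python client, added here as an example rather than taken from Cloudflare's own tooling: it builds the `dns.security_category` traffic expression from a list of category IDs, posts the rule with the headers shown above, and fails loudly when the API reports `success: false`. The `send` parameter is an assumed hook so the transport can be replaced offline; the account ID and token are placeholders you supply.

```python
"""Create a Gateway DNS block rule via the Cloudflare API (added example, not Cloudflare code)."""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Security category IDs exactly as used in the curl example on this page.
DEFAULT_SECURITY_CATEGORIES = [68, 178, 80, 83, 176, 175, 117, 131, 134, 151, 153]


def security_category_expression(category_ids):
    """Build the Gateway traffic expression that matches any of the given categories."""
    ids = " ".join(str(i) for i in category_ids)
    return f"any(dns.security_category[*] in {{{ids}}})"


def dns_block_rule(name, description, category_ids, precedence=0):
    """Return the request body for a DNS policy that blocks the given categories."""
    return {
        "name": name,
        "description": description,
        "precedence": precedence,
        "enabled": True,
        "action": "block",
        "filters": ["dns"],
        "traffic": security_category_expression(category_ids),
        "identity": "",
    }


def check_response(body):
    """Return the created rule, or raise with the API's own error list on failure."""
    if not body.get("success"):
        raise RuntimeError(f"Gateway rule not created: {body.get('errors')}")
    return body.get("result", {})


def _http_send(req):
    """Default transport: perform the HTTPS request and decode the JSON reply."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_gateway_rule(account_id, api_token, rule, send=_http_send):
    """POST the rule to the Gateway rules endpoint; `send` is an assumed injectable transport."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(rule).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_token}"},
        method="POST",
    )
    return check_response(send(req))
```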
For more information, refer to DNS policies.
Refer to our list of common DNS policies for other policies you may want to create.