DNS filtering
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
To filter DNS requests from an individual device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization's Zero Trust instance.
- (Optional) If you want to display a custom block page, install a Cloudflare root certificate on your device.
To filter DNS requests from a location such as an office or data center:
- Add the location to your Zero Trust settings.
- On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.
To verify your device is connected to Zero Trust:
- In Zero Trust, go to Settings > Network.
- Under Gateway logging, enable activity logging for all DNS logs.
- On your device, open a browser and go to any website.
- In Zero Trust, go to Logs > Gateway > DNS.
- Make sure DNS queries from your device appear.
To create a new DNS policy:
- In Zero Trust, go to Gateway > Firewall policies.
- In the DNS tab, select Add a policy.
- Name the policy.
- Under Traffic, build a logical expression that defines the traffic you want to allow or block.
- Choose an Action to take when traffic matches the logical expression. For example, we recommend adding a policy to block all security categories:

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Security Categories | in | All security risks | Block |

- Select Create policy.
For more information, refer to DNS policies.
Refer to our list of common DNS policies for other policies you may want to create.
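Both the verification steps and the recommended block policy above can be checked against an export of DNS logs. The following Python is an added example, not Cloudflare's code: the log field names (device, query, categories, action), the category names, the device names and the sample records are constructed assumptions, not the actual Gateway log schema.

```python
import json

# Constructed sample export, one JSON record per line. The field names are
# assumptions for this example, not the actual Gateway log schema.
SAMPLE_LOGS = """\
{"device": "laptop-01", "query": "example.com", "categories": [], "action": "allow"}
{"device": "laptop-01", "query": "malware.test", "categories": ["Malware"], "action": "block"}
{"device": "phone-07", "query": "phish.test", "categories": ["Phishing"], "action": "allow"}
truncated-line-without-json
"""

# Constructed stand-in for the "All security risks" value of the policy.
SECURITY_RISKS = frozenset({"Malware", "Phishing"})


def audit_dns_logs(log_text, expected_devices, risky=SECURITY_RISKS):
    """Check that every expected device is logging and that no query in a
    security category was answered instead of blocked."""
    seen, unblocked, skipped = set(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            device, query = rec["device"], rec["query"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # malformed record: count it, do not trust it
            continue
        seen.add(device)
        # Selector "Security Categories", operator "in": any overlap matches.
        matched = risky.intersection(rec.get("categories") or [])
        if matched and rec.get("action") != "block":
            unblocked.append((device, query, sorted(matched)))
    return {
        "missing_devices": sorted(set(expected_devices) - seen),
        "unblocked_risky": unblocked,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = audit_dns_logs(SAMPLE_LOGS, ["laptop-01", "phone-07", "desktop-03"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A device listed under missing_devices is not sending its DNS queries through Zero Trust, and any entry under unblocked_risky is a query the block policy should have matched but did not.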