Resolver policies
By default, Gateway sends DNS requests to 1.1.1.1, Cloudflare’s public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS requests to custom resolvers.
You may use resolver policies if you require access to non-publicly routed domains, such as private network services or internal resources. You may also use resolver policies if you need to access a protected DNS service or want to simplify DNS management for multiple locations.
Resolver connections
Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a Magic tunnel. Policies default to port 53. You can change which port your resolver uses by customizing it in your policy.
You can protect your authoritative nameservers from DDoS attacks by enabling DNS Firewall.
Create a resolver policy
In Zero Trust, go to Gateway > Resolver policies.
Select Add a policy.
Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service:
Selector    Operator    Value
Host        in          internal.example.com
In Select DNS resolver, choose Configure custom DNS resolvers.
Enter the IP addresses of your custom DNS resolver.
In Network, choose whether to route queries publicly (to the Internet) or privately (to a private network service).
(Optional) Enter a custom port for each IP address.
Select Create policy.
Gateway sends the query to every resolver listed in the policy and returns the first response it receives, so list only resolvers you trust to give consistent answers for the matched hostnames. Custom resolvers are saved to your account for future use.
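The same policy can be created without the dashboard by posting a rule to the Gateway rules API. The script below is an added example, not Cloudflare's own code: it builds the rule body for the policy above, validates each resolver address and port (defaulting to port 53, as the policy does), splits resolvers into the IPv4 and IPv6 lists, and refuses a private-network resolver that has no virtual network to route into. The endpoint path, the field names (`action: "resolve"`, `filters: ["dns_resolver"]`, `rule_settings.dns_resolvers`, `route_through_private_network`, `vnet_id`) and the `dns.fqdn in {...}` expression syntax are the author's assumptions about the API and should be checked against the current API reference before use; the account ID, virtual network ID and resolver addresses are constructed placeholders.

```python
"""Build and optionally submit a Gateway resolver policy through the API.

Added example, not Cloudflare's own code. Field names, endpoint path and
expression syntax are assumptions about the Gateway rules API.
"""
import ipaddress
import json
import os
import urllib.request

DEFAULT_PORT = 53  # resolver policies default to port 53 unless overridden


def parse_resolver(spec, private=False, vnet_id=None):
    """Parse "ip", "ip:port" or "[ipv6]:port" into (ip_version, resolver entry)."""
    host, port = spec, DEFAULT_PORT
    if spec.startswith("["):                     # bracketed IPv6, optional :port
        host, _, rest = spec[1:].partition("]")
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"bad resolver spec: {spec}")
            port = int(rest[1:])
    elif spec.count(":") == 1:                   # IPv4 with explicit port
        host, port_text = spec.split(":")
        port = int(port_text)
    addr = ipaddress.ip_address(host)            # raises ValueError on garbage
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    entry = {"ip": str(addr), "port": port}
    if private:
        # Routing privately needs a virtual network (assumed field name vnet_id);
        # without one the query has nowhere to go.
        if not vnet_id:
            raise ValueError("private resolvers require a vnet_id")
        entry["route_through_private_network"] = True
        entry["vnet_id"] = vnet_id
    return addr.version, entry


def host_expression(hosts):
    """Expression for 'Host in {...}'; normalises case and trailing dots."""
    if not hosts:
        raise ValueError("at least one host is required")
    quoted = " ".join(json.dumps(h.lower().rstrip(".")) for h in hosts)
    return f"dns.fqdn in {{{quoted}}}"           # assumed wirefilter syntax


def build_resolver_rule(name, hosts, resolvers, private=False, vnet_id=None):
    """Return the JSON body for one resolver policy."""
    ipv4, ipv6 = [], []
    for spec in resolvers:
        version, entry = parse_resolver(spec, private, vnet_id)
        (ipv4 if version == 4 else ipv6).append(entry)
    if not ipv4 and not ipv6:
        raise ValueError("at least one resolver is required")
    return {
        "name": name,
        "enabled": True,
        "action": "resolve",                     # assumed action name
        "filters": ["dns_resolver"],             # assumed filter name
        "traffic": host_expression(hosts),
        "rule_settings": {"dns_resolvers": {"ipv4": ipv4, "ipv6": ipv6}},
    }


def submit_rule(account_id, rule, token=None):
    """POST the rule; token comes from CLOUDFLARE_API_TOKEN unless given."""
    token = token or os.environ["CLOUDFLARE_API_TOKEN"]
    url = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules"
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: private resolvers on IPv4 and IPv6 (custom port).
    rule = build_resolver_rule(
        "Internal resolver", ["internal.example.com"],
        ["10.0.0.53", "[fd00::53]:5353"],
        private=True, vnet_id="00000000-0000-0000-0000-000000000000",
    )
    print(json.dumps(rule, indent=2))
    # submit_rule("<account_id>", rule) would create it once the body is verified.
```

Once the policy exists, check it from a device whose DNS goes through Gateway: `dig internal.example.com` should return the internal answer, while `dig @1.1.1.1 internal.example.com` should still fail (for example NXDOMAIN), confirming that only the policy, not public DNS, resolves the name.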
For more information on creating a DNS policy, refer to DNS policies.