Filter DNS on devices
You can use Cloudflare Gateway and the Cloudflare WARP client application to filter and log DNS queries from devices on any network. Cloudflare Gateway will continue to secure devices in any location by filtering all DNS queries using the WARP client on the roaming devices.
🗺️ This tutorial covers how to:
- Create a DNS filtering policy that secures devices by blocking malicious hostnames
- Apply that policy to devices on any network
- Enroll devices into a Cloudflare Gateway deployment
⏲️ Time to complete:
Before you start
Create a DNS filtering policy
First, assign the policy a name and add an optional description. Next, build an expression to determine what is blocked.
In this example, the policy will block any hostnames that Cloudflare’s data intelligence platform identifies as containing security risks like malware or phishing campaigns. You can click
All security risks to include all options or check individual types of threats in the dropdown.
The policy will now appear in your DNS policies list.
Integrate your identity provider
Navigate to the
Settings section of the Zero Trust Dashboard and select
Authentication. Cloudflare Zero Trust will automatically create a “One-time PIN” option which will rely on your user’s emails. You can begin using the one-time PIN option immediately or you can also integrate your corporate .
Determine which devices can enroll
Next, build a rule to decide which devices can enroll in your account.
Navigate to Settings > Devices > Device enrollment.
Click Add a rule.
Determine who is allowed to enroll by using criteria including Access groups, groups from your identity provider, email domain, or named users. This example allows any user with a
@cloudflare.comaccount to enroll.
Collect your Team domain
You will need this name to enroll devices. You can confirm the team name selected by visiting the
Settings section of the dashboard and selecting
Enroll a device
Your team members can run the WARP client to enroll in your Gateway account and send DNS queries to your configured policies. This section documents a self-serve user flow; you can alternatively so that users do not need to take any action.
Once installed, click the logo in the toolbar and select the gear icon in the top right of the panel.
Account tab, click Login with Cloudflare for Teams.
The user will be prompted to login with the identity provider configured or with the one-time PIN flow.
Once authenticated, the client will update to
You can click the gear to toggle between
Gateway with DoH, which only filters DNS, or
Gateway with WARP, which functions as a full forward proxy and can filter HTTP requests. In this use case, you only need DNS filtering.
Review logs and devices
As users enroll, you can review the users and associated devices by visiting the
My Team section of the dashboard. You can also in the
Logs section by selecting
Gateway. To add identity into the logs, your users will need to switch to
Gateway with WARP mode.