
DNS Firewall

Cloudflare DNS Firewall proxies all DNS queries to your nameservers through Cloudflare’s global edge network. This action protects upstream nameservers from DDoS attacks and reduces load by caching DNS responses.

DNS Firewall is for customers who need to speed up and protect entire authoritative nameservers, while full or partial authoritative DNS is for customers who need to speed up and protect individual zones.

Diagram showing protection provided by DNS Firewall. For more details, read further.

How it works

When a DNS query goes to your nameservers:

  1. Queries go to the closest Cloudflare data center to the website visitor (determined by the location of the used DNS resolver).
  2. Cloudflare tries to return a DNS response from cache.
  3. If the response is not available in cache, Cloudflare queries the upstream authoritative nameservers.
  4. Cloudflare temporarily caches the response for subsequent DNS queries.

Benefits

DNS Firewall provides the following benefits while allowing organizations total control over their authoritative nameservers:

  • DDoS mitigation
  • High availability
  • Global distribution
  • Enhanced performance
  • Bandwidth savings
  • DNS caching
  • Rate limiting per data center
  • Specify minimum and maximum TTL
  • Block ANY queries
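
The cache flow under "How it works", together with the minimum/maximum TTL and ANY-blocking features listed above, can be modelled in a few lines. This is an added illustration, not Cloudflare's code or API: the class, the TTL values, the sample origin and the "blocked" marker are assumptions, since the page does not say how a blocked ANY query is answered.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

@dataclass
class CachingDnsProxy:
    """Toy model of an edge cache in front of authoritative nameservers."""
    upstream: Callable[[str, str], Tuple[str, int]]  # returns (answer, ttl_seconds)
    min_ttl: int = 30      # assumed value: floor applied to upstream TTLs
    max_ttl: int = 3600    # assumed value: ceiling applied to upstream TTLs
    block_any: bool = True
    clock: Callable[[], float] = time.monotonic
    upstream_queries: int = 0
    _cache: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str, qtype: str) -> Tuple[str, str]:
        """Return (source, answer); source is 'blocked', 'cache' or 'upstream'."""
        qtype = qtype.upper()
        if self.block_any and qtype == "ANY":
            return ("blocked", "")          # never touches cache or upstream
        key = (name.lower().rstrip("."), qtype)
        now = self.clock()
        hit = self._cache.get(key)
        if hit and hit[1] > now:            # step 2: answer from cache
            return ("cache", hit[0])
        answer, ttl = self.upstream(name, qtype)   # step 3: cache miss
        self.upstream_queries += 1
        # Clamp the upstream TTL: a very low TTL cannot force a refetch on
        # every query, and a very high one cannot pin a stale record.
        ttl = max(self.min_ttl, min(ttl, self.max_ttl))
        self._cache[key] = (answer, now + ttl)     # step 4: cache temporarily
        return ("upstream", answer)

def demo() -> Tuple[list, int]:
    """Replay constructed queries against a constructed origin with a 5 s TTL."""
    now = [0.0]
    def origin(name: str, qtype: str) -> Tuple[str, int]:
        return ("192.0.2.10", 5)            # documentation address, constructed
    proxy = CachingDnsProxy(origin, min_ttl=30, max_ttl=300, clock=lambda: now[0])
    sources = []
    for t, qtype in [(0, "A"), (10, "A"), (31, "A"), (32, "ANY")]:
        now[0] = float(t)
        sources.append(proxy.resolve("www.example.com.", qtype)[0])
    return sources, proxy.upstream_queries

if __name__ == "__main__":
    print(demo())
```

In the replay, the query at 10 seconds is still served from cache even though the origin's 5-second TTL has expired, because the minimum TTL raised it to 30 seconds.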

Availability



No | No | No | Paid add-on

Resources