FAQs — DNS Firewall
How does DNS Firewall choose a backend nameserver to query upstream?
How long does DNS Firewall cache a stale object?
DNS Firewall ties cache longevity to the memory allocated to your cache, not to the record TTL.
As long as allocated memory is available, Cloudflare does not forcibly evict items from the cache when their TTL expires. This lets DNS Firewall keep serving a stale answer from cache if your upstream nameservers are offline or unreachable; entries are only dropped when memory pressure requires it.
Does the DNS Firewall cache SERVFAIL?
Does DNS Firewall support EDNS-Client-Subnet?
Yes. DNS providers often want to see the client's IP subnet via EDNS-Client-Subnet (ECS) because they serve geographically specific DNS answers based on where the client is. With EDNS-Client-Subnet enabled, DNS Firewall forwards the client's IP subnet from the incoming query, along with the DNS query itself, to the upstream nameserver. Note that this also means the client subnet is disclosed to the upstream nameserver; that is the intended trade-off for geo-targeted answers.
When EDNS-Client-Subnet is enabled, DNS Firewall returns the geographically correct answer from cache based on the client IP subnet. To do this, DNS Firewall segments its cache by client subnet. For example:
- A resolver says it is looking for an answer on behalf of a client in a given subnet, carried in the query's EDNS-Client-Subnet option.
- DNS Firewall proxies the request to the upstream nameserver for the answer.
- DNS Firewall caches the answer from the upstream nameserver, but only for that client subnet.
- A resolver whose client is in a different subnet, 203.0.113.0/24, now asks the same DNS question, and the answer is again fetched from the upstream nameserver instead of being served from the cache.
Because every distinct client subnet gets its own cache slot, expect a lower cache hit rate and more upstream queries with ECS enabled than without it.
Some resolvers do not send any EDNS-Client-Subnet data. When you set the
ecs_fallback parameter to
true, DNS Firewall forwards the IP subnet of the resolver itself instead, but only when the incoming DNS query carries no EDNS-Client-Subnet data. Queries that do carry ECS are unaffected by the fallback.
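To make the two caching behaviours above concrete (serving stale answers while upstream is offline, and segmenting the cache by EDNS-Client-Subnet with an optional resolver-subnet fallback), here is a small simulation in Python. It is an added illustration, not Cloudflare's code, and it assumes a /24 fallback prefix, a FIFO memory cap and a fake geo-aware authoritative server, none of which are specified on this page. The IP ranges and answers are constructed sample data.

```python
import ipaddress
import time
from dataclasses import dataclass

# Constructed sample data: a geo-aware "authoritative" server that hands out
# a different address depending on which client subnet asked.
GEO_ANSWERS = {
    "198.51.100.0/24": "192.0.2.10",  # clients in region A
    "203.0.113.0/24": "192.0.2.20",   # clients in region B
}
DEFAULT_ANSWER = "192.0.2.1"          # answer when no subnet is known


class FakeAuthoritative:
    """Stand-in for the customer's upstream nameserver."""

    def __init__(self):
        self.online = True
        self.queries = 0

    def __call__(self, qname, client_subnet):
        if not self.online:
            raise ConnectionError("upstream nameserver offline")
        self.queries += 1
        return GEO_ANSWERS.get(client_subnet, DEFAULT_ANSWER), 60  # (rdata, ttl)


@dataclass
class Answer:
    rdata: str
    ttl: int
    stored_at: float


class EcsSegmentedCache:
    """Simplified model of the DNS Firewall cache described on this page."""

    def __init__(self, upstream, ecs_fallback=False, max_entries=1000):
        self.upstream = upstream
        self.ecs_fallback = ecs_fallback
        self.max_entries = max_entries      # stands in for allocated memory
        self.cache = {}                     # (qname, segment) -> Answer; dict order gives FIFO eviction

    def _segment(self, query_ecs, resolver_ip):
        """Pick the cache segment: the query's ECS subnet, the resolver's own /24
        if ecs_fallback is on and no ECS was sent, or no segmentation at all."""
        if query_ecs is not None:
            return str(ipaddress.ip_network(query_ecs, strict=False))
        if self.ecs_fallback:
            # /24 is an assumption for this example; the page does not state the prefix length.
            return str(ipaddress.ip_network(f"{resolver_ip}/24", strict=False))
        return None

    def resolve(self, qname, resolver_ip, query_ecs=None, now=None):
        """Return (rdata, source) where source is 'cache', 'upstream' or 'stale'."""
        now = time.time() if now is None else now
        key = (qname, self._segment(query_ecs, resolver_ip))
        entry = self.cache.get(key)
        if entry is not None and now - entry.stored_at < entry.ttl:
            return entry.rdata, "cache"
        try:
            rdata, ttl = self.upstream(qname, key[1])
        except ConnectionError:
            # TTL expired but the entry was never evicted: serve it stale.
            if entry is not None:
                return entry.rdata, "stale"
            raise
        if key not in self.cache and len(self.cache) >= self.max_entries:
            self.cache.pop(next(iter(self.cache)))   # memory pressure: drop the oldest entry
        self.cache[key] = Answer(rdata, ttl, now)
        return rdata, "upstream"


def demo():
    """Walk through the scenarios from the FAQ and return each outcome."""
    auth = FakeAuthoritative()
    fw = EcsSegmentedCache(auth, ecs_fallback=True)
    q, t = "www.example.com", 1000.0
    out = {}
    # Region A client: first query goes upstream, second is a cache hit for that subnet.
    out["a_first"] = fw.resolve(q, "10.0.0.1", "198.51.100.0/24", now=t)
    out["a_second"] = fw.resolve(q, "10.0.0.1", "198.51.100.0/24", now=t + 1)
    # Same question from 203.0.113.0/24: different segment, so upstream is asked again.
    out["b_first"] = fw.resolve(q, "10.0.0.1", "203.0.113.0/24", now=t + 2)
    # No ECS in the query, resolver lives in 203.0.113.0/24: fallback reuses region B's segment.
    out["b_fallback"] = fw.resolve(q, "203.0.113.9", None, now=t + 3)
    # Upstream goes down after the 60 s TTL has expired: the stale region A answer is served.
    auth.online = False
    out["a_stale"] = fw.resolve(q, "10.0.0.1", "198.51.100.0/24", now=t + 120)
    out["upstream_queries"] = auth.queries
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

To check the real behaviour from outside, query the DNS Firewall address with an explicit ECS option, for example `dig +subnet=203.0.113.0/24 www.example.com @<dns-firewall-ip>`, and compare the answer with one sent using a different subnet or no `+subnet` at all; with `ecs_fallback` on, the no-ECS query should be answered as if it came from the querying resolver's own subnet.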