Set up DNS Firewall
Prerequisites
Prior to setting up DNS Firewall, you need:
- Account access to DNS Firewall (provided by your Enterprise account team).
- Access to DNS Administrator or Super Administrator privileges on your account.
- Newly updated IP addresses for your nameservers (protects against previously compromised IP addresses).
Configure DNS Firewall
Create a DNS Firewall cluster
- Log in to the Cloudflare account with DNS Firewall.
- On the account homepage, click DNS Firewall.
- Click Add Firewall Cluster.
- Fill out the required fields, including:
- IP Addresses: The upstream IPv4 and/or IPv6 addresses of your authoritative nameservers.
- Minimum Cache TTL: Recommended setting of 30 seconds.
- Maximum Cache TTL: Recommended setting of 1 hour. Larger values increase the cache hit ratio, but also increase the time required for DNS changes to propagate.
- ANY queries: Recommended setting is Off because these are often used as part of DDoS attacks. Also refer to this blog post.
- Click Continue.
- On the following screen, save the values for Your new DNS Firewall IP Addresses.
Update registrar settings
Update the A/AAAA glue records for your nameserver hostnames at your registrar with your DNS Firewall cluster IP addresses.
Update DNS servers
At your DNS servers, update the A/AAAA records for your nameserver hostnames in your DNS zone file with your DNS Firewall cluster IP addresses.
Test DNS resolution
Confirm that your nameservers are functioning correctly by running a dig command.
Update security policies
Configure security policy in your DNS servers and Firewall to allow only Cloudflare IPs and TCP/UDP port 53.
Additional options
When you use the API, you can also specify other parameters, such as rate limit (in queries per second per data center). You can find the parameters descriptions and examples in the API documentation.
To configure rate limiting and other options for already existing clusters, use the Update DNS Firewall Cluster endpoint.