Recommended DNS policies
This page provides a set of standard DNS policies designed to protect an organization from common threats. Feel free to tailor these examples to the needs of your organization.
Allow corporate domains
This policy allows users to access official corporate domains. By deploying the policy with a high order of precedence, you ensure that employees can still reach trusted domains even when those domains fall under a blocked category such as Newly seen domains or Login pages.
| Selector | Operator | Value | Action | Precedence |
| --- | --- | --- | --- | --- |
| Domain | in list | Allowed domains | Allow | 1 |
Block security threats
Block security categories such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Security categories | in | All security risks | Block |
Block content categories
The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to domain categories.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Questionable Content, Security Risks, Miscellaneous | Block |
Block unauthorized applications
To minimize the risk of shadow IT, some organizations choose to limit their users’ access to certain web-based tools and applications. For example, the following policy blocks AI assistants:
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | ChatGPT, Bard | Block |
Block banned countries
You can implement policies to block websites hosted in countries categorized as high risk. The designation of such countries may come from the requirements of your organization's customers or from regulations such as EAR, OFAC, and ITAR.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Resolved Country IP Geolocation | in | Afghanistan, Belarus, Congo (Kinshasa), Cuba, Iran, Iraq, Korea (North), Myanmar, Russian Federation, Sudan, Syria, Ukraine, Zimbabwe | Block |
Block top-level domains
Blocking frequently misused top-level domains (TLDs) can reduce security risk, especially when there is no discernible benefit to allowing access. Similarly, restricting access to specific country-code TLDs may be necessary to comply with regulations like ITAR or OFAC.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Domain | matches regex | `[.](cn\|ru)$` | Or | Block |
| Domain | matches regex | `[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$` | Or | |
| Domain | matches regex | `[.](zip\|mobi)$` | | |
Block phishing attacks
To protect against sophisticated phishing attacks, you could prevent users from accessing phishing domains that specifically target your organization. The following policy blocks domains containing keywords associated with an organization or its authentication services (such as okta, 2fa, cloudflare or sso), while still allowing access to official corporate domains.
| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Domain | not in list | Corporate Domains | And | Block |
| Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.*sso.*` | | |
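As an added worked example (not part of the Cloudflare page), the following Python models how the corporate allow, TLD block and phishing block policies above combine when evaluated in precedence order. The corporate domain list is constructed, and treating a list entry as matching its subdomains is an assumption; the regexes are the page's own.

```python
import re
from typing import Callable, List, Tuple

# Constructed corporate domain list standing in for the page's "Allowed domains" /
# "Corporate Domains" Gateway lists (hypothetical entries, not from the page).
CORPORATE_DOMAINS = {"example.com", "sso.example.com"}

# Regexes from the "Block top-level domains" and "Block phishing attacks" policies.
# Python's re stands in for the Gateway regex engine on these simple patterns.
TLD_PATTERNS = [
    r"[.](cn|ru)$",
    r"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$",
    r"[.](zip|mobi)$",
]
PHISHING_KEYWORDS = r".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*"


def in_corporate_list(domain: str) -> bool:
    # Assumption: a list entry matches the domain itself and any of its subdomains.
    return domain in CORPORATE_DOMAINS or any(domain.endswith("." + d) for d in CORPORATE_DOMAINS)


def matches_tld_block(domain: str) -> bool:
    # Rows joined with "Or": a single regex hit is enough to block.
    return any(re.search(p, domain) for p in TLD_PATTERNS)


def matches_phishing_block(domain: str) -> bool:
    # Rows joined with "And": keyword hit on a domain that is NOT a corporate domain.
    return not in_corporate_list(domain) and re.search(PHISHING_KEYWORDS, domain) is not None


# Policies in precedence order; the corporate allow sits first so it wins even when a
# later block policy would also match the same name (e.g. sso.example.com).
POLICIES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("Allow corporate domains", "allow", in_corporate_list),
    ("Block top-level domains", "block", matches_tld_block),
    ("Block phishing attacks", "block", matches_phishing_block),
]


def evaluate(query_name: str) -> Tuple[str, str]:
    """Return (action, policy name) of the first matching policy, or a default allow."""
    domain = query_name.lower().rstrip(".")  # normalise case and trailing dot
    for name, action, matches in POLICIES:
        if matches(domain):
            return action, name
    return "allow", "default"


if __name__ == "__main__":
    for d in ["sso.example.com", "example-sso-login.top", "okta-example.net", "assorted.example.net"]:
        print(d, "->", evaluate(d))
```

Note that `assorted.example.net` is blocked only because the string contains `sso`; that is the kind of false positive to test for before deploying keyword regexes.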
Block online tracking
To safeguard user privacy, some organizations block tracking domains such as dig.whatsapp.com, as well as other tracking domains embedded at the OS level. Refer to this repository for a list of widespread tracking domains that you can add to your blocklist.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Domain | in list | Top tracking domains | Block |
Block malicious IPs
Block specific IP addresses that are known to be malicious or that pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency Response Teams (CERTs).
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Resolved IP | in list | DShield | Block |
Hide explicit search results
SafeSearch is a feature of search engines that filters explicit or offensive content. You can enforce SafeSearch on search engines such as Google, Bing, Yandex, YouTube and DuckDuckGo:
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Search Engines | Safe Search |
