Recommended DNS policies
We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization.
Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as Newly Seen Domains or Login Screens.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | in list | Known Domains | Or | Allow |
Host | in list | Known Domains |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-Domain-Allowlist",
    "description": "Allowlist any known domains and hostnames",
    "precedence": 0,
    "enabled": true,
    "action": "allow",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] in $<KNOWN_DOMAINS_LIST_UUID>) or dns.fqdn in $<KNOWN_DOMAINS_LIST_UUID>"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" {
  account_id  = var.account_id
  name        = "All-DNS-Domain-Allowlist"
  description = "Allowlist any known domains and hostnames"
  precedence  = 0
  enabled     = true
  action      = "allow"
  filters     = ["dns"]
  traffic     = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}"
}
```
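The curl command above leaves `$<KNOWN_DOMAINS_LIST_UUID>` for you to fill in by hand. The following script is an added example (not Cloudflare's code and not from this page): it resolves the list ID by name from the Gateway lists endpoint, builds the same rule body as the curl command, and posts it. The `SAMPLE_LISTS` response is constructed to show the shape of the lists endpoint's result; the list names and UUIDs in it are made up.

```python
"""Create All-DNS-Domain-Allowlist with the list placeholder resolved.

Added example, not Cloudflare's own code. Only the standard library is used.
The sample lists response below is constructed, not captured from an account.
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def list_id_by_name(lists_response, name):
    """Return the ID of the Gateway list called `name` from a GET .../gateway/lists response.

    Exactly one list must carry that name; anything else is a configuration error
    worth failing on rather than silently picking the first hit.
    """
    matches = [item["id"] for item in lists_response["result"] if item["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one list named {name!r}, found {len(matches)}")
    return matches[0]


def list_ref(list_id):
    """Gateway expression syntax for referencing a list by ID: $<uuid>."""
    return f"${list_id}"


def allowlist_rule(known_domains_id):
    """Rule body equivalent to the page's curl command, with the UUID filled in."""
    ref = list_ref(known_domains_id)
    return {
        "name": "All-DNS-Domain-Allowlist",
        "description": "Allowlist any known domains and hostnames",
        "precedence": 0,
        "enabled": True,
        "action": "allow",
        "filters": ["dns"],
        "traffic": f"any(dns.domains[*] in {ref}) or dns.fqdn in {ref}",
    }


def api_call(method, path, token, body=None):
    """Minimal authenticated call against the Cloudflare v4 API; raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path,
        data=data,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_allowlist(account_id, token):
    """Look up the Known Domains list, then create the allow rule in the account."""
    lists = api_call("GET", f"/accounts/{account_id}/gateway/lists", token)
    rule = allowlist_rule(list_id_by_name(lists, "Known Domains"))
    return api_call("POST", f"/accounts/{account_id}/gateway/rules", token, rule)


# Constructed sample in the shape of GET /accounts/{account_id}/gateway/lists.
SAMPLE_LISTS = {
    "success": True,
    "result": [
        {"id": "11111111-2222-3333-4444-555555555555", "name": "Known Domains", "type": "DOMAIN"},
        {"id": "66666666-7777-8888-9999-000000000000", "name": "IP Blocklist", "type": "IP"},
    ],
}

if __name__ == "__main__":
    # Dry run against the constructed response; export ACCOUNT_ID and
    # CLOUDFLARE_API_TOKEN to create the rule for real.
    print(json.dumps(allowlist_rule(list_id_by_name(SAMPLE_LISTS, "Known Domains")), indent=2))
    if os.environ.get("ACCOUNT_ID") and os.environ.get("CLOUDFLARE_API_TOKEN"):
        print(create_allowlist(os.environ["ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"]))
```

The same `list_id_by_name` lookup serves every other policy on this page that references a list (`ALLOWED_REMEDIATION_DOMAINS_LIST_UUID`, `IP_BLOCKLIST_UUID`, and so on); failing when a list name is missing or duplicated is deliberate, since a rule created with an unresolved reference would not match what you intended.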
Restrict access for users included in an identity provider (IdP) user group for risky users. This policy lets your security team restrict traffic for users for whom malicious or suspicious activity has been detected, while still allowing the domains needed for remediation.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | not in list | Allowed Remediation Domains | Or | Block |
Host | not in list | Allowed Remediation Domains | And | |
User Group Names | in | Quarantined Users |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "Quarantined-Users-DNS-Restricted-Access",
    "description": "Restrict access for users included in an identity provider (IdP) user group for risky users",
    "precedence": 10,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "not(any(dns.domains[*] in $<ALLOWED_REMEDIATION_DOMAINS_LIST_UUID>)) or not(dns.fqdn in $<ALLOWED_REMEDIATION_DOMAINS_LIST_UUID>)",
    "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" {
  account_id  = var.account_id
  name        = "Quarantined-Users-DNS-Restricted-Access"
  description = "Restrict access for users included in an identity provider (IdP) user group for risky users"
  precedence  = 10
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  # Domain not in list OR Host not in list, as in the table above
  traffic     = "not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})) or not(dns.fqdn in ${"$"}${cloudflare_zero_trust_list.allowed_remediation_domains.id})"
  identity    = "any(identity.groups.name[*] in {\"Quarantined Users\"})"
}
```
Block security categories, such as Command and Control & Botnet and Malware, based on Cloudflare's threat intelligence.
Selector | Operator | Value | Action |
---|---|---|---|
Security Categories | in | All security risks | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-SecurityCategories-Blocklist",
    "description": "Block security categories based on Cloudflare'"'"'s threat intelligence",
    "precedence": 20,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
  account_id  = var.account_id
  name        = "All-DNS-SecurityCategories-Blocklist"
  description = "Block security categories based on Cloudflare's threat intelligence"
  precedence  = 20
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
}
```
Entries in the security risk content subcategory, such as New Domains, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your Trusted Domains list used in All-DNS-Domain-Allowlist.
After your test is complete, we recommend you change the action to Block to minimize risk to your organization.
Selector | Operator | Value | Action |
---|---|---|---|
Content Categories | in | Questionable Content, Security Risks, Miscellaneous | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-ContentCategories-Blocklist",
    "description": "Block common content categories that may pose a risk",
    "precedence": 30,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
  account_id  = var.account_id
  name        = "All-DNS-ContentCategories-Blocklist"
  description = "Block common content categories that may pose a risk"
  precedence  = 30
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})"
  identity    = ""
}
```
Block unauthorized applications to limit your users' access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks known AI tools:
Selector | Operator | Value | Action |
---|---|---|---|
Application | in | Artificial Intelligence | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-Application-Blocklist",
    "description": "Block access to unauthorized AI applications",
    "precedence": 40,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": ""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
  account_id  = var.account_id
  name        = "All-DNS-Application-Blocklist"
  description = "Block access to unauthorized AI applications"
  precedence  = 40
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(app.type.ids[*] in {25})"
  identity    = ""
}
```
Block websites hosted in countries categorized as high risk. Which countries your organization designates as high risk may be decided by your organization itself or dictated by regulations such as EAR, OFAC, and ITAR.
Selector | Operator | Value | Action |
---|---|---|---|
Resolved Country IP Geolocation | in | Afghanistan, Belarus, Congo (Kinshasa), Cuba, Iran, Iraq, Korea (North), Myanmar, Russian Federation, Sudan, Syria, Ukraine, Zimbabwe | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-GeoCountryIP-Blocklist",
    "description": "Block traffic hosted in countries categorized as high security risks",
    "precedence": 50,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_geolocation_block_policy" {
  account_id  = var.account_id
  name        = "All-DNS-GeoCountryIP-Blocklist"
  description = "Block traffic hosted in countries categorized as high security risks"
  precedence  = 50
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.dst.geo.country[*] in {\"AF\" \"BY\" \"CD\" \"CU\" \"IR\" \"IQ\" \"KP\" \"MM\" \"RU\" \"SD\" \"SY\" \"UA\" \"ZW\"})"
}
```
Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as OFAC and ITAR.
Selector | Operator | Value | Action |
---|---|---|---|
Domain | matches regex | [.](cn\|ru)$\|[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$\|[.](zip\|mobi)$ | Block |

The three TLD groups are joined with the regex alternation operator `|` inside a single pattern; a literal ` or ` inside a regex would never match a real domain.

```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-DomainTopLevel-Blocklist",
    "description": "Block DNS queries of known risky TLDs",
    "precedence": 60,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] matches \"[.](cn|ru)$|[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$|[.](zip|mobi)$\")"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_blacklist_policy" {
  account_id  = var.account_id
  name        = "All-DNS-DomainTopLevel-Blocklist"
  description = "Block DNS queries of known risky TLDs"
  precedence  = 60
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.domains[*] matches \"[.](cn|ru)$|[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$|[.](zip|mobi)$\")"
}
```
Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as `okta`, `2fa`, `cloudflare` and `sso`) while still allowing access to known domains.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | not in list | Known Domains | And | Block |
Domain | matches regex | .*okta.*\|.*cloudflare.*\|.*mfa.*\|.*sso.* |

```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-DomainPhishing-Blocklist",
    "description": "Block misused domains used in phishing campaigns",
    "precedence": 70,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*\") and not(any(dns.domains[*] in $<KNOWN_DOMAINS_LIST_UUID>))"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_phishing_domains_block" {
  account_id  = var.account_id
  name        = "All-DNS-DomainPhishing-Blocklist"
  description = "Block misused domains used in phishing campaigns"
  precedence  = 70
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  # The excluded list is the Known Domains list, the same one All-DNS-Domain-Allowlist references
  traffic     = "any(dns.domains[*] matches \".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*\") and not(any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}))"
}
```
Block specific IP addresses that are malicious or pose a threat to your organization.
You can implement this policy either by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency Response Teams (CERTs). Ideally, your CERTs can update the blocklist through API automation to provide real-time threat protection.
Selector | Operator | Value | Action |
---|---|---|---|
Resolved IP | in list | IP Blocklist | Block |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-ResolvedIP-Blocklist",
    "description": "Block specific IP addresses deemed to be a risk to the Organization",
    "precedence": 80,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.resolved_ips[*] in $<IP_BLOCKLIST_UUID>)"
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" {
  account_id  = var.account_id
  name        = "All-DNS-ResolvedIP-Blocklist"
  description = "Block specific IP addresses deemed to be a risk to the Organization"
  precedence  = 80
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.resolved_ips[*] in ${"$"}${cloudflare_zero_trust_list.ip_blocklist.id})"
}
```
Block specific domains or hosts that are malicious or pose a threat to your organization. Like All-DNS-ResolvedIP-Blocklist, this blocklist can be updated manually or via API automation.
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Domain | in list | Domain Blocklist | Or | Block |
Host | in list | Host Blocklist | Or | |
Host | matches regex | .*example\.com |
```sh
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --data '{
    "name": "All-DNS-DomainHost-Blocklist",
    "description": "Block specific domains or hosts that are malicious or pose a threat to your organization.",
    "precedence": 90,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] in $<DOMAIN_BLOCKLIST_UUID>) or dns.fqdn in $<HOST_BLOCKLIST_UUID> or dns.fqdn matches \".*example\\.com\""
  }'
```

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_dns_domain_host" {
  account_id  = var.account_id
  name        = "All-DNS-DomainHost-Blocklist"
  description = "Block specific domains or hosts that are malicious or pose a threat to your organization."
  precedence  = 90
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  # The three conditions are joined with Or, as in the table above: any one of them blocks the query
  traffic     = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_blocklist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.host_blocklist.id} or dns.fqdn matches \".*example\\.com\""
}
```
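Because Gateway applies the first policy that matches in precedence order, the value of the precedence-0 allowlist and the exact regex values in the TLD and phishing policies are easiest to check with a dry run before anything is pushed through the API or Terraform. The script below is an added example, not Cloudflare's code and not from this page: it re-implements the list, regex and group matching of a subset of the policies above with plain Python predicates, evaluates constructed sample queries in precedence order, and reports which policy fires. It assumes that `dns.domains[*]` expands to the queried name plus each of its parent domains and that the lowest precedence value wins; the list contents, users and domains are constructed sample data, and the regex values are the ones from the policies above with alternation written as `|`.

```python
"""Dry-run evaluator for the recommended DNS policy set (added example, not Cloudflare code).

Approximates Gateway's first-match evaluation: policies are tried from the lowest
precedence value upward and the first match decides. All lists, users and domains
below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lists standing in for the Gateway lists referenced by UUID on the page.
KNOWN_DOMAINS = {"example-corp.com", "sso.example-corp.com"}
ALLOWED_REMEDIATION_DOMAINS = {"remediation.example.net"}
IP_BLOCKLIST = {"203.0.113.7"}

# Regex values from the TLD and phishing policies. "|" is regex alternation;
# a literal " or " inside the pattern would never match a real domain.
RISKY_TLD_RE = re.compile(
    r"[.](cn|ru)$|[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$|[.](zip|mobi)$"
)
PHISHING_KEYWORD_RE = re.compile(r".*okta.*|.*cloudflare.*|.*mfa.*|.*sso.*")


@dataclass
class Query:
    """One DNS query as the policies see it: name, resolved answers, and the user's IdP groups."""
    fqdn: str
    resolved_ips: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)


def parent_domains(fqdn):
    """Assumed dns.domains[*] semantics: the FQDN plus every parent (a.b.c -> a.b.c, b.c, c)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


def in_list(q, domains):
    """'Domain in list' matches if the FQDN or any parent domain is in the list."""
    return bool(parent_domains(q.fqdn) & domains)


# (precedence, name, action, predicate) for the page's list-, regex- and group-based policies.
POLICIES = [
    (0, "All-DNS-Domain-Allowlist", "allow",
     lambda q: in_list(q, KNOWN_DOMAINS)),
    (10, "Quarantined-Users-DNS-Restricted-Access", "block",
     lambda q: "Quarantined Users" in q.user_groups
     and not in_list(q, ALLOWED_REMEDIATION_DOMAINS)),
    (60, "All-DNS-DomainTopLevel-Blocklist", "block",
     lambda q: any(RISKY_TLD_RE.search(d) for d in parent_domains(q.fqdn))),
    (70, "All-DNS-DomainPhishing-Blocklist", "block",
     lambda q: any(PHISHING_KEYWORD_RE.search(d) for d in parent_domains(q.fqdn))
     and not in_list(q, KNOWN_DOMAINS)),
    (80, "All-DNS-ResolvedIP-Blocklist", "block",
     lambda q: bool(q.resolved_ips & IP_BLOCKLIST)),
]


def evaluate(q):
    """Return (action, policy name) of the first matching policy, or ("allow", None) if none match."""
    for _, name, action, matches in sorted(POLICIES, key=lambda p: p[0]):
        if matches(q):
            return action, name
    return "allow", None


if __name__ == "__main__":
    samples = [
        Query("sso.example-corp.com"),                      # keyword "sso", but a known domain
        Query("example-corp-okta.top"),                     # risky TLD fires before the phishing rule
        Query("login-okta.example.net"),                    # phishing keyword, not a known domain
        Query("cdn.example.org", resolved_ips={"203.0.113.7"}),
        Query("news.example.org", user_groups={"Quarantined Users"}),
        Query("remediation.example.net", user_groups={"Quarantined Users"}),
    ]
    for s in samples:
        print(f"{s.fqdn:32} -> {evaluate(s)}")
```

The first sample is the one worth keeping in mind when tuning the phishing regex: `sso.example-corp.com` matches `.*sso.*`, but because All-DNS-Domain-Allowlist sits at precedence 0 it is allowed before the phishing policy is ever consulted, which is exactly why the page recommends creating that allowlist first.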