Locations
DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.
The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router.
To add a DNS location to Gateway:
- In Zero Trust, go to Gateway > DNS Locations.
- Select Add a location.
- Choose a name for your DNS location.
- Choose at least one DNS endpoint to resolve your organization’s DNS queries.
- (Optional) Toggle the following settings:
  - Enable EDNS client subnet sends a user’s IP geolocation to authoritative DNS nameservers. EDNS Client Subnet (ECS) helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy-preserving way by not sending the user’s exact IP address but rather a /24 range which contains their IP address.
  - Set as Default DNS Location sets this location as the default DoH endpoint for DNS queries.
- Select Continue.
- (Optional) Turn on source IP filtering for your configured endpoints, then add any source IPv4/IPv6 addresses to validate.
  - Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses.
  - DoH endpoint filtering & authentication lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses.
- Select Continue.
- Review the settings for your DNS location, then choose Done.
- Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI.
- Select Go to DNS Location. Your location will appear in your list of locations.
You can now apply DNS policies to your location using the Location selector.
DNS endpoints
IPv4 and IPv6 DNS
Cloudflare will prefill the Source IPv4 Address based on the network you are on. Enterprise users have the option of using dedicated DNS resolver IP addresses assigned to their account.
You do not need to configure the IPv4 DNS endpoint if:
- Your network only uses IPv6.
- Your users will send all DNS requests from this location using DNS over HTTPS via a browser.
- You will deploy the WARP client.
DNS over TLS (DoT)
DNS over TLS (DoT) is a standard for encrypting DNS traffic using its own port (853) and TLS encryption.
For more information, refer to DNS over TLS.
DNS over HTTPS (DoH)
DNS over HTTPS (DoH) is a standard for encrypting DNS traffic via the HTTPS protocol, preventing tracking and spoofing of DNS queries.
Gateway requires a DoH endpoint for default DNS locations. For more information, refer to DNS over HTTPS.
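The two points above that are easy to get wrong in practice are what the ECS toggle actually discloses (a /24 range, not the client's full address) and what a DoH client sends to the endpoint (an RFC 8484 request carrying a wire-format DNS message). The following is an added example, not Cloudflare's code or a Gateway API: it builds a DNS query whose EDNS(0) OPT record carries an ECS option truncated to a /24, parses the option back out so you can confirm what a resolver would see, and wraps the message in the DoH GET and POST forms. The DoH endpoint URL and the client IP are constructed placeholders; a real location's DoH hostname comes from the dashboard.

```python
# Added example (not Cloudflare's code): build a DNS query that carries an
# EDNS Client Subnet (ECS) option truncated to a /24, as the page describes, and
# wrap it for an RFC 8484 DoH endpoint. The endpoint URL below is a placeholder;
# a real Gateway location has its own DoH hostname shown in the dashboard.
import base64
import ipaddress
import struct
import urllib.request
from typing import Optional, Tuple

DOH_ENDPOINT = "https://doh.example.invalid/dns-query"  # placeholder (assumption)
DOT_PORT = 853        # DNS over TLS port, useful when checking firewall rules

OPT_TYPE = 41         # EDNS(0) pseudo-RR type
ECS_OPTION_CODE = 8   # RFC 7871 EDNS Client Subnet option code


def ecs_option(client_ip: str, prefix_len: int = 24) -> bytes:
    """Encode an ECS option that reveals only the first prefix_len bits of client_ip."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    # Only ceil(prefix_len / 8) octets are sent; bits beyond the prefix are already zero.
    addr = net.network_address.packed[: (prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, prefix_len, 0) + addr  # scope prefix is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(name: str, qtype: int = 1, client_ip: Optional[str] = None,
                prefix_len: int = 24) -> bytes:
    """Build a wire-format DNS query (ID 0, RD set) with an optional ECS-bearing OPT record."""
    arcount = 1 if client_ip else 0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if client_ip:
        rdata = ecs_option(client_ip, prefix_len)
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = flags (all zero)
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos


def parse_ecs(msg: bytes) -> Optional[Tuple[int, str]]:
    """Return (source prefix length, truncated address) from the ECS option, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype != OPT_TYPE:
            continue
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            i += 4
            if code == ECS_OPTION_CODE:
                family, src, _scope = struct.unpack("!HBB", rdata[i:i + 4])
                raw = rdata[i + 4:i + olen].ljust(4 if family == 1 else 16, b"\x00")
                return src, str(ipaddress.ip_address(raw))
            i += olen
    return None


def doh_get_url(endpoint: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped, in the dns parameter."""
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def doh_post_request(endpoint: str, wire: bytes) -> urllib.request.Request:
    """RFC 8484 POST form; pass to urllib.request.urlopen(...) to resolve over HTTPS."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return urllib.request.Request(endpoint, data=wire, headers=headers, method="POST")


if __name__ == "__main__":
    q = build_query("example.com", client_ip="203.0.113.77")  # constructed sample client IP
    print("ECS the resolver would see:", parse_ecs(q))         # the /24, not the host address
    print("DoH GET URL:", doh_get_url(DOH_ENDPOINT, q))
```

Running the script shows the resolver receives `203.0.113.0/24` rather than `203.0.113.77`, which is the privacy property the ECS toggle relies on. The same wire message, base64url-encoded with padding removed, is what a browser or OS DoH client places in the `dns` query parameter of the location's DoH endpoint; the message ID is fixed at 0 so that identical queries produce cacheable URLs.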
Limitations
Captive portals
Deploying Gateway DNS filtering using static IP addresses may prevent users from connecting to public Wi-Fi networks through captive portals. If users are experiencing connectivity issues related to captive portals, they should:
- Remove the static IP addresses from the device.
- Connect to the Wi-Fi network.
- Once the connection has been established, add the static IP addresses back.
To avoid this issue, use the WARP client to connect your devices to Cloudflare Zero Trust.
Third-party filtering
Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as iCloud Private Relay. To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway.
To turn off iCloud Private Relay, refer to the Apple user guides for macOS or iOS.