DNS filtering
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
1. Connect to Gateway
Connect devices
To filter DNS requests from an individual device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device.
Connect DNS locations
To filter DNS requests from a location such as an office or data center:
- Add the location to your Zero Trust settings.
- On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.
2. Verify device connectivity
- In Zero Trust, go to Settings > Network.
- Under Gateway logging, enable activity logging for all DNS logs.
- On your device, open a browser and go to any website.
- In Zero Trust, go to Logs > Gateway > DNS.
- Make sure DNS queries from your device appear.
3. Add recommended policies
To create a new DNS policy, go to Gateway > Firewall policies > DNS in Zero Trust. We recommend adding the following policy:
Block all security categories
Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.
| Selector | Operator | Value | Action |
|---|---|---|---|
| Security Categories | in | All security risks | Block |
4. Add optional policies
Refer to our list of common DNS policies for other policies you may want to create.