DNS resolver IPs and hostnames
When you create a DNS location, Gateway assigns IPv4/IPv6 addresses and DoT/DoH hostnames to that location. These are the IP addresses and hostnames you send your DNS queries to for Gateway to resolve.
To view the resolver endpoint IP addresses and hostnames for a DNS location:
- In Zero Trust ↗, go to Gateway > DNS locations.
- Locate the DNS location, then select Configure.
- Go to Setup instructions. The addresses and hostnames will appear in Your configuration.
Gateway uses different methods to match a DNS query to DNS locations depending on the type of request and network:
flowchart TB %% Accessibility accTitle: How Gateway matches queries to DNS locations accDescr: Flowchart describing the order of checks Cloudflare Gateway performs to determine the DNS location of a DNS query. %% Flowchart router(["Router"])-->gateway["Cloudflare Gateway"] gateway-->query{{"Is the DNS query sent over HTTPS?"}} query--"Yes"-->hostname["Look up location by<br />unique hostname"] query--"No"-->ipv4{{"Is it over IPv4?"}} ipv4--"Yes"-->source["Look up location by<br />source IPv4 address"] ipv4--"No"-->destination["Look up location by<br />destination IPv6 address"]
- First, Gateway checks whether the query was sent using DNS over HTTPS. If yes, Gateway looks up the DNS location by its unique hostname.
- Next, if the query was not sent with DNS over HTTPS, Gateway checks whether it was sent over IPv4. If yes, it looks up the DNS location by the source IPv4 address.
- Last, if the query was not sent over IPv4, it means it was sent over IPv6. Gateway will look up the DNS location associated with the query based on the unique DNS resolver IPv6 address.
When you create a DNS location, your location will receive a unique DNS resolver IPv6 address. This IPv6 address is how Gateway will match DNS queries to locations and apply the appropriate filtering rules.
Gateway uses the public source IPv4 address of your network to identify your DNS location, apply policies and log DNS requests. Unless you have purchased a dedicated IPv4 resolver IP, you must provide source IP addresses for the IPv4 traffic you want to filter with DNS policies. Otherwise, Gateway will not be able to attribute the traffic to your account.
When creating a DNS location, Zero Trust automatically identifies the source IP address of the network you are on.
If you are on the Enterprise plan, you have the option of manually entering one or more source IP addresses of your choice. This enables you to create Gateway DNS locations even if you are not connecting from any of those networks' IP addresses.
For queries over IPv4, the default DNS resolver IP addresses are anycast IP addresses, and they are shared across every Cloudflare Zero Trust account.
If you are on the Enterprise plan, you can request a dedicated DNS resolver IPv4 address to be provisioned for a DNS location in lieu of the default anycast addresses. Like IPv6, queries forwarded to that address will be identified using the dedicated DNS resolver IPv4 address.
Resolver IP addresses you will only be assigned to the Zero Trust account you request. For more information on requesting dedicated DNS resolver IPv4 addresses, contact your account team.
Each DNS location is assigned a unique hostname for DNS over TLS (DoT). Gateway will identify your location based on its DoT hostname.
Each DNS location is assigned a unique hostname for DNS over HTTPS (DoH). Gateway will identify your location based on its DoH hostname.
Each DNS location in Cloudflare Zero Trust has a unique DoH subdomain (previously known as unique ID). If your organization uses DNS policies, you can enter your location's DoH subdomain as part of the WARP client settings.
For example, for the DoH hostname https://65y9p2vm1u.cloudflare-gateway.com/dns-query
, the DoH subdomain is 65y9p2vm1u
.
By default, all queries from a configured DNS location will be sent to its DNS resolver IP address to be inspected by Gateway. You can configure Gateway to only filter queries originating from specific networks within a location:
- Create an IP list with the IPv4 and/or IPv6 addresses that your organization will source queries from.
- Add a Source IP condition to your DNS policies.
For example, to block security threats for specific networks, you could create the following policy:
Selector | Operator | Value | Logic | Action |
---|---|---|---|---|
Security Categories | in | Select all categories that apply | And | Block |
Source IP | in list | The name of the IP list containing your organization's networks |
DNS queries made from IP addresses that are not in your IP list will not be filtered or populate your organization's Gateway activity logs.