Timed DNS policies
By default, Cloudflare Gateway policies apply at all times when turned on. Gateway allows you to configure any DNS policy to activate for a specific amount of time, until an end time, or on a regular time interval.
You can use a time-based policy duration to set a specific time frame for the policy to turn on or configure an exact time for the policy to turn off.
To set a duration for a DNS policy:
- In Zero Trust ↗, go to Gateway > Firewall policies > DNS.
- Create a new DNS policy or choose an existing policy and select Edit.
- In Configure policy settings, turn on Set a policy duration.
- In Input method, choose Duration and enter a specific amount of time until the policy turns off or choose Exact end date and enter a specific date and time in your account’s time zone for the policy to turn off.
- Select Save policy.
When a policy turns off, it will remain off until you turn it back on.
Policies with a set duration will retain their duration when turned off or on. For example, you can create a policy at 12:00 PM and set it to turn off after six hours. If you turn the policy off at 3:00 PM and turn it back on 4:00 PM, the policy will still turn off at 6:00 PM, six hours after the original time.
When a policy’s time duration expires, you can turn the policy back on for the duration you originally configured. To reset a policy’s duration, select the policy and choose Reset policy duration.
For policies with an exact end time, you can change the time before the policy turns off. Once the policy reaches its exact end time, you will need to edit the policy and set a new end time. To set a new exact end time:
- Select the policy.
- Choose Edit.
- Turn on Set a policy duration.
- In Input method, choose Exact end date. In Date and time, enter a new date and time for the policy to turn off.
- Select Save policy.
You can use the Gateway API to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, use the Create a Zero Trust Gateway rule endpoint or Update a Zero Trust Gateway rule endpoint with the schedule parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under Gateway > Firewall policies > DNS when you select the policy.
If you assign a time zone to your schedule, Gateway will always use the current time at that time zone regardless of the user’s location. This allows you to enable a policy during a certain fixed time period.
If you do not specify a time zone, Gateway will enable the DNS policy based on the user’s local time zone. The user’s time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received.
The following command creates a DNS policy to block facebook.com only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone.
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "name": "office-no-facebook-policy", "action": "block", "traffic": "dns.fqdn == \"facebook.com\"", "enabled": true, "schedule": { "time_zone": "America/Chicago", "mon": "08:00-12:30,13:30-17:00", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "fri": "08:00-12:30,13:30-17:00" }}'Refer to this table ↗ for a list of all time zone identifiers.
The following command creates a DNS policy to block clockin.com only on weekends in the time zone where the user is currently located.
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "name": "clock-in-policy", "action": "block", "traffic": "dns.fqdn == \"clockin.com\"", "enabled": true, "schedule": { "sat": "00:00-24:00", "sun": "00:00-24:00" }}'