Skip to content

DNS filtering

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

1. Connect to Gateway

Connect devices

To filter DNS requests from an individual device such as a laptop or phone:

  1. Install the WARP client on your device.
  2. In the WARP client Settings, log in to your organization’s Zero Trust instance.
  3. (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device.

Connect DNS locations

To filter DNS requests from a location such as an office or data center:

  1. Add the location to your Zero Trust settings.
  2. On your router, browser, or OS, forward DNS queries to the address shown in the location setup UI.

2. Verify device connectivity

  1. In Zero Trust, go to Settings > Network.
  2. Under Gateway logging, enable activity logging for all DNS logs.
  3. On your device, open a browser and go to any website.
  4. In Zero Trust, go to Logs > Gateway > DNS.
  5. Make sure DNS queries from your device appear.

To create a new DNS policy, go to Gateway > Firewall Policies > DNS in Zero Trust. We recommend adding the following policy:

Block all security categories

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

SelectorOperatorValueAction
Security CategoriesinAll security risksBlock

4. Add optional policies

Refer to our list of common DNS policies for other policies you may want to create.