---
pcx_content_type: configuration
title: Resolver policies
sidebar:
head:
---
import { Render, Badge } from "~/components";
:::note
Only available on Enterprise plans.
:::
By default, Gateway sends DNS requests to 1.1.1.1, Cloudflare's public DNS resolver, for resolution. Enterprise users can instead create Gateway policies to route DNS queries to custom resolvers.
```mermaid
flowchart TD
    %% Accessibility
    accTitle: How Gateway routes DNS queries
    accDescr: Flowchart describing the order Cloudflare Gateway routes a DNS query from an endpoint through DNS and resolver policies back to the user.
    %% Flowchart
    user(["User"])-->endpoint[/"Gateway DNS endpoint"/]
    endpoint-->query["DNS policy (query)"]
    query-->resolver["Resolver policy"]
    resolver--"Routes to <br />custom resolver"-->response["DNS policy (response)"]
    response--"Returns response"-->user
```
Gateway will route user traffic to your configured DNS resolver based on the matching policy, even if your resolvers' IP addresses overlap.
You may use resolver policies if you require access to non-publicly routed domains, such as private network services or internal resources. You may also use resolver policies if you need to access a protected DNS service or want to simplify DNS management for multiple locations.
Cloudflare Internal DNS allows you to manage DNS records for internal resources on a private network. DNS zones configured in Internal DNS can only be queried by the Gateway resolver. With resolver policies, you can determine how Gateway resolves your organization's DNS queries to resolve to internal resources based on the context of the query, such as known source IPs for a geographic location.
To get started with resolving internal DNS queries with resolver policies, refer to Get started.
If your resolver is only reachable by a client device and not by Gateway via a Cloudflare tunnel, Magic WAN tunnel, or other public Internet connections, you should configure Local Domain Fallback for your device. If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply your client-side Local Domain Fallback rules first. If you onboard DNS queries to Gateway with the WARP client and route them with resolver policies, the source IP of the queries will be the IP address assigned by the WARP client.
Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a Magic tunnel. Policies default to port 53. You can change which port your resolver uses by customizing it in your policy.
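The routing order described above (client-side Local Domain Fallback first, then the matching resolver policy, then Gateway's default of 1.1.1.1 on port 53) is easy to get wrong when several layers overlap. The following model is an added example, not Cloudflare code: it evaluates a query against constructed fallback domains and resolver policies and reports which layer answers it. The `Query`, `Resolver` and `ResolverPolicy` types, the top-down first-match evaluation, and all sample addresses and countries are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Gateway's default when no resolver policy matches: Cloudflare public DNS on port 53.
DEFAULT_RESOLVER = ("1.1.1.1", 53)


@dataclass
class Resolver:
    """One custom resolver. IPv4 or IPv6; port defaults to 53 and can be overridden."""
    ip: str
    port: int = 53

    def __post_init__(self) -> None:
        ipaddress.ip_address(self.ip)  # raises ValueError on anything that is not an IP literal
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")

    def as_tuple(self) -> Tuple[str, int]:
        return (self.ip, self.port)


@dataclass
class ResolverPolicy:
    name: str
    selector: str      # hypothetical: "dns.src.country" or "dns.src.continent"
    value: str
    resolvers: List[Resolver]


@dataclass
class Query:
    name: str
    src_ip: str        # with WARP onboarding this is the WARP-assigned address
    src_country: str
    src_continent: str


def policy_matches(policy: ResolverPolicy, query: Query) -> bool:
    """Evaluate the policy's single selector against the query context."""
    context = {
        "dns.src.country": query.src_country,
        "dns.src.continent": query.src_continent,
    }
    return context.get(policy.selector) == policy.value


def route_query(
    query: Query,
    fallback_domains: Dict[str, Tuple[str, int]],
    policies: List[ResolverPolicy],
) -> Tuple[str, List[Tuple[str, int]]]:
    """Return (stage, resolvers) describing where the query is sent.

    Stage is one of "local-domain-fallback", "resolver-policy:<name>" or "default".
    """
    # 1. Local Domain Fallback runs on the device before Gateway ever sees the query.
    for suffix, resolver in fallback_domains.items():
        if query.name == suffix or query.name.endswith("." + suffix):
            return ("local-domain-fallback", [resolver])
    # 2. Resolver policies. Assumed here: evaluated top-down, first match wins.
    for policy in policies:
        if policy_matches(policy, query):
            return (f"resolver-policy:{policy.name}", [r.as_tuple() for r in policy.resolvers])
    # 3. Nothing matched: Gateway resolves through 1.1.1.1.
    return ("default", [DEFAULT_RESOLVER])


# Constructed sample configuration for the demonstration.
EXAMPLE_FALLBACK = {"corp.example": ("10.0.0.2", 53)}
EXAMPLE_POLICIES = [
    ResolverPolicy("us-resolver", "dns.src.country", "US",
                   [Resolver("10.1.1.53"), Resolver("2001:db8::53", port=5353)]),
    ResolverPolicy("eu-resolver", "dns.src.continent", "EU", [Resolver("10.2.2.53")]),
]

if __name__ == "__main__":
    samples = [
        Query("wiki.corp.example", "100.96.0.5", "DE", "EU"),
        Query("www.example.com", "100.96.0.6", "US", "NA"),
        Query("www.example.com", "100.96.0.7", "BR", "SA"),
    ]
    for q in samples:
        print(q.name, q.src_country, "->", route_query(q, EXAMPLE_FALLBACK, EXAMPLE_POLICIES))
```

Note that the fallback check wins even though the German query would otherwise match `eu-resolver`; that is the precedence the page describes for devices that have both configured.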
You can protect your authoritative nameservers from DDoS attacks by enabling DNS Firewall.
You can configure connections to a private resolver connected to Cloudflare with Cloudflare Tunnel. To ensure cloudflared can route UDP traffic to your resolver, connect your tunnel via QUIC.
For more information on connecting a private DNS resolver to Cloudflare with Cloudflare Tunnel, refer to Private DNS.
To enable connections to a private resolver connected to Cloudflare via Magic WAN, contact your account team.
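A resolver policy is ultimately a Gateway rule with the `resolve` action. The helper below is an added example, not Cloudflare's code or SDK: it assembles such a rule body with one private IPv4 resolver reached over a tunnel and one public IPv6 resolver on a non-default port, and optionally submits it. The request path `/accounts/{account_id}/gateway/rules`, the `filters`, `traffic` and `rule_settings.dns_resolvers` field names, the `route_through_private_network` and `vnet_id` keys, and the selector spelling in the traffic expression are assumptions from my reading of the Gateway rules API; confirm them against the current API reference before use. All addresses and IDs are constructed placeholders.

```python
import json
import os
import urllib.request
from typing import Dict, List, Optional

# Assumed API base; verify against the current Cloudflare API reference.
API_BASE = "https://api.cloudflare.com/client/v4"


def resolver_entry(ip: str, port: int = 53, private: bool = False,
                   vnet_id: Optional[str] = None) -> Dict:
    """One resolver in the rule body. Port defaults to 53 as the page states.

    private=True marks a resolver reachable only through a Cloudflare Tunnel or
    Magic WAN connection (field names assumed, see lead-in).
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    entry: Dict = {"ip": ip, "port": port}
    if private:
        entry["route_through_private_network"] = True
        if vnet_id:
            entry["vnet_id"] = vnet_id
    return entry


def build_resolver_policy(name: str, traffic: str, ipv4: List[Dict] = (),
                          ipv6: List[Dict] = (), enabled: bool = True) -> Dict:
    """Assemble a Gateway rule body with the 'resolve' action."""
    if not ipv4 and not ipv6:
        raise ValueError("a resolver policy needs at least one custom resolver")
    dns_resolvers: Dict = {}
    if ipv4:
        dns_resolvers["ipv4"] = list(ipv4)
    if ipv6:
        dns_resolvers["ipv6"] = list(ipv6)
    return {
        "name": name,
        "action": "resolve",
        "enabled": enabled,
        "filters": ["dns_resolver"],
        "traffic": traffic,
        "rule_settings": {"dns_resolvers": dns_resolvers},
    }


def create_policy(account_id: str, api_token: str, body: Dict) -> Dict:
    """POST the rule body. Only runs when real credentials are supplied."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/gateway/rules",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed example: route queries from European sources to a private resolver
# behind a tunnel, with an IPv6 resolver on port 5353 as a second option.
EXAMPLE_BODY = build_resolver_policy(
    name="EU offices to private resolver",
    traffic='dns.src.continent == "EU"',   # selector spelling assumed
    ipv4=[resolver_entry("10.0.0.53", private=True, vnet_id="VNET_ID_PLACEHOLDER")],
    ipv6=[resolver_entry("2001:db8::53", port=5353)],
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_BODY, indent=2))
    account, token = os.environ.get("CF_ACCOUNT_ID"), os.environ.get("CF_API_TOKEN")
    if account and token:
        print(json.dumps(create_policy(account, token, EXAMPLE_BODY), indent=2))
```

Run it with no environment variables to inspect the generated body; set `CF_ACCOUNT_ID` and `CF_API_TOKEN` to actually create the rule. Keeping the body construction separate from the request makes the policy reviewable (and unit-testable) before anything touches the account.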
Resolver policies can route queries for resolution from the following DNS endpoints:
- IPv4
- IPv6
- DNS over HTTPS (DoH)
- DNS over TLS (DoT)
- DNS queries generated by Cloudflare Browser Isolation and Clientless Web Isolation
- DNS queries generated by proxy endpoints
Gateway will filter, resolve, and log your queries regardless of endpoint.
For more information on creating a DNS policy, refer to DNS policies.
Use this selector to filter based on the continent from which the query arrived at Gateway. <Render file="gateway/selectors/source-continent" params={{ one: "dns.src" }} />
Use this selector to filter based on the country from which the query arrived at Gateway. <Render file="gateway/selectors/source-country" params={{ one: "dns.src" }} />
<Render file="gateway/value" params={{ one: "hostnames", two: "Host" }} />
<Render file="gateway/logical-operators" params={{ one: "Identity" }} />