Prerequisites

  • Your Cloudflare account team must enable DNS Firewall for your account.
  • Change the IP addresses of your nameservers.

Change your nameserver IP addresses before implementing DNS Firewall: if the old addresses remain in use, attacks can bypass the DNS Firewall by targeting your nameservers at those previously published addresses directly.


Configuring the DNS Firewall

1. Log in to the Cloudflare dashboard.


2. Click the appropriate Cloudflare account where DNS Firewall is enabled.


3. Click Configurations in the second navigation bar from the top.


4. Click DNS Firewall from the navigation bar on the left side of the UI.


5. Click Add DNS Firewall Cluster.

    *A DNS Firewall Cluster is a group of nameservers that all store the same DNS zone data.


6. In the Setup a DNS Firewall Cluster popup, enter the DNS Cluster Name.


7. Enter your nameserver IP addresses.

    *Cloudflare recommends supplying at least two IPv4 and two IPv6 nameserver IP addresses.


8. Set the Minimum Cache TTL and Maximum Cache TTL that should be respected on any DNS record proxied from your nameservers.

    *Cloudflare recommends a minimum TTL of 30 seconds and a maximum TTL of 1 hour.


9. Choose whether the DNS Firewall should answer ANY Queries.


If the ANY Queries toggle is set to Off, the DNS Firewall does not return the full record set for ANY queries; instead it responds with an HINFO record like the following example:

cloudflare.com.  3788  IN  HINFO  "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any"


10. Click Continue.


11. Note the Cloudflare-designated IPv4 and IPv6 nameserver addresses shown in the Your new DNS Firewall IP Addresses window.

    *Cloudflare's designated nameserver addresses become effective worldwide after one hour.


12. After waiting one hour:

  • Verify that the Cloudflare nameservers respond to DNS queries.
  • Confirm the Cloudflare nameservers provide correct DNS responses.
  • Switch your domain's nameserver delegation to the new Cloudflare nameserver IP addresses.
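The checks in step 12 (and the ANY behaviour from step 9) can be scripted. The following is an added example, not part of Cloudflare's documentation or tooling: it queries your origin nameserver and the new DNS Firewall address for the same names, compares the answers while ignoring TTLs (the firewall clamps them to the configured range) and record order, and checks that ANY is refused with an HINFO record. It assumes `dig` from the BIND utilities is installed; the server addresses and names are supplied by the caller, and the addresses in the usage comment are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not Cloudflare's own code. Assumes `dig` is installed.

# Normalise `dig +noall +answer` output so two servers' answers compare
# equal regardless of TTL (column 2) or record order.
normalize_answers() {
    awk 'NF > 0 { $2 = ""; print }' | tr -s ' ' | sort
}

# answers_match <answer-text-a> <answer-text-b>: true when both hold the
# same record set once TTLs and ordering are ignored.
answers_match() {
    lhs=$(printf '%s\n' "$1" | normalize_answers)
    rhs=$(printf '%s\n' "$2" | normalize_answers)
    [ "$lhs" = "$rhs" ]
}

# any_is_refused <answer-text>: true when the ANY answer consists of HINFO
# records only (the behaviour with the ANY Queries toggle set to Off).
any_is_refused() {
    printf '%s\n' "$1" | awk '
        NF == 0       { next }
        $4 == "HINFO" { seen = 1; next }
                      { bad = 1 }
        END           { if (seen && !bad) exit 0; exit 1 }'
}

# query_ns <server-ip> <name> <type>: answer section only, one RR per line.
query_ns() {
    dig +noall +answer @"$1" "$2" "$3"
}

# check_records <origin-ip> <firewall-ip> <name>...: prints OK/DIFF per name
# and type plus an ANY check; exit status is non-zero if any record set differs.
check_records() {
    origin=$1; firewall=$2; shift 2
    rc=0
    for name in "$@"; do
        for type in A AAAA MX NS TXT; do
            old=$(query_ns "$origin" "$name" "$type")
            new=$(query_ns "$firewall" "$name" "$type")
            if answers_match "$old" "$new"; then
                printf 'OK   %-30s %s\n' "$name" "$type"
            else
                printf 'DIFF %-30s %s\n  origin:   %s\n  firewall: %s\n' \
                    "$name" "$type" "$old" "$new"
                rc=1
            fi
        done
        if any_is_refused "$(query_ns "$firewall" "$name" ANY)"; then
            printf 'OK   %-30s ANY refused with HINFO\n' "$name"
        else
            printf 'WARN %-30s ANY answered in full (toggle is On?)\n' "$name"
        fi
    done
    return "$rc"
}

# Usage: sh check_dns_firewall.sh <origin-ip> <firewall-ip> <name>...
# e.g.   sh check_dns_firewall.sh 192.0.2.10 203.0.113.5 example.com www.example.com
# (placeholder addresses; substitute your origin and the step 11 firewall IP)
if [ "$#" -ge 3 ]; then
    check_records "$@"
fi
```

Run it against each of the designated IPv4 and IPv6 addresses from step 11 before switching delegation; a DIFF line means the firewall is serving a different record set than your origin for that name and type and should be investigated before cutover.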

How can I add multiple members to manage the DNS Firewall?

The DNS Firewall supports multi-user access. Contact your Cloudflare account team to enable multi-user access.


DNS Administrator or Super Administrator permissions are required to view and manage the DNS Firewall.


Related resources

IETF Internet Draft: draft-ietf-dnsop-refuse-any