Cloudflare Gateway — DNS Filtering and Security
Cloudflare Gateway is a secure DNS filtering solution that blocks threats and unwanted content at the DNS layer, protecting users before they connect to dangerous destinations.
What You Will Learn
You will learn how to configure DNS filtering policies in Cloudflare Gateway, create allowlists and blocklists, enable threat intelligence feeds, and deploy Gateway to roaming devices.
Why It Matters
DNS filtering stops threats at the earliest possible point in the connection lifecycle. By blocking malicious domains at the DNS level, you prevent users from ever reaching phishing sites, malware download servers, and command-and-control endpoints.
Real-World Use Case
A school district deployed Cloudflare Gateway across 5,000 student devices. They created policies that block malware, adult content, and social media during class hours. Threat intelligence feeds reduced malware infections by 87% in the first month.
Gateway DNS Filtering Architecture
DNS queries pass through Cloudflare Gateway for policy evaluation before reaching the destination.
flowchart TD
A[User Device] -->|DNS Query| B[Cloudflare Gateway]
B --> C{Policy Evaluation}
C -->|Allowed| D[Legitimate Domain]
C -->|Blocked| E[Block Page]
C -->|Isolated| F[Browser Isolation]
B --> G{Threat Intelligence}
G -->|Known Malware| E
G -->|Safe| D
Enabling Gateway DNS Filtering
Configure Gateway as your DNS resolver and enable filtering policies.
# List existing DNS policies
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
-H "Authorization: Bearer $API_TOKEN" | jq '.result[].name'
Expected output:
"Default Block Policy"
Creating a Malware Block Policy
Block known malware domains using Cloudflare's threat intelligence.
# Create a DNS policy to block malware
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Block Malware",
"description": "Blocks known malware domains",
"filters": ["malware", "malware_command_and_control"],
"action": "block",
"enabled": true,
"precedence": 1
}' | jq '.result.name, .result.action'
Expected output:
"Block Malware"
"block"
Creating Category-Based Content Filtering
Block content categories like adult, gambling, and social media.
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Content Filtering",
"description": "Blocks adult content and gambling",
"filters": ["adult", "gambling", "illegal"],
"action": "block",
"enabled": true,
"precedence": 2
}' | jq '.success'
Expected output:
true
Adding Domain Allowlists and Blocklists
Override automated filtering with manual domain lists.
# Add a domain to the blocklist
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Custom Blocklist",
"type": "DOMAIN",
"description": "Manually blocked domains",
"items": [
{"value": "example-malware-site.com"},
{"value": "known-phishing-site.net"}
]
}' | jq '.result.name, .result.type'
Expected output:
"Custom Blocklist"
"DOMAIN"
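The three policies above and the custom list only behave as intended if precedence is set deliberately: Gateway evaluates enabled policies in precedence order and the first match decides the action, so an allow rule meant to rescue a mis-categorised business domain must sit ahead of the category block that would otherwise catch it. The following Python model is an added example, not Cloudflare's code or API; the domain-to-category table, the mis-categorised `crm.example` entry, and the idea of a list being referenced by an allow policy are constructed assumptions, and matching is exact-domain only for simplicity.

```python
"""Added example (not Cloudflare's code): a minimal model of Gateway DNS
policy evaluation, showing how precedence and an allowlist interact.
Category assignments and policy definitions are constructed for
illustration; real categorisation comes from Cloudflare's feeds."""
from dataclasses import dataclass, field

# Constructed stand-in for Cloudflare's category lookup (assumption).
DOMAIN_CATEGORIES = {
    "malware-site.net": {"malware"},
    "casino.example": {"gambling"},
    "crm.example": {"gambling"},   # a business tool that was mis-categorised (constructed)
    "example.com": set(),
}


@dataclass(order=True)
class DnsPolicy:
    """Ordering compares precedence only; lowest value is evaluated first."""
    precedence: int
    name: str = field(compare=False)
    action: str = field(compare=False)  # "allow" or "block"
    filters: frozenset = field(default_factory=frozenset, compare=False)
    domains: frozenset = field(default_factory=frozenset, compare=False)  # manual list
    enabled: bool = field(default=True, compare=False)

    def matches(self, domain: str) -> bool:
        categories = DOMAIN_CATEGORIES.get(domain, set())
        return domain in self.domains or bool(categories & self.filters)


def evaluate(domain: str, policies):
    """Return (action, policy_name) for the first enabled match in precedence order.
    No match falls through to the default allow, as an unfiltered resolver would."""
    for policy in sorted(policies):
        if policy.enabled and policy.matches(domain):
            return policy.action, policy.name
    return "allow", "default"


# The policies created on this page, modelled with the same precedence values.
BLOCK_MALWARE = DnsPolicy(1, "Block Malware", "block",
                          frozenset({"malware", "malware_command_and_control"}))
CONTENT_FILTER = DnsPolicy(2, "Content Filtering", "block",
                           frozenset({"adult", "gambling", "illegal"}))
CUSTOM_BLOCK = DnsPolicy(3, "Custom Blocklist", "block",
                         domains=frozenset({"example-malware-site.com",
                                            "known-phishing-site.net"}))


def crm_allowlist(precedence: int) -> DnsPolicy:
    """Allow policy referencing a one-entry allowlist for the mis-categorised CRM."""
    return DnsPolicy(precedence, "Allow CRM", "allow", domains=frozenset({"crm.example"}))


def correct_policy_set():
    # Allow rule evaluated before the category block, so the CRM resolves.
    return [BLOCK_MALWARE, CONTENT_FILTER, CUSTOM_BLOCK, crm_allowlist(0)]


def mistaken_policy_set():
    # Same allow rule, but placed after the block: it is never reached.
    return [BLOCK_MALWARE, CONTENT_FILTER, CUSTOM_BLOCK, crm_allowlist(9)]


if __name__ == "__main__":
    for domain in ("example.com", "malware-site.net", "known-phishing-site.net", "crm.example"):
        print(domain, evaluate(domain, correct_policy_set()), evaluate(domain, mistaken_policy_set()))
```

Running the block prints the decision for each constructed domain under both orderings; the only difference is `crm.example`, which is allowed when the allow rule has precedence 0 and blocked by "Content Filtering" when it has precedence 9.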
Viewing Gateway DNS Logs
Monitor DNS queries and policy actions through the logs API.
# Fetch recent DNS resolution logs (the limit is passed as a query parameter;
# a GET request should not carry a JSON body)
curl -s -G "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_logs" \
-H "Authorization: Bearer $API_TOKEN" \
--data-urlencode "limit=5" | jq '.result[] | {domain: .query_name, action: .action, user: .user_email}'
Expected output:
{
"domain": "example.com",
"action": "allowed",
"user": "user@company.com"
}
{
"domain": "malware-site.net",
"action": "blocked",
"user": "user@company.com"
}
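Raw log records are only useful once something reads them regularly: the two things worth pulling out are policy gaps (a domain on the manual blocklist that was still resolved) and users whose devices repeatedly hit blocked domains, which is the first signal of an infection that the block has contained but not removed. The following Python is an added example, not part of the page or Cloudflare's tooling; the log records are constructed sample data using the `query_name`, `action` and `user_email` fields shown in the output above, and the blocklist is the one created earlier on this page.

```python
"""Added example (not Cloudflare's code): summarise Gateway DNS log records
of the shape shown above. The records below are constructed sample data."""
import json
from collections import Counter

# Constructed sample of the dns_logs response (field names taken from the page).
SAMPLE_LOGS = json.dumps({"result": [
    {"query_name": "example.com", "action": "allowed", "user_email": "alice@company.com"},
    {"query_name": "malware-site.net", "action": "blocked", "user_email": "alice@company.com"},
    {"query_name": "malware-site.net", "action": "blocked", "user_email": "bob@company.com"},
    {"query_name": "malware-site.net", "action": "blocked", "user_email": "bob@company.com"},
    {"query_name": "known-phishing-site.net", "action": "allowed", "user_email": "carol@company.com"},
    {"query_name": "crm.example", "action": "blocked", "user_email": "dave@company.com"},
]})

# Entries of the "Custom Blocklist" created earlier on this page.
CUSTOM_BLOCKLIST = {"example-malware-site.com", "known-phishing-site.net"}


def summarise(raw_json: str, blocklist=CUSTOM_BLOCKLIST, repeat_threshold: int = 2) -> dict:
    """Aggregate blocked queries and flag two conditions a defender wants to see:
    blocklist entries that still resolved, and users blocked repeatedly."""
    records = json.loads(raw_json)["result"]
    blocked = [r for r in records if r["action"] == "blocked"]
    blocked_by_domain = Counter(r["query_name"] for r in blocked)
    blocked_by_user = Counter(r["user_email"] for r in blocked)

    # Policy gap: a manually blocklisted domain was allowed, so the list is not
    # referenced by an enabled policy or an allow rule precedes it.
    gaps = sorted({r["query_name"] for r in records
                   if r["action"] == "allowed" and r["query_name"] in blocklist})

    # Repeated blocks from one user suggest something on the device keeps trying.
    repeat_users = sorted(u for u, n in blocked_by_user.items() if n >= repeat_threshold)

    return {
        "blocked_by_domain": dict(blocked_by_domain),
        "blocked_by_user": dict(blocked_by_user),
        "blocklist_gaps": gaps,
        "repeat_blocked_users": repeat_users,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LOGS), indent=2))
```

Against the sample, the summary reports `known-phishing-site.net` as a blocklist gap (it is on the custom list but was allowed) and `bob@company.com` as a repeat-blocked user; in practice the same function would be fed the `.result` array from the logs call above.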
Common Mistakes
| Mistake | Consequence |
|---|---|
| Not enabling threat intelligence feeds | Gateway misses known malware domains that are not in category filters |
| Setting precedence values incorrectly | An allow rule with a lower precedence value is evaluated first, so the more restrictive block policies behind it never apply |
| Forgetting to configure fallback DNS | Gateway outage causes complete DNS resolution failure |
| Not deploying WARP alongside Gateway | Roaming devices bypass Gateway filtering when off-network |
| Using overly broad category blocks | Legitimate business tools get blocked by aggressive filtering |
Practice Questions
- How does DNS filtering stop threats earlier than web proxy-based filtering?
- What is the difference between category-based filters and custom domain blocklists?
- Why must Gateway DNS policies be combined with WARP deployment for roaming devices?
Challenge
Configure three Gateway DNS policies: one that blocks malware and phishing, one that blocks adult content and gambling, and one that allowlists a specific test domain. Verify each policy by attempting DNS resolution against blocked and allowed domains. Check the logs to confirm each action.
Real-World Task
Your organisation wants to deploy DNS filtering for 500 remote employees. Configure Cloudflare Gateway with threat intelligence feeds for malware and command-and-control domains. Block social media and streaming video categories during business hours. Add a custom allowlist for a specific CRM domain that was incorrectly categorised. Deploy WARP to all devices and verify that a blocked domain returns a block page while an allowed domain resolves normally.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.