
Cloudflare Gateway — DNS Filtering and Security

DodaTech 4 min read

Cloudflare Gateway is a secure DNS filtering solution that blocks threats and unwanted content at the DNS layer, protecting users before they connect to dangerous destinations.

What You Will Learn

You will learn how to configure DNS filtering policies in Cloudflare Gateway, create allowlists and blocklists, enable threat intelligence feeds, and deploy Gateway to roaming devices.

Why It Matters

DNS filtering stops threats at the earliest possible point in the connection lifecycle. By blocking malicious domains at the DNS level, you prevent users from ever reaching phishing sites, malware download servers, and command-and-control endpoints.

Real-World Use Case

A school district deployed Cloudflare Gateway across 5,000 student devices. They created policies that block malware, adult content, and social media during class hours. Threat intelligence feeds reduced malware infections by 87% in the first month.

Gateway DNS Filtering Architecture

DNS queries pass through Cloudflare Gateway for policy evaluation before reaching the destination.

flowchart TD
    A[User Device] -->|DNS Query| B[Cloudflare Gateway]
    B --> C{Policy Evaluation}
    C -->|Allowed| D[Legitimate Domain]
    C -->|Blocked| E[Block Page]
    C -->|Isolated| F[Browser Isolation]
    B --> G{Threat Intelligence}
    G -->|Known Malware| E
    G -->|Safe| D

Enabling Gateway DNS Filtering

Configure Gateway as your DNS resolver and enable filtering policies.

# List existing DNS policies
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
  -H "Authorization: Bearer $API_TOKEN" | jq '.result[].name'

Expected output:

"Default Block Policy"

Creating a Malware Block Policy

Block known malware domains using Cloudflare's threat intelligence.

# Create a DNS policy to block malware
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Malware",
    "description": "Blocks known malware domains",
    "filters": ["malware", "malware_command_and_control"],
    "action": "block",
    "enabled": true,
    "precedence": 1
  }' | jq '.result.name, .result.action'

Expected output:

"Block Malware"
"block"

Creating Category-Based Content Filtering

Block content categories like adult, gambling, and social media.

curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Content Filtering",
    "description": "Blocks adult content and gambling",
    "filters": ["adult", "gambling", "illegal"],
    "action": "block",
    "enabled": true,
    "precedence": 2
  }' | jq '.success'

Expected output:

true

Adding Domain Allowlists and Blocklists

Override automated filtering with manual domain lists.

# Add a domain to the blocklist
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Custom Blocklist",
    "type": "DOMAIN",
    "description": "Manually blocked domains",
    "items": [
      {"value": "example-malware-site.com"},
      {"value": "known-phishing-site.net"}
    ]
  }' | jq '.result.name, .result.type'

Expected output:

"Custom Blocklist"
"DOMAIN"

Viewing Gateway DNS Logs

Monitor DNS queries and policy actions through the logs API.

# Fetch recent DNS resolution logs (the limit goes in the query string; a GET request carries no body)
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/dns_logs?limit=5" \
  -H "Authorization: Bearer $API_TOKEN" | jq '.result[] | {domain: .query_name, action: .action, user: .user_email}'

Expected output:

{
  "domain": "example.com",
  "action": "allowed",
  "user": "user@company.com"
}
{
  "domain": "malware-site.net",
  "action": "blocked",
  "user": "user@company.com"
}
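Pulling five records through jq shows what the log looks like, but the value of the log is in aggregation: the same blocked domain repeating for one user points at a device worth examining, while one domain blocked for many users usually means a category is mis-applied to a business tool. The script below is an added example, not code from the page or from Cloudflare; it works on the three fields the jq filter above extracts (`query_name`, `action`, `user_email`) and the response it parses is constructed inline to stand in for the API output.

```python
"""Triage Gateway DNS log records by blocked domain and by user.

Added example, not Cloudflare code. It assumes only the three fields the
page's jq filter extracts: query_name, action, user_email. The response
below is constructed to look like the API output; nothing is fetched.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed API response (same shape as .result[] on the page).
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"query_name": "example.com", "action": "allowed", "user_email": "user@company.com"},
        {"query_name": "malware-site.net", "action": "blocked", "user_email": "user@company.com"},
        {"query_name": "malware-site.net", "action": "blocked", "user_email": "user@company.com"},
        {"query_name": "c2.malware-site.net", "action": "blocked", "user_email": "user@company.com"},
        {"query_name": "crm.example", "action": "blocked", "user_email": "sales@company.com"},
        {"query_name": "crm.example", "action": "blocked", "user_email": "ops@company.com"},
        {"query_name": "crm.example", "action": "blocked", "user_email": "hr@company.com"},
        {"query_name": "docs.example", "action": "allowed", "user_email": "ops@company.com"},
    ],
})


def parse_logs(raw: str) -> List[Dict[str, str]]:
    """Return the .result array of an API response as a list of records."""
    body = json.loads(raw)
    if not body.get("success", False):
        raise ValueError("API call did not succeed")
    return list(body.get("result", []))


def blocked_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r.get("action") == "blocked"]


def blocked_by_domain(records: List[Dict[str, str]]) -> Counter:
    """How many times each domain was blocked (all users combined)."""
    return Counter(r["query_name"] for r in blocked_records(records))


def blocked_by_user(records: List[Dict[str, str]]) -> Counter:
    """How many blocked queries each user generated."""
    return Counter(r["user_email"] for r in blocked_records(records))


def repeat_blocked_users(records: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` blocked queries: candidates for a closer look
    at the device (repeated hits on a blocked domain often mean software keeps retrying)."""
    counts = blocked_by_user(records)
    return sorted(u for u, n in counts.items() if n >= threshold)


def widely_blocked_domains(records: List[Dict[str, str]], min_users: int = 3) -> List[str]:
    """Domains blocked for at least `min_users` distinct users: the usual signature of
    an over-broad category block or a mis-categorised business tool (see Common Mistakes)."""
    users_per_domain = defaultdict(set)
    for r in blocked_records(records):
        users_per_domain[r["query_name"]].add(r["user_email"])
    return sorted(d for d, users in users_per_domain.items() if len(users) >= min_users)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_RESPONSE)
    print("blocked per domain:", dict(blocked_by_domain(recs)))
    print("blocked per user:  ", dict(blocked_by_user(recs)))
    print("users to follow up:", repeat_blocked_users(recs))
    print("likely false positives:", widely_blocked_domains(recs))
```

Feed it the real response by replacing `SAMPLE_RESPONSE` with the body returned by the curl above (without the jq filter), and raise `limit` so the window is large enough for the thresholds to mean something.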

Common Mistakes

| Mistake | Consequence |
|---|---|
| Not enabling threat intelligence feeds | Gateway misses known malware domains that are not in category filters |
| Setting precedence values incorrectly | Allow rules that are evaluated first (lower precedence number) bypass more restrictive block rules |
| Forgetting to configure fallback DNS | A Gateway outage causes complete DNS resolution failure |
| Not deploying WARP alongside Gateway | Roaming devices bypass Gateway filtering when off-network |
| Using overly broad category blocks | Legitimate business tools get blocked by aggressive filtering |
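The flowchart in the architecture section and the precedence row above describe the same mechanism from two sides: policies are evaluated in order and the first match decides, so where an allowlist sits relative to the block rules changes the outcome. The model below is an added example, not Cloudflare code and not a call to the API. It assumes two things the page implies but does not spell out: that the lowest precedence number is evaluated first with first match winning, and that a DOMAIN list entry also covers subdomains of the listed domain. The category feed, domain names and policy set are constructed for the example; the policy names mirror the ones created earlier on the page.

```python
"""Toy model of Gateway-style DNS policy evaluation.

Added example, not Cloudflare code. Assumptions: policies are evaluated in
ascending precedence order and the first enabled match decides; a DOMAIN
list entry matches the domain and its subdomains. The feed and domains
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed stand-in for the category / threat-intelligence feed.
CATEGORY_FEED = {
    "malware-c2.example": {"malware", "malware_command_and_control"},
    "cdn.partner.example": {"malware"},          # compromised host under a partner domain
    "casino.example": {"gambling"},
    "crm.example": {"gambling"},                 # legitimate CRM, mis-categorised
    "docs.example": set(),
}


@dataclass(order=True)
class Policy:
    precedence: int                              # lower number = evaluated first
    name: str = field(compare=False)
    action: str = field(compare=False)           # "allow" or "block"
    categories: Set[str] = field(default_factory=set, compare=False)
    domains: Set[str] = field(default_factory=set, compare=False)
    enabled: bool = field(default=True, compare=False)


def domain_in_list(query: str, domains: Set[str]) -> bool:
    """True if the query or one of its parent domains (TLD excluded) is listed."""
    labels = query.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def policy_matches(policy: Policy, query: str) -> bool:
    categories = CATEGORY_FEED.get(query.lower().rstrip("."), set())
    return bool(categories & policy.categories) or domain_in_list(query, policy.domains)


def evaluate(query: str, policies: List[Policy]) -> Tuple[str, str]:
    """Return (action, policy name) of the first enabled matching policy."""
    for policy in sorted(p for p in policies if p.enabled):
        if policy_matches(policy, query):
            return policy.action, policy.name
    return "allow", "default"                    # nothing matched: resolve normally


def correct_policies() -> List[Policy]:
    """Narrow allowlist first, block rules next, broad allowlist last."""
    return [
        Policy(0, "Custom Allowlist", "allow", domains={"crm.example"}),
        Policy(1, "Block Malware", "block",
               categories={"malware", "malware_command_and_control"}),
        Policy(2, "Content Filtering", "block",
               categories={"adult", "gambling", "illegal"}),
        Policy(3, "Partner Allowlist", "allow", domains={"partner.example"}),
        Policy(4, "Block Social Media", "block",
               categories={"social_media"}, enabled=False),   # outside class hours
    ]


def misordered_policies() -> List[Policy]:
    """Same rules, but the broad partner allowlist is evaluated before the malware block."""
    policies = correct_policies()
    for p in policies:
        if p.name == "Partner Allowlist":
            p.precedence = 0
        elif p.name == "Custom Allowlist":
            p.precedence = 3
    return policies


if __name__ == "__main__":
    for label, policies in (("correct", correct_policies()),
                            ("misordered", misordered_policies())):
        print(f"--- {label} ordering")
        for q in ("malware-c2.example", "cdn.partner.example", "crm.example",
                  "casino.example", "docs.example"):
            action, name = evaluate(q, policies)
            print(f"{q:24} -> {action:5} ({name})")
```

The narrow allowlist for the mis-categorised CRM domain is safe at precedence 0 because it names one host; the broad partner allowlist is only safe after the malware block, otherwise a compromised host under that domain resolves.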

Practice Questions

  1. How does DNS filtering stop threats earlier than web proxy-based filtering?
  2. What is the difference between category-based filters and custom domain blocklists?
  3. Why must Gateway DNS policies be combined with WARP deployment for roaming devices?

Challenge

Configure three Gateway DNS policies: one that blocks malware and phishing, one that blocks adult content and gambling, and one that allowlists a specific test domain. Verify each policy by attempting DNS resolution against blocked and allowed domains. Check the logs to confirm each action.

Real-World Task

Your organisation wants to deploy DNS filtering for 500 remote employees. Configure Cloudflare Gateway with threat intelligence feeds for malware and command-and-control domains. Block social media and streaming video categories during business hours. Add a custom allowlist for a specific CRM domain that was incorrectly categorised. Deploy WARP to all devices and verify that a blocked domain returns a block page while an allowed domain resolves normally.

FAQ

Does Gateway DNS filtering work for encrypted DNS queries?

Yes. Gateway supports DNS over HTTPS and DNS over TLS. When you configure a device to use Gateway's DoH or DoT endpoints, DNS queries are encrypted between the device and Cloudflare. Gateway still inspects and filters the decrypted DNS queries at its edge before forwarding them.

Can Gateway block domains that use a CDN or shared hosting?

Yes. Gateway blocks DNS resolution at the domain level, regardless of where the domain is hosted. If example.com hosts content on a shared CDN, Gateway blocks the DNS query for example.com before any connection is made. The shared IP address of the CDN is never reached by the blocked user.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
