Common policies
The following policies are commonly used to secure DNS traffic.
Refer to the DNS policies page for a comprehensive list of other selectors, operators, and actions.
This policy allows users to access official corporate domains. By deploying the policy with a high order of precedence, you ensure that employees can access trusted domains even if those domains fall under a blocked category such as Newly seen domains or Login pages.
| Selector | Operator | Value | Action | Precedence |
| --- | --- | --- | --- | --- |
| Domain | in list | Allowed domains | Allow | 1 |
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Allow corporate domains",
    "description": "Allow any internal corporate domains added to a list",
    "precedence": 0,
    "enabled": true,
    "action": "allow",
    "filters": ["dns"],
    "traffic": "any(dns.domains[*] in $<LIST_UUID>)",
    "identity": ""
  }'
```
To get the UUIDs of your lists, use the List Zero Trust lists endpoint.
Block security categories such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Security Categories | in | All security risks | Block |
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-SecurityCategories-Blocklist",
    "description": "Block security categories based on Cloudflare'\''s threat intelligence",
    "precedence": 20,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
    "identity": ""
  }'
```

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-SecurityCategories-Blocklist"
  description = "Block security categories based on Cloudflare's threat intelligence"
  precedence  = 20
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
}
```
The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to domain categories.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Questionable Content, Security Risks, Miscellaneous | Block |
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-ContentCategories-Blocklist",
    "description": "Block common content categories that may pose a risk",
    "precedence": 30,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})",
    "identity": ""
  }'
```

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-ContentCategories-Blocklist"
  description = "Block common content categories that may pose a risk"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})"
  identity    = ""
}
```
You can add a list of category IDs to the EDNS header of a request sent to Gateway as a JSON object using OPT code 65050. For example:

```json
{ "categories": [2, 67, 125, 133] }
```
With the Request Context Categories selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories.
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Request Context Category | is | Present | Block |
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-Block-Category-Matches-In-Request",
    "description": "Block all category matches in the request EDNS context",
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "dns.categories_in_request_context_matches",
    "identity": ""
  }'
```

```hcl
# The resource label must be unique per type within a module, so this policy
# cannot reuse "block_content_categories" from the content-categories policy above.
resource "cloudflare_zero_trust_gateway_policy" "block_request_context_categories" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-Block-Category-Matches-In-Request"
  description = "Block all category matches in the request EDNS context"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "dns.categories_in_request_context_matches"
  identity    = ""
}
```
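To make the request-context mechanism concrete, the following added example (not Cloudflare's code) builds a DNS query that carries the `{"categories": [...]}` JSON in EDNS option 65050, and parses the Extended DNS Error option (code 15, INFO-CODE 15 "Blocked") out of a reply so a resolver-side client can see which categories matched. The reply is a constructed sample: its NXDOMAIN rcode and the JSON shape of the EDE EXTRA-TEXT are assumptions, as the page only says the matched categories are returned in a field.

```python
import json
import struct

OPT_CATEGORIES = 65050  # EDNS option code Gateway reads the category list from (from the page)
OPT_EDE = 15            # Extended DNS Error option code (RFC 8914)
EDE_BLOCKED = 15        # EDE INFO-CODE "Blocked", which the page says Gateway returns

def _opt_rr(options):
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDATA
    return b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(options)) + options

def build_query(qname, categories, txid=0x1234):
    """Wire-format A query whose OPT RR carries {"categories": [...]} as option 65050."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    payload = json.dumps({"categories": categories}, separators=(",", ":")).encode()
    option = struct.pack("!HH", OPT_CATEGORIES, len(payload)) + payload
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1) + _opt_rr(option)

def _skip_name(msg, off):
    # Advance past a domain name; a compression pointer (top two bits set) is 2 bytes and ends it
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def extract_ede(msg):
    """Return (INFO-CODE, EXTRA-TEXT) from the first EDE option in a DNS message, else None."""
    off, (qd, an, ns, ar) = 12, struct.unpack("!HHHH", msg[4:12])
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, end = off + 10, off + 10 + rdlen
        while rtype == 41 and off < end:  # walk OPT RDATA option by option
            code, olen = struct.unpack("!HH", msg[off:off + 4])
            if code == OPT_EDE:  # 2-byte INFO-CODE followed by UTF-8 EXTRA-TEXT
                return struct.unpack("!H", msg[off + 4:off + 6])[0], msg[off + 6:off + 4 + olen].decode("utf-8", "replace")
            off += 4 + olen
        off = end
    return None

def build_blocked_response(query, matched):
    """Constructed sample blocked reply with EDE 15; NXDOMAIN rcode and JSON EXTRA-TEXT are assumed."""
    header = query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 1)  # QR|RD|RA set, RCODE 3
    extra = json.dumps({"categories": matched}).encode()
    ede = struct.pack("!HHH", OPT_EDE, 2 + len(extra), EDE_BLOCKED) + extra
    return header + query[12:_skip_name(query, 12) + 4] + _opt_rr(ede)
```

Point `build_query` at a Gateway resolver over UDP and feed the reply to `extract_ede` to confirm that a Request Context Category block policy returns INFO-CODE 15 rather than a plain NXDOMAIN.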
To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks known AI tools:
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Artificial Intelligence | Block |
Required API token permissions: at least one of the following token permissions is required: Zero Trust Write
```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "All-DNS-Application-Blocklist",
    "description": "Block access to unauthorized AI applications",
    "precedence": 40,
    "enabled": true,
    "action": "block",
    "filters": ["dns"],
    "traffic": "any(app.type.ids[*] in {25})",
    "identity": ""
  }'
```

```hcl
resource "cloudflare_zero_trust_gateway_policy" "block_unauthorized_apps" {
  account_id  = var.cloudflare_account_id
  name        = "All-DNS-Application-Blocklist"
  description = "Block access to unauthorized AI applications"
  enabled     = true
  action      = "block"
  filters     = ["dns"]
  traffic     = "any(app.type.ids[*] in {25})"
  identity    = ""
}
```