Setup
Prior to setting up DNS Firewall, you need:
- Account access to DNS Firewall (provided by your Enterprise account team).
- Access to DNS Administrator or Super Administrator privileges on your account.
- Newly updated IP addresses for your nameservers (protects against previously compromised IP addresses).
- Log in to the Cloudflare account ↗ with DNS Firewall.
- On the account homepage, click DNS Firewall.
- Click Add Firewall Cluster.
- Fill out the required fields, including:
- IP Addresses: The upstream IPv4 and/or IPv6 addresses of your authoritative nameservers.
- Minimum Cache TTL: Recommended setting of 30 seconds.
- Maximum Cache TTL: Recommended setting of 1 hour. Larger values increase the cache hit ratio, but also increase the time required for DNS changes to propagate.
- ANY queries: Recommended setting is Off because these are often used as part of DDoS attacks. Also refer to this blog post ↗.
- Click Continue.
- On the following screen, save the values for Your new DNS Firewall IP Addresses.
You can also create a DNS Firewall cluster by sending a POST request to the API.
Update the A/AAAA
glue records for your nameserver hostnames at your registrar with your DNS Firewall cluster IP addresses.
At your DNS servers, update the A/AAAA
records for your nameserver hostnames in your DNS zone file with your DNS Firewall cluster IP addresses.
Confirm that your nameservers are functioning correctly by running a dig
command.
Configure security policy in your DNS servers and Firewall to allow only Cloudflare IPs ↗ and TCP/UDP port 53.
When you use the API, you can also specify other parameters, such as rate limit (in queries per second per data center). You can find the parameters descriptions and examples in the API documentation.
To configure rate limiting and other options for already existing clusters, use the Update DNS Firewall Cluster endpoint.