
Common DNS policies

The following policies are commonly used to secure DNS traffic.

Refer to the DNS policies page for a comprehensive list of other selectors, operators, and actions.

Allow corporate domains

This policy allows users to access official corporate domains. By deploying the policy with a high order of precedence, you ensure that employees can reach trusted domains even if those domains fall under a blocked category such as Newly seen domains or Login pages.

| Selector | Operator | Value | Action | Precedence |
|---|---|---|---|---|
| Domain | in list | Allowed domains | Allow | 1 |

Block security threats

Block security categories such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.

| Selector | Operator | Value | Action |
|---|---|---|---|
| Security categories | in | All security risks | Block |

Block content categories

The categories included in this policy are not always a security threat, but blocking them can help minimize the risk your organization is exposed to. For more information, refer to domain categories.

| Selector | Operator | Value | Action |
|---|---|---|---|
| Content Categories | in | Questionable Content, Security Risks, Miscellaneous | Block |

Block unauthorized applications

To minimize the risk of shadow IT, some organizations choose to limit their users' access to certain web-based tools and applications. For example, the following policy blocks AI assistants:

| Selector | Operator | Value | Action |
|---|---|---|---|
| Application | in | ChatGPT, Bard | Block |

Block banned countries

You can implement policies to block websites hosted in countries categorized as high risk. Such a designation may be driven by your organization's customers or by regulations including EAR, OFAC, and ITAR.

| Selector | Operator | Value | Action |
|---|---|---|---|
| Resolved Country IP Geolocation | in | Afghanistan, Belarus, Congo (Kinshasa), Cuba, Iran, Iraq, Korea, North, Myanmar, Russian Federation, Sudan, Syria, Ukraine, Zimbabwe | Block |

Block top-level domains

Blocking frequently misused top-level domains (TLDs) can reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations like ITAR or OFAC.

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Domain | matches regex | `[.](cn\|ru)$` | Or | Block |
| Domain | matches regex | `[.](rest\|hair\|top\|live\|cfd\|boats\|beauty\|mom\|skin\|okinawa)$` | Or | |
| Domain | matches regex | `[.](zip\|mobi)$` | | |

Block phishing attacks

To protect against sophisticated phishing attacks, you could prevent users from accessing phishing domains that are specifically targeting your organization. The following policy blocks specific keywords associated with an organization or its authentication services (such as okta, 2fa, cloudflare or sso), while still allowing access to official corporate domains.

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Domain | not in list | Corporate Domains | And | Block |
| Domain | matches regex | `.*okta.*\|.*cloudflare.*\|.*mfa.*\|.sso.*` | | |
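The following is an added example, not code from Cloudflare or this page: a small first-match evaluator that models the "Allow corporate domains", "Block top-level domains" and "Block phishing attacks" policies above with the regex values copied from their tables, so you can check what a given name would hit before rolling the policies out. It assumes that "matches regex" behaves like an unanchored search (Python's `re.search`), that unmatched queries fall through to Allow, and uses a constructed corporate-domain list; note that the last alternative `.sso.*` requires one character before `sso`, so a hostname that starts with `sso` is not matched by it.

```python
import re

# Constructed sample list standing in for the "Allowed domains" / "Corporate Domains" lists.
CORPORATE_DOMAINS = {"example.com", "okta.example.com"}

# Regex values copied from the policy tables. Assumption: Gateway's "matches regex"
# is an unanchored search like re.search; only the TLD patterns anchor themselves with "$".
TLD_PATTERNS = [
    r"[.](cn|ru)$",
    r"[.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$",
    r"[.](zip|mobi)$",
]
PHISHING_PATTERN = r".*okta.*|.*cloudflare.*|.*mfa.*|.sso.*"


def allow_corporate(domain: str) -> bool:
    """'Allow corporate domains': Domain in list Allowed domains."""
    return domain in CORPORATE_DOMAINS


def block_tld(domain: str) -> bool:
    """'Block top-level domains': the three regex rows are OR-ed together."""
    return any(re.search(p, domain) for p in TLD_PATTERNS)


def block_phishing(domain: str) -> bool:
    """'Block phishing attacks': Domain not in list AND Domain matches regex."""
    return domain not in CORPORATE_DOMAINS and re.search(PHISHING_PATTERN, domain) is not None


# Ordered as on the page: the Allow policy sits at precedence 1, above the Block policies.
POLICIES = [
    ("Allow corporate domains", allow_corporate, "Allow"),
    ("Block top-level domains", block_tld, "Block"),
    ("Block phishing attacks", block_phishing, "Block"),
]


def evaluate(domain: str) -> tuple:
    """Return (policy name, action) of the first matching policy; assumption: no match means Allow."""
    for name, matches, action in POLICIES:
        if matches(domain):
            return name, action
    return "no match", "Allow"


if __name__ == "__main__":
    # Constructed sample queries: a corporate name that also matches the phishing regex,
    # a lookalike on a blocked TLD, a lookalike on an allowed TLD, and the ".sso.*" gap.
    for d in ["okta.example.com", "okta-example.cn", "example-okta-login.net", "sso.evil.net"]:
        print(d, "->", evaluate(d))
```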

Block online tracking

To safeguard user privacy, some organizations will block tracking domains such as dig.whatsapp.com as well as other tracking domains embedded at the OS level. This policy is implemented by creating a custom blocklist. Refer to this repository for a list of widespread tracking domains that you can add to your blocklist.

| Selector | Operator | Value | Action |
|---|---|---|---|
| Domain | in list | Top tracking domains | Block |

Block malicious IPs

Block specific IP addresses that are known to be malicious or pose a threat to your organization. This policy is usually implemented by creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency Response Teams (CERTs).

| Selector | Operator | Value | Action |
|---|---|---|---|
| Resolved IP | in list | DShield | Block |

CIPA Filter

The CIPA Filter is a collection of subcategories that encompass a wide range of topics that could be harmful or inappropriate for minors. It is used as a part of Project Cybersafe Schools to block access to unwanted or harmful online content.

| Selector | Operator | Value | Action |
|---|---|---|---|
| Content Categories | in | CIPA Filter | Block |

Hide explicit search results

SafeSearch is a feature of search engines that helps you filter explicit or offensive content. You can enable SafeSearch on search engines like Google, Bing, Yandex, YouTube, and DuckDuckGo:

| Selector | Operator | Value | Action |
|---|---|---|---|
| Content Categories | in | Search Engines | Safe Search |

Check user identity

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Application | in | Salesforce | And | Block |
| User Group Names | in | Contractors | | |

Restrict access to specific groups

Filter DNS queries to allow only specific users access.

The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the order of precedence.

1. Allow a group

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Content Categories | in | Social Networks | And | Allow |
| User Group Names | in | marketing-team | | |

2. Block all other users

| Selector | Operator | Value | Action |
|---|---|---|---|
| Content Categories | in | Social Networks | Block |

Control IP version

Enterprise users can pair these policies with an egress policy to control which IP address is used to egress to the origin server.

Force IPv4

Force users to connect with IPv4.

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Query Record Type | is | AAAA | And | Block |
| Domain | is | example.com | | |

Force IPv6

Force users to connect with IPv6.

| Selector | Operator | Value | Logic | Action |
|---|---|---|---|---|
| Query Record Type | is | A | And | Block |
| Domain | is | example.com | | |