Commit 76e7afb

[Gateway] Private networks internal DNS (cloudflare#25009)
1 parent ae66cdc commit 76e7afb

1 file changed

+24
-1
lines changed


src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx

Lines changed: 24 additions & 1 deletion
@@ -10,7 +10,7 @@ import { Render } from "~/components";
1010

1111
[Cloudflare Gateway](/cloudflare-one/policies/gateway/), our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, network, HTTP, and egress traffic.
1212

13-
You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN.
13+
You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN. Additionally, you can configure Gateway to [resolve DNS queries](#dns-filtering) from Magic WAN.
1414

1515
## HTTPS filtering
1616
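Review bot: the new sentence at line 13+ says you can "configure Gateway to resolve DNS queries from Magic WAN", which reads as if Gateway initiates the lookups; the section it links to describes pointing the resolvers of your Magic WAN networks at Gateway so that their queries are resolved and can be matched by resolver policies. Suggest "Additionally, you can point your Magic WAN networks at Gateway to resolve and filter their DNS queries" so the direction of traffic is clear. The in-page link `#dns-filtering` is derived from the heading text added in the next hunk; if that heading is ever reworded the anchor breaks silently, so keep the two in step.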

@@ -32,6 +32,28 @@ If your organization onboards users to Magic WAN via an [on-ramp other than WARP
3232
| --------- | -------- | ---------------- | -------------- |
3333
| Source IP | in | `203.0.113.0/24` | Do Not Inspect |
3434

35+
## DNS filtering
36+
37+
You can configure the DNS resolver for your Magic WAN networks to the shared IP addresses for the Gateway DNS resolver. The Gateway DNS resolver IPs are `172.64.36.1` and `172.64.36.2`. When you resolve DNS queries from Magic WAN through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
38+
39+
```mermaid
40+
flowchart LR
41+
subgraph subGraph0["Data center"]
42+
direction TB
43+
InternalDNS(["Internal DNS"])
44+
ResolverPolicies["Resolver policies"]
45+
CloudflareGatewayDNSResolver["Gateway DNS resolver"]
46+
end
47+
ResolverPolicies -- Retain and use</br>Source Internal IP --> InternalDNS
48+
CloudflareGatewayDNSResolver -- <br> --> ResolverPolicies
49+
WarpConnector["WARP Connector"] -- DHCP/DNS resolver --> IPSecTunnel["IPsec tunnel"]
50+
MagicWAN["Magic WAN"] -- DHCP/DNS resolver --> IPSecTunnel
51+
IPSecTunnel -- Shared IP endpoints --> CloudflareGatewayDNSResolver
52+
ResolverPolicies@{ shape: proc}
53+
WarpConnector@{ shape: in-out}
54+
MagicWAN@{ shape: in-out}
55+
```
56+
3557
## Outbound Internet traffic
3658

3759
By default, the following traffic routed through Magic WAN tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:
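Review bot: the edge label on line 47+ uses `</br>`, which is a closing tag with no opening tag and not something Mermaid defines; use `<br/>` as in `ResolverPolicies -- Retain and use<br/>Source Internal IP --> InternalDNS`. The edge on line 48+ (`CloudflareGatewayDNSResolver -- <br> --> ResolverPolicies`) carries an empty label that renders as a blank box; either drop the label (`CloudflareGatewayDNSResolver --> ResolverPolicies`) or give it text. On the prose at line 37+: the paragraph says Gateway logs queries "with the private source IP" but does not say what makes that possible. The diagram shows the shared resolver endpoints being reached through the IPsec tunnel, so state explicitly that queries to `172.64.36.1` and `172.64.36.2` must be routed over the Magic WAN tunnel (rather than sent to those IPs from the public Internet) for the private source IP to be retained and the query to be attributed to your account; a reader who hands those IPs to clients that are not behind Magic WAN will otherwise expect resolver policies keyed on private source IP to match when they cannot. The opening sentence "configure the DNS resolver for your Magic WAN networks to the shared IP addresses for the Gateway DNS resolver" is hard to parse; "Set the DNS resolver of your Magic WAN networks to the shared Gateway DNS resolver IP addresses, `172.64.36.1` and `172.64.36.2`" says the same thing in one step and avoids repeating the IPs in the following sentence.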
@@ -50,6 +72,7 @@ By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and dest
5072
Contact your account team to enable Gateway filtering for traffic destined to routes behind Magic WAN tunnels.
5173

5274
If enabled, by default TCP/UDP traffic meeting **all** the following criteria will be proxied/filtered by Cloudflare Gateway:
75+
5376
- Both source and destination IPs are part of either [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918) space, [WARP](/cloudflare-one/connections/connect-devices/warp/), [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/)
5477
- Source port must be a client port strictly higher than `1023`
5578
- Destination port is a well-known port lower than `1024`
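Review bot: the bullets following the blank line added at 75+ mix "Both ... are", "Source port must be" and "Destination port is"; since the intro already says traffic must meet all the criteria, "Source port is a client port strictly higher than `1023`" keeps the three items parallel. The blank line itself is correct: without it, MDX can run the list into the preceding paragraph instead of rendering it as a list.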
