[DNS] Internal DNS initial docs (#20066)

* Create placeholder folder and pages

* Adjust order and add Overview markdown components

* Add Gateway and Magic WAN as related products

* Add Beta callout and sidebar badge

* Redefine folder structure and file names for consistency

* Slight text review and add intro overview paragraph

* Add placeholder sections to views and internal zones

* Group how-tos and add get-started and analytics

* Add siplified overview diagram

* Add explanatory paragraphs for architecture overview

* Add mermaid with view and internal zones examples

* Remove mermaid with view and internal zones examples

* Replace Features section and add Get Started placeholders

* Revise intro and fill in get-started requirements

* Fill in get-started steps for internal zones

* Fill in get-started steps to create views

* Create partial for beta callout and fill in Gateway steps

* Text review and link out to connectivity from get-started

* Rename setup to how-to and fill in iZone conditions

* Fill in create and reference steps in internal-zones

* Add links to other API operations from internal-zones.mdx

* Fill in views config conditions and deletion callouts

* Add beta label to h1 and adjust meta title

* Get-started and internal-zones overall review

* Adjust dns-views outline and fill in setup instructions and links

* Move connectivity out of how-to and adjust links and order

* Minor text reviews

* Delete dedicated connectivity page placeholder

* Move dns-views and internal-zones a level higher on the nav

* Add paragraph linking out to Gateway analytics

* Move conditions into partials and replace in get-started

* Add example reference zone API call

* Move ref zone API call into partial and replace

* Fix broken links and point from get-started to dedicated pages

* Add info on GraphQL schemas and dedicated log fields

* Add intro paragraph about connectivity and cross-product

* Separate Gateway and resolver policies to reflect plan difference

* More details on reference zones logic and conditions

* First pass following PM review: adjust wording

* Expand architecture overview with detailed examples

* Comment detail on connectivity and fill in gap re views

* Add missing view condition: unique name within account

* Add reference to Logpush filters and edit analytics intro

* Improve zone labeling

* Replace NXDOMAIN by SERVFAIL in response when view is deleted

* Dedicated section to Connectivity and more details on fallback

* Re-org internal-zones as folder with concept and how-to pages

* Review hyperlinks based on new folder org and pages

* Add dedicated page to connection options and complete list

* Adjust references to connectivity from get-started

* Overall text review

Author: RebeccaTamachiro

src/content/docs/dns/internal-dns/analytics.mdx

@@ -0,0 +1,25 @@
+---
+pcx_content_type: how-to
+title: Analytics and logs
+sidebar:
+  order: 10
+---
+
+Internal DNS leverages [Gateway analytics](/cloudflare-one/insights/analytics/gateway/). Below you can find information about specific fields and different methods you can use to access this data.
+
+## GraphQL
+
+For detailed metrics, use the [GraphQL API](/analytics/graphql-api/). Refer to the GraphQL Analytics API documentation for guidance on how to [get started](/analytics/graphql-api/getting-started/).
+
+The [fields](/analytics/graphql-api/getting-started/querying-basics/) added to cover Internal DNS are the following:
+
+- `InternalDNSFallbackStrategy`: The fallback strategy applied to the internal DNS response. Empty if no fallback strategy was applied.
+- `InternalDNSRCode`: The response code sent back by the internal DNS service.
+- `InternalDNSViewID`: The view identifier that was sent to the internal DNS service.
+- `InternalDNSZoneID`: The internal zone identifier returned by the internal DNS service.
+
+## Logs
+
+Leverage Logpush jobs for [Gateway DNS](/logs/reference/log-fields/account/gateway_dns/#internaldnsfallbackstrategy). For help setting up Logpush, refer to [Get started with Logs](/logs/get-started/).
+
+You can also set up [Logpush filters](/logs/reference/filters/) to only push logs related to a specific [internal zone](/dns/internal-dns/internal-zones/) or [view](/dns/internal-dns/dns-views/) ID.

src/content/docs/dns/internal-dns/connectivity.mdx

@@ -0,0 +1,18 @@
+---
+title: Connect to Gateway resolver
+pcx_content_type: reference
+sidebar:
+  order: 8
+  label: Connectivity
+---
+
+To connect to Cloudflare Gateway resolver - which is [required to reach private resources in Internal DNS](/dns/internal-dns/#architecture-overview) - you can use the following options:
+
+- DNS endpoints supported with [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/)
+    - DNS over UDP/TCP port 53 (IPv4 or IPv6)
+    - DNS over TLS
+    - DNS over HTTPS
+- [Proxy Auto-Configuration (PAC) files](/cloudflare-one/connections/connect-devices/agentless/pac-files/)
+- [WARP device client](/cloudflare-one/connections/connect-devices/warp/)
+- [Clientless browser isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/#filter-dns-queries)
+- [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)

src/content/docs/dns/internal-dns/dns-views.mdx

@@ -0,0 +1,37 @@
+---
+pcx_content_type: how-to
+title: Manage DNS views
+sidebar:
+  order: 3
+  label: Views
+---
+
+import { Details, Render } from "~/components";
+
+Internal DNS views are logical groupings of [internal DNS zones](/dns/internal-dns/internal-zones/). As explained in the [architecture overview](/dns/internal-dns/#architecture-overview), DNS views are referenced by [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to define how a specific query should be resolved.
+
+Refer to the sections below for details on how to manage your DNS views, or consider the [get started](/dns/internal-dns/#architecture-overview) for a complete workflow.
+
+## Configuration conditions
+
+When setting up DNS views, observe the following conditions:
+
+<Render file="internal-dns-view-conditions" />
+
+## Create a view
+
+Use the [Create Internal DNS View](/api/resources/dns/subresources/settings/subresources/views/methods/create/) endpoint. For each view you create, list all the internal zones that should be grouped under that view.
+
+## Delete a view
+
+Use the [Delete Internal DNS View](/api/resources/dns/subresources/settings/subresources/views/methods/delete/) endpoint.
+
+DNS views can be deleted even if they still have internal zones linked to them. The internal DNS zones will continue to exist but will be unlinked once the view is deleted.
+
+It is also possible to delete a DNS view that is being referenced by a Gateway resolver policy. In this case, queries matching the policy will return SERVFAIL.
+
+## Other actions
+
+- [Update a DNS view](/api/resources/dns/subresources/settings/subresources/views/methods/edit/) (`PATCH`)
+- [Get view details](/api/resources/dns/subresources/settings/subresources/views/methods/get/) (`GET`)
+- [List DNS views](/api/resources/dns/subresources/settings/subresources/views/methods/list/) (`GET`)

src/content/docs/dns/internal-dns/get-started.mdx

@@ -0,0 +1,101 @@
+---
+title: Get started
+pcx_content_type: get-started
+sidebar:
+  order: 2
+---
+
+import { TabItem, Tabs, Details, Example, Render } from "~/components";
+
+Follow this guide to get started with Internal DNS.
+
+Although there are some steps that can be achieved on the dashboard, currently the whole process can only be completed via API.
+
+## Before you begin
+
+<Render file="internal-dns-beta-note" />
+
+- Make sure you have an Enterprise account with access to [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) and [Internal DNS](/dns/internal-dns/).
+- Consider the different ways in which you can [connect to Gateway resolver](/dns/internal-dns/connectivity/).
+- If you are not familiar with how to use Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/).
+- If you will be using an API token for authentication, make sure you have the following permissions:
+
+<Details header="API token configuration">
+<Example>
+**Permissions**
+- *Account* - *DNS Views* - *Edit*
+- *Zone* - *DNS* - *Edit*
+- *Account* - *Account Settings* - *Edit*
+- *Zone* - *DNS Settings* - *Edit*
+- *Zone* - *Zone* - *Edit*
+
+**Account Resources**
+- *Include* - *(Your account)*
+
+**Zone Resources**
+- *Include* - *All zones*
+
+</ Example>
+</ Details>
+
+
+## 1. Set up your internal DNS zone
+
+1. Use the [Create Zone](/api/resources/zones/) endpoint to create an [internal zone](/dns/internal-dns/internal-zones/). Specify your account ID and set the `type` to `internal`.
+
+<Details header="Internal zone configuration conditions">
+<Render file="internal-zones-conditions" />
+</Details>
+
+2. Add DNS records to your internal zone using your preferred option:
+- [Import](/api/resources/dns/subresources/records/methods/import/) a formatted BIND file. Refer to the [DNS records how-to](/dns/manage-dns-records/how-to/import-and-export/) for guidance.
+- Use other API endpoints, such as [`/batch`](/api/resources/dns/subresources/records/methods/batch/), to manage DNS records. Refer to [Batch record changes](/dns/manage-dns-records/how-to/batch-record-changes/#use-the-api) for details.
+3. Repeat this process for each internal zone you wish to add.
+
+### (Optional) Reference a zone from another zone
+
+1. Use the [Update DNS settings](/api/resources/dns/subresources/settings/methods/edit/) endpoint to add a reference from an internal zone to another internal zone. In `--data`, specify the `internal_dns` object with the parameter `reference_zone_id`. For details, refer to [reference zones](/dns/internal-dns/internal-zones/#reference-zones).
+
+<Example>
+<Render file="internal-reference-zone-api"/>
+</ Example>
+
+## 2. Link your internal zone to a view
+
+Since the resolver policy will require a [DNS view](/dns/internal-dns/dns-views/), you must have at least one view to be able to route requests to internal zones.
+
+1. Use the [Create Internal DNS View](/api/resources/dns/subresources/settings/subresources/views/methods/create/) endpoint. For each view you create, list all the internal zones that should be grouped under that view.
+
+<Details header="DNS view configuration conditions">
+<Render file="internal-dns-view-conditions" />
+</Details>
+
+## 3. Configure Gateway policies
+
+:::note
+The Gateway configuration must exist within the same Cloudflare account where the internal zone exists.
+:::
+
+Besides selecting an internal DNS view when setting up your resolver policies, you can also enable the **fallback through public DNS** option.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**.
+2. Select **Add a policy** and enter a name and description.
+3. Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/policies/gateway/resolver-policies/#selectors).
+4. Select **Use DNS view**. In the dropdown, choose the view that queries matching the expression should be sent to.
+5. (Optional) Adjust the option to **fallback through public DNS** according to your use case.
+- Off: Gateway DNS resolver returns the response as-is to the client.
+- On: In case the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS.
+6. Select **Create policy** to confirm.
+
+</TabItem> <TabItem label="API">
+
+Use the API endpoints under [Zero Trust > Gateway > Rules](/api/resources/zero_trust/subresources/gateway/subresources/rules/) to set up resolver policies. For guidance about selectors, operators, and values, refer to [Gateway](/cloudflare-one/policies/gateway/resolver-policies/#selectors).
+
+Use the rule settings object to define `resolve_dns_internally`, specifying `view_id` and `fallback` option. The fallback options behave as follows:
+
+- `none`: Gateway DNS resolver returns the response as-is to the client.
+- `public_dns`: In case the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS.
+
+</TabItem> </Tabs>

src/content/docs/dns/internal-dns/index.mdx

@@ -0,0 +1,115 @@
+---
+pcx_content_type: overview
+title: Internal DNS (beta)
+sidebar:
+  order: 14
+  label: Overview
+  group:
+    badge:
+      text: Beta
+    label: Internal DNS
+head:
+  - tag: title
+    content: Internal DNS
+---
+
+import { Render, Description, Plan, RelatedProduct, DirectoryListing, GlossaryTooltip, Example } from "~/components";
+
+<Description>
+Simplify private network management with Cloudflare DNS for your internal resources.
+</Description>
+
+<Plan type="enterprise" />
+
+Manage DNS records that should only be accessible within your private network. Internal DNS [zones](/dns/internal-dns/internal-zones/) and [views](/dns/internal-dns/dns-views/) pair up with [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) so that you can control how a DNS query should be responded to according to the query context, such as its source IP.
+
+<Render file="internal-dns-beta-note" />
+
+## Architecture overview
+
+You can use different [connectivity options](/dns/internal-dns/connectivity/) to on-ramp your traffic to Cloudflare. Then, Cloudflare Gateway resolver acts as an interface between the DNS client and internal DNS zones.
+
+Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via Cloudflare Gateway resolver.
+
+```mermaid
+flowchart LR
+        accTitle: Internal DNS query overview
+        accDescr: Diagram comparing internal DNS query with public DNS
+        A[Client]
+        subgraph Cloudflare account
+        subgraph Gateway
+				B[Default 1.1.1.1 resolver]
+        X[Resolver policy selecting an internal DNS view]
+        end
+        subgraph Authoritative DNS
+        Y[(Public DNS)]
+				Z[(Internal DNS)]
+        end
+        end
+
+			  C[Public resolver]
+
+        B --Query--> Y
+        X --Query + View ID--> Z
+        A --Query--> B
+				A --Query--> X
+				C --Query--> Y
+```
+
+Internal DNS zones are grouped into DNS views, which are selected by the resolver policy you define. Views are usually logical groupings relevant to your organization, such as different geographical locations.
+
+```mermaid
+flowchart LR
+        accTitle: Internal DNS views and zones
+        accDescr: Diagram exemplifying Internal DNS views and zones relationship
+        subgraph Internal DNS
+        subgraph View 111 - London
+        Y[Zone 600 <br /> example.local]
+				Z[Zone 601 <br /> local]
+        end
+        subgraph View 110 - San Francisco
+        X[Zone 101 <br /> example.com]
+				B[Zone 100 <br /> example.local]
+				S[Zone 102 <br /> com]
+        end
+				W[Zone 701 <br /> net]
+				end
+```
+
+Internal DNS zones contain the <GlossaryTooltip term="DNS record" link="/dns/manage-dns-records/">DNS records</ GlossaryTooltip> that should be used to resolve an internal DNS query. Also, if no internal record is found within a matching internal zone, Cloudflare will check if the matching internal zone is [referencing another internal zone](/dns/internal-dns/internal-zones/#reference-zones).
+
+<Example>
+
+```mermaid
+flowchart LR
+        accTitle: Internal DNS zones and internal records
+        accDescr: Diagram exemplifying Internal DNS zones and records relationship
+        subgraph View 111 - London
+				subgraph Zone 601 - local
+				S[@ A 192.0.2.10]
+				T[ghi.example A 192.0.2.15]
+				end
+        subgraph Zone 600 - example.local
+				X[@ A 192.0.2.1]
+				Y[abc A 192.0.2.6]
+				Z[def A 192.0.2.9]
+				end
+				end
+```
+In this example, a query for `ghi.example.local` routed to view ID 111 would go to zone 600, which presents the longest matching zone name (`example.local`). Zone 600 does not contain a record for `ghi` but, if it is referencing zone 601, Cloudflare will then look for the queried record within the reference zone.
+
+</Example>
+
+## Resources
+
+<DirectoryListing />
+
+## Related products
+
+<RelatedProduct header="Cloudflare Gateway" href="/cloudflare-one/policies/gateway/" product="privacy-gateway">
+Set up policies to inspect DNS, Network, HTTP, and Egress traffic.
+</RelatedProduct>
+
+<RelatedProduct header="Cloudflare Magic WAN" href="/magic-wan/" product="magic-wan">
+Improve security and performance for your entire corporate networking, reducing cost and operation complexity.
+</RelatedProduct>

src/content/docs/dns/internal-dns/internal-zones/index.mdx

@@ -0,0 +1,32 @@
+---
+pcx_content_type: concept
+title: Internal zones
+sidebar:
+  order: 2
+  group:
+    label: Internal zones
+---
+
+import { Example, Render } from "~/components";
+
+Internal DNS zones are groupings of internal DNS records. While [public DNS records](/dns/manage-dns-records/) contain information about resources that you want to make available to the public Internet, [internal DNS records](#internal-dns-records) allow you to manage resources that should only be available within your private network.
+
+Refer to [Manage internal zones](/dns/internal-dns/internal-zones/setup/) for a full list of configuration conditions and step-by-step instructions.
+
+Internal DNS zones do not get assigned Cloudflare nameservers and can only be queried via [Cloudflare Gateway](/cloudflare-one/policies/gateway/resolver-policies/) when linked to a [DNS view](/dns/internal-dns/dns-views/). The Gateway configuration must exist within the same Cloudflare account where the internal zone exists.
+
+## Reference zones
+
+During an [internal DNS query resolution](/dns/internal-dns/#architecture-overview), if no internal record is found within a matching internal zone, Cloudflare will check if the matching internal zone is referencing another internal zone. Successive references can be followed with a maximum of five references in a chain.
+
+Each internal zone can only reference one other zone, but the same zone can be referenced by multiple internal zones. Public zones cannot be used as reference zones.
+
+Refer to [Set up reference zones](/dns/internal-dns/internal-zones/reference-zones/) for step-by-step instructions.
+
+## Internal DNS records
+
+Internal zones can contain the same [DNS record types](/dns/manage-dns-records/reference/dns-record-types/) that Cloudflare supports for public zones.
+
+You can manage internal DNS records in the same way as you would manage public DNS records, with the difference that [proxy status](/dns/proxy-status/) does not apply to internal DNS records.
+
+Refer to [Manage DNS records](/dns/manage-dns-records/how-to/create-dns-records/) or to the [API documentation](/api/resources/dns/subresources/records/) for further guidance.

src/content/docs/dns/internal-dns/internal-zones/reference-zones.mdx

@@ -0,0 +1,23 @@
+---
+pcx_content_type: how-to
+title: Set up reference zones
+sidebar:
+  order: 4
+---
+
+import { Example, Render } from "~/components";
+
+During an [internal DNS query resolution](/dns/internal-dns/#architecture-overview), if no internal record is found within a matching internal zone, Cloudflare will check if the matching internal zone is referencing another internal zone. Successive references can be followed with a maximum of five references in a chain.
+
+Each internal zone can only reference one other zone, but the same zone can be referenced by multiple internal zones. Public zones cannot be used as reference zones.
+
+## Steps
+
+To set up a reference zone, use the [Update DNS settings](/api/resources/dns/subresources/settings/methods/edit/) endpoint. In `--data`, specify the `internal_dns` object with the parameter `reference_zone_id`.
+
+<Example>
+<Render file="internal-reference-zone-api"/>
+
+A third zone (C) could also point to zone B as a reference, but zone A cannot add another zone as a reference while also having zone B configured as its reference zone.
+
+</ Example>