src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx
Lines changed: 17 additions & 0 deletions
@@ -45,6 +45,23 @@ For more information, refer to [DNS over TLS](/cloudflare-one/connections/connec
45
45
46
46
Gateway requires a DoH endpoint for default DNS locations. For more information, refer to [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/).
47
47
48
+
## Secure DNS locations
49
+
50
+
Secure DNS locations provide additional protection against malicious domains for use in services such as [protective DNS (PDNS)](/reference-architecture/diagrams/sase/gateway-for-protective-dns/). For a DNS location to be considered secure, Gateway requires that:
51
+
52
+
- Your IPv4 and IPv6 endpoints use your [BYOIP addresses](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) (if any).
53
+
-[Source network filtering](/cloudflare-one/policies/gateway/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints.
54
+
- Source network filtering or token authentication are configured for your DoH endpoints.
55
+
- Any enabled endpoints for a DNS location meet security permissions.
56
+
57
+
You can assign users the [**Cloudflare Zero Trust DNS Locations Write** role](/cloudflare-one/roles-permissions/#zero-trust-roles) to grant them the permission to create and edit secure DNS locations. To allow users to view locations, you must also assign the **Cloudflare Zero Trust Read Only** role. Users with these roles can view any DNS location, but can only create or edit secure locations.
58
+
59
+
Roles that supersede **Cloudflare Zero Trust DNS Locations Write** include:
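Review bot: The fourth bullet, "Any enabled endpoints for a DNS location meet security permissions", never says what "security permissions" are. If it means the three requirements listed above it, say so directly (for example "Every enabled endpoint for the location meets the requirements above") and consider making it the closing sentence instead of a bullet. In the DoH bullet, "Source network filtering or token authentication are configured" should read "is configured". In the BYOIP bullet, "(if any)" should state whether a location in an account with no BYOIP addresses can still be considered secure. The "Source network filtering" link targets /cloudflare-one/policies/gateway/network-policies/; confirm that page is the intended reference for filtering on a DNS location's endpoints.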
src/content/docs/cloudflare-one/roles-permissions.mdx
Lines changed: 14 additions & 13 deletions
@@ -13,19 +13,20 @@ To check the list of members in your account, or to manage roles and permissions
13
13
14
14
Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.
The Cloudflare Zero Trust role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security.
[^1]: The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security.
28
+
29
+
[^2]: Users with the **Cloudflare Zero Trust DNS Locations Write** role can view all DNS locations for an organization but can only create and edit [secure DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#secure-dns-locations).
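Review bot: Footnote [^2] says users with the **Cloudflare Zero Trust DNS Locations Write** role "can view all DNS locations", while the text added to the locations page in this same commit says that to allow users to view locations "you must also assign the **Cloudflare Zero Trust Read Only** role". Decide which role actually grants view access and make both places say the same thing, because readers will rely on this footnote when assigning the narrowest role that works.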