Adding DNS API calls to secure-internet-traffic learning path (#18388)

Co-authored-by: Max Phillips <[email protected]>

Author: tcerqueira-cf

src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx

@@ -54,101 +54,28 @@ To get the UUIDs of your lists, use the [List Zero Trust lists](/api/resources/z
 
 Block [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories) such as Command & Control, Botnet and Malware based on Cloudflare's threat intelligence.
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
 <Render
-	file="gateway/policies/block-security-categories"
+	file="gateway/policies/dash-plus-api/dns/block-security-categories"
 	product="cloudflare-one"
 />
 
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Block security threats",
-  "description": "Block all default Cloudflare DNS security categories",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "dns"
-  ],
-  "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
-  "identity": ""
-}'
-```
-
-</TabItem> </Tabs>
-
 ## Block content categories
 
 The categories included in this policy are not always a security threat, but blocking them can help minimize the risk that your organization is exposed to. For more information, refer to [domain categories](/cloudflare-one/policies/gateway/domain-categories/).
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-| Selector           | Operator | Value                                                     | Action |
-| ------------------ | -------- | --------------------------------------------------------- | ------ |
-| Content Categories | in       | _Questionable Content_, _Security Risks_, _Miscellaneous_ | Block  |
-
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Block content categories",
-  "description": "Block common content categories that may pose a risk",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "dns"
-  ],
-  "traffic": "any(dns.content_category[*] in {17 85 87 102 157 135 138 180 162 32 169 177 128 15 115 119 124 141 161})",
-  "identity": ""
-}'
-```
-
-</TabItem> </Tabs>
+<Render
+	file="gateway/policies/dash-plus-api/dns/block-content-categories"
+	product="cloudflare-one"
+/>
 
 ## Block unauthorized applications
 
 <Render file="gateway/policies/block-applications" product="cloudflare-one" />
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-| Selector    | Operator | Value                     | Action |
-| ----------- | -------- | ------------------------- | ------ |
-| Application | in       | _Artificial Intelligence_ | Block  |
-
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Block unauthorized applications",
-  "description": "Block access to unauthorized AI applications",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "dns"
-  ],
-  "traffic": "any(app.type.ids[*] in {25})",
-  "identity": ""
-}'
-```
-
-</TabItem> </Tabs>
+<Render
+	file="gateway/policies/dash-plus-api/dns/block-applications"
+	product="cloudflare-one"
+/>
 
 ## Block banned countries
 

src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx

@@ -92,69 +92,19 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
 
 Block content categories which go against your organization's acceptable use policy.
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-| Selector           | Operator | Value                      | Action |
-| ------------------ | -------- | -------------------------- | ------ |
-| Content Categories | in       | _Adult Themes_, _Gambling_ | Block  |
-
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Block content categories",
-  "description": "Block access to unauthorized adult and gambling applications",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "http"
-  ],
-  "traffic": "any(http.request.uri.content_category[*] in {2 67 125 133 99})",
-  "identity": "",
-  "device_posture": ""
-}'
-```
-
-</TabItem> </Tabs>
+<Render
+	file="gateway/policies/dash-plus-api/http/block-content-categories"
+	product="cloudflare-one"
+/>
 
 ## Block unauthorized applications
 
 <Render file="gateway/policies/block-applications" product="cloudflare-one" />
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-| Selector    | Operator | Value                     | Action |
-| ----------- | -------- | ------------------------- | ------ |
-| Application | in       | _Artificial Intelligence_ | Block  |
-
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Block unauthorized applications",
-  "description": "Block access to unauthorized AI applications",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "http"
-  ],
-  "traffic": "any(app.type.ids[*] in {25})",
-  "identity": "",
-  "device_posture": ""
-}'
-```
-
-</TabItem> </Tabs>
+<Render
+	file="gateway/policies/dash-plus-api/http/block-applications"
+	product="cloudflare-one"
+/>
 
 ## Check user identity
 

src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx

@@ -85,7 +85,7 @@ The Allow action allows outbound traffic to reach destinations you specify withi
 
 | Selector           | Operator | Value       | Action |
 | ------------------ | -------- | ----------- | ------ |
-| Content Categories | in       | `Education` | Allow  |
+| Content Categories | in       | _Education_ | Allow  |
 
 #### Untrusted certificates
 

src/content/docs/cloudflare-one/policies/gateway/network-policies/common-policies.mdx

@@ -87,35 +87,10 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
 
 Require devices to have certain software installed or other configuration attributes. For instructions on enabling a device posture check, refer to the [device posture section](/cloudflare-one/identity/devices/). For example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
 
-<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
-
-<Render file="gateway/policies/enforce-device-posture" />
-
-</TabItem>
-
-<TabItem label="API">
-
-```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rule \
---header "Content-Type: application/json" \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "name": "Enforce device posture",
-  "description": "Limit access to an internal application to approved organization devices",
-  "enabled": true,
-  "action": "block",
-  "filters": [
-    "l4"
-  ],
-  "traffic": "any(net.sni.domains[*] == \"example.com\")",
-  "identity": "",
-  "device_posture": "not(any(device_posture.checks.passed[*] in {\"<POSTURE_CHECK_UUID>\"}))"
-}'
-```
-
-To get the UUIDs of your device posture checks, use the [List device posture rules](/api/resources/zero_trust/subresources/devices/subresources/posture/methods/list/) endpoint.
-
-</TabItem> </Tabs>
+<Render
+	file="gateway/policies/dash-plus-api/network/enforce-device-posture"
+	product="cloudflare-one"
+/>
 
 ## Enforce session duration
 

src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx

@@ -3,17 +3,66 @@ title: Create an allowlist or blocklist
 pcx_content_type: learning-unit
 sidebar:
   order: 2
-
 ---
 
+import { Tabs, TabItem } from "~/components";
+
 In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications.
 
 Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies.
 
 ## Example list policy
 
+<Tabs syncKey="dashPlusAPI">
+
+<TabItem label="Dashboard">
+
 The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**.
 
 | Selector | Operator | Value               | Action |
 | -------- | -------- | ------------------- | ------ |
-| Domain   | in list  | *Corporate Domains* | Allow  |
+| Domain   | in list  | _Corporate Domains_ | Allow  |
+
+</TabItem>
+
+<TabItem label="API">
+
+```sh
+curl  https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+  --header 'Content-Type: application/json' \
+  --header "Authorization: Bearer <API_TOKEN>" \
+	--data '{
+  "name": "All-DNS-CorporateDomain-AllowList",
+  "description": "Allow access to the corporate domains defined under the Corporate Domains list",
+  "precedence": 1,
+  "enabled": true,
+  "action": "allow",
+  "filters": [
+    "dns"
+  ],
+  "traffic": "any(dns.domains[*] in $<CORPORATE_DOMAINS_LIST_UUID>)"
+}'
+```
+
+</TabItem>
+
+<TabItem label="Terraform">
+
+To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**.
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" {
+  account_id  = var.account_id
+  name        = "All-DNS-CorporateDomain-AllowList"
+  description = "Allow access to the corporate domains defined under the Corporate Domains list"
+  precedence  = 1
+  enabled     = false
+  action      = "allow"
+  filters     = ["dns"]
+  traffic     = "any(dns.domains[*] in $<Corporate Domains List UUID>)"
+}
+```
+
+</TabItem>
+
+</Tabs>

src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx

@@ -5,10 +5,81 @@ sidebar:
   order: 1
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.
 
 You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/).
 
-<Render file="gateway/get-started/create-dns-policy" product="cloudflare-one" />
+To create a new DNS policy:
+
+<Tabs syncKey="dashPlusAPI">
+
+<TabItem label="Dashboard">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **DNS** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
+5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
+   <Render
+   	file="gateway/policies/block-security-categories"
+   	product="cloudflare-one"
+   />
+6. Select **Create policy**.
+
+For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+
+</TabItem>
+
+<TabItem label="API">
+
+To create a new DNS policy using cURL:
+
+```sh
+curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+  --header 'Content-Type: application/json' \
+  --header "Authorization: Bearer <API_TOKEN>" \
+	--data '{
+		"name": "All-DNS-SecurityCategories-Blocklist",
+		"description": "Block known security risks based on Cloudflare's threat intelligence",
+		"precedence": 0,
+		"enabled": true,
+		"action": "block",
+		"filters": [
+			"dns"
+		],
+		"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+		"rule_settings": {
+			"block_page_enabled": true,
+			"block_reason": "This domain was blocked due to being classified as a security risk to your organization"
+		}
+	}'
+```
+
+</TabItem>
+
+<TabItem label="Terraform">
+
+To create a new DNS policy using **Terraform**:
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" {
+  account_id  = var.account_id
+  name        = "All-DNS-SecurityCategories-Blocklist"
+  description = "Block known security risks based on Cloudflare's threat intelligence"
+  precedence  = 0
+  enabled     = true
+  action      = "block"
+  filters     = ["dns"]
+  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+  rule_settings {
+      block_page_enabled = true
+      block_page_reason = "This domain was blocked due to being classified as a security risk to your organization"
+    }
+}
+```
+
+</TabItem>
+
+</Tabs>