[Gateway] Global DNS policies (#21349)

maxvp · web-flow · commit 9a35e41af6cc · 2025-04-25T14:15:36.000-04:00
diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx
@@ -53,8 +53,8 @@ To create an HTTP policy to redirect URLs, refer to the [Redirect action](/cloud
 
 Paths and queries in the redirect URL take precedence over the original URL. When you turn on **Send policy context**, Gateway will append context to the end of the redirected URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:
 
-```txt ins="&user_email=user@example.com"
-cloudflare.com/redirect-path?querystring=Y&user_email=user@example.com
+```txt ins="&cf_user_email=user@example.com"
+cloudflare.com/redirect-path?querystring=Y&cf_user_email=user@example.com
 ```
 
 ### Customize the block page
diff --git a/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx
@@ -42,4 +42,41 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic
 | Always Blocked Categories              | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | Child Abuse                                                        | block     | Blocks child abuse materials.                                                                                                                  |
 | Don't Isolate RBI Help Pages           | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname         | `developers.cloudflare.com` and `help.cloudflarebrowser.com`       | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues.                        |
 | Don't AV Scan CF Speed                 | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname         | `speed.cloudflare.com`                                             | noscan    | Allows files transferred by the Cloudflare speed test.                                                                                         |
-| Allow Gateway Services                 | `00000001-346f-4710-b444-eb62e369b5f7` | Destination IP   | Cloudflare Resolver IPs                                            | allow     | Ensures traffic can reach the block page when Gateway matches DNS Block policies.                                                              |
+| Allow Gateway Services                 | `00000001-346f-4710-b444-eb62e369b5f7` | Destination IP   | Cloudflare resolver IPs                                            | allow     | Ensures traffic can reach the block page when Gateway matches DNS Block policies.                                                              |
+
+## DNS resolution policies
+
+For each of the domains above, Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](/1.1.1.1/).
+
+| Name                                                                                      | ID                                     | Value                                                              | Action  |
+| ----------------------------------------------------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------ | ------- |
+| Allow DNS queries for cloudflareclient.com domain                                         | `00000001-e139-4a1b-90d5-698d8fa371e0` | `cloudflareclient.com`                                             | allow   |
+| Resolve cloudflareclient.com through 1.1.1.1                                              | `00000001-e738-4554-823b-0b2c75af2c66` | `cloudflareclient.com`                                             | resolve |
+| Allow DNS queries for assets.browser.run domain                                           | `00000001-9bff-4d83-a9e4-e5ed321fe0b9` | `assets.browser.run`                                               | allow   |
+| Resolve assets.browser.run through 1.1.1.1                                                | `00000001-0df5-472b-80c0-02888e7167ee` | `assets.browser.run`                                               | resolve |
+| Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains                  | `00000001-e2f1-4e99-bab3-91df88879587` | `edge.browser.run` and `cloudflarebrowser.com`                     | allow   |
+| Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1                        | `00000001-b103-44c6-a114-7a784cdf3fb7` | `edge.browser.run` and `cloudflarebrowser.com`                     | resolve |
+| Allow DNS queries for help.teams.cloudflare.com domain                                    | `00000001-b2fc-46db-b0f1-69ef3553bd7a` | `help.teams.cloudflare.com`                                        | allow   |
+| Resolve help.teams.cloudflare.com through 1.1.1.1                                         | `00000001-ce13-486a-b006-ba0435ccb013` | `help.teams.cloudflare.com`                                        | resolve |
+| Allow DNS queries for cloudflare-gateway.com domain                                       | `00000001-e83d-492b-995e-351970cd5e8e` | `cloudflare-gateway.com`                                           | allow   |
+| Resolve cloudflare-gateway.com through 1.1.1.1                                            | `00000001-d9bc-4913-a2f5-905dbb3ecf9a` | `cloudflare-gateway.com`                                           | resolve |
+| Allow DNS queries for cloudflarestatus.com domain                                         | `00000001-78da-4f8a-b9ee-76563f1ec46b` | `cloudflarestatus.com`                                             | allow   |
+| Resolve cloudflarestatus.com through 1.1.1.1                                              | `00000001-4d1d-43a3-9015-c49fc3a6da31` | `cloudflarestatus.com`                                             | resolve |
+| Allow DNS queries for nel.cloudflare.com domain                                           | `00000001-af28-4afa-8987-eadc21187e14` | `nel.cloudflare.com`                                               | allow   |
+| Resolve nel.cloudflare.com through 1.1.1.1                                                | `00000001-0034-45a0-8333-f339451fba46` | `nel.cloudflare.com`                                               | resolve |
+| Allow DNS queries for api.cloudflare.com domain                                           | `00000001-5eea-4932-8dd5-8e1ec9770396` | `api.cloudflare.com`                                               | allow   |
+| Resolve api.cloudflare.com through 1.1.1.1                                                | `00000001-4f0c-4f86-9b96-5d26123a194b` | `api.cloudflare.com`                                               | resolve |
+| Allow DNS queries for dash.teams.cloudflare.com domain                                    | `00000001-0f75-48a9-b3e1-925a974d2b65` | `dash.teams.cloudflare.com`                                        | allow   |
+| Resolve dash.teams.cloudflare.com through 1.1.1.1                                         | `00000001-3d84-41a6-bc84-3014685c0d81` | `dash.teams.cloudflare.com`                                        | resolve |
+| Allow DNS queries for dash.cloudflare.com domain                                          | `00000001-0c2a-4b31-8606-3e5a1d87c1bf` | `dash.cloudflare.com`                                              | allow   |
+| Resolve dash.cloudflare.com through 1.1.1.1                                               | `00000001-c47f-41f3-b234-d66c82b8d422` | `dash.cloudflare.com`                                              | resolve |
+| Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains | `00000001-1c6c-4793-b48f-799eee6e0e31` | `cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com` | allow   |
+| Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1       | `00000001-8c35-4d7d-9dbb-cb7350375b7b` | `cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com` | resolve |
+| Allow DNS queries for cloudflareaccess.com domain                                         | `00000001-d738-4dad-bac4-1a50201d9503` | `cloudflareaccess.com`                                             | allow   |
+| Resolve cloudflareaccess.com through 1.1.1.1                                              | `00000001-4404-4572-80f6-f7b098909460` | `cloudflareaccess.com`                                             | resolve |
+| Allow DNS queries for blocked.teams.cloudflare.com domain                                 | `00000001-76f4-4438-b8ab-a9da53f4a2f1` | `blocked.teams.cloudflare.com`                                     | allow   |
+| Resolve blocked.teams.cloudflare.com through 1.1.1.1                                      | `00000001-af3c-458f-aeb2-b3bb5d3fe1d5` | `blocked.teams.cloudflare.com`                                     | resolve |
+| Allow DNS queries for developers.cloudflare.com domain                                    | `00000001-4263-4808-8457-4d4329c91f66` | `developers.cloudflare.com`                                        | allow   |
+| Resolve developers.cloudflare.com through 1.1.1.1                                         | `00000001-9f91-4462-9270-78beca5b4dbc` | `developers.cloudflare.com`                                        | resolve |
+| Allow DNS queries for speed.cloudflare.com domain                                         | `00000001-4fc0-4286-b783-6c442adda171` | `speed.cloudflare.com`                                             | allow   |
+| Resolve speed.cloudflare.com through 1.1.1.1                                              | `00000001-ec51-4471-9e78-bd47d46a3002` | `speed.cloudflare.com`                                             | resolve |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -143,10 +143,10 @@ When you turn on **Preserve original path and query string**, Gateway will appen
 cloudflare.com/redirect-path/path/to/page?querystring=Y
 ```
 
-When you turn on both options, Gateway will preserve the original path and query string, then append context policy to the end of the redirect URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:
+When you turn on both options, Gateway will preserve the original path and query string, then append policy context to the end of the redirect URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:
 
-```txt "cloudflare.com/redirect-path" "?querystring=Y" ins="&user_email=user@example.com"
-cloudflare.com/redirect-path/path/to/page?querystring=Y&k=1&user_email=user@example.com
+```txt "cloudflare.com/redirect-path" "?querystring=Y" ins="&cf_user_email=user@example.com"
+cloudflare.com/redirect-path/path/to/page?querystring=Y&k=1&cf_user_email=user@example.com
 ```
 
 ### Isolate

-Original file line number
+Diff line change
 Paths and queries in the redirect URL take precedence over the original URL. When you turn on **Send policy context**, Gateway will append context to the end of the redirected URL. For example, if the original URL is `example.com/path/to/page?querystring=X&k=1` and the redirect URL is `cloudflare.com/redirect-path?querystring=Y`, Gateway will redirect requests to:
 -```txt ins="&user_email[email protected]"
 -cloudflare.com/redirect-path?querystring=Y&user_email[email protected]
 +```txt ins="&cf_user_email[email protected]"
 +cloudflare.com/redirect-path?querystring=Y&cf_user_email[email protected]
 ```
 ### Customize the block page