[Gateway] Generic DoT/DoH endpoints (#20570)

maxvp · web-flow · commit 9b09b2d926e8 · 2025-03-06T17:46:58.000-05:00
* Add new DoT instructions

* Remove limitation section

* Add generic DoT procedure

* Refine values

* Add DoH procedure

* Add generic DoH endpoint

* More specific wording
diff --git a/src/assets/images/cloudflare-one/connections/get-unique-subdomain.png b/src/assets/images/cloudflare-one/connections/get-unique-subdomain.png
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https.mdx
@@ -13,7 +13,7 @@ Location-based policies require that you send DNS requests to a [location-specif
 
 ## Filter DoH requests by location
 
-Location-based policies require that you send DNS requests to a unique <GlossaryTooltip term="DoH subdomain">DoH endpoint</GlossaryTooltip> assigned to the location:
+Location-based policies require that you send DNS queries to a unique <GlossaryTooltip term="DoH subdomain">DoH endpoint</GlossaryTooltip> assigned to the location:
 
 ```txt
 https://<YOUR_DOH_SUBDOMAIN>.cloudflare-gateway.com/dns-query
@@ -105,6 +105,17 @@ For more information, refer to [Microsoft's DoH guide](https://learn.microsoft.c
 
 </Details>
 
+### Use generic DoH endpoint
+
+You can send DoH requests to the generic Cloudflare DoH endpoint, `dns.cloudflare-gateway.com`. To specify a location in your request, include a header named `cf-dns-location` with a value of your location's DoH subdomain. For example:
+
+```http
+GET /dns-query?name=example.com&type=A HTTP/2
+Host: dns.cloudflare-gateway.com
+cf-dns-location: 9y65g5srsm
+Accept: application/dns-message
+```
+
 ## Filter DoH requests by user
 
 In order to filter DoH queries based on user identity, each query must include a user-specific authentication token. If you have several devices per user and want to apply device-specific policies, you will need to map each device to a different email.
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-tls.mdx
@@ -7,35 +7,40 @@ sidebar:
 
 By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
 
-Cloudflare supports DoT on standard port `853` and is compliant with [RFC7858](https://tools.ietf.org/html/rfc7858).
+Cloudflare supports DoT on standard port `853` over TLS 1.2 and TLS 1.3 in compliance with [RFC7858](https://tools.ietf.org/html/rfc7858).
 
-## 1. Obtain your DoT hostname
+## Configure DoT queries
+
+### 1. Obtain your DoT hostname
 
 Each Gateway DNS location has a unique DoT hostname. DNS locations and corresponding DoT hostnames have policies associated with them.
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **DNS locations**.
-2. If you have more than one location set up, you will see a list of all your locations.
-3. Expand the location card for the location whose DoT hostname you'd like to retrieve.
-4. Get the **DoT hostname** for the location.
-
-In the example below, the DoT hostname is: `9y65g5srsm.cloudflare-gateway.com`.
+2. [Add a new location](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) or select an existing location from the list.
+3. Under **DoT endpoint**, copy the value in **DoT addresses**.
 
-![Getting the DoT hostname for a DNS location from the dashboard](~/assets/images/cloudflare-one/connections/get-unique-subdomain.png)
+The DoT hostname contains your unique location name. For example, if the DoT hostname is `9y65g5srsm.cloudflare-gateway.com`, the location name is `9y65g5srsm`.
 
-Next, configure your DoT client with the DoT hostname.
+### 2. Configure your DoT client
 
-## 2. Configure your DoT client
+To configure a DoT client such as `dig`, specify the IP address and the DoT hostname for your location in your query. For example:
 
-Depending on your operating system, you can choose from a variety of standalone DoT clients.
+```txt
+Hostname: 9y65g5srsm.cloudflare-gateway.com
+IP address: 162.159.36.5
+```
 
-To configure your DoT client, enter the following IP address and the DoT hostname for your location (for example, `9y65g5srsm.cloudflare-gateway.com`):
+Alternatively, you can use the generic DoT endpoint (`dns.cloudflare-gateway.com`) and include an `OPT` record with code `65011`. You can select a specific location for the value of the `OPT` record. For example:
 
 ```txt
-Hostname: <DoT hostname>
+Hostname: dns.cloudflare-gateway.com
 IP address: 162.159.36.5
+OPT Record:
+  - Code: 65011
+  - Value: 9y65g5srsm
 ```
 
-Alternatively, stub resolvers (e.g., Unbound) support DoT natively. An example configuration is shown below.
+Some stub resolvers support DoT natively. For example, you can configure Unbound to send a DoT query:
 
 ```txt
 # Unbound TLS Config
@@ -44,15 +49,6 @@ tls-cert-bundle: "/etc/ssl/cert.pem"
 forward-zone:
  name: "."
  forward-tls-upstream: yes
- forward-addr: 172.64.36.1@853#9y65g5srsm.cloudflare-gateway.com
- forward-addr: <IPv6 address>#<DoT hostname>
+ forward-addr: 162.159.36.5@853#9y65g5srsm.cloudflare-gateway.com
+ forward-addr: 2001:db8:abcd::1234#9y65g5srsm.cloudflare-gateway.com
 ```
-
-:::note
-
-Each DNS location has a unique DoT hostname and IPv6 address. Remember to substitute your location's values into the `<IPv6 address>` and `<DoT hostname>` fields.
-:::
-
-## Supported TLS versions
-
-Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2.
