Commit b26a732

Apply suggestions from code review
Co-authored-by: Denise Peña <[email protected]>
1 parent 4ca9550 commit b26a732

File tree: 1 file changed (+12 -8 lines changed)


src/content/docs/reference-architecture/diagrams/sase/gateway-for-protective-dns.mdx

Lines changed: 12 additions & 8 deletions
@@ -13,7 +13,7 @@ updated: 2024-12-19
1313

1414
Protective DNS services are security services that analyze DNS queries and block access to malicious websites and other harmful online content. As technology becomes increasingly vital for public sector operations, government departments are looking to adopt these cybersecurity services to bolster incident detection and response, and to build more resilient enterprise networks. Traditionally, deploying this type of solution posed significant challenges due to the reliance on legacy systems that required costly on-premises hardware. This makes it difficult to deploy and manage, and introduces post-deployment struggles with scalability and availability.
1515

16-
Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), Government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies.
16+
Today, these limitations can be addressed through cloud-based solutions like [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our Secure Web Gateway service. Cloudflare Gateway's DNS filtering capabilities allow administrators to offer enhanced security. With easy-to-create policies backed by Cloudflare's [extensive threat intelligence](https://www.cloudflare.com/en-gb/security/), government agencies can effectively safeguard their end users from accessing potentially [harmful domains](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Additionally, agencies can further strengthen these defenses by [integrating their own threat intelligence data](https://developers.cloudflare.com/security-center/indicator-feeds/) into the policies.
1717

1818
Finally, Cloudflare Gateway eliminates concerns around availability, performance, and scalability, as it is built on [Cloudflare's 1.1.1.1 public DNS resolver](/1.1.1.1/), one of the [fastest](https://www.dnsperf.com/#!dns-providers) and most widely used DNS resolvers in the world.
1919
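Review bot: In the rewritten line 16, the two threat-intelligence links are absolute URLs (`https://www.cloudflare.com/en-gb/security/` and `https://developers.cloudflare.com/security-center/indicator-feeds/`) while every other link in this file is site-relative, and the `en-gb` locale pins readers to the UK version of that page. Since the line is already being touched for the "government" capitalization fix, switch them to `https://www.cloudflare.com/security/` (the form used on line 32 of this same file) and `/security-center/indicator-feeds/` (the form used on line 34).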

@@ -29,7 +29,7 @@ IT administrators forward public DNS requests to Cloudflare where they are filte
2929

3030
To distinguish queries originating from the government departments and agencies they are responsible for, admins configure a location in the Cloudflare dashboard. When a DNS location is created, Gateway assigns IPv4/IPv6 addresses and DNS over TLS/HTTPS (DoT/DoH) hostnames for that location. These IP addresses and hostnames are then used by the admins to send DNS queries for resolution. In turn, the administrator configures the location object with the public IP addresses of their on-premises DNS servers, allowing Cloudflare to accurately associate queries with the corresponding location.
3131

32-
DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with 0.0.0.0 for IPv4 queries or :: for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an [Override](/cloudflare-one/policies/gateway/dns-policies/#override) action can redirect the DNS query to a block page hosted by the government agency.
32+
DNS filtering is then enforced through policies set up by the administrator to detect domains linked to [security risks](/cloudflare-one/policies/gateway/domain-categories/#security-categories). Cloudflare continuously updates the list of high risk domains using [its extensive threat intelligence](https://www.cloudflare.com/security/). When a DNS query matches a flagged domain, the corresponding action specified in the DNS policy is executed. This action can be a '[Block](/cloudflare-one/policies/gateway/dns-policies/#block),' where Gateway responds with `0.0.0.0` for IPv4 queries or `::` for IPv6 queries, or displays a [custom block page hosted by Cloudflare](/cloudflare-one/policies/gateway/block-page/). Alternatively, an [Override](/cloudflare-one/policies/gateway/dns-policies/#override) action can redirect the DNS query to a block page hosted by the government agency.
3333

3434
Cloudflare's own threat intelligence can be seamlessly integrated with threat intelligence data provided by the agency or third-party sources. In this setup, the agency or the third-party entity acts as a [threat feed provider](/security-center/indicator-feeds/) to Cloudflare. This enables IT admins to create DNS policies that combine Cloudflare's security risk categories with the data sourced by the agency, for a unified and enhanced security posture (see diagram below). Additionally, [publicly available custom indicator feeds](/security-center/indicator-feeds/#publicly-available-feeds) can be accessed by eligible public and private sector organizations without the need to establish a provider relationship, further expanding security capabilities.
3535
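Review bot: The backticks around `0.0.0.0` and `::` are the right fix; while touching line 32, drop the stray straight quotes around '[Block]', since the parallel [Override] link two sentences later is not quoted, and hyphenate "high-risk domains". The clause "or displays a custom block page" also reads as if the resolver renders a page: at the DNS layer Gateway can only answer the query, so phrasing it as the query resolving to the Cloudflare-hosted block page would be more accurate.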

@@ -51,7 +51,7 @@ The device agent is compatible with the [leading desktop and mobile operating sy
5151

5252
### Additional controls
5353

54-
To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domains policies. By setting these policies with [lower precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains.
54+
To achieve more precise control over which domains are allowed or blocked, the administrator can configure additional Allowed Domain and Blocked Domain policies. By setting these policies with [lower precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) than the Security Risks policy, the agency can override the Security Risks policy for specific domains.
5555

5656
To streamline the management of allowed and blocked domains, use [lists](/cloudflare-one/policies/gateway/lists/). Lists are easily updated through the dashboard or via [APIs](/api/operations/zero-trust-lists-update-zero-trust-list), making policy adjustments more efficient.
5757
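Review bot: The singular "Blocked Domain" is correct, but "lower precedence" on line 54 is ambiguous for readers: in Gateway, a policy with a lower precedence value is evaluated first, and that earlier evaluation is what lets an Allow or Block policy override the Security Risks policy for a given domain. Suggest "a lower precedence value (so they are evaluated before the Security Risks policy)".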

@@ -61,7 +61,11 @@ To streamline the management of allowed and blocked domains, use [lists](/cloudf
6161

6262
One of the key advantages of adopting Cloudflare Gateway as a protective DNS service is the enhanced visibility it provides IT administrators into existing and emerging threats impacting governmental departments and agencies. All DNS queries sent to Cloudflare Gateway are logged, and when an identity is associated with a query, it is mapped to the corresponding user in the logs.
6363

64-
:::note[Note]The ability to view personally identifiable information (PII) in Cloudflare Gateway logs is a [role-based permission](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) that can be selectively assigned to IT administrators.:::
64+
:::note[Note]
65+
66+
The ability to view personally identifiable information (PII) in Cloudflare Gateway logs is a [role-based permission](/cloudflare-one/roles-permissions/#cloudflare-zero-trust-pii) that can be selectively assigned to IT administrators.
67+
68+
:::
6569

6670
These logs are accessible directly through [Cloudflare's dashboard](/cloudflare-one/insights/logs/gateway-logs/) or can be exported to external systems for further analysis via [Logpush](/cloudflare-one/insights/logs/logpush/). Cloudflare also offers robust analytics capabilities, empowering IT administrators to detect trends and identify indicators of compromise. A built-in analytics dashboard is available in [Cloudflare's dashboard](/cloudflare-one/insights/analytics/gateway/), and custom dashboards can be created using any GraphQL-compatible tool using [Cloudflare's GraphQL API](/analytics/graphql-api/).
6771
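Review bot: Splitting the aside onto its own lines is the right fix for the MDX renderer, but `:::note[Note]` sets a custom title equal to the default one for a note aside; if the site uses the standard aside component, `:::note` alone produces the same heading and avoids the redundant label.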

@@ -73,17 +77,17 @@ When inspecting HTTP traffic, Cloudflare prevents interference by decrypting, in
7377

7478
### Threat protection
7579

76-
When Cloudflare Gateway is doing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet:
77-
- **Anti-virus scanning (AV):** users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) in real time to detect malicious content.
78-
- **Sandboxing:** for files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected.
80+
When Cloudflare Gateway is performing HTTP inspection, it extends protection beyond DNS security by enabling additional capabilities to safeguard users as they browse the Internet:
81+
- **Anti-virus scanning (AV):** Users are protected when downloading or uploading files to or from the Internet. [Files are scanned](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/) in real time to detect malicious content.
82+
- **Sandboxing:** For files not previously seen, Cloudflare Gateway can [quarantine them in a secure sandbox environment for analysis](/cloudflare-one/policies/gateway/http-policies/file-sandboxing/). In this sandbox, Cloudflare monitors the file's actions and compares them against known malware patterns. Files are only released to users if no malicious content is detected.
7983
- **Remote Browser Isolation (RBI):** [Isolation policies](/cloudflare-one/policies/browser-isolation/) can be configured to safeguard users when accessing potentially risky websites. For example, [if a user attempts to visit a newly seen domain that triggers an isolation policy](/cloudflare-one/policies/browser-isolation/isolation-policies/), the website's active content is executed in a secure, isolated browser hosted in the nearest Cloudflare data center. This ensures that zero-day attacks and malware are mitigated before they can impact the user. This remote browsing experience is seamless and transparent, allowing users to continue using their preferred browsers and workflows. Every browser tab and window is automatically isolated, and sessions are deleted when closed.
8084

8185
### Data protection
8286

8387
In addition to threat protection, Cloudflare Gateway enables the implementation of robust data protection policies during HTTP inspection, including:
8488
- **File upload controls:** Administrators can enforce policies that monitor and [restrict file uploads](/cloudflare-one/policies/gateway/http-policies/#download-and-upload-file-types) to the Internet, preventing the inadvertent sharing of sensitive data.
8589
- **Data Loss Prevention (DLP):** [DLP policies](/cloudflare-one/policies/data-loss-prevention/) can be deployed to identify and block unauthorized sharing of confidential or classified information. For more details, see [securing data in transit](/reference-architecture/diagrams/security/securing-data-in-transit/).
86-
- **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/policies/browser-isolation/) can enforce [user action restrictions](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, see [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/).
90+
- **Remote Browser Isolation (RBI):** Beyond threat protection, [isolation policies](/cloudflare-one/policies/browser-isolation/) can enforce [user action restrictions](/cloudflare-one/policies/browser-isolation/isolation-policies/#policy-settings), such as disabling copy/paste functionality or keyboard inputs, to safeguard sensitive information. For additional information, refer to [securing data in use](/reference-architecture/diagrams/security/securing-data-in-use/).
8791

8892
## Adopting Cloudflare Gateway as Secure Web Gateway
8993
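Review bot: The "see" to "refer to" edit on line 90 leaves the sibling DLP bullet on unchanged line 89 ("For more details, see [securing data in transit]") with the old wording, so two adjacent bullets in the same list now disagree; apply the same change there. The capitalization after the bold labels on lines 81-82 is consistent with the RBI bullet on line 83, which already starts uppercase.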
