Add DNS resolution section

maxvp · maxvp · commit d5d3c0ff2087 · 2025-09-08T16:27:41.000-05:00
diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx
@@ -10,9 +10,7 @@ import { Render } from "~/components";
 
 [Cloudflare Gateway](/cloudflare-one/policies/gateway/), our comprehensive Secure Web Gateway, allows you to set up policies to inspect DNS, network, HTTP, and egress traffic.
 
-You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN.
-
-Additionally, you can point the DNS resolver for your Magic WAN networks to the shared IP addresses for the Gateway DNS resolver. When you resolve DNS queries from Magic WAN through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
+You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magic-firewall/) policies (for L3/4 traffic filtering) to Internet-bound traffic or private traffic entering the Cloudflare network via Magic WAN. Additionally, you can configure Gateway to [resolve DNS queries](#dns-resolution) from Magic WAN.
 
 ## HTTPS filtering
 
@@ -34,6 +32,10 @@ If your organization onboards users to Magic WAN via an [on-ramp other than WARP
 | --------- | -------- | ---------------- | -------------- |
 | Source IP | in       | `203.0.113.0/24` | Do Not Inspect |
 
+## DNS resolution
+
+You can configure the DNS resolver for your Magic WAN networks to the shared IP addresses for the Gateway DNS resolver. The Gateway DNS resolver IPs are `172.64.36.1` and `172.64.36.2`. When you resolve DNS queries from Magic WAN through Gateway, Gateway will log the queries with the private source IP. You can use the private source IP to create [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) for queries intended for [internal DNS records](/cloudflare-one/policies/gateway/resolver-policies/#internal-dns).
+
 ## Outbound Internet traffic
 
 By default, the following traffic routed through Magic WAN tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:
