From 29d06b61d14b3f6ddf798abb75ce494ca84cad5d Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 17:08:14 -0500 Subject: [PATCH 1/3] Add iCloud partial --- .../agentless/dns/locations/index.mdx | 1 - .../policies/gateway/dns-policies/index.mdx | 2 +- .../cloudflare-one/gateway/add-locations.mdx | 22 +++++-------------- .../gateway/third-party-warning.mdx | 7 ++++++ 4 files changed, 13 insertions(+), 19 deletions(-) create mode 100644 src/content/partials/cloudflare-one/gateway/third-party-warning.mdx diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx index 0609d7584b6f002..054cf3cecf10d65 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx @@ -11,7 +11,6 @@ import { GlossaryDefinition, Render } from "~/components"; 10. Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI. - 11. Select **Go to DNS Location**. Your location will appear in your list of locations. You can now apply [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to your location using the [Location selector](/cloudflare-one/policies/gateway/dns-policies/#location). diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx index 154070686953d49..2bba69824437559 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx 
@@ -426,7 +426,7 @@ Use this selector to filter based on the country where the query arrived to Gate ### Third-party filtering conflict -Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay](https://support.apple.com/102602). To ensure your DNS policies apply to your traffic, we recommend restricting software that may interfere with Gateway. + ### Magic WAN forwarding diff --git a/src/content/partials/cloudflare-one/gateway/add-locations.mdx b/src/content/partials/cloudflare-one/gateway/add-locations.mdx index 95408224820758e..6f0f8fbe2f10787 100644 --- a/src/content/partials/cloudflare-one/gateway/add-locations.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-locations.mdx @@ -1,9 +1,8 @@ --- {} - --- -import { GlossaryDefinition, GlossaryTooltip } from "~/components" +import { GlossaryDefinition, GlossaryTooltip } from "~/components"; 
@@ -12,26 +11,15 @@ The fastest way to start filtering DNS queries from a location is by changing th To add a DNS location to Gateway: 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **DNS Locations**. - 2. Select **Add a location**. - 3. Choose a name for your DNS location. - 4. Choose at least one [DNS endpoint](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#dns-endpoints) to resolve your organization's DNS queries. - 5. (Optional) Toggle the following settings: - - * **Enable EDNS client subnet** sends a user's IP geolocation to authoritative DNS nameservers. EDNS Client Subnet (ECS) helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy preserving way by not sending the user's exact IP address but rather a `/24` range which contains their IP address. - - * **Set as Default DNS Location** sets this location as the default DoH endpoint for DNS queries. - + - **Enable EDNS client subnet** sends a user's IP geolocation to authoritative DNS nameservers. EDNS Client Subnet (ECS) helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy preserving way by not sending the user's exact IP address but rather a `/24` range which contains their IP address. + - **Set as Default DNS Location** sets this location as the default DoH endpoint for DNS queries. 6. Select **Continue**. - 7. (Optional) Turn on source IP filtering for your configured endpoints, then add any source IPv4/IPv6 addresses to validate. - - * Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses. - * **DoH endpoint filtering & authentication** lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses. - + - Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses. 
+ - **DoH endpoint filtering & authentication** lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses. 8. Select **Continue**. - 9. Review the settings for your DNS location, then choose **Done**. diff --git a/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx b/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx new file mode 100644 index 000000000000000..3bf7a3e098fe993 --- /dev/null +++ b/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx @@ -0,0 +1,7 @@ +--- +{} +--- + +Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay](https://support.apple.com/102602). To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway. + +To turn off iCloud Private Relay, refer to the Apple user guides for [Mac](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/mac) or [iPhone](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/ios). From e0a5aec5bd250706f50026b257d40cd7fe5771f0 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 17:12:07 -0500 Subject: [PATCH 2/3] Add locations limitations --- .../agentless/dns/locations/index.mdx | 12 ++++++++++-- .../gateway-onboarding/gateway-locations.mdx | 11 ++++++++--- .../gateway/add-locations-static-ip-warning.mdx | 7 ------- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx index 054cf3cecf10d65..ef5ff7f4dc44bb8 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx @@ -15,8 +15,6 @@ import { GlossaryDefinition, Render } from "~/components"; You can now apply [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to your location using the [Location selector](/cloudflare-one/policies/gateway/dns-policies/#location). - - ## DNS endpoints ### IPv4 and IPv6 DNS @@ -48,3 +46,13 @@ For more information, refer to [DNS over TLS](/cloudflare-one/connections/connec Gateway requires a DoH endpoint for default DNS locations. For more information, refer to [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/). + +## Limitations + +### Captive portals + + + +### Third-party filtering + + diff --git a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-locations.mdx b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-locations.mdx index 60ae9b0ad69b1a2..911d6ed6e67f07c 100644 --- a/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-locations.mdx +++ b/src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-locations.mdx @@ -3,11 +3,16 @@ title: Gateway locations pcx_content_type: learning-unit sidebar: order: 2 - --- -import { Render } from "~/components" +import { Render } from "~/components"; - +:::caution[Captive portal limitation] + + +::: diff --git a/src/content/partials/cloudflare-one/gateway/add-locations-static-ip-warning.mdx b/src/content/partials/cloudflare-one/gateway/add-locations-static-ip-warning.mdx index bcdc203d832070b..92e095307b31691 100644 --- a/src/content/partials/cloudflare-one/gateway/add-locations-static-ip-warning.mdx +++ b/src/content/partials/cloudflare-one/gateway/add-locations-static-ip-warning.mdx 
@@ -1,11 +1,7 @@ --- {} - --- -:::caution[Captive portal limitation] - - Deploying Gateway DNS filtering using static IP addresses may prevent users from connecting to public Wi-Fi networks through captive portals. If users are experiencing connectivity issues related to captive portals, they should: 1. Remove the static IP addresses from the device. @@ -13,6 +9,3 @@ Deploying Gateway DNS filtering using static IP addresses may prevent users from 3. Once the connection has been established, add the static IP addresses back. To avoid this issue, use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to connect your devices to Cloudflare Zero Trust. - - -::: From 3fff9fecd69c8b361500da193b7d133ab62ab0bf Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 17:16:02 -0500 Subject: [PATCH 3/3] Add warning to block page --- .../docs/cloudflare-one/policies/gateway/block-page.mdx | 6 ++++++ .../partials/cloudflare-one/gateway/third-party-warning.mdx | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index 43d80ee5f1b2d7c..651b2e07dcf690a 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx @@ -13,6 +13,12 @@ Configuring a custom block page in Zero Trust helps avoid this confusion. Your b Gateway supports custom block pages for DNS and HTTP policies. +:::caution[Third-party filtering conflict] + + + +::: + ## Prerequisites In order to display the block page as the URL of the blocked domain, your devices must have the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). 
diff --git a/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx b/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx index 3bf7a3e098fe993..809dcbf0d56b96d 100644 --- a/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx +++ b/src/content/partials/cloudflare-one/gateway/third-party-warning.mdx @@ -4,4 +4,4 @@ Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay](https://support.apple.com/102602). To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway. -To turn off iCloud Private Relay, refer to the Apple user guides for [Mac](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/mac) or [iPhone](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/ios). +To turn off iCloud Private Relay, refer to the Apple user guides for [macOS](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/) or [iOS](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/).
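Review bot: In the first patch's `dns-policies/index.mdx` hunk (`@@ -426,7 +426,7 @@`), the line that replaces the removed "Gateway will not properly filter traffic..." paragraph under `### Third-party filtering conflict` carries no visible content, which would leave that heading empty on the rendered page. If the replacement is meant to be a `<Render>` of the new `third-party-warning` partial, check that the include survived and that `Render` is imported in this file; the hunk context shows neither, unlike `locations/index.mdx`, whose context line does show `import { GlossaryDefinition, Render } from "~/components";`.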
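Review bot: The same empty-body problem appears in the second patch, in the `locations/index.mdx` hunk `@@ -48,3 +46,13 @@` (`## Limitations`, `### Captive portals`, `### Third-party filtering` are each followed only by blank `+` lines) and in the `gateway-locations.mdx` hunk, where `:::caution[Captive portal limitation]` opens and `:::` closes with nothing between them. Confirm the partial includes for the static IP warning and the third-party warning are actually present in both files before merge, otherwise the new Limitations section and the caution box render as empty shells. While here, the heading reads `### Third-party filtering` in this file but `### Third-party filtering conflict` in `dns-policies/index.mdx` and `Third-party filtering conflict` in the block-page caution; pick one wording so the three references to the same partial match.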
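Review bot: In the second patch's `add-locations-static-ip-warning.mdx` hunk, dropping the `:::caution[Captive portal limitation]` / `:::` wrapper from the partial changes how every page that includes it renders, not only the two touched here: `gateway-locations.mdx` re-wraps it in a caution, but the new `### Captive portals` heading in `locations/index.mdx` does not, so the same text is a warning callout on one page and plain body text on another. If that difference is intentional, fine; if not, either keep the callout in the partial or wrap it on the locations page too, and grep for any other `Render` of this partial that now loses its callout silently.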
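Review bot: In the third patch's `block-page.mdx` hunk (`@@ -13,6 +13,12 @@`), the partial dropped into `:::caution[Third-party filtering conflict]` says "To ensure your DNS policies apply to your traffic", but the sentence directly above the insertion point states "Gateway supports custom block pages for DNS and HTTP policies", so the caution reads narrower than the page it sits on. Either generalise the partial's wording to Gateway policies, or, if the conflict really only affects DNS policies, say so in the callout so readers of the HTTP block-page material are not left guessing whether it applies to them. The hunk context also shows no `import { Render }` line for `block-page.mdx`; make sure one already exists further up the file.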
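Review bot: In the third patch's `third-party-warning.mdx` hunk, the two Apple URLs lose their trailing `/mac` and `/ios` path segments at the same time as the link text changes from Mac/iPhone to macOS/iOS. The first patch in this series added the links with the full paths, so please confirm the shortened URLs resolve (or redirect cleanly) rather than relying on the link text change alone; a broken "how to turn it off" link in a filtering-bypass warning is the one link users will actually follow.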
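Review bot: In the first patch's `add-locations.mdx` hunk (`@@ -12,26 +11,15 @@`), removing the blank lines between the numbered steps turns a loose Markdown list into a tight one, which changes paragraph spacing around the sub-bullets under steps 5 and 7; the `*` to `-` bullet change and the added semicolon on the import are consistent with the other files in the series, but the list-tightening should be checked in the rendered preview, since the step text itself is unchanged and the only effect of this hunk is presentation.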