Skip to content

Adding DNS API calls to secure-internet-traffic learning path #18388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 42 commits into from
Feb 11, 2025
Merged

Adding DNS API calls to secure-internet-traffic learning path #18388

Changes from 1 commit
Commits
Show all changes
42 commits
Select commit Hold shift + click to select a range
9279651
Initial code commit
tcerqueira-cf Nov 23, 2024
3c7697a
Fixed typos
tcerqueira-cf Nov 25, 2024
09414ca
Added terraform code
tcerqueira-cf Nov 25, 2024
e3975b6
Fixed typo
tcerqueira-cf Nov 25, 2024
0a78d47
Added API and Terraform code to create the allow list policy
tcerqueira-cf Nov 27, 2024
19c71bf
Added terraform and API code for the All-DNS-Domain-Allowlist rule
tcerqueira-cf Nov 27, 2024
566551a
Fixed JSON capitalization
tcerqueira-cf Nov 27, 2024
2a360ce
Fixed missing import
tcerqueira-cf Nov 27, 2024
5c42de6
Fixed styling issue
tcerqueira-cf Nov 27, 2024
df6ab87
Added API and terraform code for Quarantined users restricted access …
tcerqueira-cf Nov 27, 2024
141c95a
Fixed typo
tcerqueira-cf Nov 27, 2024
f0dc556
Added terraform and API code for the country geolocation block rule
tcerqueira-cf Nov 27, 2024
4ac36e6
Added Terraform and API code for the misuesed TLD block rule
tcerqueira-cf Nov 27, 2024
16c8ba0
Fixed small typo
tcerqueira-cf Nov 27, 2024
f8199f5
Added terraform and API code for the Domain Phishing block rule
tcerqueira-cf Nov 28, 2024
dbf54f2
Added tf and API code for the DNS Resolved IP Blocklist rule
tcerqueira-cf Nov 28, 2024
a061c44
Modified enforce-device-posture partial to add terraform and API code
tcerqueira-cf Nov 28, 2024
1ab4823
Fixed typo
tcerqueira-cf Nov 28, 2024
a15df8f
Fixed typo
tcerqueira-cf Nov 28, 2024
a977605
Fixed small typo
tcerqueira-cf Nov 28, 2024
0adca5b
Fixed typo
tcerqueira-cf Nov 28, 2024
7f40cc7
Merge branch 'production' into origin/tcerqueira/defense-in-depth-api…
maxvp Dec 30, 2024
95be41f
Fix formatting
maxvp Dec 30, 2024
237b683
Merge branch 'production' into origin/tcerqueira/defense-in-depth-api…
maxvp Jan 29, 2025
3192b2f
Adjust formatting
maxvp Feb 6, 2025
3d74ce3
Merge branch 'production' into origin/tcerqueira/defense-in-depth-api…
maxvp Feb 10, 2025
df5d239
Add policy partial and Terraform procedure
maxvp Feb 10, 2025
81ace67
Add dash-plus-api folder
maxvp Feb 10, 2025
ab07e7e
Fix device posture partial
maxvp Feb 10, 2025
0ab52bb
Add block category partials
maxvp Feb 10, 2025
6915edf
Add block application partials
maxvp Feb 10, 2025
13147be
Add TF for application policy
maxvp Feb 11, 2025
5e77ecc
Convert to US spelling
maxvp Feb 11, 2025
29cc080
Decouple blocklist policy
maxvp Feb 11, 2025
e41b92f
Add domain blocklist API calls
maxvp Feb 11, 2025
2a81263
Fix styling and precendece
maxvp Feb 11, 2025
18a7bf2
Move partials into subfolder
maxvp Feb 11, 2025
ef88048
Remove Details tags
maxvp Feb 11, 2025
a4d7333
Fix misc API call styling
maxvp Feb 11, 2025
3cf4b2f
Remove Details tags from all recommended policy pages
maxvp Feb 11, 2025
ad0e381
Add missing network recommended policy
maxvp Feb 11, 2025
9f56295
Update policies to enabled=true
maxvp Feb 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 29 additions & 1 deletion ...ocs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,16 @@ sidebar:
order: 1
---

import { Render } from "~/components";
import { Tabs, TabItem, Render } from "~/components"

DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.

You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/).

To create a new DNS policy:

<Tabs syncKey="dashPlusAPI">
<TabItem label="Dashboard">
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
Expand All @@ -25,3 +27,29 @@ To create a new DNS policy:
6. Select **Create policy**.

For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
</TabItem>
<TabItem label="API">
Copy link
Contributor Author

@tcerqueira-cf tcerqueira-cf Nov 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I investigated if it was possible to add this to the partial referenced for the dashboard (gateway/policies/block-security-categories), however, this partial is being re-used for HTTP and DNS policies. Considering that in the API/Terraform you need different wirefilter expressions for HTTP and DNS, I would love to know if there's a way to modify the partial so that it also contains the API and Terraform code when it's inserted.
Following up on this note, on the DNS policies, the selector is in fact "Security Categories", while in the HTTP tab, the selector is "Security Risks". I'm not sure if this alone warrants for splitting this partial into one that is applied to DNS and another that is applied to HTTP, to which it would then make sense to add the API and TF code for the respective traffic type

Copy link
Contributor Author

@tcerqueira-cf tcerqueira-cf Nov 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Files that reference the mentioned partial:
src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx

Copy link
Contributor

@maxvp maxvp Nov 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can create flexible partials that accept parameters for different use cases (e.g. if a selector is used in both DNS and HTTP policies, you can use either dns or http.conn in the API value depending on the page). Since the API sections are much longer than a string, it may be easier to break them out into their own partials.

To create a new DNS policy using **cURL**:
```sh
curl --request POST \
--url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "All-DNS-SecurityCategories-Blocklist",
"description": "Block known security risks based on Cloudflare's threat intelligence",
"precedence": 2,
"enabled": false,
"action": "block",
"filters": [
"dns"
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"rule_settings": {
"block_page_enabled": true,
"block_reason": "This domain was blocked due to being classified as a security risk to the organisation"
}
}'
```
</TabItem>
</Tabs>
Loading