Skip to content

[Gateway] DNS resolver BYOIP #19183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jan 16, 2025
Merged

[Gateway] DNS resolver BYOIP #19183

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f4b1671
Initial commit
maxvp Jan 10, 2025
2db6efb
Rearrange page
maxvp Jan 10, 2025
eb703cf
Add sections
maxvp Jan 10, 2025
8cf6e34
Add more BYOIP info
maxvp Jan 13, 2025
0a96d99
Add BYOIP links
maxvp Jan 13, 2025
db94fc1
Fix anycast casing
maxvp Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions src/content/docs/byoip/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,17 @@ sidebar:
head:
- tag: title
content: Bringing Your Own IPs to Cloudflare

---

import { LinkButton, Plan } from "~/components"
import { LinkButton, Plan } from "~/components";

<Plan type="enterprise" />

With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with Magic Transit, Spectrum, or CDN services.
With **Bringing Your Own IPs** (BYOIP), Cloudflare announces your IPs in all our locations. Use your IPs with Magic Transit, Spectrum, CDN services, or Gateway DNS.

BYOIP is compatible with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), and [CDN services](/cache/).
BYOIP is compatible with [Magic Transit](/magic-transit/), [Spectrum](/spectrum/), [CDN services](/cache/), and [Gateway DNS](/cloudflare-one/policies/gateway/dns-policies/).

<LinkButton variant="primary" href="/byoip/get-started/">Get started</LinkButton>
{" "}
<LinkButton variant="primary" href="/byoip/get-started/">
Get started
</LinkButton>
30 changes: 17 additions & 13 deletions ...re-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,33 +39,37 @@ flowchart TB
2. Next, if the query was not sent with DNS over HTTPS, Gateway checks whether it was sent over IPv4. If yes, it looks up the DNS location by the source IPv4 address.
3. Last, if the query was not sent over IPv4, it means it was sent over IPv6. Gateway will look up the DNS location associated with the query based on the unique DNS resolver IPv6 address.

## IPv6 address
## IPv4/IPv6 address

When you create a DNS location, your location will receive a unique DNS resolver IPv6 address. This IPv6 address is how Gateway will match DNS queries to locations and apply the appropriate filtering rules.
### Source IP

## IPv4 address
Gateway uses the public source IPv4 address of your network to identify your DNS location, apply policies, and log DNS requests. Unless you have purchased a [dedicated IPv4 resolver IP](#dedicated-dns-resolver-ip), you must provide source IP addresses for the IPv4 traffic you want to filter with DNS policies. Otherwise, Gateway will not be able to attribute the traffic to your account.

### Source IP
If you are on an Enterprise plan, you have the option of manually entering one or more source IP addresses of your choice. This enables you to create Gateway DNS locations even if you are not connecting from any of those networks' IP addresses.

### DNS resolver IP

Gateway uses the public source IPv4 address of your network to identify your DNS location, apply policies and log DNS requests. Unless you have purchased a [dedicated IPv4 resolver IP](#dns-resolver-ip), you must provide source IP addresses for the IPv4 traffic you want to filter with DNS policies. Otherwise, Gateway will not be able to attribute the traffic to your account.
When you create a DNS location, Gateway will resolve queries over IPv4 with the default DNS resolver IP addresses. These addresses are Anycast IP addresses shared across every Cloudflare Zero Trust account. To resolve queries over IPv6, your location will receive and use a unique DNS resolver IPv6 address. These IP addresses are how Gateway will match DNS queries to locations and apply the appropriate filtering rules.
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot Jan 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
When you create a DNS location, Gateway will resolve queries over IPv4 with the default DNS resolver IP addresses. These addresses are Anycast IP addresses shared across every Cloudflare Zero Trust account. To resolve queries over IPv6, your location will receive and use a unique DNS resolver IPv6 address. These IP addresses are how Gateway will match DNS queries to locations and apply the appropriate filtering rules.
When you create a DNS location, Gateway will resolve queries over IPv4 with the default DNS resolver IP addresses. These addresses are anycast IP addresses shared across every Cloudflare Zero Trust account. To resolve queries over IPv6, your location will receive and use a unique DNS resolver IPv6 address. These IP addresses are how Gateway will match DNS queries to locations and apply the appropriate filtering rules.

Issues:

  • Style Guide - (Terms-error) Use 'anycast' instead of 'Anycast'.

Fix Explanation:

The term 'Anycast' should be changed to 'anycast' to comply with the style guide's capitalization rules. This change does not affect code references or templating language syntax, so it is safe to apply.


When creating a DNS location, Zero Trust automatically identifies the source IP address of the network you are on.
#### Dedicated DNS resolver IP

If you are on the Enterprise plan, you have the option of manually entering one or more source IP addresses of your choice. This enables you to create Gateway DNS locations even if you are not connecting from any of those networks' IP addresses.
Enterprise users can request a dedicated DNS resolver IPv4 address to be provisioned for a DNS location instead of the default Anycast addresses. Queries forwarded to that address will be identified using the dedicated DNS resolver IPv4 address.
Copy link
Contributor

@hyperlint-ai hyperlint-ai bot Jan 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Enterprise users can request a dedicated DNS resolver IPv4 address to be provisioned for a DNS location instead of the default Anycast addresses. Queries forwarded to that address will be identified using the dedicated DNS resolver IPv4 address.
Enterprise users can request a dedicated DNS resolver IPv4 address to be provisioned for a DNS location instead of the default anycast addresses. Queries forwarded to that address will be identified using the dedicated DNS resolver IPv4 address.

Issues:

  • Style Guide - (Terms-error) Use 'anycast' instead of 'Anycast'.

Fix Explanation:

The term 'Anycast' should be lowercase 'anycast' as per the style guide recommendation. This is a straightforward capitalization correction.


### DNS resolver IP
Cloudflare will only assign resolver IP addresses to the Zero Trust account you request. For more information on requesting dedicated DNS resolver IPv4 addresses, contact your account team.

#### Bring your own DNS resolver IP

For queries over IPv4, the default DNS resolver IP addresses are anycast IP addresses, and they are shared across every Cloudflare Zero Trust account.
Enterprise users can use their own authority-provided IPv4 and IPv6 addresses as DNS endpoints for a location. Gateway can resolve UDP, TCP, DoT, and DoH queries through the IPv4 addresses provided, as well as UDP and TCP queries through the IPv6 addresses provided.

If you are on the Enterprise plan, you can request a dedicated DNS resolver IPv4 address to be provisioned for a DNS location in lieu of the default anycast addresses. Like IPv6, queries forwarded to that address will be identified using the dedicated DNS resolver IPv4 address.
After you onboard your IP addresses, the IP addresses will appear under the associated endpoint when you create a new DNS location. If you did not provide IP addresses for a specific endpoint type, you can use the default Cloudflare resolver IPs or dedicated resolver IPs alongside your own resolver IPs. For example, if you want to use the IPv6 endpoint but only provided IPv4 addresses, you can use your own resolver IPs for IPv4 and the default Cloudflare IPs for IPv6.

Resolver IP addresses you will only be assigned to the Zero Trust account you request. For more information on requesting dedicated DNS resolver IPv4 addresses, contact your account team.
For more information, refer to [Cloudflare BYOIP](/byoip/) or contact your account team.

## DNS over TLS
## DNS over TLS (DoT)

Each DNS location is assigned a unique hostname for DNS over TLS (DoT). Gateway will identify your location based on its DoT hostname.

## DNS over HTTPS
## DNS over HTTPS (DoH)

Each DNS location is assigned a unique hostname for DNS over HTTPS (DoH). Gateway will identify your location based on its DoH hostname.

Expand Down
6 changes: 2 additions & 4 deletions ...cs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,20 +19,18 @@ You can now apply [DNS policies](/cloudflare-one/policies/gateway/dns-policies/)

### IPv4 and IPv6 DNS

Cloudflare will prefill the [**Source IPv4 Address**](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#source-ip) based on the network you are on. Enterprise users have the option of using [dedicated DNS resolver IP addresses](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) assigned to their account.
Cloudflare will prefill the [**Source IPv4 Address**](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#source-ip) based on the network you are on. Additionally, Enterprise users can use [dedicated DNS resolver IP addresses](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) assigned to their account or [resolver IP addresses they provide (BYOIP)](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip).

You do not need to configure the IPv4 DNS endpoint if:

- Your network only uses IPv6.
- Your users will send all DNS requests from this location using [DNS over HTTPS](#dns-over-https-doh) via a browser.
- You will deploy the [WARP client](/cloudflare-one/connections/connect-devices/warp/).

:::note[Your IPv4 address is taken]

:::note[Your IPv4 address is taken error]
When you try to configure a DNS location over IPv4, Gateway may display a **Your source IPv4 address is taken** error. This may mean someone else in the same network configured Gateway before you did. If your network supports IPv6, you can still use Gateway's DNS filtering by sending DNS queries over IPv6. You can also use the DNS over HTTPS hostname to send queries using a DNS over HTTPS client.

If you think someone else is wrongfully using this IPv4 address, [contact Cloudflare support](/support/contacting-cloudflare-support/#getting-help-with-an-issue).

:::

### DNS over TLS (DoT)
Expand Down
Loading