Merged
Expand Up @@ -45,6 +45,23 @@ For more information, refer to [DNS over TLS](/cloudflare-one/connections/connec

Gateway requires a DoH endpoint for default DNS locations. For more information, refer to [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/).

## Secure DNS locations

Secure DNS locations provide additional protection against malicious domains for use in services such as [protective DNS (PDNS)](/reference-architecture/diagrams/sase/gateway-for-protective-dns/). For a DNS location to be considered secure, Gateway requires that:

- Your IPv4 and IPv6 endpoints use your [BYOIP addresses](/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) (if any).
- [Source network filtering](/cloudflare-one/policies/gateway/network-policies/) is configured for your IPv4, IPv6, and DoT endpoints.
- Source network filtering or token authentication are configured for your DoH endpoints.
- Any enabled endpoints for a DNS location meet security permissions.

You can assign users the [**Cloudflare Zero Trust DNS Locations Write** role](/cloudflare-one/roles-permissions/#zero-trust-roles) to grant them the permission to create and edit secure DNS locations. To allow users to view locations, you must also assign the **Cloudflare Zero Trust Read Only** role. Users with these roles can view any DNS location, but can only create or edit secure locations.

Roles that supersede **Cloudflare Zero Trust DNS Locations Write** include:

- Cloudflare Gateway
- Cloudflare Zero Trust
- Super Administrator

## Limitations

### Captive portals
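Review bot: The new "Secure DNS locations" section has two wording problems and one unanswered question. In the third bullet, "Source network filtering or token authentication are configured for your DoH endpoints" should read "is configured" (an "or" subject takes a singular verb). The fourth bullet, "Any enabled endpoints for a DNS location meet security permissions", is vague: "security permissions" is not defined anywhere on the page, and it is unclear whether this bullet restates the three preceding requirements or adds a fourth one. Suggest either dropping it or rewriting it as "Every enabled endpoint for the location meets the requirements above; a location with one unprotected endpoint is not considered secure." Finally, the paragraph on roles says users with **Cloudflare Zero Trust DNS Locations Write** need **Cloudflare Zero Trust Read Only** to view locations, which should be reconciled with the roles table in the second file of this PR (see the note there).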
27 changes: 14 additions & 13 deletions src/content/docs/cloudflare-one/roles-permissions.mdx
Expand Up @@ -13,19 +13,20 @@ To check the list of members in your account, or to manage roles and permissions

Only Super Administrators will be able to assign or remove the following roles from users in their account. Scroll to the right to see a full list of permissions for each role.

| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | Billing Read | Billing Edit | DEX Read | DEX Edit |
| ------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ------------ | ------------ | -------- | -------- |
| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Zero Trust | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |

:::note
The Cloudflare Zero Trust role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security.
:::
| | Access Read | Access Edit | Gateway Read | Gateway Edit | Gateway Report | DNS Location Read | DNS Location Edit | Billing Read | Billing Edit | DEX Read | DEX Edit |
| --------------------------------------------- | ----------- | ----------- | ------------ | ------------ | -------------- | ----------------- | ----------------- | ------------ | ------------ | -------- | -------- |
| Super Administrator | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Cloudflare Zero Trust[^1] | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Cloudflare Access | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Gateway | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Read Only | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Zero Trust Reporting | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ |
| Cloudflare Zero Trust DNS Locations Write[^2] | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Cloudflare DEX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |

[^1]: The **Cloudflare Zero Trust** role grants administrator access to all Zero Trust products including Access, Gateway, WARP, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email Security.

[^2]: Users with the **Cloudflare Zero Trust DNS Locations Write** role can view all DNS locations for an organization but can only create and edit [secure DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#secure-dns-locations).

### Cloudflare Zero Trust PII
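Review bot: The new row "Cloudflare Zero Trust DNS Locations Write[^2]" grants DNS Location Read ✅, and footnote [^2] says users with this role "can view all DNS locations", but the locations page in this same PR says that to allow these users to view locations "you must also assign the **Cloudflare Zero Trust Read Only** role". One of the two is wrong: either the Read column for this row should be ❌ (with [^2] reworded to say viewing requires an additional role), or the sentence on the locations page should be removed. Please also confirm the intent behind this row having Gateway Read ❌ while DNS locations are a Gateway feature; if the role deliberately cannot open the Gateway section of the dashboard, a short clause in [^2] saying so would stop readers from filing this as a bug. Minor: the old `:::note` became footnote [^1], which renders at the bottom of the page rather than beside the table; if the product-coverage list is important enough to show inline, keep it as a note and use footnotes only for the new row.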
