diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
index 82777d2468f5c7..07cef2adcbd1af 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx
@@ -8,7 +8,7 @@ head:
content: Common DNS policies
---
-import { Render, Tabs, TabItem } from "~/components";
+import { Render, Tabs, TabItem, APIRequest } from "~/components";
The following policies are commonly used to secure DNS traffic.
@@ -68,6 +68,62 @@ The categories included in this policy are not always a security threat, but blo
product="cloudflare-one"
/>
+## Block a dynamic list of categories
+
+You can add a list of category IDs to the [EDNS header](https://datatracker.ietf.org/doc/html/rfc6891) of a request sent to Gateway as a JSON object using OPT code `65050`. For example:
+
+```json
+{
+ "categories": [2, 67, 125, 133]
+}
+```
+
+With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories.
+
+
+
+| Selector | Operator | Value | Action |
+| ------------------------ | -------- | ------- | ------ |
+| Request Context Category | is | _Present_ | Block |
+
+
+
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+ "name": "All-DNS-Bock-Category-Matches-In-Request",
+ "description": "Block all category matches in the request EDNS context",
+ "enabled": true,
+ "action": "block",
+ "filters": [
+ "dns"
+ ],
+ "traffic": "dns.categories_in_request_context_matches",
+ "identity": ""
+}'
+```
+
+
+
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
+ account_id = var.cloudflare_account_id
+ name = "All-DNS-Bock-Category-Matches-In-Request"
+ description = "Block all category matches in the request EDNS context"
+ enabled = true
+ action = "block"
+ filters = ["dns"]
+ traffic = "dns.categories_in_request_context_matches"
+ identity = ""
+}
+```
+
+
+
## Block unauthorized applications
diff --git a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
index 5f16451a0b7ad1..add8e649db2f16 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx
@@ -63,6 +63,7 @@ API value: `allow`
- [Resolved Continent IP Geolocation](#resolved-continent)
- [Resolved Country IP Geolocation](#resolved-country)
- [Resolved IP](#resolved-ip)
+- [Request Context Categories](#request-context-categories)
- [Security Categories](#security-categories)
- [Source Continent IP Geolocation](#source-continent)
- [Source Country IP Geolocation](#source-country)
@@ -114,6 +115,7 @@ API value: `block`
- [Resolved Continent IP Geolocation](#resolved-continent)
- [Resolved Country IP Geolocation](#resolved-country)
- [Resolved IP](#resolved-ip)
+- [Request Context Categories](#request-context-categories)
- [Security Categories](#security-categories)
- [Source Continent IP Geolocation](#source-continent)
- [Source Country IP Geolocation](#source-country)
@@ -392,6 +394,14 @@ Use this selector to filter based on the IP addresses that the query resolves to
| ----------- | ------------------------------------------ | -------------------- |
| Resolved IP | `any(dns.resolved_ips[*] == 198.51.100.0)` | After DNS resolution |
+### Request Context Categories
+
+Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`.
+
+| UI name | API example | Evaluation phase |
+| -------------------------- | ------------------------------------------- | --------------------- |
+| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution |
+
### Security Categories