Merged
Changes from 8 commits
Expand Up @@ -8,7 +8,7 @@ head:
content: Common DNS policies
---

import { Render, Tabs, TabItem } from "~/components";
import { Render, Tabs, TabItem, APIRequest } from "~/components";

The following policies are commonly used to secure DNS traffic.

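Review bot: `APIRequest` is added to the import on the `import { Render, Tabs, TabItem, APIRequest } from "~/components";` line, but the API tab added further down in this same file still uses a fenced `bash` curl block rather than the `<APIRequest>` component, so the import is unused as the hunk stands. Either switch the API example to `<APIRequest>` or leave the import line unchanged.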
Expand Down Expand Up @@ -68,6 +68,62 @@ The categories included in this policy are not always a security threat, but blo
product="cloudflare-one"
/>

## Block a dynamic list of categories

You can add a list of category IDs to the [EDNS header](https://datatracker.ietf.org/doc/html/rfc6891) of a request sent to Gateway as a JSON object using OPT code `65050`. For example:

```json
{
"categories": [2, 67, 125, 133]
}
```

With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories.

<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">

| Selector | Operator | Value | Action |
| ------------------------ | -------- | ------- | ------ |
| Request Context Category | is | Present | Block |

</TabItem>
<TabItem label="API">

```bash
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--data '{
"name": "All-DNS-Bock-Category-Matches-In-Request",
"description": "Block all category matches in the request EDNS context",
"enabled": true,
"action": "block",
"filters": [
"dns"
],
"traffic": "dns.categories_in_request_context_matches",
"identity": ""
}'
```

</TabItem>
<TabItem label="Terraform">

```tf
resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
account_id = var.cloudflare_account_id
name = "All-DNS-Bock-Category-Matches-In-Request"
description = "Block all category matches in the request EDNS context"
enabled = true
action = "block"
filters = ["dns"]
traffic = "dns.categories_in_request_context_matches"
identity = ""
}
```

</TabItem> </Tabs>

## Block unauthorized applications

<Render file="gateway/policies/block-applications" product="cloudflare-one" />
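Review bot: the policy name is misspelled in both the curl body (`"name": "All-DNS-Bock-Category-Matches-In-Request",`) and the Terraform block (`name = "All-DNS-Bock-Category-Matches-In-Request"`); `Bock` should be `Block`. Two smaller points in the same hunk: the Dashboard table row uses the singular `Request Context Category` while the selector is named `Request Context Categories` in the prose and on the selectors page, and the Terraform resource label `block_content_categories` describes the content-categories policy that precedes this section rather than this one, so a label such as `block_request_context_categories` would avoid a duplicate-resource clash if a reader pastes both examples into one configuration. It would also help the prose to state explicitly that the category list carried in OPT code `65050` is supplied by whoever sends the query to Gateway, since the selector matches whatever IDs arrive in the request.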
Expand Up @@ -63,6 +63,7 @@ API value: `allow`
- [Resolved Continent IP Geolocation](#resolved-continent)
- [Resolved Country IP Geolocation](#resolved-country)
- [Resolved IP](#resolved-ip)
- [Request Context Categories](#request-context-categories)
- [Security Categories](#security-categories)
- [Source Continent IP Geolocation](#source-continent)
- [Source Country IP Geolocation](#source-country)
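Review bot: the new `- [Request Context Categories](#request-context-categories)` entry is inserted after `Resolved IP`, but this selector list for the `allow` action is alphabetical and `Request` sorts before `Resolved`; move the entry above `- [Resolved Continent IP Geolocation](#resolved-continent)`.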
Expand Down Expand Up @@ -114,6 +115,7 @@ API value: `block`
- [Resolved Continent IP Geolocation](#resolved-continent)
- [Resolved Country IP Geolocation](#resolved-country)
- [Resolved IP](#resolved-ip)
- [Request Context Categories](#request-context-categories)
- [Security Categories](#security-categories)
- [Source Continent IP Geolocation](#source-continent)
- [Source Country IP Geolocation](#source-country)
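Review bot: same ordering issue in the `block` action list: `- [Request Context Categories](#request-context-categories)` belongs before `- [Resolved Continent IP Geolocation](#resolved-continent)` if the list is to stay alphabetical, and the `allow` and `block` lists should be kept in the same order.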
Expand Down Expand Up @@ -392,6 +394,14 @@ Use this selector to filter based on the IP addresses that the query resolves to
| ----------- | ------------------------------------------ | -------------------- |
| Resolved IP | `any(dns.resolved_ips[*] == 198.51.100.0)` | After DNS resolution |

### Request Context Categories

Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`.

| UI name | API example | Evaluation phase |
| -------------------------- | ------------------------------------------- | --------------------- |
| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution |

### Security Categories

<Render file="gateway/selectors/security-categories" />
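Review bot: `Gateway includes request context with the OPT code \`65050\`.` reads as though Gateway adds the OPT record itself, while the common-policies page in this same PR says the sender adds the category list to a request sent to Gateway; suggest `Gateway reads the request context from EDNS OPT code \`65050\`.` so both pages agree on who populates it. The section placement also mirrors the selector-list ordering: `### Request Context Categories` sits between `### Resolved IP` and `### Security Categories`, but alphabetically belongs before the Resolved selectors; whichever order is chosen, keep the heading position and the two lists consistent.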