Skip to content

[Gateway] Global DNS policies #21349

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Apr 25, 2025
Merged

[Gateway] Global DNS policies #21349

Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
69d2baf
Add DNS policy table
maxvp Apr 2, 2025
767bdc1
Add better context
maxvp Apr 2, 2025
a24b9e8
Add even better context
maxvp Apr 3, 2025
05c8155
Merge branch 'production' into max/gw/dns-global-policies
maxvp Apr 15, 2025
0b4bda5
Fix typo
maxvp Apr 25, 2025
9020076
Fix context policy
maxvp Apr 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions src/content/docs/cloudflare-one/policies/gateway/global-policies.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,40 @@ The following policies are sorted by [order of precedence](/cloudflare-one/polic
| Always Blocked Categories | `00000001-bed5-462e-b0f1-2e2c3555e9f7` | Content Category | Child Abuse | block | Blocks child abuse materials. |
| Don't Isolate RBI Help Pages | `00000001-1a18-431f-9c9d-bce431f1002a` | Hostname | `developers.cloudflare.com` and `help.cloudflarebrowser.com` | noisolate | Prevents browser isolation of Cloudflare developer docs and help pages to help users troubleshoot configuration issues. |
| Don't AV Scan CF Speed | `00000001-c194-408f-87dd-9a366ce76e12` | Hostname | `speed.cloudflare.com` | noscan | Allows files transferred by the Cloudflare speed test. |

## DNS resolution policies

For each of the domains above, Gateway enforces global DNS and resolver policies before any other policies. This ensures the traffic is not blocked by user policies and gets resolved with Cloudflare's public DNS resolver, [1.1.1.1](/1.1.1.1/).

| Name | ID | Value | Action |
| ----------------------------------------------------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------ | ------- |
| Allow DNS queries for cloudflareclient.com domain | `00000001-e139-4a1b-90d5-698d8fa371e0` | `cloudflareclient.com` | allow |
| Resolve cloudflareclient.com through 1.1.1.1 | `00000001-e738-4554-823b-0b2c75af2c66` | `cloudflareclient.com` | resolve |
| Allow DNS queries for assets.browser.run domain | `00000001-9bff-4d83-a9e4-e5ed321fe0b9` | `assets.browser.run` | allow |
| Resolve assets.browser.run through 1.1.1.1 | `00000001-0df5-472b-80c0-02888e7167ee` | `assets.browser.run` | resolve |
| Allow DNS queries for edge.browser.run and cloudflarebrowser.com domains | `00000001-e2f1-4e99-bab3-91df88879587` | `edge.browser.run` and `cloudflarebrowser.com` | allow |
| Resolve edge.browser.run and cloudflarebrowser.com through 1.1.1.1 | `00000001-b103-44c6-a114-7a784cdf3fb7` | `edge.browser.run` and `cloudflarebrowser.com` | resolve |
| Allow DNS queries for help.teams.cloudflare.com domain | `00000001-b2fc-46db-b0f1-69ef3553bd7a` | `help.teams.cloudflare.com` | allow |
| Resolve help.teams.cloudflare.com through 1.1.1.1 | `00000001-ce13-486a-b006-ba0435ccb013` | `help.teams.cloudflare.com` | resolve |
| Allow DNS queries for cloudflare-gateway.com domain | `00000001-e83d-492b-995e-351970cd5e8e` | `cloudflare-gateway.com` | allow |
| Resolve cloudflare-gateway.com through 1.1.1.1 | `00000001-d9bc-4913-a2f5-905dbb3ecf9a` | `cloudflare-gateway.com` | resolve |
| Allow DNS queries for cloudflarestatus.com domain | `00000001-78da-4f8a-b9ee-76563f1ec46b` | `cloudflarestatus.com` | allow |
| Resolve cloudflarestatus.com through 1.1.1.1 | `00000001-4d1d-43a3-9015-c49fc3a6da31` | `cloudflarestatus.com` | resolve |
| Allow DNS queries for nel.cloudflare.com domain | `00000001-af28-4afa-8987-eadc21187e14` | `nel.cloudflare.com` | allow |
| Resolve nel.cloudflare.com through 1.1.1.1 | `00000001-0034-45a0-8333-f339451fba46` | `nel.cloudflare.com` | resolve |
| Allow DNS queries for api.cloudflare.com domain | `00000001-5eea-4932-8dd5-8e1ec9770396` | `api.cloudflare.com` | allow |
| Resolve api.cloudflare.com through 1.1.1.1 | `00000001-4f0c-4f86-9b96-5d26123a194b` | `api.cloudflare.com` | resolve |
| Allow DNS queries for dash.teams.cloudflare.com domain | `00000001-0f75-48a9-b3e1-925a974d2b65` | `dash.teams.cloudflare.com` | allow |
| Resolve dash.teams.cloudflare.com through 1.1.1.1 | `00000001-3d84-41a6-bc84-3014685c0d81` | `dash.teams.cloudflare.com` | resolve |
| Allow DNS queries for dash.cloudflare.com domain | `00000001-0c2a-4b31-8606-3e5a1d87c1bf` | `dash.cloudflare.com` | allow |
| Resolve dash.cloudflare.com through 1.1.1.1 | `00000001-c47f-41f3-b234-d66c82b8d422` | `dash.cloudflare.com` | resolve |
| Allow DNS queries for cloudflareportal.com, cloudflareok.com and cloudflarecp.com domains | `00000001-1c6c-4793-b48f-799eee6e0e31` | `cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com` | allow |
| Resolve cloudflareportal.com, cloudflareok.com and cloudflarecp.com through 1.1.1.1 | `00000001-8c35-4d7d-9dbb-cb7350375b7b` | `cloudflareportal.com`, `cloudflareok.com`, and `cloudflarecp.com` | resolve |
| Allow DNS queries for cloudflareaccess.com domain | `00000001-d738-4dad-bac4-1a50201d9503` | `cloudflareaccess.com` | allow |
| Resolve cloudflareaccess.com through 1.1.1.1 | `00000001-4404-4572-80f6-f7b098909460` | `cloudflareaccess.com` | resolve |
| Allow DNS queries for blocked.teams.cloudflare.com domain | `00000001-76f4-4438-b8ab-a9da53f4a2f1` | `blocked.teams.cloudflare.com` | allow |
| Resolve blocked.teams.cloudflare.com through 1.1.1.1 | `00000001-af3c-458f-aeb2-b3bb5d3fe1d5` | `blocked.teams.cloudflare.com` | resolve |
| Allow DNS queries for developers.cloudflare.com domain | `00000001-4263-4808-8457-4d4329c91f66` | `developers.cloudflare.com` | allow |
| Resolve developers.cloudflare.com through 1.1.1.1 | `00000001-9f91-4462-9270-78beca5b4dbc` | `developers.cloudflare.com` | resolve |
| Allow DNS queries for speed.cloudflare.com domain | `00000001-4fc0-4286-b783-6c442adda171` | `speed.cloudflare.com` | allow |
| Resolve speed.cloudflare.com through 1.1.1.1 | `00000001-ec51-4471-9e78-bd47d46a3002` | `speed.cloudflare.com` | resolve |