[WIP] add gateway dns request context categories selector doc (cloudflare#20896)

* add gateway dns request context categories selector doc

* Add selector to list

* Add common policy to page

* Add additional context

* Add to Allow and Block action list

* Add more context

* Update API call

* Update src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx

* Update src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx

---------

Co-authored-by: Rex Scaria <[email protected]>
Co-authored-by: Max Phillips <[email protected]>
Co-authored-by: Max Phillips <[email protected]>

Author: 3 people

src/content/docs/cloudflare-one/policies/gateway/dns-policies/common-policies.mdx

@@ -8,7 +8,7 @@ head:
     content: Common DNS policies
 ---
 
-import { Render, Tabs, TabItem } from "~/components";
+import { Render, Tabs, TabItem, APIRequest } from "~/components";
 
 The following policies are commonly used to secure DNS traffic.
 
@@ -68,6 +68,62 @@ The categories included in this policy are not always a security threat, but blo
 	product="cloudflare-one"
 />
 
+## Block a dynamic list of categories
+
+You can add a list of category IDs to the [EDNS header](https://datatracker.ietf.org/doc/html/rfc6891) of a request sent to Gateway as a JSON object using OPT code `65050`. For example:
+
+```json
+{
+	"categories": [2, 67, 125, 133]
+}
+```
+
+With the [Request Context Categories](/cloudflare-one/policies/gateway/dns-policies/#request-context-categories) selector, you can block the category IDs sent with EDNS. This is useful to filter by categories not known at the time of creating a policy, or to enforce device-specific DNS content filtering without reaching your account limit. When Gateway uses this selector to block a DNS query, the request will return an Extended DNS Error (EDE) Code 15 - Blocked error, along with a field containing an array of the matched categories.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+| Selector                 | Operator | Value   | Action |
+| ------------------------ | -------- | ------- | ------ |
+| Request Context Category | is       | _Present_ | Block  |
+
+</TabItem>
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+  "name": "All-DNS-Bock-Category-Matches-In-Request",
+  "description": "Block all category matches in the request EDNS context",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "dns"
+  ],
+  "traffic": "dns.categories_in_request_context_matches",
+  "identity": ""
+}'
+```
+
+</TabItem>
+<TabItem label="Terraform">
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "block_content_categories" {
+  account_id  = var.cloudflare_account_id
+  name        = "All-DNS-Bock-Category-Matches-In-Request"
+  description = "Block all category matches in the request EDNS context"
+  enabled     = true
+  action      = "block"
+  filters     = ["dns"]
+  traffic     = "dns.categories_in_request_context_matches"
+  identity    = ""
+}
+```
+
+</TabItem> </Tabs>
+
 ## Block unauthorized applications
 
 <Render file="gateway/policies/block-applications" product="cloudflare-one" />

src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx

@@ -63,6 +63,7 @@ API value: `allow`
 - [Resolved Continent IP Geolocation](#resolved-continent)
 - [Resolved Country IP Geolocation](#resolved-country)
 - [Resolved IP](#resolved-ip)
+- [Request Context Categories](#request-context-categories)
 - [Security Categories](#security-categories)
 - [Source Continent IP Geolocation](#source-continent)
 - [Source Country IP Geolocation](#source-country)
@@ -114,6 +115,7 @@ API value: `block`
 - [Resolved Continent IP Geolocation](#resolved-continent)
 - [Resolved Country IP Geolocation](#resolved-country)
 - [Resolved IP](#resolved-ip)
+- [Request Context Categories](#request-context-categories)
 - [Security Categories](#security-categories)
 - [Source Continent IP Geolocation](#source-continent)
 - [Source Country IP Geolocation](#source-country)
@@ -392,6 +394,14 @@ Use this selector to filter based on the IP addresses that the query resolves to
 | ----------- | ------------------------------------------ | -------------------- |
 | Resolved IP | `any(dns.resolved_ips[*] == 198.51.100.0)` | After DNS resolution |
 
+### Request Context Categories
+
+Use this selector to match a dynamic list of [category IDs](/cloudflare-one/policies/gateway/domain-categories/#category-and-subcategory-ids) sent in the [EDNS](https://datatracker.ietf.org/doc/html/rfc6891) portion of a DNS query. Gateway includes request context with the OPT code `65050`.
+
+| UI name                    | API example                                 | Evaluation phase      |
+| -------------------------- | ------------------------------------------- | --------------------- |
+| Request Context Categories | `dns.categories_in_request_context_matches` | Before DNS resolution |
+
 ### Security Categories
 
 <Render file="gateway/selectors/security-categories" />