Cloudflare Docs
Cloudflare Zero Trust

Common DNS policies

The following policies are commonly used to secure DNS traffic.

Refer to the DNS policies page for a comprehensive list of other selectors, operators, and actions.

Block content categories

Block content categories which go against your organization’s acceptable use policy.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Adult Themes, Gambling | Block |

Block applications

Block applications which go against your organization’s acceptable use policy.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Netflix | Block |

Check user identity

Configure access on a per-user or per-group basis by adding identity-based conditions to your policies.

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Application | in | Salesforce | Block |
| User Group Names | in | Contractors | |

Restrict access to specific groups

Filter DNS queries to allow only specific users access.

The following example includes two policies. The first policy allows the specified group, while the second policy blocks all other users. To ensure the policies are evaluated properly, place the Allow policy above the Block policy. For more information, refer to the order of precedence.

1. Allow a group

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Content Categories | in | Social Networks | And | Allow |
| User Group Names | in | marketing-team | | |

2. Block all other users

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Content Categories | in | Social Networks | Block |

Block sites by top-level domain

Block sites with a specific top-level domain (TLD).

| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| Domain | matches regex | `[.]fail` | Block |

Control IP version

Enterprise users can pair these policies with an egress policy to control which IP address is used to egress to the origin server.

Force IPv4

Force users to connect with IPv4.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Query Record Type | is | AAAA | And | Block |
| Domain | is | example.com | | |

Force IPv6

Force users to connect with IPv6.

| Selector | Operator | Value | Logic | Action |
| --- | --- | --- | --- | --- |
| Query Record Type | is | A | And | Block |
| Domain | is | example.com | | |
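To make the order-of-precedence rule from the group-restriction example concrete, and to show how the record-type and TLD matches above resolve, here is a small Python model of top-down, first-match policy evaluation. It is an added illustration, not Cloudflare code: the `Policy` and `Query` classes, `evaluate()` and `outcome()` are constructed for this example and the policy lists are hand-written copies of this page's tables.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    action: str       # "Allow" or "Block"
    conditions: list  # [(selector, operator, value)], all ANDed together

@dataclass
class Query:
    domain: str
    record_type: str
    content_categories: set
    user_groups: set

def _match(cond, q):
    selector, op, value = cond
    actual = {"Domain": q.domain, "Query Record Type": q.record_type,
              "Content Categories": q.content_categories,
              "User Group Names": q.user_groups}[selector]
    if op == "is":
        return actual == value
    if op == "in":  # set-valued selectors: any overlap; string selectors: membership
        return actual in value if isinstance(actual, str) else bool(actual & set(value))
    if op == "matches regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator: {op}")

def evaluate(policies, q):
    """Policies are checked top-down; the first match decides, so order matters."""
    for p in policies:
        if all(_match(c, q) for c in p.conditions):
            return p.action, p.name
    return "Allow", "no matching policy"

def outcome(policies, domain, rtype, categories=(), groups=()):
    return evaluate(policies, Query(domain, rtype, set(categories), set(groups)))[0]

# Constructed representations of the policies on this page (not exported config).
ALLOW_MARKETING = Policy("1. Allow a group", "Allow", [
    ("Content Categories", "in", ["Social Networks"]),
    ("User Group Names", "in", ["marketing-team"])])
BLOCK_OTHERS = Policy("2. Block all other users", "Block",
                      [("Content Categories", "in", ["Social Networks"])])
FORCE_IPV4 = Policy("Force IPv4", "Block",
                    [("Query Record Type", "is", "AAAA"), ("Domain", "is", "example.com")])
BLOCK_FAIL_TLD = Policy("Block .fail TLD", "Block", [("Domain", "matches regex", r"[.]fail")])
```

Swapping the two social-network policies turns the marketing-team result from Allow into Block, which is exactly the ordering mistake the page warns about. Note that `[.]fail` as written is unanchored, so in this model it also matches a name that merely contains `.fail`.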