Set up DNS Firewall
 Prerequisites
Prior to setting up DNS Firewall, you need:
- Account access to DNS Firewall (provided by your Enterprise account team).
- Access to DNS Administrator or Super Administrator privileges on your account.
- New IP addresses for your nameservers (so that previously known, possibly compromised, addresses can no longer be used to reach them directly).
 Configure DNS Firewall
 Create a DNS Firewall cluster
 Using the dashboard
- Log in to the Cloudflare account with DNS Firewall.
- On the account homepage, expand the Manage Account section and click Configurations.
- Click DNS Firewall.
- Click Add Firewall Cluster.
- Fill out the required fields, including:
  - IP Addresses: The upstream IPv4 and/or IPv6 addresses of your authoritative nameservers.
  - Minimum Cache TTL: Recommended setting of 30 seconds.
  - Maximum Cache TTL: Recommended setting of 1 hour. Larger values increase the cache hit ratio, but also increase the time required for DNS changes to propagate.
  - ANY queries: Recommended setting is Off because these are often used as part of DDoS attacks. Also refer to this blog post.
- Click Continue.
- On the following screen, save the values for Your new DNS Firewall IP Addresses.
 Using the API
You can also create a DNS Firewall cluster by sending a POST request to the API.
 Update registrar settings
Update the A/AAAA glue records for your nameserver hostnames at your registrar with your DNS Firewall cluster IP addresses.
 Update DNS servers
At your DNS servers, update the A/AAAA records for your nameserver hostnames in your DNS zone file with your DNS Firewall cluster IP addresses.
 Test DNS resolution
Confirm that your nameservers are functioning correctly by running a dig command.
 Update security policies
Configure the security policies on your DNS servers and firewall to allow only Cloudflare IP addresses, and only on TCP/UDP port 53, so that resolvers cannot bypass DNS Firewall and reach your upstream nameservers directly.
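The following is an added example (not Cloudflare's code) that models two of the checks above: that registrar glue and zone-file A/AAAA records for each nameserver hostname point only at the DNS Firewall cluster and no longer expose the upstream addresses, and that the origin firewall policy admits only Cloudflare sources on TCP/UDP 53. All addresses, hostnames and the allowed network are constructed placeholders from RFC 5737 documentation ranges; substitute your cluster IPs, nameservers and Cloudflare's published IP ranges.

```python
import ipaddress

# Constructed placeholder values (RFC 5737 documentation ranges); replace with the
# addresses from your DNS Firewall cluster, your nameservers and Cloudflare's IP list.
DNS_FIREWALL_IPS = {"203.0.113.10", "203.0.113.11"}   # "Your new DNS Firewall IP Addresses"
UPSTREAM_IPS = {"198.51.100.5", "198.51.100.6"}        # your authoritative nameservers (must stay hidden)
NAMESERVERS = ["ns1.example.com", "ns2.example.com"]
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder for Cloudflare's ranges

def audit_nameserver_records(glue, zone):
    """Check registrar glue and zone-file A/AAAA records for each nameserver hostname.

    glue and zone map hostname -> list of IP strings. Returns a list of findings;
    an empty list means every record points only at the DNS Firewall cluster.
    """
    findings = []
    for ns in NAMESERVERS:
        for source, records in (("registrar glue", glue), ("zone file", zone)):
            addrs = set(records.get(ns, []))
            if not addrs:
                findings.append(f"{ns}: missing A/AAAA record in {source}")
                continue
            leaked = addrs & UPSTREAM_IPS
            if leaked:  # the upstream server is reachable around the firewall
                findings.append(f"{ns}: {source} exposes upstream IP(s) {sorted(leaked)}")
            stray = addrs - DNS_FIREWALL_IPS - UPSTREAM_IPS
            if stray:
                findings.append(f"{ns}: {source} has unexpected IP(s) {sorted(stray)}")
    return findings

def allowed_by_policy(src_ip, proto, port):
    """Model the upstream firewall rule: only allowed sources, only TCP/UDP port 53."""
    if proto not in ("tcp", "udp") or port != 53:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWED_NETS)

if __name__ == "__main__":
    # Constructed inputs: ns2's glue record was never updated at the registrar.
    glue = {"ns1.example.com": ["203.0.113.10"], "ns2.example.com": ["198.51.100.6"]}
    zone = {"ns1.example.com": ["203.0.113.10"], "ns2.example.com": ["203.0.113.11"]}
    for finding in audit_nameserver_records(glue, zone):
        print("FINDING:", finding)
    print(allowed_by_policy("203.0.113.7", "udp", 53), allowed_by_policy("198.51.100.99", "udp", 53))
```

Feed the functions with the records returned by the dig checks against your registrar's and your own nameservers; any finding means a resolver can still bypass the cluster.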