Set up DNS filtering
Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.
1. Connect to Gateway
Connect devices
To filter DNS requests from an individual device such as a laptop or phone:
- Install the WARP client on your device.
- In the WARP client Settings, log in to your organization’s Zero Trust instance.
- (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .
Connect locations
To filter DNS requests from a location such as an office or data center:
- Add the location to your Zero Trust dashboard.
- On your router, browser, or OS, forward DNS queries to the address shown in the location setup flow.
2. Verify device connectivity
- In the Zero Trust dashboard, navigate to Settings > Network.
- Under Gateway logging, enable activity logging for all DNS logs.
- On your WARP-enabled device, open a browser and visit any website.
- In the Zero Trust dashboard, navigate to Logs > Gateway > DNS. Before building DNS policies, make sure you see DNS queries from the email associated with your device.
3. Add recommended policies
To create a new DNS policy, navigate to Gateway > Policies > DNS in the Zero Trust dashboard. We recommend adding the following policy:
Block all security risks
Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.
Selector | Operator | Value | Action |
---|---|---|---|
Security categories | in | All security risks | Block |
4. Add optional policies
Refer to our list of common DNS policies for other policies you may want to create.