Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Set up DNS filtering

Secure Web Gateway allows you to inspect DNS traffic and control which websites users can visit.

​​ 1. Connect to Gateway

​​ Connect devices

To filter DNS requests from an individual device such as a laptop or phone:

  1. Install the WARP client on your device.
  2. In the WARP client Settings, log in to your organization’s Zero Trust instance.
  3. (Optional) If you want to display a custom block page, install the Cloudflare root certificate on your device .

​​ Connect locations

To filter DNS requests from a location such as an office or data center:

  1. Add the location to your Zero Trust dashboard.
  2. On your router, browser, or OS, forward DNS queries to the address shown in the location setup flow.

​​ 2. Verify device connectivity

  1. In the Zero Trust dashboard, navigate to Settings > Network.
  2. Under Gateway logging, enable activity logging for all DNS logs.
  3. On your WARP-enabled device, open a browser and visit any website.
  4. In the Zero Trust dashboard, navigate to Logs > Gateway > DNS. Before building DNS policies, make sure you see DNS queries from the email associated with your device.

To create a new DNS policy, navigate to Gateway > Policies > DNS in the Zero Trust dashboard. We recommend adding the following policy:

​​ Block all security risks

Block known threats such as Command & Control, Botnet and Malware based on Cloudflare’s threat intelligence.

SelectorOperatorValueAction
Security categoriesinAll security risksBlock

​​ 4. Add optional policies

Refer to our list of common DNS policies for other policies you may want to create.