Filter DNS on home or office network
You can use Cloudflare Gateway to filter and log DNS queries from any device in your network without installing client software.
This tutorial covers how to:
- Create a DNS filtering policy that secures a home or office network by blocking malicious hostnames
- Review logs and events that occur on that network
Time to complete: 15 minutes
Before you start
Configure Cloudflare Gateway
Before you begin, you’ll need to follow these instructions to set up Cloudflare Gateway in your account. To perform DNS filtering, you need one of the following subscriptions:
- Zero Trust Free
- Zero Trust Standard
Add a DNS location
During the Gateway onboarding flow, the dashboard will prompt you to configure a DNS location for the IP you are currently using. Gateway will automatically detect the IP of your current network and assign it to the DNS location being created.
If you want to create a different location, one that you are not currently using, you can add a new DNS location from Gateway > DNS Locations.
Create a Gateway policy
Next, you can build a policy that will filter DNS queries for known malicious hostnames and other types of threats. Navigate to the Policies page. On the DNS tab, click Create a DNS policy.
First, assign the policy a name and add an optional description. Next, build an expression to determine what is blocked.
In this example, the policy will block any hostnames that Cloudflare’s data intelligence platform identifies as containing security risks like malware or phishing campaigns. You can click All security risks to include all options or check individual types of threats in the dropdown.
The policy will block security threats for any DNS location in your Cloudflare Zero Trust deployment. If you want to only block the security risks selected above for the location created previously, add an AND rule to the selector. Choose DNS Location and check the location to include in this policy.
Finally, choose Block as the action and create the policy.
The rule will appear in your DNS policies list.
Configure your router
You will need to make a one-time change to your router to use Cloudflare Gateway for DNS filtering for all devices in your network.
Instructions to change your router’s DNS settings are available in Zero Trust. Navigate to Gateway > DNS Locations and expand the location you want to configure. Click Setup instructions.
The default toggle presented will be Router. Follow the instructions on the page to change your router settings. Additional instructions are available for routers from specific manufacturers in the 1.1.1.1 documentation.
Review events
Once configured, you can review DNS queries made from your network in the Analytics > Gateway page.