Cloudflare Docs
Cloudflare Zero Trust
Cloudflare Docs
Cloudflare Zero Trust
GitHub icon
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Cloudflare Zero Trust
  3. Tutorials
  4. Filter DNS on home or office network

Filter DNS on home or office network

You can use Cloudflare Gateway to filter and log DNS queries from any device in your network without installing client software.

This tutorial covers how to:

  • Create a DNS filtering policy that secures a home or office network by blocking malicious hostnames
  • Review logs and events that occur on that network

Time to complete:

15 minutes

​​ Before you start

  1. Add Gateway to your account

​​ Configure Cloudflare Gateway

Before you begin, you’ll need to follow these instructions to set up Cloudflare Gateway in your account. To perform DNS filtering, you need one of the following subscriptions:

  • Zero Trust Free
  • Zero Trust Standard

​​ Add a DNS location

During the Gateway onboarding flow, the dashboard will prompt you to configure a DNS location for the IP you are currently using. Gateway will automatically detect the IP of your current network and assign it to the DNS location being created.

If you want to create a different location, one that you are not currently using, you can add a new DNS location from Gateway > DNS Locations.

​​ Create a Gateway policy

Next, you can build a policy that will filter DNS queries for known malicious hostnames and other types of threats. Navigate to the Policies page. On the DNS tab, click Create a DNS policy.

First, assign the policy a name and add an optional description. Next, build an expression to determine what is blocked.

In this example, the policy will block any hostnames that Cloudflare’s data intelligence platform identifies as containing security risks like malware or phishing campaigns. You can click All security risks to include all options or check individual types of threats in the dropdown.

Block Threats

The policy will block security threats for any DNS location in your Cloudflare Zero Trust deployment. If you want to only block the security risks selected above for the location created previously, add an AND rule to the selector. Choose DNS Location and check the location to include in this policy.

Include Location

Finally, choose Block as the action and create the policy.

The rule will appear in your DNS policies list.

Rule Listed

​​ Configure your router

You will need to make a one-time change to your router to use Cloudflare Gateway for DNS filtering for all devices in your network.

Instructions to change your router’s DNS settings are available in Zero Trust. Navigate to Gateway > DNS Locations and expand the location you want to configure. Click Setup instructions.

Expand Location

The default toggle presented will be Router. Follow the instructions on the page to change your router settings. Additional instructions are available for routers from specific manufacturers in the 1.1.1.1 documentation.

​​ Review events

Once configured, you can review DNS queries made from your network in the Analytics > Gateway page.