Locations
DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.
The fastest way to start filtering DNS queries from a location is by changing the DNS resolvers at the router.
To add a DNS location to Gateway:
-
In Zero Trust ↗, go to Gateway > DNS Locations.
-
Select Add a location.
-
Choose a name for your DNS location.
-
Choose at least one DNS endpoint to resolve your organization’s DNS queries.
-
(Optional) Toggle the following settings:
-
Enable EDNS client subnet sends a user’s IP geolocation to authoritative DNS nameservers. EDNS Client Subnet (ECS) helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy preserving way by not sending the user’s exact IP address but rather a
/24
range which contains their IP address. -
Set as Default DNS Location sets this location as the default DoH endpoint for DNS queries.
-
-
Select Continue.
-
(Optional) Turn on source IP filtering for your configured endpoints, then add any source IPv4/IPv6 addresses to validate.
- Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses.
- DoH endpoint filtering & authentication lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses.
-
Select Continue.
-
Review the settings for your DNS location, then choose Done.
-
Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI.
-
Select Go to DNS Location. Your location will appear in your list of locations.
You can now apply DNS policies to your location using the Location selector.
Cloudflare will prefill the Source IPv4 Address based on the network you are on. Enterprise users have the option of using dedicated DNS resolver IP addresses assigned to their account.
You do not need to configure the IPv4 DNS endpoint if:
- Your network only uses IPv6.
- Your users will send all DNS requests from this location using DNS over HTTPS via a browser.
- You will deploy the WARP client.
DNS over TLS (DoT) is a standard for encrypting DNS traffic using its own port (853
) and TLS encryption.
For more information, refer to DNS over TLS.
DNS over HTTPS (DoH) is a standard for encrypting DNS traffic via the HTTPS protocol, preventing tracking and spoofing of DNS queries.
Gateway requires a DoH endpoint for default DNS locations. For more information, refer to DNS over HTTPS.