What is the DNS Firewall and how does it work?

What is the DNS Firewall?

DNS Firewall (previously known as Virtual DNS) is a DNS proxy that increases performance, security and global distribution for DNS providers, registrars, and enterprises that maintain their own DNS infrastructure.

By proxying requests to the origin nameservers, Cloudflare's DNS Firewall provides DDoS mitigation, high availability, reliability, global distribution and caching, while still giving an organization total control over their DNS.

How does the DNS Firewall work?

The DNS Firewall takes the same approach to proxying DNS requests and protecting DNS servers as Cloudflare takes for proxying web requests and protecting web servers. It is used by DNS hosting providers and registrars, as well as enterprises that choose to run their own DNS infrastructure but want to deploy an additional layer of security. The DNS Firewall protects upstream nameservers from DDoS attack and reduces load on the upstream nameservers by caching DNS responses in all of Cloudflare's 100+ global points of presence.

The DNS Firewall leverages Cloudflare’s global DNS and proxying infrastructure to provide performance and security services for a DNS provider's nameservers. DNS queries destined for the provider's nameservers will first be sent to the nearest Cloudflare point-of-presence to the website visitor. If the proper DNS response is available in Cloudflare's cache, Cloudflare will return the response to the visitor. If the DNS response is not available in cache, Cloudflare will query the provider's nameservers in the background to fetch the DNS response and send it back to the visitor. Simultaneously, that response will be temporarily cached on Cloudflare to be automatically returned when the next query for that record comes along. Malicious requests to the nameservers can be identified and blocked at Cloudflare before those requests ever make it to the provider's nameservers.

How does the DNS Firewall choose which backend nameserver to send upstream queries to?

The DNS Firewall round-robins between the customer's nameservers, but weights the choice by latency as measured from each Cloudflare server: the algorithm is most likely to choose the fastest upstream nameserver seen from that server and least likely to choose the slowest.

How long does the DNS Firewall cache stale objects for?

It depends on the cache turnover rate: how quickly new items are being added to the cache and old ones are evicted to make room. The DNS cache has a fixed memory allocation, and nothing is forcibly pushed out of the cache when its TTL expires, so there is a good chance that a record is still in cache even after it is no longer fresh.

The DNS Firewall will serve stale objects from cache if the origin nameservers are offline.

Does the DNS Firewall cache SERVFAIL?

No. If the customer's nameserver responds with SERVFAIL, that response is not cached and the DNS Firewall will query the origin again on the next request.

Does the DNS Firewall support EDNS-Client-Subnet?

Yes. Often DNS providers want to see a client's IP via EDNS-Client-Subnet because they serve geographically specific DNS answers based on the client's IP. With EDNS-Client-Subnet enabled, the DNS Firewall will send the client's IP subnet along with the DNS query to the origin nameserver. Note that the DNS Firewall does not add an EDNS-Client-Subnet option itself; it only forwards the one already present in the resolver's query.

When EDNS-Client-Subnet is enabled, the DNS Firewall returns the geographically correct cached answer for the client IP subnet. To do this, the DNS Firewall segments its cache by subnet. For example, a resolver says it is looking for an answer on behalf of a client in a particular /24. The DNS Firewall proxies the query to the origin and the origin returns the answer. The DNS Firewall caches that answer only for that /24, so when a resolver asks on behalf of a client in a different /24, it goes to the origin again. Note that this limits the effectiveness of the cache: the more distinct client subnets query a name, the more queries reach the origin.

To enable EDNS-Client-Subnet, the customer needs to enable it at their origin DNS servers. If the DNS Firewall sees a query with EDNS-Client-Subnet set and knows the origin supports it, the DNS Firewall will pass the option through.

How does the DNS Firewall know whether the origin supports it? Once an hour, the DNS Firewall lets EDNS-Client-Subnet through to the origin nameservers to check whether they support it.

To disable EDNS-Client-Subnet, disable it at your origin DNS servers. The DNS Firewall will detect the change automatically through the same periodic check.
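The caching rules described in the sections above (cache segmented per client /24 when the origin supports EDNS-Client-Subnet, expired entries kept in memory and served stale when the origin is offline, SERVFAIL never cached) are easier to reason about as a small model. The following is an added example, not Cloudflare's code; it is a toy in-memory proxy cache with a stubbed origin, and the names www.example., broken.example., the client IPs and the answers are constructed test data. It does no network I/O.

```python
"""Toy model of the DNS Firewall caching behaviour described on this page.
Added example, not Cloudflare's code: cache keys segmented per client /24
when the origin supports ECS, stale answers served when the origin is down,
and SERVFAIL never cached.  All data is constructed; there is no network I/O."""
import ipaddress
from dataclasses import dataclass

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"


@dataclass
class Response:
    rcode: str
    rdata: tuple = ()
    ttl: int = 0


@dataclass
class CacheEntry:
    response: Response
    expires_at: float


class OriginDown(Exception):
    """Raised by the origin stub when the upstream nameserver is unreachable."""


def client_subnet(client_ip):
    """ECS scope as the page describes it: the client's IPv4 /24 (assumption:
    IPv6 scoping is not described on the page, so it is not modelled here)."""
    return str(ipaddress.ip_network(f"{client_ip}/24", strict=False))


class DnsProxyCache:
    def __init__(self, origin, ecs_supported_by_origin, now):
        self.origin = origin            # callable(qname, qtype, ecs) -> Response
        self.ecs_supported = ecs_supported_by_origin
        self.now = now                  # clock callable, injectable for tests
        self.cache = {}                 # entries are never forcibly evicted on TTL expiry
        self.stats = {"hit": 0, "miss": 0, "stale": 0, "upstream_queries": 0}

    def resolve(self, qname, qtype, client_ip=None):
        qname = qname.lower().rstrip(".") + "."
        # Forward (and segment the cache by) the client subnet only when the
        # origin is known to support ECS; otherwise all clients share one entry.
        ecs = client_subnet(client_ip) if (self.ecs_supported and client_ip) else None
        key = (qname, qtype, ecs)
        now = self.now()
        entry = self.cache.get(key)
        if entry is not None and entry.expires_at > now:
            self.stats["hit"] += 1
            return entry.response
        self.stats["upstream_queries"] += 1
        try:
            resp = self.origin(qname, qtype, ecs)
        except OriginDown:
            if entry is not None:       # expired but still in memory: serve it stale
                self.stats["stale"] += 1
                return entry.response
            return Response(SERVFAIL)
        self.stats["miss"] += 1
        if resp.rcode != SERVFAIL:      # SERVFAIL is never cached; the next query retries
            self.cache[key] = CacheEntry(resp, now + resp.ttl)
        return resp


def make_origin(answers_by_subnet, ttl=60):
    """Origin stub (constructed data). answers_by_subnet maps an ECS /24 string
    to the answer for that subnet; the None key is the default answer."""
    state = {"up": True}

    def origin(qname, qtype, ecs):
        if not state["up"]:
            raise OriginDown()
        if qname == "broken.example.":  # constructed name whose origin always fails
            return Response(SERVFAIL)
        return Response(NOERROR, (answers_by_subnet.get(ecs, answers_by_subnet[None]),), ttl)

    return origin, state


def demo():
    clock = [1000.0]
    # Constructed geo answers: clients in 203.0.113.0/24 get a subnet-specific IP.
    origin, state = make_origin({None: "198.51.100.10", "203.0.113.0/24": "198.51.100.20"})
    proxy = DnsProxyCache(origin, ecs_supported_by_origin=True, now=lambda: clock[0])
    answers = [
        proxy.resolve("www.example.", "A", "203.0.113.7").rdata[0],    # miss, geo answer
        proxy.resolve("www.example.", "A", "203.0.113.200").rdata[0],  # hit, same /24
        proxy.resolve("www.example.", "A", "192.0.2.5").rdata[0],      # miss, other /24
    ]
    servfails = [proxy.resolve("broken.example.", "A", "192.0.2.5").rcode for _ in range(2)]
    clock[0] += 120                     # both cached answers are now past their TTL
    state["up"] = False                 # ...and the origin goes offline
    stale = proxy.resolve("www.example.", "A", "203.0.113.7").rdata[0]
    return {"answers": answers, "servfails": servfails, "stale": stale, "stats": dict(proxy.stats)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the trade-off the EDNS section warns about: two clients in the same /24 share one cache entry, but a client in a different /24 forces another origin query, and both SERVFAIL lookups reach the origin because nothing is cached for them. Constructing the proxy with ecs_supported_by_origin=False instead collapses all clients onto a single entry, which is the higher hit rate you give up for geographically specific answers.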

Who can use the DNS Firewall?

The DNS Firewall is useful for DNS providers, hosts, registrars, TLD operators and enterprises who run their own DNS infrastructure.

How do I sign up for the DNS Firewall?

The DNS Firewall is an Enterprise product that is available for both existing Cloudflare customers and new customers interested in the DNS Firewall.

Contact our sales team at +1 888 99 FLARE, or let us know you are interested here: cloudflare.com/enterprise-service-request.
