- Your Cloudflare account team must enable DNS Firewall for your account.
- Change the IP addresses of your nameservers.
Configuring the DNS Firewall
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account where DNS Firewall is enabled.
3. Click Configurations in the second navigation bar from the top.
4. Click DNS Firewall from the navigation bar on the left side of the UI.
5. Click Add DNS Firewall Cluster.
6. In the Setup a DNS Firewall Cluster popup, enter the DNS Cluster Name.
7. Enter your nameserver IP addresses.
8. Set the Minimum Cache TTL and Maximum Cache TTL that should be respected on any DNS record proxied from your nameservers. Cloudflare recommends a minimum TTL of 30 seconds and a maximum TTL of 1 hour.
9. Choose whether the DNS Firewall should answer ANY Queries.
10. Click Continue.
11. Take note of the Cloudflare designated IPv4 and IPv6 nameserver addresses within the Your new DNS Firewall IP Addresses window.
12. After waiting for one hour, update the domain's NS glue records at your registrar with the DNS Firewall IP addresses.
13. On your DNS servers, update the nameserver (ns) A records in your DNS zone file with the DNS Firewall IP addresses.
14. Verify that name resolution works by running dig against your nameservers and DNS records.
DNS Server and Firewall
15. After confirming that name resolution works, configure the security policy on your DNS servers and firewall to allow only Cloudflare IPs on TCP/UDP port 53.
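Steps 14 and 15 as a script, added here as an example and not Cloudflare's own tooling: same_answers compares what the origin nameserver and the DNS Firewall address return for a record, and emit_rules turns a list of Cloudflare ranges into the port 53 allowlist. The function names are hypothetical, the addresses are placeholders from documentation ranges, and an iptables-based host firewall is assumed.

```shell
#!/bin/sh
# Added example, not Cloudflare tooling. Function names are hypothetical.
# Usage (constructed placeholder addresses from documentation ranges):
#   same_answers 192.0.2.53 198.51.100.53 example.com A
#   printf '%s\n' 203.0.113.0/24 2001:db8::/32 | emit_rules

# rrset: normalize `dig +noall +answer` output: skip dig's ";;" status lines,
# blank the TTL column (a cache in front of the origin changes TTLs), sort.
rrset() { awk '!/^;/ && NF >= 5 { $2 = ""; print }' | sort; }

# same_answers ORIGIN_IP FIREWALL_IP NAME TYPE   (step 14)
# Succeeds only if both servers return the same non-empty record set.
same_answers() {
  o=$(dig +noall +answer "@$1" "$3" "$4" | rrset)
  f=$(dig +noall +answer "@$2" "$3" "$4" | rrset)
  [ -n "$o" ] && [ "$o" = "$f" ]
}

# emit_rules: CIDRs on stdin, one per line   (step 15)
# Prints iptables/ip6tables commands that accept port 53 from those ranges and
# drop it from everywhere else. Fails closed: any malformed line returns 1 and
# prints nothing, so a bad list never yields a partial allowlist plus DROP.
emit_rules() {
  out=""
  while IFS= read -r cidr || [ -n "$cidr" ]; do
    case $cidr in
      ''|'#'*) continue ;;                  # blank line or comment
      *[!0-9a-fA-F:./]*) return 1 ;;        # hostname, whitespace, CR, ...
      *:*/*) tool=ip6tables ;;              # IPv6 prefix
      *.*/*) tool=iptables ;;               # IPv4 prefix
      *) return 1 ;;                        # no prefix length given
    esac
    for proto in udp tcp; do
      out="$out$tool -A INPUT -p $proto -s $cidr --dport 53 -j ACCEPT
"
    done
  done
  [ -n "$out" ] || return 1                 # empty list: refuse to emit DROP
  printf '%s' "$out"
  for tool in iptables ip6tables; do
    for proto in udp tcp; do
      echo "$tool -A INPUT -p $proto --dport 53 -j DROP"
    done
  done
}
```

Run same_answers for each record you serve before applying the output of emit_rules. The rules are appended to INPUT, so an earlier rule that already accepts port 53 would take precedence over them.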
How can I add multiple members to manage the DNS Firewall?
The DNS Firewall supports multi-user access. Contact your Cloudflare account team to enable multi-user access.