This article outlines how to set up Cloudflare's DNS Firewall.
- Your Cloudflare account team must enable DNS Firewall for your account.
- Change the IP addresses of your nameservers.
Configuring the DNS Firewall
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account where DNS Firewall is enabled.
3. Click Configurations in the second navigation bar from the top.
4. Click DNS Firewall from the navigation bar on the left side of the UI.
5. Click Add DNS Firewall Cluster.
6. In the Setup a DNS Firewall Cluster popup, enter the DNS Cluster Name.
7. Enter your nameserver IP addresses.
8. Set the Minimum Cache TTL and Maximum Cache TTL that should be respected on any DNS record proxied from your nameservers.
9. Choose whether the DNS Firewall should answer ANY Queries.
The DNS Firewall responds to ANY with the following example HINFO record if the ANY Queries toggle is set to Off:
cloudflare.com. 3788 IN HINFO "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any"
10. Click Continue.
11. Note the Cloudflare-designated IPv4 and IPv6 nameserver addresses within the Your new DNS Firewall IP Addresses window.
12. After waiting one hour:
- Verify that the Cloudflare nameservers respond to DNS queries.
- Confirm the Cloudflare nameservers provide correct DNS responses.
- Switch your nameservers to the new Cloudflare nameserver IP addresses.
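One way to carry out the two verification checks in step 12 before switching, as an added example that is not Cloudflare's own tooling: the script queries your existing nameserver and the new DNS Firewall address with dig and compares the record sets. It assumes dig is installed; the script name, the function names and the argument layout are hypothetical. TTLs are ignored in the comparison on the assumption that the cluster's Minimum and Maximum Cache TTL settings and caching can change them.

```shell
#!/bin/sh
# Added example, not Cloudflare tooling. Requires dig.
# Usage: ./verify-dns-firewall.sh ORIGIN_NS_IP FIREWALL_IP NAME TYPE [NAME TYPE ...]

# Reduce `dig +noall +answer` output (stdin) to a sorted, TTL-free record set.
# Comment lines (";; ...", e.g. timeouts) and blank lines are dropped.
normalize_answer() {
  awk 'NF >= 5 && $1 !~ /^;/ { $1 = tolower($1); $2 = ""; gsub(/[ \t]+/, " "); print }' | sort
}

# Succeed only if the firewall answer is non-empty and equals the origin answer.
answers_match() (
  origin=$(printf '%s\n' "$1" | normalize_answer)
  firewall=$(printf '%s\n' "$2" | normalize_answer)
  [ -n "$firewall" ] && [ "$origin" = "$firewall" ]
)

# Query both servers for one NAME/TYPE pair and report the result.
check_record() (
  origin=$(dig +noall +answer +time=3 +tries=1 "@$1" "$3" "$4")
  firewall=$(dig +noall +answer +time=3 +tries=1 "@$2" "$3" "$4")
  if answers_match "$origin" "$firewall"; then
    echo "OK   $3 $4"
  else
    echo "DIFF $3 $4"
    echo "  origin:   ${origin:-<no answer>}"
    echo "  firewall: ${firewall:-<no answer>}"
    exit 1
  fi
)

# Run only when called with servers and at least one NAME TYPE pair.
if [ "$#" -ge 4 ]; then
  origin_ip=$1; firewall_ip=$2; shift 2; rc=0
  while [ "$#" -ge 2 ]; do
    check_record "$origin_ip" "$firewall_ip" "$1" "$2" || rc=1
    shift 2
  done
  exit "$rc"
fi
```

A non-zero exit status means at least one record was missing or different at the DNS Firewall address, so the nameserver switch in the last bullet should wait until the difference is explained.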
How can I add multiple members to manage the DNS Firewall?
The DNS Firewall supports multi-user access. Contact your Cloudflare account team to enable multi-user access.