How to set up the DNS Firewall:
First of all, welcome to the DNS Firewall! Here are the steps for how to get started.
Before you begin, you may want to change the IP addresses of your nameservers to brand new IP addresses. The reason to do that is to prevent any attacker from circumventing the DNS Firewall and targeting your nameservers directly. You want to make sure all of your traffic has to go through the DNS Firewall to reach your nameservers.
The next thing you will want to do is log in to the DNS Firewall management panel, available in the CloudFlare dashboard. Your account team at CloudFlare will have enabled that for your account when you signed up for the DNS Firewall.
To log in, go to cloudflare.com/login. Next, find your user email or username in the top right corner, and click on that. That will bring up a menu of accounts you are a part of.
Click on the account you use the DNS Firewall in. It may be in “My Settings” if Virtual DNS is in your personal account, or it may be under an organization’s settings if you use Virtual DNS for an organization.
Now click on the DNS Firewall tab in your account settings.
The DNS Firewall works on a “cluster” basis. A cluster is a group of nameservers that all store the same DNS zone data.
To add your first DNS cluster, click the “Add DNS Firewall Cluster” button.
A modal will pop up with a form you will need to fill in. The first field you will need to enter is a name for the DNS cluster. The name will appear inside your DNS Firewall management panel for your reference.
Next, enter your nameserver IP addresses. This will tell CloudFlare where to find your nameservers to fetch DNS answers from.
Next, set the minimum and maximum cache TTL that the DNS Firewall should respect on any DNS record it proxies from your nameservers. The DNS Firewall will respect any TTL on the DNS records within the boundaries you set. We recommend a minimum of 30 seconds and a maximum of 1 hour.
Then, choose whether you want the DNS Firewall to answer ANY queries. If the ANY Query toggle is set to “off”, then the DNS Firewall will refuse ANY queries and instead respond to ANY with an HINFO record like this:
cloudflare.com. 3788 IN HINFO "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any"
This is in accordance with the IETF Internet Draft, “Providing Minimal-Sized Responses to DNS Queries with QTYPE=ANY”.
Once you are done, click ‘continue’.
On the following page, you will see the new DNS Firewall IP addresses that CloudFlare has assigned to your nameservers. They will take one hour to take effect worldwide.
After you wait one hour, you can test that the addresses work by running DNS lookups against them for domains hosted on your nameservers and confirming that you get correct responses.
Once you have verified that the IPs are working, you may switch your nameservers to use these new IP addresses. This will start your DNS traffic flowing through the DNS Firewall.
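One way to make that test repeatable, as an added example that is not Cloudflare's code: it parses DNS wire-format replies (the bytes you get back from a UDP query to the new addresses) and checks that the answer is successful, that every TTL lies inside the 30 second / 1 hour bounds recommended above, and that an ANY query comes back as the HINFO refusal rather than a full record dump. The sample packets, the example.com names and the 192.0.2.10 address are constructed here, not captured from real traffic.

```python
import struct
MIN_TTL, MAX_TTL = 30, 3600               # the TTL bounds recommended in the setup steps above
TYPE_A, TYPE_HINFO, TYPE_ANY = 1, 13, 255

def _read_name(msg, off):                 # decode a DNS name at off, following compression pointers
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:             # pointer: remember where the original sequence ended
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_response(msg):                  # -> (rcode, [(name, rtype, ttl, rdata), ...]) from the answer section
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    off = 12
    for _ in range(qd):                   # skip the question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen])); off += rdlen
    return flags & 0xF, answers

def check_firewall_answer(msg, qtype):
    """The checks to run on a reply from the new DNS Firewall IPs before switching nameservers."""
    rcode, answers = parse_response(msg)
    result = {"rcode_ok": rcode == 0,
              "ttl_in_bounds": all(MIN_TTL <= ttl <= MAX_TTL for _, _, ttl, _ in answers)}
    if qtype == TYPE_ANY:                 # expect the HINFO refusal, not a dump of every record
        result["any_refused"] = any(rtype == TYPE_HINFO for _, rtype, _, _ in answers)
    return result

def build_response(qname, qtype, rrs):    # constructed reply for testing, not captured traffic
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + name + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in rrs:         # answer names point back at the question name (0xC00C)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

# Constructed samples: a normal A answer and the HINFO reply the Firewall gives to ANY.
A_REPLY = build_response("www.example.com.", TYPE_A, [(TYPE_A, 300, bytes([192, 0, 2, 10]))])
HINFO = b"".join(bytes([len(s)]) + s for s in (b"Please stop asking for ANY", b"See draft-ietf-dnsop-refuse-any"))
ANY_REPLY = build_response("example.com.", TYPE_ANY, [(TYPE_HINFO, 1800, HINFO)])
```

A TTL above the maximum you configured in a reply from the new addresses is a sign the query did not actually pass through the DNS Firewall, which is exactly what this test is meant to catch before you switch over.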
That’s it! Welcome to the DNS Firewall.
How can I add multiple members of my team to manage the DNS Firewall?
The DNS Firewall dashboard supports multi-user access. To get multi-user enabled for your account, reach out to your account team at CloudFlare and they can enable it for you.
Once the DNS Firewall is enabled for your account, you can add members of your team to manage the DNS Firewall together.
To do so, log in to the CloudFlare dashboard at cloudflare.com/login. Click on your user email or username in the upper right corner, and select the multi-user organization you use for the DNS Firewall.
Now that you are in that organization’s settings, click on the “Members” tab.
You can add members to your team by typing in their email addresses and clicking “invite”.
Members need DNS Administrator or Super Administrator permission to be able to see and manage the DNS Firewall.
If you would like to additionally require two-factor authentication for all users in that organization, click on the “Organization” tab, and click “Require Two-Factor”.