How do you prevent malicious traffic from reaching your site? Find out how Cloudflare Gateway DNS filtering answers that question!
Cloudflare Gateway DNS Filtering
Gateway DNS is a new feature we are introducing today. It’s a DNS-layer protection service that works alongside our existing firewall (globally and on a per-zone basis), and the existing reverse proxy. The idea is to extend the benefits of our firewall and reverse proxy to any application or device on your network, beyond the browser.
Cloudflare DNS Web Filtering works by returning a “page not found” error when any content with words or phrases specified in the filtering policy is requested. While this is not as robust as a fully-featured web filtering solution, it does allow you to block access to sites with inappropriate content while still allowing access to sites without the content you want blocked.
There are two flavors of Gateway DNS: Basic and Advanced. The most important difference between them is that Advanced allows you to specify custom patterns that match against DNS query types such as A, AAAA, MX, NS, TXT, and SOA.
Basic Gateway DNS matches against the A record only. You can configure it to block all traffic. We have created a one-click install for Cloudflare Business customers on our Business Control Panel. All customers will be able to quickly install via the Cloudflare dashboard in the coming weeks.
DNS Content Filtering for CIPA Compliance
DNS Content Filtering is a new service we are introducing that helps customers meet the requirements of the Children’s Internet Protection Act (CIPA). CIPA requires schools and libraries that receive E-rate discounts to install technology protection measures (TPMs) to filter Internet access for minors. Cloudflare’s CIPA compliance service adds a DNS record that points to a third-party content filter.
This is a list of words or phrases, chosen by you, that aren’t served by Cloudflare. For example, if your website is about “dogs” and you want to block content about “cats,” you can create a DNS record that points to a third-party content filter. We don’t host the content filter ourselves; it is hosted by an independent company.
This company also provides ways for customers to subscribe so they can be notified of changes as needed. This service is free for all Cloudflare Business customers, and it’s another area where we want to help protect our customers from online threats.
The best part about this new tool is that it is essentially plug-and-play! If you have a website and are using Cloudflare, you can start using this service immediately.
How Does DNS Content Filtering Work?
DNS Content Filtering uses a combination of a tagging framework and a whitelist to block access to specific DNS domains. This approach allows for a lot of flexibility when creating content filters. The tagging framework allows you to define a set of tags for each domain you want to block.
You can then use these tags in a whitelist to control which domains can be accessed on your network. This means that you do not need to create lists of domains directly. Cloudflare will automatically tag domains on our network as they come online.
The tags are based on categories that make sense in the context of schools and libraries. You can see the complete set of tags here.
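As an added illustration (not Cloudflare's code and not part of the original page), the following Python models the tag-plus-whitelist decision described above, including how a subdomain inherits the tags of its closest tagged parent. The domain names, the tags, the rule that every tag on a domain must be whitelisted, and the default-deny handling of untagged names are assumptions made for the example.

```python
# Added illustration: tag-based DNS whitelist evaluated per query name.
# All domains, tags and policy choices here are constructed sample data.

DOMAIN_TAGS = {
    "encyclopedia.example": {"education", "reference"},
    "games.example": {"gaming"},
    "video.example": {"streaming", "education"},
    "kids.video.example": {"education"},  # more specific entry overrides parent
}

ALLOWED_TAGS = {"education", "reference"}


def normalize(qname):
    """Lower-case and drop the trailing root dot so lookups are canonical."""
    return qname.strip().rstrip(".").lower()


def tags_for(qname, domain_tags=DOMAIN_TAGS):
    """Return the tags of the most specific tagged suffix, or None if untagged."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domain_tags:
            return domain_tags[candidate]
    return None


def decide(qname, allowed=ALLOWED_TAGS, domain_tags=DOMAIN_TAGS):
    """Return (verdict, reason) for a query name.

    Assumed policy: a name resolves only if every one of its tags is
    whitelisted. Untagged names are blocked (default deny), so a domain
    that has not been categorised yet cannot slip past the filter.
    """
    tags = tags_for(qname, domain_tags)
    if tags is None:
        return ("BLOCK", "untagged")
    disallowed = sorted(tags - allowed)
    if disallowed:
        return ("BLOCK", "tag:" + ",".join(disallowed))
    return ("ALLOW", "tags:" + ",".join(sorted(tags)))


if __name__ == "__main__":
    for name in ("Encyclopedia.Example.", "www.games.example",
                 "video.example", "cdn.kids.video.example", "new-site.example"):
        print(name, decide(name))
```

The default-deny branch is the part to review when adapting this: switching it to allow turns the whitelist into a blocklist and lets newly registered, not-yet-tagged domains resolve.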