Adding DNS API calls to secure-internet-traffic learning path #18388

Draft
wants to merge 23 commits into
base: production
9279651
Initial code commit
tcerqueira-cf Nov 23, 2024
3c7697a
Fixed typos
tcerqueira-cf Nov 25, 2024
09414ca
Added terraform code
tcerqueira-cf Nov 25, 2024
e3975b6
Fixed typo
tcerqueira-cf Nov 25, 2024
0a78d47
Added API and Terraform code to create the allow list policy
tcerqueira-cf Nov 27, 2024
19c71bf
Added terraform and API code for the All-DNS-Domain-Allowlist rule
tcerqueira-cf Nov 27, 2024
566551a
Fixed JSON capitalization
tcerqueira-cf Nov 27, 2024
2a360ce
Fixed missing import
tcerqueira-cf Nov 27, 2024
5c42de6
Fixed styling issue
tcerqueira-cf Nov 27, 2024
df6ab87
Added API and terraform code for Quarantined users restricted access …
tcerqueira-cf Nov 27, 2024
141c95a
Fixed typo
tcerqueira-cf Nov 27, 2024
f0dc556
Added terraform and API code for the country geolocation block rule
tcerqueira-cf Nov 27, 2024
4ac36e6
Added Terraform and API code for the misused TLD block rule
tcerqueira-cf Nov 27, 2024
16c8ba0
Fixed small typo
tcerqueira-cf Nov 27, 2024
f8199f5
Added terraform and API code for the Domain Phishing block rule
tcerqueira-cf Nov 28, 2024
dbf54f2
Added tf and API code for the DNS Resolved IP Blocklist rule
tcerqueira-cf Nov 28, 2024
a061c44
Modified enforce-device-posture partial to add terraform and API code
tcerqueira-cf Nov 28, 2024
1ab4823
Fixed typo
tcerqueira-cf Nov 28, 2024
a15df8f
Fixed typo
tcerqueira-cf Nov 28, 2024
a977605
Fixed small typo
tcerqueira-cf Nov 28, 2024
0adca5b
Fixed typo
tcerqueira-cf Nov 28, 2024
7f40cc7
Merge branch 'production' into origin/tcerqueira/defense-in-depth-api…
maxvp Dec 30, 2024
95be41f
Fix formatting
maxvp Dec 30, 2024
Expand Up @@ -3,17 +3,66 @@ title: Create an allowlist or blocklist
pcx_content_type: learning-unit
sidebar:
order: 2

---

import { Tabs, TabItem } from "~/components";

In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications.

Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies.

## Example list policy

<Tabs syncKey="dashPlusAPI">

<TabItem label="Dashboard">

The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**.

| Selector | Operator | Value | Action |
| -------- | -------- | ------------------- | ------ |
| Domain | in list | *Corporate Domains* | Allow |
| Domain | in list | _Corporate Domains_ | Allow |

</TabItem>

<TabItem label="API">

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/JSON' \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "All-DNS-CorporateDomain-AllowList",
"description": "Allow access to the corporate domains defined under the Corporate Domains list",
"precedence": 1,
"enabled": true,
"action": "allow",
"filters": [
"dns"
],
"traffic": "any(dns.domains[*] in $<CORPORATE_DOMAINS_LIST_UUID>)"
}'
```

</TabItem>

<TabItem label="Terraform">

To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**.

```tf
resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" {
account_id = var.account_id
name = "All-DNS-CorporateDomain-AllowList"
description = "Allow access to the corporate domains defined under the Corporate Domains list"
precedence = 1
enabled = false
action = "allow"
filters = ["dns"]
traffic = "any(dns.domains[*] in $<Corporate Domains List UUID>)"
}
```

</TabItem>

</Tabs>
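Review bot: the Terraform example sets `enabled = false` while the API example in the same hunk sends `"enabled": true` and the Dashboard text says the policy will allow access to the listed domains; unless the Terraform variant is meant to be created disabled, change it to `enabled = true` so the three tabs describe the same policy. Two smaller points: the list placeholder is `$<CORPORATE_DOMAINS_LIST_UUID>` in the curl call but `$<Corporate Domains List UUID>` in Terraform, so pick one form (the no-spaces one survives copy-paste into a traffic expression better), and `Content-Type: application/JSON` should be the conventional lowercase `application/json`. The Terraform lead-in "To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**." is a sentence fragment; ending it with a colon like the API tab, or rewriting it as "The following Terraform resource creates a DNS policy that allows access to ...", would read better.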
Expand Up @@ -5,10 +5,81 @@ sidebar:
order: 1
---

import { Render } from "~/components";
import { Render, Tabs, TabItem } from "~/components";

DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.

You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/).

<Render file="gateway/get-started/create-dns-policy" product="cloudflare-one" />
To create a new DNS policy:

<Tabs syncKey="dashPlusAPI">

<TabItem label="Dashboard">

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
2. In the **DNS** tab, select **Add a policy**.
3. Name the policy.
4. Under **Traffic**, build a logical expression that defines the traffic you want to allow or block.
5. Choose an **Action** to take when traffic matches the logical expression. For example, we recommend adding a policy to block all [security categories](/cloudflare-one/policies/gateway/domain-categories/#security-categories):
<Render
file="gateway/policies/block-security-categories"
product="cloudflare-one"
/>
6. Select **Create policy**.

For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).

</TabItem>

<TabItem label="API">
Author

I investigated whether it was possible to add this to the partial referenced for the dashboard (gateway/policies/block-security-categories); however, this partial is being reused for HTTP and DNS policies. Considering that in the API/Terraform you need different wirefilter expressions for HTTP and DNS, I would love to know if there's a way to modify the partial so that it also contains the API and Terraform code when it's inserted.
Following up on this note: on the DNS policies, the selector is in fact "Security Categories", while in the HTTP tab the selector is "Security Risks". I'm not sure if this alone warrants splitting this partial into one that is applied to DNS and another that is applied to HTTP, in which case it would then make sense to add the API and TF code for the respective traffic type.

Author

Files that reference the mentioned partial:
src/content/docs/cloudflare-one/policies/gateway/initial-setup/http.mdx
src/content/docs/cloudflare-one/policies/gateway/initial-setup/dns.mdx
src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-create-test-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/test-policy.mdx
src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
src/content/partials/cloudflare-one/gateway/policies/recommended-dns-policies.mdx

Contributor

You can create flexible partials that accept parameters for different use cases (e.g. if a selector is used in both DNS and HTTP policies, you can use either dns or http.conn in the API value depending on the page). Since the API sections are much longer than a string, it may be easier to break them out into their own partials.


To create a new DNS policy using cURL:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
--header 'Content-Type: application/JSON' \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"name": "All-DNS-SecurityCategories-Blocklist",
"description": "Block known security risks based on Cloudflare's threat intelligence",
"precedence": 0,
"enabled": true,
"action": "block",
"filters": [
"dns"
],
"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
"rule_settings": {
"block_page_enabled": true,
"block_reason": "This domain was blocked due to being classified as a security risk to your organization"
}
}'
```

</TabItem>

<TabItem label="Terraform">

To create a new DNS policy using **Terraform**:

```tf
resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" {
account_id = var.account_id
name = "All-DNS-SecurityCategories-Blocklist"
description = "Block known security risks based on Cloudflare's threat intelligence"
precedence = 0
enabled = true
action = "block"
filters = ["dns"]
traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
rule_settings {
block_page_enabled = true
block_page_reason = "This domain was blocked due to being classified as a security risk to your organization"
}
}
```

</TabItem>

</Tabs>
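Review bot: the curl example's `--data` payload is wrapped in single quotes, but the description `"Block known security risks based on Cloudflare's threat intelligence"` contains an apostrophe, which terminates the single-quoted argument early, so the command as written fails or sends a malformed body. Either drop the apostrophe (for example "based on Cloudflare threat intelligence", which also keeps the wording in sync with the Terraform tab) or escape it in the shell as `Cloudflare'\''s`. Also in this hunk: the API example uses `rule_settings.block_reason` while the Terraform resource uses `block_page_reason`; if that reflects the two schemas it is fine, but it is worth confirming against the provider documentation so it does not read as a typo, and `Content-Type: application/JSON` should be lowercase `application/json` as in the other file.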