Adding DNS API calls to secure-internet-traffic learning path #18388
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,14 +5,16 @@ sidebar: | |
| order: 1 | ||
| --- | ||
|
|
||
| import { Tabs, TabItem, Render } from "~/components" | ||
|
|
||
| DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP. | ||
|
|
||
| You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/). | ||
|
|
||
| To create a new DNS policy: | ||
|
|
||
| <Tabs syncKey="dashPlusAPI"> | ||
| <TabItem label="Dashboard"> | ||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**. | ||
| 2. In the **DNS** tab, select **Add a policy**. | ||
| 3. Name the policy. | ||
|
|
@@ -25,3 +27,48 @@ To create a new DNS policy: | |
| 6. Select **Create policy**. | ||
|
|
||
| For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/). | ||
| </TabItem> | ||
| <TabItem label="API"> | ||
|
There was a problem hiding this comment. I investigated if it was possible to add this to the partial referenced for the dashboard (gateway/policies/block-security-categories), however, this partial is being re-used for HTTP and DNS policies. Considering that in the API/Terraform you need different wirefilter expressions for HTTP and DNS, I would love to know if there's a way to modify the partial so that it also contains the API and Terraform code when it's inserted. There was a problem hiding this comment. Files that reference the mentioned partial: There was a problem hiding this comment. You can create flexible partials that accept parameters for different use cases (e.g. if a selector is used in both DNS and HTTP policies, you can use either |
||
| To create a new DNS policy using **cURL**: | ||
| ```sh | ||
| curl --request POST \ | ||
| --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ | ||
| --header 'Content-Type: application/json' \ | ||
| --header "Authorization: Bearer <API_TOKEN>" \ | ||
| --data '{ | ||
| "name": "All-DNS-SecurityCategories-Blocklist", | ||
| "description": "Block known security risks based on Cloudflare's threat intelligence", | ||
| "precedence": 0, | ||
| "enabled": false, | ||
| "action": "block", | ||
| "filters": [ | ||
| "dns" | ||
| ], | ||
| "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})", | ||
| "rule_settings": { | ||
| "block_page_enabled": true, | ||
| "block_reason": "This domain was blocked due to being classified as a security risk to the organisation" | ||
| } | ||
| }' | ||
| ``` | ||
| </TabItem> | ||
| <TabItem label="Terraform"> | ||
| To create a new DNS policy using **Terraform**: | ||
| ```tf | ||
| resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" { | ||
| account_id = var.account_id | ||
| name = "All-DNS-SecurityCategories-Blocklist" | ||
| description = "Block known security risks based on Cloudflare's threat intelligence" | ||
| precedence = 0 | ||
| enabled = false | ||
| action = "block" | ||
| filters = ["dns"] | ||
| traffic = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})" | ||
| rule_settings { | ||
| block_page_enabled = true | ||
| block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation" | ||
| } | ||
| } | ||
| ``` | ||
| </TabItem> | ||
| </Tabs> | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,21 +6,54 @@ sidebar: | |
|
|
||
| --- | ||
|
|
||
| import { Details, Render, Tabs, TabItem } from "~/components" | ||
|
|
||
| We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization. | ||
|
|
||
|
|
||
| <Details header="All-DNS-Domain-Allowlist"> | ||
| <Tabs syncKey="dashPlusAPI"> | ||
| Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**. | ||
| <TabItem label="Dashboard"> | ||
| | Selector | Operator | Value | Logic | Action | | ||
| | -------- | -------- | --------------- | ----- | ------ | | ||
| | Domain | in list | *Known Domains* | Or | Allow | | ||
| | Host | in list | *Known Domains* | | | | ||
| </TabItem> | ||
| <TabItem label="API"> | ||
| ```sh | ||
| curl --request POST \ | ||
| --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \ | ||
| --header 'Content-Type: application/json' \ | ||
| --header "Authorization: Bearer <API TOKEN>" \ | ||
| --data '{ | ||
| "name": "All-DNS-Domain-Allowlist", | ||
| "description": "Organization-wide whitelist. Explicitly allow resolution of these DNS domains", | ||
| "precedence": 0, | ||
| "enabled": false, | ||
| "action": "allow", | ||
| "filters": [ | ||
| "dns" | ||
| ], | ||
| "traffic": "any(dns.domains[*] in $<Global Whitelist UUID>) or dns.fqdn in $<Global Whitelist UUID>" | ||
| }' | ||
| ``` | ||
| </TabItem> | ||
| <TabItem label="Terraform"> | ||
| ```tf | ||
| resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" { | ||
| account_id = var.account_id | ||
| name = "All-DNS-Domain-Allowlist" | ||
| description = "Organization-wide whitelist. Explicitly allow resolution of these DNS domains" | ||
| precedence = 0 | ||
| enabled = false | ||
| action = "allow" | ||
| filters = ["dns"] | ||
| traffic = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}" | ||
| } | ||
| ``` | ||
| </TabItem> | ||
| </Tabs> | ||
| </Details> | ||
|
|
||
|
|
||
|
|
@@ -120,4 +153,4 @@ Block specific IP addresses that are malicious or pose a threat to your organiza | |
| <Render file="zero-trust/blocklist-domain-host" params={{ one: "DNS" }} /> | ||
|
|
||
|
|
||
| </Details> | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issues:
Fix Explanation:
The style guide suggests using 'URL' instead of 'url'. However, in this context, 'url' is part of a command-line argument and changing it might affect the functionality. Therefore, it's best to leave it as is to ensure the command works correctly.