Adding DNS API calls to secure-internet-traffic learning path

src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-list.mdx

@@ -6,14 +6,55 @@ sidebar:
 
 ---
 
+import { Tabs, TabItem } from "~/components"
+
 In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. An allowlist is a list of allowed domains or IP addresses, such as the domains of essential corporate applications.
 
 Gateway supports creating [lists](/cloudflare-one/policies/gateway/lists/) of URLs, hostnames, or other entries to use in your policies.
 
 ## Example list policy
 
+<Tabs syncKey="dashPlusAPI">
+<TabItem label="Dashboard">
 The following DNS policy will allow access to all approved corporate domains included in a list called **Corporate Domains**.
 
 | Selector | Operator | Value               | Action |
 | -------- | -------- | ------------------- | ------ |
 | Domain   | in list  | *Corporate Domains* | Allow  |
+</TabItem>
+<TabItem label="API">
+	```sh
+curl --request POST \
+  --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+  --header 'Content-Type: application/JSON' \
+  --header "Authorization: Bearer <API TOKEN>" \
+	--data '{
+  "name": "All-DNS-CorporateDomain-AllowList",
+  "description": "Allow access to the corporate domains defined under the Corporate Domains list",
+  "precedence": 1,
+  "enabled": false,
+  "action": "allow",
+  "filters": [
+    "dns"
+  ],
+  "traffic": "any(dns.domains[*] in $<Corporate Domains List UUID>)"
+}'
+
+	```
+</TabItem>
+<TabItem label="Terraform">
+To create a new DNS policy using **Terraform** to allow access to all approved corporate domains included in a list called **Corporate Domains**.
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "allow_corporate_domain_access" {
+  account_id  = var.account_id
+  name        = "All-DNS-CorporateDomain-AllowList"
+  description = "Allow access to the corporate domains defined under the Corporate Domains list"
+  precedence  = 1
+  enabled     = false
+  action      = "allow"
+  filters     = ["dns"]
+  traffic     = "any(dns.domains[*] in $<Corporate Domains List UUID>)"
+}
+```
+</TabItem>
+</Tabs>

src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/create-policy.mdx

@@ -5,14 +5,16 @@ sidebar:
   order: 1
 ---
 
-import { Render } from "~/components";
+import { Tabs, TabItem, Render } from "~/components"
 
 DNS policies determine how Gateway should handle a DNS request. When a user sends a DNS request, Gateway matches the request against your filters and either allows the query to resolve, blocks the query, or responds to the query with a different IP.
 
 You can filter DNS traffic based on query or response parameters (such as domain, source IP, or geolocation). You can also filter by user identity if you connect your devices to Gateway with the [WARP client or Cloudflare One Agent](/learning-paths/secure-internet-traffic/connect-devices-networks/install-agent/).
 
 To create a new DNS policy:
 
+<Tabs syncKey="dashPlusAPI">
+<TabItem label="Dashboard">
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
 2. In the **DNS** tab, select **Add a policy**.
 3. Name the policy.
@@ -25,3 +27,48 @@ To create a new DNS policy:
 6. Select **Create policy**.
 
 For more information, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
+</TabItem>
+<TabItem label="API">
+To create a new DNS policy using **cURL**:
+	```sh
+	curl --request POST \
+	  --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+	  --header 'Content-Type: application/JSON' \
+	  --header "Authorization: Bearer <API_TOKEN>" \
+		--data '{
+		"name": "All-DNS-SecurityCategories-Blocklist",
+			"description": "Block known security risks based on Cloudflare's threat intelligence",
+			"precedence": 0,
+			"enabled": false,
+			"action": "block",
+			"filters": [
+				"dns"
+			],
+			"traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+			"rule_settings": {
+				"block_page_enabled": true,
+				"block_reason": "This domain was blocked due to being classified as a security risk to the organisation"
+				}
+  	}'
+	```
+</TabItem>
+<TabItem label="Terraform">
+To create a new DNS policy using **Terraform**:
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "security_risks_dns_policy" {
+  account_id  = var.account_id
+  name        = "All-DNS-SecurityCategories-Blocklist"
+  description = "Block known security risks based on Cloudflare's threat intelligence"
+  precedence  = 0
+  enabled     = false
+  action      = "block"
+  filters     = ["dns"]
+  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+  rule_settings {
+      block_page_enabled = true
+      block_page_reason = "This domain was blocked due to being classified as a security risk to the organisation"
+    }
+}
+```
+</TabItem>
+</Tabs>

src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx

@@ -6,34 +6,115 @@ sidebar:
 
 ---
 
-import { Details, Render } from "~/components"
+import { Details, Render, Tabs, TabItem } from "~/components"
 
 We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization.
 
 
 <Details header="All-DNS-Domain-Allowlist">
-
+<Tabs syncKey="dashPlusAPI">
 Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization's domains even if the domains fall under a blocked category, such as **Newly Seen Domains** or **Login Screens**.
-
+<TabItem label="Dashboard">
 | Selector | Operator | Value           | Logic | Action |
 | -------- | -------- | --------------- | ----- | ------ |
 | Domain   | in list  | *Known Domains* | Or    | Allow  |
 | Host     | in list  | *Known Domains* |       |        |
-
-
+</TabItem>
+<TabItem label="API">
+```sh
+curl --request POST \
+  --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+  --header 'Content-Type: application/JSON' \
+  --header "Authorization: Bearer <API TOKEN>" \
+	--data '{
+  "name": "All-DNS-Domain-Allowlist",
+  "description": "Organization-wide whitelist. Explicitly allow resolution of these DNS domains",
+  "precedence": 0,
+  "enabled": false,
+  "action": "allow",
+  "filters": [
+    "dns"
+  ],
+  "traffic": "any(dns.domains[*] in $<Global Whitelist UUID>) or dns.fqdn in $<Global Whitelist UUID>"
+}'
+```
+</TabItem>
+<TabItem label="Terraform">
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "dns_whitelist_policy" {
+  account_id  = var.account_id
+  name        = "All-DNS-Domain-Allowlist"
+  description = "Organization-wide whitelist. Explicitly allow resolution of these DNS domains"
+  precedence  = 0
+  enabled     = false
+  action      = "allow"
+  filters     = ["dns"]
+  traffic     = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}) or dns.fqdn in ${"$"}${cloudflare_zero_trust_list.domain_whitelist.id}"
+}
+```
+</TabItem>
+</Tabs>
 </Details>
 
 
 <Details header="Quarantined-Users-DNS-Restricted-Access">
 
 <Render file="zero-trust/blocklist-restricted-users" />
-
-| Selector         | Operator | Value               | Logic | Action |
-| ---------------- | -------- | ------------------- | ----- | ------ |
-| Domain           | in list  | *Known Domains*     | Or    | Block  |
-| Host             | in list  | *Known Domains*     | And   |        |
-| User Group Names | in       | *Quarantined Users* |       |        |
-
+<Tabs>
+<TabItem label="Dashboard">
+| Selector         | Operator			| Value															| Logic | Action |
+| ---------------- | ------------ | --------------------------------- | ----- | ------ |
+| Domain           | not in list  | *Allowed Remediation Domains*     | Or    | Block  |
+| Host             | not in list  | *Allowed Remediation Domains*     | And   |        |
+| User Group Names | in						| *Quarantined Users*								|       |        |
+</TabItem>
+<TabItem label="API">
+```sh
+curl --request POST \
+  --URL https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
+  --header 'Content-Type: application/JSON' \
+  --header "Authorization: Bearer <API TOKEN>" \
+	--data '{
+  "name": "Quarantined-Users-DNS-Restricted-Access",
+  "description": "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture",
+  "precedence": 10,
+  "enabled": false,
+  "action": "block",
+  "filters": [
+    "dns"
+  ],
+	"traffic": "not(any(dns.domains[*] in $<Allowed Remediation Domains list UUID>)) or not(any(dns.domains[*] in $<Allowed Remediation Domains list UUID>))",
+  "identity": "any(identity.groups.name[*] in {\"Quarantined Users\"})",
+	"rule_settings": {
+    "block_page_enabled": true,
+    "notification_settings": {
+      "enabled": true
+    }
+	}'
+```
+</TabItem>
+<TabItem label="Terraform">
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users" {
+  account_id  = var.account_id
+  name        = "Quarantined-Users-DNS-Restricted-Access"
+  description = "Restrict quarantined users traffic to corporate policy remediation domains, so that quarantined users can obtain help and/or remediate their security posture"
+  precedence  = 10
+  enabled     = false
+  action      = "block"
+  filters     = ["dns"]
+  traffic     = "not(any(dns.domains[*] in $<Allowed Remediation Domains list UUID>)) or not(any(dns.domains[*] in $<Allowed Remediation Domains list UUID>))"
+	identity		=	"any(identity.groups.name[*] in {\"Quarantined Users\"})"
+	rule_settings {
+			block_page_enabled = true
+			notification_settings {
+					enabled = true
+				}
+		}
+}
+```
+</TabItem>
+</Tabs>
 
 </Details>
 
@@ -120,4 +201,4 @@ Block specific IP addresses that are malicious or pose a threat to your organiza
 <Render file="zero-trust/blocklist-domain-host" params={{ one: "DNS" }} />
 
 
-</Details>
+</Details>