Cloudflare Docs
Learning Paths
Secure your Internet traffic and SaaS apps (Learning Path)
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Recommended DNS policies

  3 min read

We recommend you add the following DNS policies to build an Internet and SaaS app security strategy for your organization.

All-DNS-Domain-Allowlist

Allowlist any known domains and hostnames. With this policy, you ensure that your users can access your organization’s domains even if the domains fall under a blocked category, such as Newly Seen Domains or Login Screens.

SelectorOperatorValueLogicAction
Domainin listKnown DomainsOrAllow
Hostin listKnown Domains
Quarantined-Users-DNS-Restricted-Access

Restrict access for users included in an identity provider (IdP) user group for risky users. This policy ensures your security team can restrict traffic for users of whom malicious or suspicious activity was detected.

SelectorOperatorValueLogicAction
Domainin listKnown DomainsOrBlock
Hostin listKnown DomainsAnd
User Group NamesinQuarantined Users
All-DNS-SecurityCategories-Blocklist

Block security categories, such as Command and Control & Botnet and Malware, based on Cloudflare’s threat intelligence.

SelectorOperatorValueAction
Security CategoriesinAll security risksBlock
All-DNS-ContentCategories-Blocklist

Entries in the security risk content subcategory, such as New Domains, do not always pose a security threat. We recommend you first create an Allow policy to track policy matching and identify any false positives. You can add false positives to your Trusted Domains list used in All-DNS-Domain-Allowlist.

After your test is complete, we recommend you change the action to Block to minimize risk to your organization.

SelectorOperatorValueAction
Content CategoriesinSecurity RisksAllow
All-DNS-Application-Blocklist

Block unauthorized applications to limit your users’ access to certain web-based tools and minimize the risk of shadow IT. For example, the following policy blocks popular AI chatbots.

SelectorOperatorValueAction
ApplicationinChatGPT, BardBlock
All-DNS-GeoCountryIP-Blocklist

Block websites hosted in countries categorized as high risk. The designation of such countries may result from your organization’s users or through the implementation of regulations including EAR, OFAC, and ITAR.

SelectorOperatorValueAction
Resolved Country IP GeolocationinAfghanistan, Belarus, Congo (Kinshasa), Cuba, Iran, Iraq, Korea (North), Myanmar, Russian Federation, Sudan, Syria, Ukraine, ZimbabweBlock
All-DNS-DomainTopLevel-Blocklist

Block frequently misused top-level domains (TLDs) to reduce security risks, especially when there is no discernible advantage to be gained from allowing access. Similarly, restricting access to specific country-level TLDs may be necessary to comply with regulations such as OFAC and ITAR.

SelectorOperatorValueAction
Domainmatches regex[.](cn|ru)$ or [.](rest|hair|top|live|cfd|boats|beauty|mom|skin|okinawa)$ or [.](zip|mobi)$Block
All-DNS-DomainPhishing-Blocklist

Block misused domains to protect your users against sophisticated phishing attacks, such as domains that specifically target your organization. For example, the following policy blocks specific keywords associated with an organization or its authentication services (such as okta, 2fa, cloudflare and sso) while still allowing access to known domains.

SelectorOperatorValueLogicAction
Domainnot in listKnown DomainsAndBlock
Domainmatches regex.*okta.*|.*cloudflare.*|.*mfa.*|.sso.*
All-DNS-ResolvedIP-Blocklist

Block specific IP addresses that are malicious or pose a threat to your organization.

You can implement this policy by either creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). Ideally, your CERTs can update the blocklist with an API automation to provide real-time threat protection.

SelectorOperatorValueAction
Resolved IPin listIP BlocklistBlock
All-DNS-DomainHost-Blocklist

Block specific domains or hosts that are malicious or pose a threat to your organization. Like All-DNS-ResolvedIP-Blocklist, this blocklist can be updated manually or via API automation.

SelectorOperatorValueLogicAction
Domainin listDomain BlocklistOrBlock
Hostin listHost BlocklistOr
Hostmatches regex.*example\.com