{"id":1691,"date":"2020-06-08T00:54:03","date_gmt":"2020-06-07T16:54:03","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&#038;p=1691"},"modified":"2026-01-12T13:39:14","modified_gmt":"2026-01-12T05:39:14","slug":"understanding-dns-firewall","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/understanding-dns-firewall","title":{"rendered":"Understanding DNS Firewall"},"content":{"rendered":"<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/cf-assets.www.cloudflare.com\/slt3lc6tev37\/4d5FOMGmOZuI85eO3xFMcX\/4a35297e8ed24b8996a62c941e11c8d8\/Advanced_DNS_protection.png\" alt=\"DNS Firewall\" width=\"2400\" height=\"1350\" \/><\/h2>\n<h2 class=\"mkb-anchor__title\">What is the DNS Firewall?<\/h2>\n<\/div>\n<p><a href=\"https:\/\/www.cloudflare.com\/dns\/dns-firewall\/\" rel=\"nofollow noopener\" target=\"_blank\"><strong>DNS Firewall<\/strong><\/a>\u00a0(previously known as Virtual DNS) is a DNS proxy that increases performance, security and global distribution for DNS providers, registrars, and enterprises that maintain their own DNS infrastructure.<\/p>\n<p>Cloudflare\u2019s\u00a0<strong>DNS Firewall<\/strong>\u00a0provides the following benefits while allowing organizations total control over their DNS:<\/p>\n<ul>\n<li>DDoS mitigation<\/li>\n<li>High availability<\/li>\n<li>Reliability<\/li>\n<li>Global distribution<\/li>\n<li>DNS caching<\/li>\n<li>Bandwidth savings<\/li>\n<\/ul>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How does the DNS Firewall\u00a0work?<\/h2>\n<\/div>\n<p><strong>DNS Firewall<\/strong>\u00a0proxies DNS requests and protects DNS servers in the same way that Cloudflare proxies web requests and protects web servers. 
\u00a0The\u00a0<strong>DNS Firewall<\/strong> protects upstream nameservers from DDoS attacks and reduces their load by caching DNS responses in Cloudflare\u2019s global points of presence.<\/p>\n<p>DNS queries destined for the provider\u2019s nameservers are handled as follows:<\/p>\n<ol>\n<li>Queries are sent to the Cloudflare point of presence closest to the website visitor.<\/li>\n<li>Cloudflare attempts to answer the visitor from its DNS cache.<\/li>\n<li>If the response is not in cache, Cloudflare queries the provider\u2019s nameservers.<\/li>\n<li>Cloudflare temporarily caches the response for subsequent DNS queries.<\/li>\n<\/ol>\n<p>Cloudflare can block malicious requests before those requests reach the provider\u2019s nameservers.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How does DNS Firewall\u00a0choose a backend nameserver to query upstream?<\/h2>\n<p><strong>DNS Firewall<\/strong>\u00a0round-robins between a customer\u2019s nameservers. Additionally, the\u00a0<strong>DNS Firewall<\/strong>\u00a0measures which nameserver in the group responds fastest and factors that measurement into its selection algorithm.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How long does the DNS Firewall cache a stale object?<\/h2>\n<\/div>\n<p>DNS cache retention is bounded by a fixed memory allocation rather than by record TTL: Cloudflare does not forcibly evict entries from cache, even when the TTL expires. 
\u00a0This allows Cloudflare to serve stale objects from cache if the origin nameservers are offline.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Does the DNS Firewall cache SERVFAIL?<\/h2>\n<\/div>\n<p>No. If the customer\u2019s nameservers respond with a SERVFAIL, the\u00a0<strong>DNS Firewall<\/strong>\u00a0will query them again on the next request.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Does the\u00a0DNS Firewall support EDNS-Client-Subnet?<\/h2>\n<\/div>\n<p>Yes. DNS providers often want to see a client\u2019s IP via EDNS-Client-Subnet because they serve geographically specific DNS answers based on the client\u2019s IP. With EDNS-Client-Subnet enabled, the DNS Firewall sends the client\u2019s IP subnet along with the DNS query to the origin nameserver.<\/p>\n<p>The DNS Firewall\u00a0does not add an EDNS-Client-Subnet option itself; it only forwards the one already present in the query.<\/p>\n<p>When EDNS-Client-Subnet is enabled, the\u00a0<strong>DNS Firewall<\/strong>\u00a0serves the geographically correct cached answer for the client IP subnet. To do this, the DNS Firewall segments its cache by subnet. 
For example:<\/p>\n<ol>\n<li>A resolver says it\u2019s looking for an answer for client 1.2.3.0\/24.<\/li>\n<li>The\u00a0<strong>DNS Firewall<\/strong>\u00a0proxies the request to the origin for the answer.<\/li>\n<li>The\u00a0<strong>DNS Firewall<\/strong>\u00a0caches the answer from the origin, but only for that \/24.<\/li>\n<li>A resolver acting for 1.2.9.0\/24 now asks the same DNS question; because the cached answer is scoped to 1.2.3.0\/24, the answer is again fetched from the origin instead of the cache.<\/li>\n<\/ol>\n<p>Because each client subnet gets its own cache entry, EDNS-Client-Subnet reduces the cache hit rate and so limits the effectiveness of the DNS cache.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How do I enable\u00a0EDNS-Client-Subnet?<\/h2>\n<p>Enable EDNS-Client-Subnet at your origin DNS servers. If the <strong>DNS Firewall<\/strong> sees a query sent with EDNS-Client-Subnet and knows the origin supports it, it will let the DNS request through. To determine whether an origin supports EDNS-Client-Subnet, the\u00a0<strong>DNS Firewall<\/strong>\u00a0lets one such request through to the origin once an hour.<\/p>\n<\/div>\n<p>To disable EDNS-Client-Subnet, disable it at your origin DNS servers. 
The\u00a0<strong>DNS Firewall<\/strong>\u00a0will detect this change.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How do I enable the DNS Firewall?<\/h2>\n<\/div>\n<p>The\u00a0<strong>DNS Firewall<\/strong>\u00a0is an Enterprise product that is available to both existing and new Cloudflare customers.<\/p>\n<p>Contact our sales team:<br \/>\n+1 888 99 FLARE<br \/>\nor fill out our\u00a0Enterprise Solutions Form.<\/p>\n<p>&nbsp;<\/p>\n<p>If you need step-by-step instructions for configuring DNS Firewall, please refer to <a href=\"https:\/\/www.servergigabit.com\/guide\/kb\/configuring-dns-firewall\">this article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is the DNS Firewall? DNS Firewall\u00a0(previously known as Virtual DNS) is a DNS proxy that increases performance, security and global distribution for DNS providers, registrars, and enterprises that maintain their own DNS infrastructure. 
Cloudflare\u2019s\u00a0DNS Firewall\u00a0provides the following benefits while allowing organizations total control over their DNS: DDoS mitigation High availability Reliability Global distribution DNS caching Bandwidth savings How does&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1392],"class_list":["post-1691","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-dns-firewall"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1691"}],"version-history":[{"count":4,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1691\/revisions"}],"predecessor-version":[{"id":5998,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1691\/revisions\/5998"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1691"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1691"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}