{"id":1693,"date":"2020-06-08T00:58:14","date_gmt":"2020-06-07T16:58:14","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&#038;p=1693"},"modified":"2026-03-26T12:41:14","modified_gmt":"2026-03-26T04:41:14","slug":"configuring-dns-firewall","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/configuring-dns-firewall","title":{"rendered":"Step-by-Step Configuring DNS Firewall"},"content":{"rendered":"<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Prerequisites<\/h2>\n<\/div>\n<ul>\n<li>Your Cloudflare account team must enable<a href=\"https:\/\/www.cloudflare.com\/dns\/dns-firewall\/\" rel=\"nofollow noopener\" target=\"_blank\">\u00a0<strong>DNS Firewall<\/strong><\/a>\u00a0for your account.<\/li>\n<li>Change the IP addresses of your nameservers.<\/li>\n<\/ul>\n<p>Changing nameserver IP addresses prior to implementing\u00a0<strong>DNS Firewall<\/strong>\u00a0will prevent attacks from circumventing the\u00a0<strong>DNS Firewall<\/strong>.<\/p>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">Configuring DNS Firewall<\/h2>\n<\/div>\n<p>1. Log in to the Cloudflare dashboard.<\/p>\n<p>2. Click the appropriate Cloudflare account where\u00a0<strong>DNS Firewall<\/strong>\u00a0is enabled.<\/p>\n<p>3. Click\u00a0<strong>Configurations<\/strong>\u00a0in the second navigation bar from the top.<\/p>\n<p>4. Click\u00a0<strong>DNS Firewall<\/strong>\u00a0from the navigation bar on the left side of the UI.<\/p>\n<p>5. Click\u00a0<strong>Add DNS Firewall Cluster<\/strong>.<\/p>\n<p>* A\u00a0<strong>DNS Firewall Cluster<\/strong>\u00a0is a group of nameservers that all store the same DNS zone data.<\/p>\n<p>6. In the\u00a0<strong>Setup a DNS Firewall Cluster<\/strong>\u00a0popup, enter the\u00a0<strong>DNS Cluster Name<\/strong>.<\/p>\n<p>7. 
Enter your nameserver\u00a0<strong>IP addresses<\/strong>.<\/p>\n<p>* Cloudflare recommends supplying at least two IPv4 and two IPv6 nameserver IP addresses.<\/p>\n<p>8. Set the\u00a0<strong>Minimum Cache TTL<\/strong>\u00a0and\u00a0<strong>Maximum Cache TTL<\/strong>\u00a0that should be respected on any DNS record proxied from your nameservers.<\/p>\n<p>* Cloudflare recommends a minimum TTL of 30 seconds and a maximum TTL of 1 hour.<\/p>\n<p>9. Choose whether the DNS Firewall should answer\u00a0<strong>ANY Queries<\/strong>.<\/p>\n<p>If the\u00a0<strong>ANY Queries<\/strong>\u00a0toggle is set to\u00a0<em>Off<\/em>, the DNS Firewall responds to ANY queries with an HINFO record, for example:<\/p>\n<pre>cloudflare.com.  3788  IN  HINFO  \"Please stop asking for ANY\" \"See draft-ietf-dnsop-refuse-any\"<\/pre>\n<p>10. Click\u00a0<strong>Continue<\/strong>.<\/p>\n<p>11. Note the Cloudflare-designated IPv4 and IPv6 nameserver addresses within the\u00a0<strong>Your new DNS Firewall IP Addresses<\/strong>\u00a0window.<\/p>\n<p>* Cloudflare\u2019s designated nameserver addresses become effective worldwide after one hour.<\/p>\n<p>12. After waiting one hour:<\/p>\n<ul>\n<li>Verify that the Cloudflare nameservers respond to DNS queries.<\/li>\n<li>Confirm the Cloudflare nameservers provide correct DNS responses.<\/li>\n<li>Switch your nameservers to the new Cloudflare nameserver IP addresses.<\/li>\n<\/ul>\n<hr \/>\n<div class=\"mkb-anchor mkb-clearfix mkb-back-to-top-inline\">\n<h2 class=\"mkb-anchor__title\">How can I add multiple members to manage the DNS Firewall?<\/h2>\n<p>&nbsp;<\/p>\n<\/div>\n<p>The\u00a0<strong>DNS Firewall<\/strong>\u00a0supports multi-user access. 
Contact your Cloudflare account team to enable\u00a0multi-user access.<\/p>\n<p><strong>DNS Administrator<\/strong>\u00a0or\u00a0<strong>Super Administrator<\/strong>\u00a0permissions are required to view and manage the\u00a0<strong>DNS Firewall<\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<p><span data-sheets-root=\"1\">Please refer to the following article to learn more.<br \/>\nKnowledge Base: <a href=\"https:\/\/www.servergigabit.com\/guide\/kb\/understanding-dns-firewall\">Understanding DNS Firewall<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prerequisites Your Cloudflare account team must enable\u00a0DNS Firewall\u00a0for your account. Change the IP addresses of your nameservers. Changing nameserver IP addresses prior to implementing\u00a0DNS Firewall\u00a0will prevent attacks from circumventing the\u00a0DNS Firewall. Configuring DNS Firewall 1. Log in to the Cloudflare dashboard. 2. Click the appropriate Cloudflare account where\u00a0DNS Firewall\u00a0is enabled. 3. Click\u00a0Configurations\u00a0in the second navigation bar from the 
top.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1392],"class_list":["post-1693","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-dns-firewall"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1693","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1693"}],"version-history":[{"count":4,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1693\/revisions"}],"predecessor-version":[{"id":5996,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1693\/revisions\/5996"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1693"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1693"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1693"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}