| title | Setup | |||||
|---|---|---|---|---|---|---|
| pcx_content_type | how-to | |||||
| products |
|
|||||
| sidebar |
|
|||||
| head |
|
|||||
| description | Set up DNS Firewall to protect upstream nameservers from DDoS attacks and reduce load by caching DNS responses. |
import { TabItem, Tabs, DashButton } from "~/components";
Prior to setting up DNS Firewall, you need:
- Account access to DNS Firewall (provided by your Enterprise account team).
- Access to DNS Administrator or Super Administrator privileges on your account.
- Newly updated IP addresses for your nameservers (protects against previously compromised IP addresses).
-
In the Cloudflare dashboard, go to the DNS Firewall Clusters page.
-
Select Add Firewall Cluster.
-
Fill out the required fields, including:
- IP Addresses: The upstream IPv4 and/or IPv6 addresses of your authoritative nameservers.
- Minimum Cache TTL: Recommended setting of 30 seconds.
- Maximum Cache TTL: Recommended setting of 4 hours. Larger values increase the cache hit ratio, but also increase the time required for DNS changes to propagate.
- ANY queries: Recommended setting is Off because these are often used as part of DDoS attacks. Also refer to this blog post.
-
Optionally, configure any of the additional options available on the same form.
-
Select Continue.
-
On the following screen, save the values for Your new DNS Firewall IP Addresses.
:::note[Note:]
If you forget to save your new IP addresses, find your cluster and click IP Addresses.
If you delete your cluster, the assigned set of IPs will be lost. If you recreate the cluster you will get a different set of IPs.
:::
You can also create a DNS Firewall cluster by sending a POST request to the API.
Update the A/AAAA glue records for your nameserver hostnames at your registrar with your DNS Firewall cluster IP addresses.
At your DNS servers, update the A/AAAA records for your nameserver hostnames in your DNS zone file with your DNS Firewall cluster IP addresses.
Confirm that your nameservers are functioning correctly by running a dig command.
Configure security policy in your DNS servers and Firewall to allow only Cloudflare IPs and TCP/UDP port 53.
Beyond the required fields, you can configure the following settings on your DNS Firewall cluster — in the Cloudflare dashboard when you create or edit a cluster, or via the API:
- Rate limit (queries per second per data center).
- Negative cache TTL for
REFUSED,NXDOMAIN, andSERVFAILresponses. - EDNS Client Subnet (ECS) fallback — forward the resolver's IP subnet when the incoming query does not include ECS data. Refer to the FAQ for details.
- Attack mitigation for random prefix attacks.
For the full parameter reference, refer to the Create and Update DNS Firewall Cluster API endpoints.