What is the DNS Firewall?
DNS Firewall (previously known as Virtual DNS) is a DNS proxy that increases performance, security and global distribution for DNS providers, registrars, and enterprises that maintain their own DNS infrastructure.
Cloudflare’s DNS Firewall provides the following benefits while allowing organizations total control over their DNS:
- DDoS mitigation
- High availability
- Global distribution
- DNS caching
- Bandwidth savings
How does the DNS Firewall work?
DNS Firewall proxies DNS requests and protects DNS servers similar to how CloudFlare proxies web requests and protects web servers. The DNS Firewall protects upstream nameservers from DDoS attack and reduces load on upstream nameservers by caching DNS responses in Cloudflare’s global points of presence.
DNS queries destined for the provider’s nameservers are handled as follows:
1. Queries are sent to the Cloudflare point-of-presence closest to the website visitor.
2. Cloudflare will attempt to return the response to the visitor from DNS cache.
3. If cache is not available, Cloudflare will query the provider’s nameservers.
4. Cloudflare will temporarily cache the response for subsequent DNS queries.
Cloudflare can block malicious requests before those requests reach the provider’s nameservers.
How does DNS Firewall choose a backend nameserver to query upstream?
DNS Firewall round robins between a customer’s nameservers. Additionally, the DNS Firewall determines the fastest server from the group of nameservers and factors in this information via an algorithm.
How long does the DNS Firewall cache a stale object?
DNS cache longevity is defined by a set allocated memory. Also, Cloudflare doesn’t push out anything from cache forcefully, even when the TTL expires. This allows Cloudflare to serve stale objects from cache if the origin nameservers are offline.
Does the DNS Firewall cache SERVFAIL?
No. If the customer’s nameservers respond with a SERVFAIL, the DNS Firewall will try again on the next request.
Does the DNS Firewall support EDNS-Client-Subnet?
Yes. Often, DNS providers want to see a client’s IP via EDNS-Client-Subnet because they serve geographically specific DNS answers based on the client’s IP. With EDNS-Client-Subnet enabled, the DNS Firewall will send the client’s IP subnet along with the DNS query to the origin nameserver.
The DNS Firewall does not set the EDNS header, it just forwards EDNS.
When EDNS is enabled, the DNS Firewall gives out the geographically correct answer in cache based on the client IP subnet. To do this, the DNS Firewall segments its cache. For example:
- A resolver says it’s looking for an answer for client 220.127.116.11/24.
- The DNS Firewall will proxy the request to the origin for the answer.
- The DNS Firewall will cache the answer from the origin, but only for that /24.
- 18.104.22.168/24 now asks the same DNS question and the answer is again returned from the origin instead of the cache.
EDNS limits the effectiveness of the DNS cache.
How do I enable EDNS-Client-Subnet?
Enable EDNS at your origin DNS servers. If the DNS Firewall sees a query sent with EDNS-Client-Subnet and the DNS Firewall knows the origin supports it, the DNS Firewall will let the DNS request through. To determine if an origin supports EDNS-Client-Subnet, the DNS Firewall lets such a request through once an hour.
To disable EDNS-Client-Subnet, disable it at your origin DNS servers. The DNS Firewall will detect this change.
How do I enable the DNS Firewall?
The DNS Firewall is an Enterprise product that is available for both existing and new Cloudflare customers.