<h1>Understanding DNS Firewall</h1>
<p>Knowledge base article, https://www.mondoze.com/guide/kb/understanding-dns-firewall. Published 2019-10-22, last modified 2022-10-05.</p>
<h2>What is the DNS Firewall?</h2>
<p><strong>DNS Firewall</strong> (previously known as Virtual DNS) is Cloudflare's DNS proxy for DNS providers, registrars and enterprises that run their own authoritative DNS infrastructure. It sits in front of the customer's nameservers and adds performance, security and global distribution without taking over the zone data.</p>
<p>Cloudflare's <strong>DNS Firewall</strong> provides the following benefits while leaving the organization in full control of its DNS:</p>
<ul><li>DDoS mitigation</li><li>High availability</li><li>Reliability</li><li>Global distribution</li><li>DNS caching</li><li>Bandwidth savings</li></ul>
<hr />
<h3><strong>How does the DNS Firewall work?</strong></h3>
<p><strong>DNS Firewall</strong> proxies DNS queries and protects DNS servers in the same way that Cloudflare proxies web requests and protects web servers. It shields the upstream nameservers from DDoS attacks and reduces their load by caching DNS responses at Cloudflare's global points of presence.</p>
<p><img src="https://www.mondoze.com/guide/wp-content/uploads/2021/03/dns-300x84.png" alt="" width="300" height="84" /></p>
<p>DNS queries destined for the provider's nameservers are handled as follows:</p>
<ol>
<li>The query is sent to the Cloudflare point of presence closest to the querying party (typically the visitor's recursive resolver).</li>
<li>Cloudflare tries to answer the query from its DNS cache.</li>
<li>On a cache miss, Cloudflare queries the provider's nameservers.</li>
<li>Cloudflare caches the response for subsequent queries.</li>
</ol>
<p>Because every query passes through Cloudflare first, malicious queries can be blocked before they reach the provider's nameservers, and the nameservers only see the queries that missed the cache.</p>
<hr />
<h3><strong>How does DNS Firewall choose a backend nameserver to query upstream?</strong></h3>
<p><strong>DNS Firewall</strong> round-robins across the customer's nameservers. In addition, it measures which nameserver in the group responds fastest and feeds that measurement into its selection algorithm, so the rotation is biased toward the fastest server rather than being a strict rotation.</p>
<hr />
<h3><strong>How long does the DNS Firewall cache a stale object?</strong></h3>
<p>Cache lifetime is bounded by the memory allocated to the cache, not by the record TTL. Cloudflare does not forcibly evict an entry when its TTL expires: an expired entry is refreshed from the origin on the next query for it, but if the origin nameservers are offline the stale entry is served instead. An entry therefore leaves the cache only when a fresh answer replaces it or memory pressure displaces it.</p>
<p>The practical consequence is that serving stale answers hides an origin outage from resolvers, but a record change still propagates only once the origin answers a refresh query; lowering a TTL achieves nothing while the origin is unreachable.</p>
<hr />
<h3><strong>Does the DNS Firewall cache SERVFAIL?</strong></h3>
<p>No. If the customer's nameservers respond with SERVFAIL, the <strong>DNS Firewall</strong> returns the error without caching it and queries the origin again on the next request for that name, so a transient origin failure is never pinned in the cache.</p>
<hr />
<h3><strong>Does the DNS Firewall support EDNS-Client-Subnet?</strong></h3>
<p>Yes. DNS providers often want to see the client's IP address via EDNS-Client-Subnet (ECS) because they serve geographically specific answers based on where the client is. With ECS enabled, the DNS Firewall forwards the client's IP subnet along with the DNS query to the origin nameserver.</p>
<p>The DNS Firewall does not add an ECS option of its own; it only forwards the option that the resolver included in its query.</p>
<p>When ECS is enabled, the <strong>DNS Firewall</strong> returns the geographically correct answer from cache for each client subnet. To do this it segments its cache by subnet. For example:</p>
<ol>
<li>A resolver asks for an answer on behalf of the client subnet 1.2.3.0/24.</li>
<li>The <strong>DNS Firewall</strong> proxies the request to the origin for the answer.</li>
<li>The <strong>DNS Firewall</strong> caches the origin's answer, but only for that /24.</li>
<li>A resolver now asks the same question for 1.2.9.0/24; the answer is fetched from the origin again instead of being served from cache.</li>
</ol>
<p>Because each client subnet gets its own cache entry, ECS lowers the cache hit rate and increases the number of queries that reach the origin. Enable it only if the origin actually serves subnet-specific answers.</p>
<hr />
<h3><strong>How do I enable EDNS-Client-Subnet?</strong></h3>
<p>Enable ECS on your origin DNS servers. If the <strong>DNS Firewall</strong> sees a query carrying an ECS option and knows that the origin supports ECS, it lets the option through to the origin. To find out whether an origin supports ECS, the <strong>DNS Firewall</strong> lets one such request through once an hour, so a change at the origin can take up to an hour to be noticed.</p>
<p>To disable ECS, disable it on your origin DNS servers; the <strong>DNS Firewall</strong> detects the change in the same way.</p>
<hr />
<h3><strong>How do I enable the DNS Firewall?</strong></h3>
<p>The <strong>DNS Firewall</strong> is an Enterprise product, available to both existing and new Cloudflare customers.</p>
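<hr />
<h3><strong>Worked example: the proxy-and-cache path</strong></h3>
<p>The following Python model is an added example, not Cloudflare's code, covering the behaviour described under "How does the DNS Firewall work?", "How does DNS Firewall choose a backend nameserver to query upstream?", "How long does the DNS Firewall cache a stale object?" and "Does the DNS Firewall cache SERVFAIL?". The origin nameservers, zone data, latencies and clock are all simulated in-process so it runs offline; the rule used to bias the round-robin toward the fastest origin (anything measured at more than twice the fastest latency is tried last) is this example's assumption, since the page only says the fastest server is "factored in".</p>

```python
"""Model of the DNS Firewall's proxy-and-cache path.

Added example, not Cloudflare's code. The origin nameservers are simulated
in-process so this runs offline, and only the behaviours the page states are
reproduced: answer from cache, query an origin on a miss, rotate across the
origins with a bias toward the fastest one, keep expired entries and serve
them stale when no origin is reachable, and never cache SERVFAIL. The rule
used to bias the rotation (origins measured at more than twice the fastest
latency are tried last) is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NOERROR, SERVFAIL = 0, 2          # DNS RCODEs (RFC 1035)


@dataclass
class Answer:
    rcode: int
    rdata: Tuple[str, ...]        # constructed answer data, e.g. ("192.0.2.10",)
    ttl: int                      # seconds, as set by the origin


class Origin:
    """Simulated authoritative nameserver (constructed for the example)."""

    def __init__(self, name: str, zone: Dict[Tuple[str, str], Answer], latency_ms: float):
        self.name, self.zone, self.latency_ms = name, zone, latency_ms
        self.online = True
        self.queries = 0          # how many queries actually reached this origin

    def query(self, qname: str, qtype: str) -> Answer:
        if not self.online:
            raise ConnectionError(self.name + " unreachable")
        self.queries += 1
        return self.zone.get((qname, qtype), Answer(SERVFAIL, (), 0))


class DnsFirewall:
    def __init__(self, origins: List[Origin], clock: Callable[[], float]):
        self.origins = origins
        self.clock = clock
        self.cache: Dict[Tuple[str, str], Tuple[Answer, float]] = {}   # key -> (answer, stored_at)
        # Seeded from the simulated origins; a real proxy would time its own round trips.
        self.latency_ms = {o.name: o.latency_ms for o in origins}
        self._rr = 0

    def _try_order(self) -> List[Origin]:
        """Round-robin start point, then move origins measured at more than twice
        the fastest observed latency to the back of the list (assumption)."""
        n = len(self.origins)
        rotated = [self.origins[(self._rr + i) % n] for i in range(n)]
        self._rr = (self._rr + 1) % n
        fastest = min(self.latency_ms.values())
        return sorted(rotated, key=lambda o: self.latency_ms[o.name] > 2 * fastest)

    def resolve(self, qname: str, qtype: str) -> Tuple[Answer, str]:
        """Return (answer, source); source is 'cache', 'origin' or 'stale'."""
        key, now = (qname.lower(), qtype), self.clock()
        cached = self.cache.get(key)
        if cached and now - cached[1] < cached[0].ttl:       # step 2: fresh cache hit
            return cached[0], "cache"
        for origin in self._try_order():                     # step 3: ask the provider's nameservers
            try:
                answer = origin.query(qname, qtype)
            except ConnectionError:
                continue
            self.latency_ms[origin.name] = origin.latency_ms
            if answer.rcode == SERVFAIL:
                return answer, "origin"                      # not cached: asked again next time
            self.cache[key] = (answer, now)                  # step 4: cache for later queries
            return answer, "origin"
        if cached:                                           # no origin reachable: the expired
            return cached[0], "stale"                        # entry was never evicted, so serve it
        return Answer(SERVFAIL, (), 0), "origin"


def demo():
    """Drive the model through the page's four steps plus the stale and SERVFAIL cases."""
    zone = {("www.example.com", "A"): Answer(NOERROR, ("192.0.2.10",), ttl=60)}   # constructed zone
    ns1, ns2 = Origin("ns1", zone, latency_ms=5), Origin("ns2", zone, latency_ms=40)
    clock = [0.0]
    fw = DnsFirewall([ns1, ns2], clock=lambda: clock[0])
    trace = []

    def ask(qname):
        answer, source = fw.resolve(qname, "A")
        trace.append(source)
        return answer

    ask("www.example.com")                  # miss: answered by ns1, the fastest origin
    ask("www.example.com")                  # fresh cache hit
    clock[0] += 120                         # the 60 s TTL has expired
    ns1.online = ns2.online = False
    stale = ask("www.example.com")          # every origin down: the expired entry is served stale
    ns2.online = True
    ask("www.example.com")                  # ns1 still down: slow ns2 answers and the entry is refreshed
    ask("nope.example.com")                 # origin says SERVFAIL; not cached
    ask("nope.example.com")                 # so the origin is asked again
    return trace, stale.rdata, (ns1.queries, ns2.queries)


if __name__ == "__main__":
    print(demo())
```

<p>Two details worth noticing when running it: the stale answer is served with no query reaching either origin, and the two SERVFAIL queries both reach the origin because nothing negative is cached. The <code>ns1.queries == 1</code> count shows how much of the load the cache and the fastest-first ordering absorb.</p>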
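<hr />
<h3><strong>Worked example: ECS option parsing and cache segmentation</strong></h3>
<p>The following Python is an added example, not Cloudflare's code, for the section "Does the DNS Firewall support EDNS-Client-Subnet?". It encodes and decodes the EDNS Client Subnet option as laid out in RFC 7871 (option code 8, family, source and scope prefix lengths, address truncated to the prefix), rejects the malformed options an untrusted resolver could send, and keys a cache on the decoded client subnet so that the page's 1.2.3.0/24 and 1.2.9.0/24 queries get separate entries while two clients inside 1.2.3.0/24 share one. The origin and its subnet-specific answers are constructed for the example.</p>

```python
"""EDNS Client Subnet (RFC 7871) handling for an ECS-aware DNS cache.

Added example, not Cloudflare's code. It builds and parses the ECS option
that travels in the OPT record, and keys cache entries on the client subnet
so that 1.2.3.0/24 and 1.2.9.0/24 get separate entries (the page's own
example) while two clients inside 1.2.3.0/24 share one. The origin and its
subnet-specific answers are constructed for the example.
"""
import ipaddress
import struct
from typing import Callable, Optional, Tuple

ECS_OPTION_CODE = 8               # RFC 7871 section 6
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(subnet: str, scope: int = 0) -> bytes:
    """Return the ECS option (code, length, data) for a client subnet such as
    '1.2.3.0/24'. Host bits are dropped and the address is truncated to the
    bytes covered by the prefix, as the RFC requires."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option: bytes):
    """Parse an ECS option into (client network, scope prefix length). Rejects
    truncated options, unknown families, length/prefix mismatches and non-zero
    bits past the prefix, all of which an untrusted resolver could send."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != ECS_OPTION_CODE or length < 4 or len(data) != length:
        raise ValueError("not a complete ECS option")
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    if family == FAMILY_IPV4:
        cls, full = ipaddress.IPv4Network, 4
    elif family == FAMILY_IPV6:
        cls, full = ipaddress.IPv6Network, 16
    else:
        raise ValueError("unknown address family")
    if source > full * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr + b"\x00" * (full - len(addr))
    return cls((padded, source), strict=True), scope   # strict: host bits must be zero


def is_valid_ecs(option: bytes) -> bool:
    try:
        decode_ecs(option)
        return True
    except ValueError:
        return False


def cache_key(qname: str, qtype: str, ecs_option: Optional[bytes]) -> Tuple[str, str, Optional[str]]:
    """Cache key for an ECS-aware proxy: the client subnet is part of the key,
    so an answer cached for one /24 is never handed to a different /24."""
    subnet = str(decode_ecs(ecs_option)[0]) if ecs_option else None
    return qname.lower(), qtype, subnet


class SegmentedCache:
    def __init__(self, origin: Callable[[str, str, Optional[bytes]], str]):
        self.origin, self.entries, self.origin_queries = origin, {}, 0

    def lookup(self, qname: str, qtype: str, ecs_option: Optional[bytes]) -> Tuple[str, str]:
        key = cache_key(qname, qtype, ecs_option)
        if key in self.entries:
            return self.entries[key], "cache"
        self.origin_queries += 1                      # every new subnet costs an origin query
        answer = self.entries[key] = self.origin(qname, qtype, ecs_option)
        return answer, "origin"


GEO_ANSWERS = {"1.2.3.0/24": "198.51.100.1", "1.2.9.0/24": "203.0.113.1"}   # constructed


def geo_origin(qname: str, qtype: str, ecs_option: Optional[bytes]) -> str:
    """Constructed origin that tailors its answer to the client subnet."""
    subnet = str(decode_ecs(ecs_option)[0]) if ecs_option else None
    return GEO_ANSWERS.get(subnet, "192.0.2.1")


def demo_cache():
    """The page's sequence: 1.2.3.0/24 misses, a second client in that /24 hits,
    1.2.9.0/24 misses again, and a query without ECS gets its own entry."""
    cache = SegmentedCache(geo_origin)
    trace = []
    for client in ("1.2.3.0/24", "1.2.3.77/24", "1.2.9.0/24", None):
        option = encode_ecs(client) if client else None
        answer, source = cache.lookup("www.example.com", "A", option)
        trace.append((answer, source))
    return trace, cache.origin_queries


if __name__ == "__main__":
    print(encode_ecs("1.2.3.0/24").hex())
    print(demo_cache())
```

<p>Keying strictly on the source prefix follows the page's description and is what makes ECS fragment the cache. RFC 7871 section 7.3 additionally lets a cache use the SCOPE PREFIX-LENGTH the origin returns to share one entry across a wider range, which is the standard way to claw back some of the hit rate the page says ECS costs.</p>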
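<hr />
<h3><strong>Worked example: the hourly ECS support probe</strong></h3>
<p>The following Python is an added example, not Cloudflare's code, for the section "How do I enable EDNS-Client-Subnet?". It models a proxy that forwards the resolver's ECS option only while the origin is known to support ECS and re-tests that support by letting one ECS query through per hour, which is why a change made at the origin can take up to an hour to be picked up. Treating "the origin echoed the ECS option in its reply" (RFC 7871 section 7.2.1) as the support signal is this example's assumption; the page only says the firewall learns whether the origin supports it.</p>

```python
"""Hourly ECS support probe, as described under "How do I enable EDNS-Client-Subnet?".

Added example, not Cloudflare's code. A proxy forwards the resolver's ECS
option only while the origin is known to support it and re-tests that once
an hour by letting one ECS query through. Using "the origin echoed the ECS
option in its reply" (RFC 7871 section 7.2.1) as the support signal is an
assumption for this example.
"""
from typing import Callable, List


class EcsForwardingPolicy:
    PROBE_INTERVAL = 3600.0        # seconds; the page says once an hour

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.origin_supports_ecs = False
        self.last_probe = float("-inf")

    def forward_ecs(self) -> bool:
        """True if the ECS option in the current query should reach the origin."""
        if self.origin_supports_ecs:
            return True
        now = self.clock()
        if now - self.last_probe >= self.PROBE_INTERVAL:
            self.last_probe = now
            return True                # the hourly probe query
        return False                   # strip ECS; the cache stays unsegmented

    def record_origin_reply(self, echoed_ecs: bool) -> None:
        """Call for every query whose ECS option was forwarded to the origin."""
        self.origin_supports_ecs = echoed_ecs


def demo() -> List[bool]:
    """Origin gains ECS support between t=0 and t=3600 s, loses it again later;
    each change becomes visible only at the next forwarded query."""
    clock = [0.0]
    policy = EcsForwardingPolicy(lambda: clock[0])
    decisions = []
    decisions.append(policy.forward_ecs())       # t=0: first query is a probe
    policy.record_origin_reply(False)            # origin does not echo ECS yet
    clock[0] = 1800.0
    decisions.append(policy.forward_ecs())       # no probe due: ECS stripped
    clock[0] = 3600.0
    decisions.append(policy.forward_ecs())       # hourly probe goes through
    policy.record_origin_reply(True)             # origin now echoes ECS
    clock[0] = 3601.0
    decisions.append(policy.forward_ecs())       # supported: always forwarded
    policy.record_origin_reply(False)            # origin disabled ECS again
    clock[0] = 3700.0
    decisions.append(policy.forward_ecs())       # back to stripping until the next probe
    clock[0] = 7201.0
    decisions.append(policy.forward_ecs())       # next hourly probe
    return decisions


if __name__ == "__main__":
    print(demo())
```

<p>The sequence shows the practical caveat from the section above: after enabling ECS at the origin, queries keep arriving without the option until the next probe fires, and after disabling it the first forwarded query is the one that reveals the change.</p>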