Cloudflare’s DNS Firewall is an advanced firewall for DNS infrastructure, keeping your DNS infrastructure online no matter what attacks are fired at your servers. DNS Firewall also improves your global DNS performance by giving you access to Cloudflare’s robust DNS cache in over 200 cities on 6 continents around the world.
Rate limit the number of queries per second that hit your DNS servers.
Save bandwidth to origin nameservers by serving cached DNS responses.
DDoS Mitigation for DNS
Advanced DDoS mitigation is baked right into the core of DNS Firewall.
Always Available DNS
By serving stale cached DNS responses when origin nameservers are down, your DNS is always online.
Lightning-Fast DNS Lookups
By caching DNS responses on Cloudflare’s global network, responses are just milliseconds away from any visitor, anywhere.
Just point your nameserver IPs to Cloudflare.
DNS Firewall makes running reliable DNS easy by protecting and accelerating any organization’s DNS infrastructure. With DNS Firewall enabled, DNS queries for your
nameservers get sent to the nearest Cloudflare data center, where the legitimacy of the requests is checked and malicious traffic is blocked.
If the proper DNS response is available in Cloudflare's cache, Cloudflare will return the response to the visitor. If the DNS response is not
available in cache, Cloudflare will query the provider's nameservers in the background to fetch the DNS response and send it back to the visitor.
Onboarding DNS Firewall is easy: with a simple change of your nameservers’ IP addresses, your DNS infrastructure can be protected in as little as 5 minutes.
Because DNS Firewall sits in front of your DNS nameservers, it shields your infrastructure, and only sends you
the traffic that you want to get. With the ability to rate limit traffic to your servers, you can specify
how much traffic Cloudflare should send to your nameservers. Rate limits are configurable over API, so you can
configure them dynamically based on your origin health.
DDoS attacks on DNS infrastructure are becoming increasingly common. Cloudflare’s DNS Firewall has DDoS
mitigation at its core, leveraging the same DDoS protection that has mitigated some of the largest DDoS
attacks to date. When malicious traffic is aimed at your origin nameservers, Cloudflare’s DDoS protection
reroutes that traffic and absorbs it across its global network.
DNS Firewall also masks the true origin IP addresses of providers’ nameservers behind Cloudflare’s IP addresses,
keeping them safe from being targeted by attackers.
With DNS Firewall, Cloudflare caches DNS records at the edge of our globally distributed network, ensuring that queries are resolved
lightning-fast on every continent and in every major city regardless of origin server location.
Even if your DNS servers are down, DNS Firewall can answer on your behalf by serving a stale answer from cache. That means your website
will be available and traffic continues to flow, even when your origin nameservers are compromised.
In addition to stopping attack traffic at the Cloudflare edge, DNS Firewall saves bandwidth to the origin nameservers.
Both Cloudflare Authoritative DNS and DNS Firewall offer advanced security and performance improvements for DNS infrastructure. Cloudflare Authoritative DNS is a fully
managed and hosted DNS service. DNS Firewall, on the other hand, allows you to continue to run your own infrastructure,
and your DNS records stay on your own nameservers. DNS Firewall is great for hosting and cloud providers, DNS providers,
SaaS providers, registrars, registries, ISPs and others running large authoritative DNS infrastructure.
Cache DNS Responses at the Edge
DNS Firewall is sold as a separate product, regardless of plan type. For more information, contact our sales team.
Set up DNS Firewall in minutes with no code changes required.