diff --git a/products/gateway/src/content/about/how-gateway-works.md b/products/gateway/src/content/about/how-gateway-works.md index e62f90526386181..d864692575cb463 100644 --- a/products/gateway/src/content/about/how-gateway-works.md +++ b/products/gateway/src/content/about/how-gateway-works.md @@ -21,7 +21,7 @@ For example, if you are using Cloudflare Gateway, and send a DNS query to `examp ### DNS over HTTPS -Gateway currently supports DNS over HTTPS (DoH), and will also support DNS over TLS in the future. You can use **cloudflared** to setup your device and start sending DNS queries to Gateway in an encrypted fashion. It will also support other DNS over HTTPS clients, as long as you can change the hostname in your preferred DNS over HTTPS client. Here’s how DNS over HTTPS for Cloudflare Gateway works: +You can use **cloudflared** to setup your device and start sending DNS queries to Gateway in an encrypted fashion. It will also support other DNS over HTTPS clients, as long as you can change the hostname in your preferred DNS over HTTPS client. Here’s how DNS over HTTPS for Cloudflare Gateway works: ![How Encrypted DNS Works](../static/encrypted-dns-gateway.png) 
@@ -29,6 +29,13 @@ The DNS over HTTPS client encrypts the DNS request and sends it to the closest C By encrypting your DNS queries you will make sure that ISPs cannot snoop on your DNS queries, and at the same time you will be able to filter DNS requests that are malicious. +### DNS over TLS + +Gateway also supports DNS-over-TLS encryption. This enables you to apply security policies for clients that don’t support DNS-over-HTTPS. The DNS client on a device that talks to the DNS resolver initiates a TLS connection with the resolver. Then, it establishes a TCP connection with `cloudflare-dns.com:853`, and initiates a TLS handshake. +In the TLS handshake, `cloudflare-dns.com` presents its TLS certificate. Once the TLS connection is established, the DNS client can send DNS over an encrypted connection, preventing eavesdropping and tampering. + +All DNS queries sent over the TLS connection must comply with specifications of sending DNS over TCP. + ## L7 Cloud Firewall Cloudflare Gateway includes a Layer 7 (L7) firewall that allows our customers to apply security and content policies to HTTP traffic. Users connect to Gateway with the Cloudflare for Teams client, which sends all internet-bound traffic from a user’s device to the Cloudflare Gateway. Administrators configure both DNS and HTTP policies--DNS policies are enforced at the Gateway DNS filtering service within the recursive resolver, and HTTP policies are enforced at the L7 firewall within the HTTP forward proxy. diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/browser.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/browser.md index 66b46eb493d826d..d0eaa80cd1d6586 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/browser.md +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/browser.md @@ -1,5 +1,6 @@ --- order: 0 +hidden: true --- # Browser Setup 
diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-https.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-https.md new file mode 100644 index 000000000000000..050326905d84ec2 --- /dev/null +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-https.md @@ -0,0 +1,54 @@ +--- +order: 1 +--- + +# DNS over HTTPS + +## Browser + +### Firefox + + + +With Firefox, you can send DNS queries using the DNS over HTTPS protocol. + +1. Open **Preferences** and scroll to the bottom. + +2. Click on **Network Settings**. + +3. Click on **Settings**. + +4. Check **Enable DNS over HTTPS**. + +5. Choose **Custom** from the drop-down for **Use Provider**. + +6. Enter `https://YOUR_UNIQUE_SUBDOMAIN.cloudflare-gateway.com/dns-query` in the **Custom** field. In place of `YOUR_UNIQUE_SUBDOMAIN`, include your **unique ID**. + +7. Click **OK**. + +8. Enter **about:config** in the address bar. + +9. Click on **Accept the risk!** if you see a prompt from Firefox. + +10. Set network.trr.bootstrapAddress to `162.159.36.5`. + +11. Set network.trr.mode to **3**. + +You should now be able to send queries through the DNS over HTTPS protocol. + +### Google Chrome / Microsoft Edge / Brave + +1. Open **Settings**. +2. In your address bar, type the following and hit **Enter**: + `chrome://flags/#dns-over-https`. This will take you to Secure DNS lookups. +4. Click on the **Secure DNS lookups** radio button to enable DoH. + +Read more about [enabling DNS over HTTPS](https://www.chromium.org/developers/dns-over-https) on Chrome. + +### Safari + +As of today, Safari does not support DNS over HTTPS. diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-tls.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-tls.md new file mode 100644 index 000000000000000..2f7d70763f01fc1 --- /dev/null 
+++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/dns-over-tls.md @@ -0,0 +1,52 @@ +--- +order: 2 +--- + +# DNS over TLS + +By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. + +Cloudflare supports DoT on standard port `853` and is compliant with [RFC7858](https://tools.ietf.org/html/rfc7858). + +## Configuration + +### Obtain your DoT hostname + +Each Gateway location has a unique DoT hostname. Locations and corresponding DoT hostnames have policies associated with them. + +1. Visit your [Teams dashboard](https://dash.teams.cloudflare.com/). +1. Navigate to the **Locations** page to visualize your location. + + ![Go to teams dash](../../../static/go-to-teams-dashboard.png) + +1. If you have more than one location set up, you will see a list of all your locations. + + ![Go to locations page](../../../static/go-to-locations-page.png) + +3. Expand the location card for the location whose DoT hostname you'd like to retrieve. + + ![Expand location card](../../../static/locations-doh-dot.png) + +4. Get the **DoT hostname** for the location. + + In the example below, the DoT hostname is: `9y65g5srsm.cloudflare-gateway.com`. + + ![Get unique subdomain](../../../static/locations-dot-complete.png) + +5. Take note of the **DoT hostname**. + + +### Configure your DoT client + +Depending on your operating system, you can choose from a variety of standalone DoT clients. Alternatively, stub resolvers (e.g. BIND) support DoT natively. + +To configure your DoT client, use the following IP address and hostname: + +```text +Hostname: DoT hostname for a chosen location (above this is 9y65g5srsm.cloudflare-gateway.com) +IP address: 162.159.36.5 +``` + +## Supported TLS versions + +Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2. 
diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/index.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/index.md index 72463a4483c2058..7955f25294ca217 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/index.md +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/index.md @@ -4,9 +4,8 @@ order: 0 # Configure DNS -Cloudflare Gateway supports a variety of client configurations and operating systems as well as DNS over HTTPS. +Cloudflare Gateway supports a variety of client configurations and operating systems. It also allows you to send private, encrypted queries over both DNS over HTTPS (DoH) and DNS over TLS (DoT). -- [Browser Setup](/connecting-to-gateway/without-client/DNS/browser) -- [Mac Setup](/connecting-to-gateway/without-client/DNS/mac) -- [Windows Setup](/connecting-to-gateway/without-client/DNS/windows) -- [Linux Setup](/connecting-to-gateway/without-client/DNS/linux) +- [DNS over HTTPS](/connecting-to-gateway/without-client/DNS/dns-over-https) +- [DNS over TLS](/connecting-to-gateway/without-client/DNS/dns-over-tls) +- [Native Operating System Integration](/connecting-to-gateway/without-client/DNS/native-os) diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md index 68833013f6aa6f0..e3c89c4af231fbe 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/linux.md @@ -1,5 +1,6 @@ --- order: 2 +hidden: true --- # Linux diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/mac.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/mac.md index c2ff30702cf3eb4..6f491e48b38cba8 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/mac.md 
+++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/mac.md @@ -1,5 +1,6 @@ --- order: 1 +hidden: true --- # Mac diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/native-os.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/native-os.md new file mode 100644 index 000000000000000..f8d028e41696996 --- /dev/null +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/native-os.md 
@@ -0,0 +1,95 @@ +--- +order: 3 +--- + +# Native OS + +## Linux + +### Ubuntu + +#### IPv4 +1. Click **System** > **Preferences** > **Network Connections**. +2. Click on the **Wireless** tab, then choose the Wi-Fi network you are currently connected to. +3. Click **Edit**. +4. Click **IPv4**. +Remove any IP addresses that may already be listed. +6. Add the following IP addresses: + * **172.64.36.1** + * **172.64.36.2** +7. Click **Apply**. + +#### IPv6 +1. Click **System** > **Preferences** > **Network Connections**. +2. Click on the **Wireless** tab, then choose the Wi-Fi network you are currently connected to. +3. Click **IPv6**. +4. Add the IPv6 address from that we listed based on your location configuration +5. Click **Apply**. + +### Debian + +#### IPv4 +1. In the command line, type: `sudo vim /etc/resolv.conf` +2. Press the **i** key on your keyboard to edit the document +3. Replace the nameserver lines with: + * **172.64.36.1** + * **172.64.36.2** +4. Press the **ESC** key on your keyboard to save and exit vim. +5. Type `:wq`. + +### IPv6 +1. In the command line, type: `sudo vim /etc/resolv.conf` +2. Add the IPv6 address from that we listed based on your location configuration. +3. Press the **ESC** key on your keyboard to save and exit vim. +4. Type `:wq`. + +## Mac + +### IPv4 +1. Go to **System Preferences** > **Network**. +2. Click **Advanced**. +3. Select the **DNS** tab, and remove any IP addresses that may be already listed. +4. Add the following IP addresses: + * **172.64.36.1** + * **172.64.36.2** +5. Click **OK**. +6. Click **Apply**. + +### IPv6 + +1. On the [Teams dashboard](https://dash.teams.cloudflare.com), navigate to the **Locations** tab. +2. Expand your location by clicking on it. +3. Note the **IPv6 address**. +4. On your computer, go to **System Preferences** > **Network**. +5. Click **Advanced**. +6. Select the **DNS** tab, and remove any IP addresses that may already be listed. +7. 
Add the **IPv6 address** you got from your location card. +8. Click **OK**. +9. Click **Apply**. + +## Windows + +### IPv4 +1. Click on **Start** menu, then click on Control Panel. +2. Click on **Network and Internet**. +3. Click on **Change Adapter Settings**. +4. Right click on the Wi-Fi network you are connected to. +5. Click **Properties**. +6. Select **Internet Protocol Version 4**. +7. Click **Properties**. +8. Remove any IP addresses that may be already listed and add the following IP addresses in their place: + * **172.64.36.1** + * **172.64.36.2** +9. Click **OK**. + +### IPv6 +1. Click on **Start** > **Control Panel**. +2. Click on **Network and Internet**. +3. Click on **Change Adapter Settings**. +4. Right click on the Wi-Fi network you are connected to. +5. Click **Properties**. +6. Select **Internet Protocol Version 6**. +7. Click **Properties**. +8. Click **Use The Following DNS Server Addresses**. +9. Add the IPv6 address that we listed based on your location configuration +10. Click **OK**. \ No newline at end of file diff --git a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/windows.md b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/windows.md index b7542ac960b7c6d..49909e1fd6540be 100644 --- a/products/gateway/src/content/connecting-to-gateway/without-client/DNS/windows.md +++ b/products/gateway/src/content/connecting-to-gateway/without-client/DNS/windows.md @@ -1,5 +1,6 @@ --- order: 0 +hidden: true --- # Windows diff --git a/products/gateway/src/content/faq/index.md b/products/gateway/src/content/faq/index.md index cb698717bfaa6ce..72427fc034c816f 100644 --- a/products/gateway/src/content/faq/index.md +++ b/products/gateway/src/content/faq/index.md 
@@ -49,9 +49,6 @@ For example, if you are using Cloudflare Gateway, and send a DNS query to exampl ## Can I use a wildcard operator to block domains? You don’t need to use a wildcard operator to block domains. For example, if you want to block all the subdomains for `example.com` then you only have to block `example.com`. It will not only block dns requests to `example.com` but also all subdomains for `example.com`. You can read more about it on our [policies page](/reference/policy). -## Can I block a URL using Gateway? -Not yet. Today, Gateway only sees domain names and not the full URL. So it can only block domains. - ## Does Cloudflare Gateway support IPv6 networks? Yes. Each location has a unique IPv6 address. You can use that IPv6 address to send DNS queries to Cloudflare Gateway. diff --git a/products/gateway/src/content/getting-started/configuring-block-page.md b/products/gateway/src/content/getting-started/configuring-block-page.md index 80d3be9f34cbf73..41f216340972125 100644 --- a/products/gateway/src/content/getting-started/configuring-block-page.md +++ b/products/gateway/src/content/getting-started/configuring-block-page.md @@ -2,7 +2,7 @@ order: 5 --- -# Configuring a block page +# Configure a block page When trying to visit a blocked website, users will see a default browser error page like this one: diff --git a/products/gateway/src/content/getting-started/onboarding-gateway.md b/products/gateway/src/content/getting-started/onboarding-gateway.md index dcf376563558381..559780f9105d8d5 100644 --- a/products/gateway/src/content/getting-started/onboarding-gateway.md +++ b/products/gateway/src/content/getting-started/onboarding-gateway.md @@ -2,7 +2,7 @@ order: 0 --- -# Gateway setup +# Set up Gateway To start using Gateway, set up your first **location** and your DNS resolvers. 
diff --git a/products/gateway/src/content/getting-started/troubleshooting-policies.md b/products/gateway/src/content/getting-started/troubleshooting-policies.md index a8efdfc7663dc1d..cb191af89c07dd6 100644 --- a/products/gateway/src/content/getting-started/troubleshooting-policies.md +++ b/products/gateway/src/content/getting-started/troubleshooting-policies.md @@ -20,13 +20,13 @@ Navigate to the **Locations** page to visualize your location. 3. Expand the location card for the location which you'd like to retrieve the corresponding DoH subdomain. -![Expand location card](../static/expand-location-card.png) +![Expand location card](../static/locations-doh-dot.png) -4. Get the subdomain of the DNS over HTTPS hostname (previously known as a unique ID). In the example below, the ID is: `fix7p31bzg`. +4. Get the subdomain of the DNS over HTTPS hostname (previously known as a unique ID). In the example below, the ID is: `9y65g5srsm`. 5. Take note of the **DoH subdomain**. -![Get unique subdomain](../static/unique-gateway-id.png) +![Get unique subdomain](../static/locations-doh.png) ### Your source IPv4 address is taken ![Source IP taken](../static/source-ip-taken.png) diff --git a/products/gateway/src/content/reference/location.md b/products/gateway/src/content/reference/location.md index c4a33daa8506fe4..47aa19106695e56 100644 --- a/products/gateway/src/content/reference/location.md +++ b/products/gateway/src/content/reference/location.md 
@@ -23,8 +23,8 @@ Gateway uses different ways to match a DNS query to locations depending on the t Here is a step by step flow of how Gateway determines the location for an incoming DNS query: -### Step 1: DNS over HTTPS check and lookup based on hostname -Check if the DNS query is using DNS over HTTPS. If yes, lookup location by the unique hostname. If not, go to step 2. +### Step 1: Encrypted queries check and lookup based on hostname +Check if the DNS query is using DNS over HTTPS or DNS over TLS. If yes, lookup location by the unique hostname. If not, go to step 2. ### Step 2: IPv4 check and lookup based on source IPv4 address Check if the DNS query is sent over IPv4. If yes, lookup location by the source IPv4 address. If no, go to step 3. diff --git a/products/gateway/src/content/static/locations-doh-dot.png b/products/gateway/src/content/static/locations-doh-dot.png new file mode 100644 index 000000000000000..2f3aa1b5d87381e Binary files /dev/null and b/products/gateway/src/content/static/locations-doh-dot.png differ diff --git a/products/gateway/src/content/static/locations-doh.png b/products/gateway/src/content/static/locations-doh.png new file mode 100644 index 000000000000000..2c058ba940bcd72 Binary files /dev/null and b/products/gateway/src/content/static/locations-doh.png differ diff --git a/products/gateway/src/content/static/locations-dot-complete.png b/products/gateway/src/content/static/locations-dot-complete.png new file mode 100644 index 000000000000000..7eed99349bfb815 Binary files /dev/null and b/products/gateway/src/content/static/locations-dot-complete.png differ diff --git a/products/gateway/src/content/static/locations-dot.png b/products/gateway/src/content/static/locations-dot.png new file mode 100644 index 000000000000000..ed9860e797b9753 Binary files /dev/null and b/products/gateway/src/content/static/locations-dot.png differ
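Review bot: In the how-gateway-works.md DNS over HTTPS hunk (@@ -21,7), the surviving sentence "It will also support other DNS over HTTPS clients" has lost its antecedent now that the sentence introducing Gateway was deleted; suggest "Gateway also supports other DNS over HTTPS clients, as long as you can change the hostname in your preferred client." While touching the line, "setup your device" should be "set up your device" (verb form).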
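Review bot: The new DNS over TLS section in how-gateway-works.md (@@ -29,6) describes the connection setup out of order and names a hostname that contradicts the new dns-over-tls.md page. The client has to open the TCP connection to port 853 before it can run the TLS handshake, so "initiates a TLS connection with the resolver. Then, it establishes a TCP connection with `cloudflare-dns.com:853`, and initiates a TLS handshake" should collapse into one sequence: TCP connection to port 853, then TLS handshake. More importantly, the hostname should be the per-location DoT hostname on `cloudflare-gateway.com` (dns-over-tls.md gives `9y65g5srsm.cloudflare-gateway.com` as the example), not `cloudflare-dns.com`: location.md step 1 in this same patch says Gateway identifies the location from the unique hostname, so a client that connects to `cloudflare-dns.com` would not get its location's policies. The certificate sentence should also say the client validates the certificate against that hostname; the server merely presenting a certificate is not what prevents tampering. Finally, "must comply with specifications of sending DNS over TCP" would be clearer as a pointer to the two-byte length-prefixed message framing that RFC 7858 requires, which dns-over-tls.md already cites.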
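Review bot: Adding `hidden: true` to browser.md (and likewise mac.md, linux.md and windows.md further down) keeps the old pages in the build while index.md no longer links to them, so readers arriving from bookmarks or search results land on stale instructions with no pointer to the new DNS over HTTPS, DNS over TLS and Native OS pages; consider a redirect, or at least a one-line note at the top of each hidden page naming its replacement.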
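Review bot: In the new dns-over-https.md, the Google Chrome / Microsoft Edge / Brave steps never tell the reader where to enter the Gateway DoH hostname, so following them as written enables Secure DNS but does not send queries to Gateway; the Firefox steps, by contrast, set the custom `https://YOUR_UNIQUE_SUBDOMAIN.cloudflare-gateway.com/dns-query` URL. Add the step that configures the custom provider URL, and fix the step numbering (1, 2, 4). In the Firefox section, the three empty lines after `### Firefox` look like leftovers of a removed block and should go. The effect of `network.trr.mode` = **3** also deserves a sentence: mode 3 is DoH-only with no fallback to the system resolver, so if the Gateway endpoint is unreachable, name resolution fails rather than silently reverting to plaintext DNS, and that is also why the `network.trr.bootstrapAddress` step (`162.159.36.5`) is needed, since Firefox cannot use the system resolver to find the DoH server in that mode.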
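Review bot: In the new dns-over-tls.md, "stub resolvers (e.g. BIND) support DoT natively" is inaccurate: BIND is a recursive/authoritative server, not a stub resolver; systemd-resolved or Stubby are the usual examples of stub resolvers with native DoT support. The configuration block should also explain how its two values are used: the client connects to `162.159.36.5` on port `853` but must send the DoT hostname as the TLS SNI and verify the certificate against it, because (per location.md step 1 in this patch) Gateway matches the query to a location by that hostname; a client given only the IP would be encrypted but unmatched. Smaller points: the "Obtain your DoT hostname" list is numbered 1, 1, 1, 3, 4, 5; "(above this is 9y65g5srsm.cloudflare-gateway.com)" reads better as "(`9y65g5srsm.cloudflare-gateway.com` in the example above)"; and "visualize your location" should be "view your location".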
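Review bot: In the new native-os.md, the Debian vim sequence is wrong: pressing **ESC** only leaves insert mode and does not save, and the `:wq` that actually saves and exits is listed as the step after it; steps 4 and 5 (in both the IPv4 and IPv6 lists) should read "Press **ESC**, then type `:wq` and press **Enter** to save and exit vim." Also, edits made directly to `/etc/resolv.conf` are commonly overwritten by NetworkManager, resolvconf or systemd-resolved on reboot or reconnect, so the page should either say which configuration to change on those systems or warn that the change may not persist. Smaller points: the Ubuntu IPv4 list skips number 5 ("Remove any IP addresses that may already be listed." is unnumbered); the Debian "### IPv6" heading should be "####" to match "#### IPv4"; "Add the IPv6 address from that we listed based on your location configuration" appears three times and is garbled, and the Mac IPv6 section already has the better wording, which tells the reader to take the address from the location card in the Teams dashboard; the Windows IPv4 steps omit the "Use The Following DNS Server Addresses" step that the IPv6 steps include; and the file is missing its trailing newline.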
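Review bot: Deleting "Can I block a URL using Gateway?" from faq/index.md outright drops a question readers will keep asking; since how-gateway-works.md in this same patch documents an L7 firewall that applies HTTP policies, it would be better to update the answer to point there than to remove it.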
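Review bot: In the location.md Step 1 line being rewritten, "lookup location by the unique hostname" should be "look up the location by the unique hostname" (verb form; the same wording issue exists in the unchanged Step 2 context). Since the step now covers both protocols, it would also help to say where that hostname is read from in each case: the request URL for DNS over HTTPS and the TLS server name (SNI) for DNS over TLS.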