cloudflare · ptzimmerman · Nov 13, 2020 · Nov 11, 2020 · Nov 12, 2020 · Nov 12, 2020
@@ -21,14 +21,21 @@ For example, if you are using Cloudflare Gateway, and send a DNS query to `examp
 
 ### DNS over HTTPS
 
-Gateway currently supports DNS over HTTPS (DoH), and will also support DNS over TLS in the future. You can use **cloudflared** to setup your device and start sending DNS queries to Gateway in an encrypted fashion. It will also support other DNS over HTTPS clients, as long as you can change the hostname in your preferred DNS over HTTPS client. Here’s how DNS over HTTPS for Cloudflare Gateway works:
+You can use **cloudflared** to setup your device and start sending DNS queries to Gateway in an encrypted fashion. It will also support other DNS over HTTPS clients, as long as you can change the hostname in your preferred DNS over HTTPS client. Here’s how DNS over HTTPS for Cloudflare Gateway works:
 
 ![How Encrypted DNS Works](../static/encrypted-dns-gateway.png)
 
 The DNS over HTTPS client encrypts the DNS request and sends it to the closest Cloudflare’s data center. Upon receiving the encrypted DNS request, it will decrypt it and send it to Cloudflare Gateway. Cloudflare Gateway will log the request, apply the required security policies, and return the response to our edge. Our edge will encrypt the response and send it back to the DNS over HTTPS client.
 
 By encrypting your DNS queries you will make sure that ISPs cannot snoop on your DNS queries, and at the same time you will be able to filter DNS requests that are malicious.
 
+### DNS over TLS
+
+Gateway also supports DNS-over-TLS encryption. This enables you to apply security policies for clients that don’t support DNS-over-HTTPS. The DNS client on a device that talks to the DNS resolver initiates a TLS connection with the resolver. Then, it establishes a TCP connection with `cloudflare-dns.com:853`, and initiates a TLS handshake.
+In the TLS handshake, `cloudflare-dns.com` presents its TLS certificate. Once the TLS connection is established, the DNS client can send DNS over an encrypted connection, preventing eavesdropping and tampering.
+
+All DNS queries sent over the TLS connection must comply with specifications of sending DNS over TCP.
+
 ## L7 Cloud Firewall
 
 Cloudflare Gateway includes a Layer 7 (L7) firewall that allows our customers to apply security and content policies to HTTP traffic. Users connect to Gateway with the Cloudflare for Teams client, which sends all internet-bound traffic from a user’s device to the Cloudflare Gateway. Administrators configure both DNS and HTTP policies--DNS policies are enforced at the Gateway DNS filtering service within the recursive resolver, and HTTP policies are enforced at the L7 firewall within the HTTP forward proxy.

@@ -1,5 +1,6 @@
 ---
 order: 0
+hidden: true
 ---
 
 # Browser Setup

@@ -0,0 +1,54 @@
+---
+order: 1
+---
+
+# DNS over HTTPS
+
+## Browser
+
+### Firefox
+
+<Aside>
+
+<b>Before you start</b>. <a href="/getting-started/troubleshooting-policies/#find-a-location-doh-subdomain"> Obtain a location DoH subdomain (previously known as a unique id)</a>
+
+</Aside>
+
+With Firefox, you can send DNS queries using the DNS over HTTPS protocol.
+
+1. Open **Preferences** and scroll to the bottom.
+
+2. Click on **Network Settings**.
+
+3. Click on **Settings**.
+
+4. Check **Enable DNS over HTTPS**.
+
+5. Choose **Custom** from the drop-down for **Use Provider**.
+
+6. Enter `https://YOUR_UNIQUE_SUBDOMAIN.cloudflare-gateway.com/dns-query` in the **Custom** field. In place of `YOUR_UNIQUE_SUBDOMAIN`, include your **unique ID**.
+
+7. Click **OK**.
+
+8. Enter **about:config** in the address bar.
+
+9. Click on **Accept the risk!** if you see a prompt from Firefox.
+
+10. Set network.trr.bootstrapAddress to `162.159.36.5`.
+
+11. Set network.trr.mode to **3**.
+
+You should now be able to send queries through the DNS over HTTPS protocol.
+
+### Google Chrome / Microsoft Edge / Brave
+
+1. Open **Settings**.
+2. In your address bar, type the following and hit **Enter**:
+ `chrome://flags/#dns-over-https`. This will take you to Secure DNS lookups.
+4. Click on the **Secure DNS lookups** radio button to enable DoH.
+
+Read more about [enabling DNS over HTTPS](https://www.chromium.org/developers/dns-over-https) on Chrome.
+
+### Safari
+
+As of today, Safari does not support DNS over HTTPS.
@@ -0,0 +1,52 @@
+---
+order: 2
+---
+
+# DNS over TLS
+
+By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications.
+
+Cloudflare supports DoT on standard port `853` and is compliant with [RFC7858](https://tools.ietf.org/html/rfc7858).
+
+## Configuration
+
+### Obtain your DoT hostname
+
+Each Gateway location has a unique DoT hostname. Locations and corresponding DoT hostnames have policies associated with them.
+
+1. Visit your [Teams dashboard](https://dash.teams.cloudflare.com/).
+1. Navigate to the **Locations** page to visualize your location.
+
+ ![Go to teams dash](../../../static/go-to-teams-dashboard.png)
+
+1. If you have more than one location set up, you will see a list of all your locations.
+
+ ![Go to locations page](../../../static/go-to-locations-page.png)
+
+3. Expand the location card for the location whose DoT hostname you'd like to retrieve.
+
+ ![Expand location card](../../../static/locations-doh-dot.png)
+
+4. Get the **DoT hostname** for the location.
+
+ In the example below, the DoT hostname is: `9y65g5srsm.cloudflare-gateway.com`.
+
+ ![Get unique subdomain](../../../static/locations-dot-complete.png)
+
+5. Take note of the **DoT hostname**.
+
+
+### Configure your DoT client
+
+Depending on your operating system, you can choose from a variety of standalone DoT clients. Alternatively, stub resolvers (e.g. BIND) support DoT natively.
+
+To configure your DoT client, use the following IP address and hostname:
+
+```text
+Hostname: DoT hostname for a chosen location (above this is 9y65g5srsm.cloudflare-gateway.com)
+IP address: 162.159.36.5
+```
+
+## Supported TLS versions
+
+Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2.
@@ -4,9 +4,8 @@ order: 0
 
 # Configure DNS
 
-Cloudflare Gateway supports a variety of client configurations and operating systems as well as DNS over HTTPS.
+Cloudflare Gateway supports a variety of client configurations and operating systems. It also allows you to send private, encrypted queries over both DNS over HTTPS (DoH) and DNS over TLS (DoT).
 
-- [Browser Setup](/connecting-to-gateway/without-client/DNS/browser)
-- [Mac Setup](/connecting-to-gateway/without-client/DNS/mac)
-- [Windows Setup](/connecting-to-gateway/without-client/DNS/windows)
-- [Linux Setup](/connecting-to-gateway/without-client/DNS/linux)
+- [DNS over HTTPS](/connecting-to-gateway/without-client/DNS/dns-over-https)
+- [DNS over TLS](/connecting-to-gateway/without-client/DNS/dns-over-tls)
+- [Native Operating System Integration](/connecting-to-gateway/without-client/DNS/native-os)
@@ -1,5 +1,6 @@
 ---
 order: 2
+hidden: true
 ---
 
 # Linux

@@ -1,5 +1,6 @@
 ---
 order: 1
+hidden: true
 ---
 
 # Mac

@@ -0,0 +1,95 @@
+---
+order: 3
+---
+
+# Native OS
+
+## Linux
+
+### Ubuntu
+
+#### IPv4
+1. Click **System** > **Preferences** > **Network Connections**.
+2. Click on the **Wireless** tab, then choose the Wi-Fi network you are currently connected to.
+3. Click **Edit**.
+4. Click **IPv4**.  
+Remove any IP addresses that may already be listed.
+6. Add the following IP addresses:
+    * **172.64.36.1**
+    * **172.64.36.2**
+7. Click **Apply**.
+
+#### IPv6
+1. Click **System** > **Preferences** > **Network Connections**.
+2. Click on the **Wireless** tab, then choose the Wi-Fi network you are currently connected to.
+3. Click **IPv6**.
+4. Add the IPv6 address from that we listed based on your location configuration
+5. Click **Apply**.
+
+### Debian
+
+#### IPv4
+1. In the command line, type: `sudo vim /etc/resolv.conf`
+2. Press the **i** key on your keyboard to edit the document
+3. Replace the nameserver lines with:
+    * **172.64.36.1**
+    * **172.64.36.2**
+4. Press the **ESC** key on your keyboard to save and exit vim. 
+5. Type `:wq`.
+
+### IPv6
+1. In the command line, type: `sudo vim /etc/resolv.conf`
+2. Add the IPv6 address from that we listed based on your location configuration.
+3. Press the **ESC** key on your keyboard to save and exit vim. 
+4. Type `:wq`.
+
+## Mac
+
+### IPv4
+1. Go to **System Preferences** > **Network**.
+2. Click **Advanced**.
+3. Select the **DNS** tab, and remove any IP addresses that may be already listed.
+4. Add the following IP addresses:
+    * **172.64.36.1**
+    * **172.64.36.2**
+5. Click **OK**.
+6. Click **Apply**.
+
+### IPv6
+
+1. On the [Teams dashboard](https://dash.teams.cloudflare.com), navigate to the **Locations** tab.
+2. Expand your location by clicking on it.
+3. Note the **IPv6 address**.
+4. On your computer, go to **System Preferences** > **Network**.
+5. Click **Advanced**.
+6. Select the **DNS** tab, and remove any IP addresses that may already be listed.
+7. Add the **IPv6 address** you got from your location card.
+8. Click **OK**.
+9. Click **Apply**.
+
+## Windows
+
+### IPv4
+1. Click on **Start** menu, then click on Control Panel.
+2. Click on **Network and Internet**.
+3. Click on **Change Adapter Settings**.
+4. Right click on the Wi-Fi network you are connected to.
+5. Click **Properties**.
+6. Select **Internet Protocol Version 4**.
+7. Click **Properties**.
+8. Remove any IP addresses that may be already listed and add the following IP addresses in their place:
+    * **172.64.36.1**
+    * **172.64.36.2**
+9. Click **OK**.
+
+### IPv6
+1. Click on **Start** > **Control Panel**.
+2. Click on **Network and Internet**.
+3. Click on **Change Adapter Settings**.
+4. Right click on the Wi-Fi network you are connected to.
+5. Click **Properties**.
+6. Select **Internet Protocol Version 6**.
+7. Click **Properties**.
+8. Click **Use The Following DNS Server Addresses**.
+9. Add the IPv6 address that we listed based on your location configuration
+10. Click **OK**.
@@ -1,5 +1,6 @@
 ---
 order: 0
+hidden: true
 ---
 
 # Windows

@@ -49,9 +49,6 @@ For example, if you are using Cloudflare Gateway, and send a DNS query to exampl
 ## Can I use a wildcard operator to block domains?
 You don’t need to use a wildcard operator to block domains. For example, if you want to block all the subdomains for `example.com` then you only have to block `example.com`. It will not only block dns requests to `example.com` but also all subdomains for `example.com`. You can read more about it on our [policies page](/reference/policy).
 
-## Can I block a URL using Gateway?
-Not yet. Today, Gateway only sees domain names and not the full URL. So it can only block domains.
-
 ## Does Cloudflare Gateway support IPv6 networks?
 Yes. Each location has a unique IPv6 address. You can use that IPv6 address to send DNS queries to Cloudflare Gateway.
 

@@ -2,7 +2,7 @@
 order: 5
 ---
 
-# Configuring a block page
+# Configure a block page
 
 When trying to visit a blocked website, users will see a default browser error page like this one:  
 

@@ -2,7 +2,7 @@
 order: 0
 ---
 
-# Gateway setup
+# Set up Gateway
 
 To start using Gateway, set up your first **location** and your DNS resolvers.
 

@@ -20,13 +20,13 @@ Navigate to the **Locations** page to visualize your location.
 
 3. Expand the location card for the location which you'd like to retrieve the corresponding DoH subdomain.
 
-![Expand location card](../static/expand-location-card.png)
+![Expand location card](../static/locations-doh-dot.png)
 
-4. Get the subdomain of the DNS over HTTPS hostname (previously known as a unique ID). In the example below, the ID is: `fix7p31bzg`.
+4. Get the subdomain of the DNS over HTTPS hostname (previously known as a unique ID). In the example below, the ID is: `9y65g5srsm`.
 
 5. Take note of the **DoH subdomain**.
 
-![Get unique subdomain](../static/unique-gateway-id.png)
+![Get unique subdomain](../static/locations-doh.png)
 
 ### Your source IPv4 address is taken
 ![Source IP taken](../static/source-ip-taken.png)

@@ -23,8 +23,8 @@ Gateway uses different ways to match a DNS query to locations depending on the t
 
 Here is a step by step flow of how Gateway determines the location for an incoming DNS query:
 
-### Step 1: DNS over HTTPS check and lookup based on hostname
-Check if the DNS query is using DNS over HTTPS. If yes, lookup location by the unique hostname. If not, go to step 2.
+### Step 1: Encrypted queries check and lookup based on hostname
+Check if the DNS query is using DNS over HTTPS or DNS over TLS. If yes, lookup location by the unique hostname. If not, go to step 2.
 
 ### Step 2: IPv4 check and lookup based on source IPv4 address
 Check if the DNS query is sent over IPv4. If yes, lookup location by the source IPv4 address. If no, go to step 3.