After confirming twice with Cloudflare, there does not seem to exist a feature that restricts the IPs that can query a DNS zone. Currently, the only way to do that would be to own the DNS servers and put an ACL in front of them. When it comes to public domains, managed cloud solutions such as Cloudflare are great but these come with a drawback; in this instance, less management power.
It would be good to be able to allow specific IP addresses to query a specific DNS zone, should this zone need to exist publicly (for multiple reasons) and contain records pointing to internal resources.
IP addresses not in a whitelist, in this scenario, would be returned a 403 Forbidden - or such - error.
I guess that would be somewhat beyond the scope of what Cloudflare is trying to offer with their DNS services.
Also (particularly in the case of Cloudflare’s own public resolver) you could only filter by the querying resolver and not by the IP address of the actual client.
What are you actually trying to accomplish and why can't you block that on an HTTP level with firewall rules?
What we are trying to achieve is to prevent anyone on the Internet from querying the records of a particular DNS zone, so that only authorized clients can resolve DNS queries for that zone and not others.
E.g. suppose we owned the domain contoso.com and that this was hosted in Cloudflare. We would like IP X.X.X.X to be able to resolve www.contoso.com but not IP Y.Y.Y.Y. IP Y.Y.Y.Y would receive an error when performing a DNS query to any contoso.com record.
I understand that, but you could only block the resolver machine, not the client itself. For example, if someone is using 1.1.1.1 you wouldn't know if the client is authorised or not.
Cloudflare generally targets public services, hence my original statement about the service scope. Why wouldn't whitelisting authorised clients on an HTTP level work for you?
It wouldn't help with DNS queries; it would blacklist, respectively whitelist, these clients on an HTTP level. DNS would be difficult for the aforementioned reasons.
Perhaps I see your point now. If I understand correctly, your question is more to do with blocking connections to resources after they have been resolved by the DNS server by anyone.
We’re already doing that, but the initial question was formulated with preventing information disclosure in mind, given that some of the public domain records would be internal resources.
I understand your issue, but having internal resources on a public service is generally not the best idea, and DNS blocking is not reliable in principle.
All you could block on a DNS level would be the resolver (to a certain extent client subnets), but "authorised clients" wouldn't really exist as a concept in that context.
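The self-hosted alternative mentioned at the start of the thread (run your own authoritative servers and put an ACL in front of them) looks like this in BIND 9. This is an added example, not configuration from the thread or from Cloudflare; the ACL name, the address ranges (RFC 5737 documentation addresses) and the file paths are assumed placeholders. A query from a source address outside the ACL is answered with RCODE REFUSED, which is the DNS equivalent of the "403 Forbidden" asked for above.

```conf
// Added example, not from the thread: an authoritative BIND 9 server that
// answers queries for one zone only from an explicit source-IP allow-list.
// Assumed values: ACL name, the 198.51.100.0/24 and 203.0.113.7 addresses
// (documentation ranges) and the directory/file paths are placeholders.

acl "authorised-resolvers" {
    198.51.100.0/24;   // e.g. the office's egress range
    203.0.113.7;       // e.g. an in-house recursive resolver or VPN gateway
    localhost;
};

options {
    directory "/var/named";
    recursion no;                 // authoritative only, no open recursion
    allow-query { any; };         // default for any other zones on this server
    allow-transfer { none; };     // never hand out the whole zone via AXFR
};

zone "contoso.com" {
    type primary;                 // "type master" on older BIND 9 releases
    file "db.contoso.com";
    allow-query { authorised-resolvers; };   // everyone else gets REFUSED
};
```

Checking it from a listed address with `dig @<your-ns> www.contoso.com A` returns the record; from any other address the reply carries `status: REFUSED` and an empty answer section. The limitation raised in this thread still applies: the address BIND evaluates is that of whatever sent the query, so clients that use a public resolver such as 1.1.1.1 arrive as that resolver's address, not their own. The allow-list therefore only works when authorised clients query the server directly or through an in-house resolver whose egress address is on the list; EDNS Client Subnet carries at most a truncated prefix and is not sent by every resolver, so it is not an authorisation signal.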
You’re correct. That isn’t something that exists today in the Cloudflare product suite. It is possible that we may build something like that in the future, but AFAIK it’s not part of any specific roadmap today.