Cloudflare v6.1.2, Apr 28 25

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

cloudflare.DnsFirewall

Explore with Pulumi AI

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

Example Usage

Coming soon!

Coming soon!

Coming soon!

Coming soon!

Coming soon!

resources:
  exampleDnsFirewall:
    type: cloudflare:DnsFirewall
    name: example_dns_firewall
    properties:
      accountId: 023e105f4ecef8ad9ca31a8372d0c353
      name: My Awesome DNS Firewall cluster
      upstreamIps:
        - 192.0.2.1
        - 198.51.100.1
        - 2001:DB8:100::CF
      attackMitigation:
        enabled: true
        only_when_upstream_unhealthy: false
      deprecateAnyRequests: true
      ecsFallback: false
      maximumCacheTtl: 900
      minimumCacheTtl: 60
      negativeCacheTtl: 900
      ratelimit: 600
      retries: 2

Create DnsFirewall Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new DnsFirewall(name: string, args: DnsFirewallArgs, opts?: CustomResourceOptions);

@overload
def DnsFirewall(resource_name: str,
                args: DnsFirewallArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def DnsFirewall(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                account_id: Optional[str] = None,
                name: Optional[str] = None,
                upstream_ips: Optional[Sequence[str]] = None,
                attack_mitigation: Optional[DnsFirewallAttackMitigationArgs] = None,
                deprecate_any_requests: Optional[bool] = None,
                ecs_fallback: Optional[bool] = None,
                maximum_cache_ttl: Optional[float] = None,
                minimum_cache_ttl: Optional[float] = None,
                negative_cache_ttl: Optional[float] = None,
                ratelimit: Optional[float] = None,
                retries: Optional[float] = None)

func NewDnsFirewall(ctx *Context, name string, args DnsFirewallArgs, opts ...ResourceOption) (*DnsFirewall, error)

public DnsFirewall(string name, DnsFirewallArgs args, CustomResourceOptions? opts = null)

public DnsFirewall(String name, DnsFirewallArgs args)
public DnsFirewall(String name, DnsFirewallArgs args, CustomResourceOptions options)

type: cloudflare:DnsFirewall
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args DnsFirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args DnsFirewallArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args DnsFirewallArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args DnsFirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args DnsFirewallArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var dnsFirewallResource = new Cloudflare.DnsFirewall("dnsFirewallResource", new()
{
    AccountId = "string",
    Name = "string",
    UpstreamIps = new[]
    {
        "string",
    },
    AttackMitigation = new Cloudflare.Inputs.DnsFirewallAttackMitigationArgs
    {
        Enabled = false,
        OnlyWhenUpstreamUnhealthy = false,
    },
    DeprecateAnyRequests = false,
    EcsFallback = false,
    MaximumCacheTtl = 0,
    MinimumCacheTtl = 0,
    NegativeCacheTtl = 0,
    Ratelimit = 0,
    Retries = 0,
});

example, err := cloudflare.NewDnsFirewall(ctx, "dnsFirewallResource", &cloudflare.DnsFirewallArgs{
	AccountId: pulumi.String("string"),
	Name:      pulumi.String("string"),
	UpstreamIps: pulumi.StringArray{
		pulumi.String("string"),
	},
	AttackMitigation: &cloudflare.DnsFirewallAttackMitigationArgs{
		Enabled:                   pulumi.Bool(false),
		OnlyWhenUpstreamUnhealthy: pulumi.Bool(false),
	},
	DeprecateAnyRequests: pulumi.Bool(false),
	EcsFallback:          pulumi.Bool(false),
	MaximumCacheTtl:      pulumi.Float64(0),
	MinimumCacheTtl:      pulumi.Float64(0),
	NegativeCacheTtl:     pulumi.Float64(0),
	Ratelimit:            pulumi.Float64(0),
	Retries:              pulumi.Float64(0),
})

var dnsFirewallResource = new DnsFirewall("dnsFirewallResource", DnsFirewallArgs.builder()
    .accountId("string")
    .name("string")
    .upstreamIps("string")
    .attackMitigation(DnsFirewallAttackMitigationArgs.builder()
        .enabled(false)
        .onlyWhenUpstreamUnhealthy(false)
        .build())
    .deprecateAnyRequests(false)
    .ecsFallback(false)
    .maximumCacheTtl(0)
    .minimumCacheTtl(0)
    .negativeCacheTtl(0)
    .ratelimit(0)
    .retries(0)
    .build());

dns_firewall_resource = cloudflare.DnsFirewall("dnsFirewallResource",
    account_id="string",
    name="string",
    upstream_ips=["string"],
    attack_mitigation={
        "enabled": False,
        "only_when_upstream_unhealthy": False,
    },
    deprecate_any_requests=False,
    ecs_fallback=False,
    maximum_cache_ttl=0,
    minimum_cache_ttl=0,
    negative_cache_ttl=0,
    ratelimit=0,
    retries=0)

const dnsFirewallResource = new cloudflare.DnsFirewall("dnsFirewallResource", {
    accountId: "string",
    name: "string",
    upstreamIps: ["string"],
    attackMitigation: {
        enabled: false,
        onlyWhenUpstreamUnhealthy: false,
    },
    deprecateAnyRequests: false,
    ecsFallback: false,
    maximumCacheTtl: 0,
    minimumCacheTtl: 0,
    negativeCacheTtl: 0,
    ratelimit: 0,
    retries: 0,
});

type: cloudflare:DnsFirewall
properties:
    accountId: string
    attackMitigation:
        enabled: false
        onlyWhenUpstreamUnhealthy: false
    deprecateAnyRequests: false
    ecsFallback: false
    maximumCacheTtl: 0
    minimumCacheTtl: 0
    name: string
    negativeCacheTtl: 0
    ratelimit: 0
    retries: 0
    upstreamIps:
        - string

DnsFirewall Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The DnsFirewall resource accepts the following input properties:

AccountId string: Identifier.
Name string: DNS Firewall cluster name
UpstreamIps List<string>
AttackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
DeprecateAnyRequests bool: Whether to refuse to answer queries for the ANY type
EcsFallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
MaximumCacheTtl double: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
MinimumCacheTtl double: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
NegativeCacheTtl double: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
Ratelimit double: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
Retries double: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

AccountId string: Identifier.
Name string: DNS Firewall cluster name
UpstreamIps []string
AttackMitigation DnsFirewallAttackMitigationArgs: Attack mitigation settings
DeprecateAnyRequests bool: Whether to refuse to answer queries for the ANY type
EcsFallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
MaximumCacheTtl float64: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
MinimumCacheTtl float64: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
NegativeCacheTtl float64: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
Ratelimit float64: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
Retries float64: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

accountId String: Identifier.
name String: DNS Firewall cluster name
upstreamIps List<String>
attackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
deprecateAnyRequests Boolean: Whether to refuse to answer queries for the ANY type
ecsFallback Boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl Double: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl Double: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
negativeCacheTtl Double: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit Double: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries Double: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

accountId string: Identifier.
name string: DNS Firewall cluster name
upstreamIps string[]
attackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
deprecateAnyRequests boolean: Whether to refuse to answer queries for the ANY type
ecsFallback boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl number: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl number: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
negativeCacheTtl number: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit number: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries number: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

account_id str: Identifier.
name str: DNS Firewall cluster name
upstream_ips Sequence[str]
attack_mitigation DnsFirewallAttackMitigationArgs: Attack mitigation settings
deprecate_any_requests bool: Whether to refuse to answer queries for the ANY type
ecs_fallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximum_cache_ttl float: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimum_cache_ttl float: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
negative_cache_ttl float: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit float: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries float: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

accountId String: Identifier.
name String: DNS Firewall cluster name
upstreamIps List<String>
attackMitigation Property Map: Attack mitigation settings
deprecateAnyRequests Boolean: Whether to refuse to answer queries for the ANY type
ecsFallback Boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl Number: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl Number: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
negativeCacheTtl Number: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit Number: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries Number: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)

Outputs

All input properties are implicitly available as output properties. Additionally, the DnsFirewall resource produces the following output properties:

DnsFirewallIps List<string>
Id string: The provider-assigned unique ID for this managed resource.
ModifiedOn string: Last modification of DNS Firewall cluster

DnsFirewallIps []string
Id string: The provider-assigned unique ID for this managed resource.
ModifiedOn string: Last modification of DNS Firewall cluster

dnsFirewallIps List<String>
id String: The provider-assigned unique ID for this managed resource.
modifiedOn String: Last modification of DNS Firewall cluster

dnsFirewallIps string[]
id string: The provider-assigned unique ID for this managed resource.
modifiedOn string: Last modification of DNS Firewall cluster

dns_firewall_ips Sequence[str]
id str: The provider-assigned unique ID for this managed resource.
modified_on str: Last modification of DNS Firewall cluster

dnsFirewallIps List<String>
id String: The provider-assigned unique ID for this managed resource.
modifiedOn String: Last modification of DNS Firewall cluster

Look up Existing DnsFirewall Resource

Get an existing DnsFirewall resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: DnsFirewallState, opts?: CustomResourceOptions): DnsFirewall

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        attack_mitigation: Optional[DnsFirewallAttackMitigationArgs] = None,
        deprecate_any_requests: Optional[bool] = None,
        dns_firewall_ips: Optional[Sequence[str]] = None,
        ecs_fallback: Optional[bool] = None,
        maximum_cache_ttl: Optional[float] = None,
        minimum_cache_ttl: Optional[float] = None,
        modified_on: Optional[str] = None,
        name: Optional[str] = None,
        negative_cache_ttl: Optional[float] = None,
        ratelimit: Optional[float] = None,
        retries: Optional[float] = None,
        upstream_ips: Optional[Sequence[str]] = None) -> DnsFirewall

func GetDnsFirewall(ctx *Context, name string, id IDInput, state *DnsFirewallState, opts ...ResourceOption) (*DnsFirewall, error)

public static DnsFirewall Get(string name, Input<string> id, DnsFirewallState? state, CustomResourceOptions? opts = null)

public static DnsFirewall get(String name, Output<String> id, DnsFirewallState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:DnsFirewall    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: Identifier.
AttackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
DeprecateAnyRequests bool: Whether to refuse to answer queries for the ANY type
DnsFirewallIps List<string>
EcsFallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
MaximumCacheTtl double: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
MinimumCacheTtl double: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
ModifiedOn string: Last modification of DNS Firewall cluster
Name string: DNS Firewall cluster name
NegativeCacheTtl double: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
Ratelimit double: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
Retries double: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
UpstreamIps List<string>

AccountId string: Identifier.
AttackMitigation DnsFirewallAttackMitigationArgs: Attack mitigation settings
DeprecateAnyRequests bool: Whether to refuse to answer queries for the ANY type
DnsFirewallIps []string
EcsFallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
MaximumCacheTtl float64: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
MinimumCacheTtl float64: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
ModifiedOn string: Last modification of DNS Firewall cluster
Name string: DNS Firewall cluster name
NegativeCacheTtl float64: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
Ratelimit float64: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
Retries float64: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
UpstreamIps []string

accountId String: Identifier.
attackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
deprecateAnyRequests Boolean: Whether to refuse to answer queries for the ANY type
dnsFirewallIps List<String>
ecsFallback Boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl Double: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl Double: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
modifiedOn String: Last modification of DNS Firewall cluster
name String: DNS Firewall cluster name
negativeCacheTtl Double: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit Double: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries Double: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
upstreamIps List<String>

accountId string: Identifier.
attackMitigation DnsFirewallAttackMitigation: Attack mitigation settings
deprecateAnyRequests boolean: Whether to refuse to answer queries for the ANY type
dnsFirewallIps string[]
ecsFallback boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl number: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl number: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
modifiedOn string: Last modification of DNS Firewall cluster
name string: DNS Firewall cluster name
negativeCacheTtl number: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit number: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries number: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
upstreamIps string[]

account_id str: Identifier.
attack_mitigation DnsFirewallAttackMitigationArgs: Attack mitigation settings
deprecate_any_requests bool: Whether to refuse to answer queries for the ANY type
dns_firewall_ips Sequence[str]
ecs_fallback bool: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximum_cache_ttl float: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimum_cache_ttl float: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
modified_on str: Last modification of DNS Firewall cluster
name str: DNS Firewall cluster name
negative_cache_ttl float: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit float: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries float: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
upstream_ips Sequence[str]

accountId String: Identifier.
attackMitigation Property Map: Attack mitigation settings
deprecateAnyRequests Boolean: Whether to refuse to answer queries for the ANY type
dnsFirewallIps List<String>
ecsFallback Boolean: Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
maximumCacheTtl Number: Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
minimumCacheTtl Number: Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
modifiedOn String: Last modification of DNS Firewall cluster
name String: DNS Firewall cluster name
negativeCacheTtl Number: Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
ratelimit Number: Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
retries Number: Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
upstreamIps List<String>

Supporting Types

DnsFirewallAttackMitigation, DnsFirewallAttackMitigationArgs

Enabled bool: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
OnlyWhenUpstreamUnhealthy bool: Only mitigate attacks when upstream servers seem unhealthy

Enabled bool: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
OnlyWhenUpstreamUnhealthy bool: Only mitigate attacks when upstream servers seem unhealthy

enabled Boolean: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
onlyWhenUpstreamUnhealthy Boolean: Only mitigate attacks when upstream servers seem unhealthy

enabled boolean: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
onlyWhenUpstreamUnhealthy boolean: Only mitigate attacks when upstream servers seem unhealthy

enabled bool: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
only_when_upstream_unhealthy bool: Only mitigate attacks when upstream servers seem unhealthy

enabled Boolean: When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
onlyWhenUpstreamUnhealthy Boolean: Only mitigate attacks when upstream servers seem unhealthy

Import

$ pulumi import cloudflare:index/dnsFirewall:DnsFirewall example '<account_id>/<dns_firewall_id>'

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

pulumi/pulumi-cloudflare

cloudflare.DnsFirewall

On this page

On this page

Example Usage

Create DnsFirewall Resource

Constructor syntax

Parameters

Constructor example

DnsFirewall Resource Properties

Inputs

Outputs

Look up Existing DnsFirewall Resource

Supporting Types

DnsFirewallAttackMitigation, DnsFirewallAttackMitigationArgs

Import

Package Details

On this page

On this page