Follow this guide to get started with Internal DNS.

API token configuration

Permissions
- Account - DNS Views - Edit
- Zone - DNS - Edit
- Account - Account Settings - Edit
- Zone - DNS Settings - Edit
- Zone - Zone - Edit

Account Resources
- Include - (Your account)

Zone Resources
- Include - All zones
To create an internal zone in the dashboard:
1. In the Cloudflare dashboard, go to the Internal DNS page.
2. Select Create an internal zone.
3. Give your internal zone a name.

Internal zone configuration conditions
xyz.local), if it is created on the TLD itself (local), or even if on the root (.).
Footnote: Logical groupings of internal DNS zones that are referenced by Gateway resolver policies to define how a specific query should be resolved.

type to internal.
Example

Required API token permissions:
- Zone - Zone - Edit
- Zone - DNS - Edit

```bash
curl "https://api.cloudflare.com/client/v4/zones" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "account": {
      "id": "<ACCOUNT_ID>"
    },
    "name": "<ZONE_NAME>",
    "type": "internal"
  }'
```

/batch, to manage DNS records. Refer to Batch record changes for details.

During an internal DNS query resolution, if no internal record is found within a matching internal zone, Cloudflare will check if the matching internal zone is referencing another internal zone. Successive references can be followed with a maximum of five references in a chain. For details, refer to reference zones.
To add a reference zone in the dashboard:
1. In the Cloudflare dashboard, go to the Internal DNS page.
2. Select a zone.
3. Within the selected zone, go to Reference zone.
4. Select Add reference zone.
5. Find the zone you want to use as reference and choose Select in the respective row.

--json, specify the internal_dns object with the parameter reference_zone_id.

In the following example, internal zone A (ID 8a904aeb565c42cfa207d98f6edea2f3) is referencing internal zone B (ID 8e64c6fb4b514f3faf64de81efc11e51).

Required API token permissions:
- Zone - DNS Settings - Write
- DNS - Write

```bash
curl "https://api.cloudflare.com/client/v4/zones/8a904aeb565c42cfa207d98f6edea2f3/dns_settings" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "internal_dns": {
      "reference_zone_id": "8e64c6fb4b514f3faf64de81efc11e51"
    }
  }'
```

Since the resolver policy will require a DNS view, you must have at least one view to be able to route requests to internal zones.
To create a DNS view in the dashboard:
1. In the Cloudflare dashboard, go to the Internal DNS page.
2. Go to Internal DNS Views.
3. Select Create a view.
4. Give your view a descriptive name.

DNS view configuration conditions
Footnote: DNS zones that contain public DNS records and are accessible by public resolvers.
Besides selecting an internal DNS view when setting up your resolver policies, you can also enable the fallback through public DNS option.
Use the API endpoints under Zero Trust > Gateway > Rules to set up resolver policies. For guidance about selectors, operators, and values, refer to Gateway.
Use the rule settings object to define resolve_dns_internally, specifying view_id and fallback option. The fallback options behave as follows:
- none: Gateway DNS resolver returns the response as-is to the client.
- public_dns: If the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to the Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS.

Once you add the Gateway resolver policy, it will be listed in the respective internal view under Resolver policies referencing this view.
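The following is an added, self-contained model of the two behaviours described on this page: the reference-zone chain (a matching internal zone that lacks the record hands the query to its reference zone, for at most five references) and the resolver-policy fallback options none and public_dns. It is illustrative code, not Cloudflare's implementation. Zone matching by longest name suffix, returning REFUSED when no internal zone in the view matches, the handling of a dangling reference_zone_id, and the stubbed public resolver are all assumptions; the two zone IDs are the ones from the example above, while the zone names, records and addresses are constructed sample data.

```python
"""Model of Internal DNS resolution: reference-zone chains plus Gateway fallback.

Added illustrative code, not Cloudflare's implementation. Assumptions: zones match
by longest suffix, a query outside every zone in the view is REFUSED, a dangling
reference_zone_id ends the chain, and the public resolver is a local stub.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# "Successive references can be followed with a maximum of five references in a chain."
MAX_REFERENCE_CHAIN = 5


@dataclass
class InternalZone:
    zone_id: str
    name: str                                # zone apex, e.g. "corp.example.com"
    records: Dict[str, Tuple[str, str]]      # owner name -> (record type, value)
    reference_zone_id: Optional[str] = None  # internal_dns.reference_zone_id


@dataclass(frozen=True)
class Response:
    rcode: str                   # "NOERROR", "NXDOMAIN" or "REFUSED"
    rtype: Optional[str] = None
    value: Optional[str] = None
    source: str = "internal"     # "internal" or "public"
    hops: int = 0                # reference zones followed before answering


def matching_zone(view: List[InternalZone], qname: str) -> Optional[InternalZone]:
    """Zone in the view whose name is the longest suffix of qname (assumed rule)."""
    best = None
    for zone in view:
        if qname == zone.name or qname.endswith("." + zone.name):
            if best is None or len(zone.name) > len(best.name):
                best = zone
    return best


def resolve_internal(zones_by_id: Dict[str, InternalZone], view: List[InternalZone],
                     qname: str) -> Response:
    """Look up qname in the matching zone, then follow reference zones (at most five)."""
    zone = matching_zone(view, qname)
    if zone is None:
        return Response("REFUSED")           # assumption: no matching internal zone
    hops = 0
    while True:
        rec = zone.records.get(qname)
        if rec is not None:
            return Response("NOERROR", rec[0], rec[1], "internal", hops)
        if zone.reference_zone_id is None or hops >= MAX_REFERENCE_CHAIN:
            return Response("NXDOMAIN", hops=hops)  # chain exhausted or hop limit hit
        nxt = zones_by_id.get(zone.reference_zone_id)
        if nxt is None:
            return Response("NXDOMAIN", hops=hops)  # dangling reference_zone_id
        zone, hops = nxt, hops + 1


def apply_resolver_policy(zones_by_id, view, qname: str, fallback: str,
                          public_lookup: Callable[[str], Response]) -> Response:
    """resolve_dns_internally semantics: fallback is "none" or "public_dns"."""
    resp = resolve_internal(zones_by_id, view, qname)
    if fallback == "none":
        return resp                          # returned as-is to the client
    if fallback == "public_dns":
        if resp.rcode in ("REFUSED", "NXDOMAIN") or resp.rtype == "CNAME":
            return public_lookup(qname)      # query re-sent to the public resolver
        return resp
    raise ValueError(f"unknown fallback option: {fallback}")


# Constructed sample data: IDs from the page, names/records/addresses invented.
ZONE_A = InternalZone(
    "8a904aeb565c42cfa207d98f6edea2f3", "corp.example.com",
    {"app.corp.example.com": ("A", "10.0.0.10"),
     "www.corp.example.com": ("CNAME", "www.example.com")},
    reference_zone_id="8e64c6fb4b514f3faf64de81efc11e51",
)
ZONE_B = InternalZone("8e64c6fb4b514f3faf64de81efc11e51", "example.com",
                      {"db.corp.example.com": ("A", "10.0.0.20")})
ZONES = {z.zone_id: z for z in (ZONE_A, ZONE_B)}
VIEW = [ZONE_A]                              # zone B is reachable only as a reference
PUBLIC_TABLE = {"www.corp.example.com": ("A", "203.0.113.7")}


def public_lookup_stub(qname: str) -> Response:
    """Stands in for 1.1.1.1; answers from a constructed table, no network."""
    rec = PUBLIC_TABLE.get(qname)
    if rec is None:
        return Response("NXDOMAIN", source="public")
    return Response("NOERROR", rec[0], rec[1], "public")


def build_chain(length: int, owner: str, value: str) -> Dict[str, InternalZone]:
    """Constructed chain z0 -> z1 -> ... with the only record in the last zone."""
    zones = {}
    for i in range(length):
        nxt = f"z{i + 1}" if i + 1 < length else None
        recs = {owner: ("A", value)} if i == length - 1 else {}
        zones[f"z{i}"] = InternalZone(f"z{i}", "chain.local", recs, nxt)
    return zones


if __name__ == "__main__":
    for name in ("app.corp.example.com", "db.corp.example.com", "nope.corp.example.com"):
        print(name, resolve_internal(ZONES, VIEW, name))
    for fb in ("none", "public_dns"):
        print(fb, apply_resolver_policy(ZONES, VIEW, "www.corp.example.com", fb, public_lookup_stub))
    chain = build_chain(7, "host.chain.local", "10.9.9.9")   # needs six references
    print("six references:", resolve_internal(chain, [chain["z0"]], "host.chain.local"))
```

Two points the model makes visible: a record that lives only six references away is never reached (the chain stops at five and the client sees NXDOMAIN), and with fallback public_dns an internal CNAME answer is not returned to the client but causes the whole query to be re-resolved publicly, so a private name that happens to also exist in public DNS can come back with the public answer.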