Locations

Locations are usually physical entities like offices, homes, retail stores, movie theatres, or data centers. The fastest way to start sending DNS queries from a location and protect it from security threats is by changing the DNS resolvers at the router.

  • If you have an IPv6 network, you can change your DNS resolvers to the dedicated IPv6 address for your location.

  • If you don’t have an IPv6 network, you can set up a location by changing the DNS resolvers to:

    • 172.64.36.1
    • 172.64.36.2

If you want to send your DNS queries over an encrypted connection, you can use the hostname that we provide in the dashboard to send queries using DNS over HTTPS.

How Gateway matches queries to locations

Gateway uses different ways to match a DNS query to locations depending on the type of request and network. This is how Gateway determines the location of a DNS query:

  1. Step 1: Gateway checks whether the query was sent using DNS over HTTPS. If yes, Gateway looks up the location by its unique hostname.

  2. Step 2: If the query wasn’t sent with DNS over HTTPS, Gateway checks whether it was sent over IPv4. If yes, it looks up the location by the source IPv4 address.

  3. Step 3: If the query wasn’t sent over IPv4, it means it was sent over IPv6. Gateway will look up the location associated with the DNS query based on the destination IPv6 address.
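
The three steps above, written out as an added Python example (not Cloudflare's code). The `Location` class, `match_location` function, the second location's hostname and all IP addresses are constructed for illustration; only the `9y65g5srsm` hostname comes from this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Location:
    name: str
    doh_hostname: Optional[str] = None                      # unique DoH hostname
    source_ipv4: List[str] = field(default_factory=list)    # public egress IPs/networks
    dest_ipv6: Optional[str] = None                         # dedicated IPv6 resolver address

# Constructed sample locations (documentation address ranges).
LOCATIONS = [
    Location("hq-office", "9y65g5srsm.cloudflare-gateway.com",
             ["203.0.113.10/32"], "2001:db8::1"),
    Location("branch", "constructed1.cloudflare-gateway.com",
             ["198.51.100.0/24"], "2001:db8::2"),
]

def match_location(doh_host=None, src_ip=None, dst_ip=None, locations=LOCATIONS):
    """Return the matching location name, or None when nothing matches."""
    # Step 1: a DoH query is identified by hostname alone; source IP is ignored.
    if doh_host is not None:
        host = doh_host.lower().rstrip(".")
        return next((l.name for l in locations if l.doh_hostname == host), None)

    src = ipaddress.ip_address(src_ip)
    # Step 2: a plain query over IPv4 is identified by its public source address.
    if src.version == 4:
        for l in locations:
            if any(src in ipaddress.ip_network(n) for n in l.source_ipv4):
                return l.name
        # Unregistered egress IP: no location matches. How Gateway treats
        # such a query is not described on this page.
        return None

    # Step 3: a plain query over IPv6 is identified by the destination address.
    dst = ipaddress.ip_address(dst_ip)
    return next((l.name for l in locations
                 if l.dest_ipv6 and ipaddress.ip_address(l.dest_ipv6) == dst), None)

if __name__ == "__main__":
    # DoH from an unregistered network still maps to the hostname's location.
    print(match_location(doh_host="9y65g5srsm.cloudflare-gateway.com", src_ip="192.0.2.77"))
    # Plain IPv4 from the same unregistered network matches nothing.
    print(match_location(src_ip="192.0.2.77", dst_ip="172.64.36.1"))
```

The two calls at the bottom show the practical difference between the matching modes: a network whose public IPv4 address changes stops matching in step 2, while hostname-based and IPv6-destination matching do not depend on the source address.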

Location attributes

The only requirement for a location is its name. All other fields are optional if the location you are sending requests from is only using IPv6 or sending all DNS requests using DNS over HTTPS.

Source IPv4 address

Gateway uses the public source IPv4 address of your network to identify your location, apply policies and log DNS requests. When creating a location, the Zero Trust dashboard automatically identifies the public source IP address.

Users on the Enterprise plan have the option of manually entering one or more IP addresses of their choice. This enables them to protect networks even if they’re not connecting from any of those networks' IP addresses when creating the location on the Zero Trust dashboard.

IPv6 address

When you create a location, your location will receive a unique IPv6 address. Cloudflare Gateway will identify your location based on this unique IPv6 address.

On your router, device, forwarder, or daemon, forward DNS queries to the corresponding IPv6 address for the location.

See how you can start sending DNS queries by visiting the setup instructions.

DNS over TLS

Each location has a unique hostname for DNS over TLS.

Cloudflare Gateway will identify your location based on the DNS over TLS hostname.

DNS over HTTPS

Each location has a unique hostname for DNS over HTTPS.

Cloudflare Gateway will identify your location based on the DNS over HTTPS hostname.

DoH subdomain

Each location in Cloudflare Zero Trust has a unique DoH subdomain (previously known as unique ID). If your organization uses DNS policies, you can enter your location’s DoH subdomain as part of the WARP client settings.

In the example below, the DoH subdomain is: 9y65g5srsm.

  • DNS over HTTPS hostname: https://9y65g5srsm.cloudflare-gateway.com/dns-query
  • DoH subdomain: 9y65g5srsm