DNS Filtering has the following requirements:
Domain Requirements
The DNS Filtering module only supports Fully Qualified Domain Names or Partially Qualified Domain Names in the allow and block lists. Single-label domains are not supported.
- Fully Qualified Domain Name - mail.google.com
- Partially Qualified Domain Name - google.com
- Single-label Domain - google
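The rule above can be applied to an allow or block list before it is entered in the console. The following is an added example, not vendor code: the names `classify` and `triage` are hypothetical, labels are checked against RFC 1123 hostname syntax, and URLs, IP addresses and wildcard entries are set aside as `not-a-domain` because this page does not say how the module treats them.

```python
import re

# One DNS label per RFC 1123 hostname syntax: 1-63 letters, digits or hyphens,
# not starting or ending with a hyphen. (Assumed syntax; the page does not define one.)
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def classify(entry):
    """Return (category, normalized_name) for one allow/block list entry.

    Categories: 'supported' (two or more labels), 'single-label',
    'not-a-domain' (URL, IP address, wildcard or other malformed text).
    """
    raw = entry.strip()
    name = raw.lower()
    if name.endswith("."):            # tolerate one trailing root dot
        name = name[:-1]
    try:
        # Convert internationalized names to their ASCII (punycode) form.
        name = name.encode("idna").decode("ascii")
    except UnicodeError:              # empty or over-long label
        return "not-a-domain", raw
    labels = name.split(".")
    if len(name) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return "not-a-domain", raw
    if labels[-1].isdigit():          # e.g. 8.8.8.8 is an address, not a name
        return "not-a-domain", raw
    if len(labels) == 1:
        return "single-label", name
    return "supported", name

def triage(entries):
    """Group entries by category, dropping duplicates after normalization."""
    result = {"supported": [], "single-label": [], "not-a-domain": []}
    for entry in entries:
        category, name = classify(entry)
        if name not in result[category]:
            result[category].append(name)
    return result

# Constructed sample list (not from any real deployment).
SAMPLE = ["mail.google.com", "Google.com.", "google", "https://google.com/",
          "8.8.8.8", "*.google.com", "bücher.example", "GOOGLE.COM", ""]

if __name__ == "__main__":
    for category, names in triage(SAMPLE).items():
        print(f"{category}: {names}")
```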
Feature Requirements
- An active subscription to Incident Response, Endpoint Protection, or Endpoint Detection and Response.
- An active subscription to the DNS Filtering module.
Endpoint Requirements
Endpoints must be running one of the following operating systems to filter network traffic with the DNS Filtering module. For our Endpoint Protection requirements, see System requirements for Nebula.
- Windows: 11, 10 version 1607 or later.
- In late August 2025, DNS Filtering support for Windows 10 version 1511 or older ended.
- Windows ARM: 11
- macOS: Tahoe 26, Sequoia 15, Sonoma 14, Ventura 13, Monterey 12, Big Sur 11.
- macOS devices require a system extension and certificate to be allowed. For more information, see Allow DNS system extension and Cloudflare certificate on Mac devices - Nebula.
CAUTION - DNS Filtering is not recommended on internet information or web servers as it can block communications.
- Windows Server: 2025, 2022, 2019, 2016.
- In late August 2025, DNS Filtering support for Windows Server 2012 and 2012 R2 ended.
Network Requirements
- Endpoints running DNS Filtering need to allow HTTPS outbound connections that resolve DNS lookups to https://*.cloudflare-gateway.com
- Only User Datagram Protocol (UDP) network traffic is supported.
Browser and system requirements
DNS over HTTPS (DoH) or Secure DNS must be disabled for browsers and operating systems to allow DNS filtering to operate properly. See the following articles for managing Windows and browser DoH settings via Group Policy.
Note: Look up instructions for your specific browser if DoH needs to be disabled manually on an endpoint.