Skip to content

Scheduled DNS policies

Cloudflare Gateway allows you to configure any DNS policy to activate or deactivate on a regular time interval.

By default, Gateway policies are unscheduled and apply at all times. You can use the Gateway Rules API to create a new DNS policy with a schedule or add a schedule to an existing policy. To schedule a policy, send a POST or PUT request with the schedule parameter set to your desired days of the week, times of day, and an optional time zone. The schedule will appear in Zero Trust under Gateway > Firewall Policies > DNS when you expand the row for the policy.

How Gateway determines time zone

If you assign a time zone to your schedule, Gateway will always use the current time at that time zone regardless of the user’s location. This allows you to enable a policy during a certain fixed time period.

If you do not specify a time zone, Gateway will enable the DNS policy based on the user’s local time zone. The user’s time zone is inferred from the IP geolocation of their source IP address. If Gateway is unable to determine the time zone from the source IP, we will fall back to the time zone of the data center where the query was received.

Example: Fixed time zone

The following command creates a DNS policy to block facebook.com only on weekdays from 8:00 AM - 12:30 PM and 1:30 PM - 5:00 PM in the Chicago, USA time zone.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"name": "office-no-facebook-policy",
"action": "block",
"traffic": "dns.fqdn == \"facebook.com\"",
"enabled": true,
"schedule": {
"time_zone": "America/Chicago",
"mon": "08:00-12:30,13:30-17:00",
"tue": "08:00-12:30,13:30-17:00",
"wed": "08:00-12:30,13:30-17:00",
"thu": "08:00-12:30,13:30-17:00",
"fri": "08:00-12:30,13:30-17:00"
}
}'

Refer to this table for a list of all time zones.

Example: User’s time zone

The following command creates a DNS policy to block clockin.com only on weekends, in the time zone where the user is currently located.

Terminal window
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"name": "clock-in-policy",
"action": "block",
"traffic": "dns.fqdn == \"clockin.com\"",
"enabled": true,
"schedule": {
"sat": "00:00-24:00",
"sun": "00:00-24:00"
}
}'