Documentation

Require Authorized IPs

📘

Organizations Only

A business account is required to use this feature.

What is Require Authorized IPs

Under normal circumstances, your personal DNS resolvers for each Endpoint are accessible from any IP. This means that any IP on the Internet can query against your Secure DNS resolver, if they know your secret Resolver ID, and be subject to the rules of the enforced Profile.

The Require Authorized IPs setting locks down your Endpoint's resolver to only allow queries from IPs you've explicitly allowed. This is effectively the opposite of Authorize by Secure DNS. Any IP that is not seen in the IP Management section will get a REFUSED query response.

How to Enable

Create a new Endpoint, or edit an existing one and toggle Require Authorized IPs ON.

Next, head over to the IP Management section and add IPs that are explicitly allowed to use this Endpoint.

Additional Notes

If you're using ctrld DNS daemon, and it's running on a WAN addressable IP, DNS query Analytics will not be logged unless Require Authorized IPs is enabled. But you should definitely not runctrld on a publicly accessible IP.