Org: Restricted Resolver

Restrict a device to only respond to queries from authorized IPs.


Organizations Only

A business account is required to use this feature.

What is Restricted Resolver

Under normal circumstances, the personal DNS resolver for each Device is accessible from any IP. This means that any IP on the Internet that knows your secret Resolver ID can query your Secure DNS resolver, and those queries will be subject to the rules of the enforced Profile.

The Restricted Resolver setting locks down your Device's resolver to only allow queries from IPs you've explicitly allowed. This is effectively the opposite of the Auto Authorize IP setting. Any IP that is not listed in the IP Management section will get a REFUSED query response.

How to Enable

Create a new Device, or edit an existing one and toggle this option ON.

Next, head over to the IP Management section and add IPs that are explicitly allowed to use this Device.
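To confirm the setting took effect, query the resolver from an IP that is not in IP Management and check that the response code is REFUSED. The Python below is an added example, not Control D code; it assumes the Device's resolver answers plain DNS over UDP port 53 at an IPv4 address you supply (`server_ip`, hypothetical), and the sample responses are constructed.

```python
import socket
import struct

# RCODE values from RFC 1035; 5 is the REFUSED answer an unlisted IP should get.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(response: bytes, txid: int = 0x1234) -> str:
    """Return the RCODE name of a DNS response after basic header validation."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")

def check_resolver(server_ip: str, name: str = "example.com",
                   timeout: float = 3.0) -> str:
    """Query server_ip (assumed: plain DNS on UDP/53) and report the RCODE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

# Constructed sample responses (header plus echoed question), not captured traffic.
_QUESTION = build_query("example.com")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("unlisted IP sample:", classify_response(SAMPLE_REFUSED))
    print("allowed IP sample: ", classify_response(SAMPLE_NOERROR))
```

Run `check_resolver` once from a host whose IP is listed in IP Management and once from a host whose IP is not; the first should not return REFUSED, the second should.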

Additional Notes

If you're using the ctrld DNS daemon and it's running on a WAN-addressable IP, DNS query Analytics will not be logged unless Restricted Resolver is enabled.