SECURITY PROGRAM // ACTIVE ENGAGEMENT
DNS & Web Filtering
2026-03-17 // V1.0
IMPL
IMPLEMENTATION_RECORD
Cloudflare Gateway DNS filtering across all enrolled endpoints. DoH enforcement via WARP client. Category-based blocking for malicious domains.
QUICKSTART | DEPLOYED // STABLE | IaC // TERRAFORM
SERVICE: DNS & Web Filtering
PACKAGE: QUICKSTART
DEPLOYED: 2026-03-17
STATUS: DEPLOYED // STABLE
THREAT_VECTOR //
Malware, ransomware, and command-and-control traffic rely on DNS resolution to reach attacker infrastructure — this control blocks those connections before they establish.
DEPLOYMENT_CHECKLIST
- 100% endpoint enrollment on Gateway DNS: PASS
- DoH enforcement active: PASS
- Malicious category blocking enabled: PASS
- DNS query logging enabled: PASS
CONFIGURATION
| SETTING | VALUE |
|---|---|
| DNS Provider | Cloudflare Gateway |
| Protocol | DNS-over-HTTPS (DoH) |
| Blocked Categories | Malware, Phishing, C2, Cryptomining |
| Logging | All queries retained 30 days |
FRAMEWORK_MAPPING
SOC_2_READINESS: TRUST SERVICES CRITERIA SATISFIED
- CC6.6: Logical access controls restricting access via network connections
- CC6.8: Controls preventing introduction of unauthorized or malicious software
- CC7.1: Detection and monitoring of configuration changes and new vulnerabilities
These controls form part of the evidence base for your SOC 2 Type II audit.
NIST_CSF: SECURITY FRAMEWORK FUNCTION
- Protect: Implement safeguards to limit the impact of potential events
- Detect: Identify when security events occur
BASELINE_DELTA
BEFORE // BASELINE STATE
- DNS queries unfiltered — malicious domains reachable from all endpoints
- No C2 communication blocking
- Filtering not enforced off-network (remote workers unprotected)
- No DNS query visibility or logging
AFTER // CURRENT STATE
- Cloudflare Gateway deployed — 10 threat categories blocked
- C2, malware, phishing, cryptomining, ransomware domains blocked
- DoH profile enforced on all 18 endpoints via WARP client (on and off network)
- 287 malicious queries blocked in first month
- Full DNS query logging enabled for audit and review
CURRENT_HEALTH
DNS_BLOCKS_THIS_MONTH: 1,187
ENDPOINTS_ON_CLOUDFLARE_GATEWAY_DNS: 100% (TARGET: 100%)
CONTROL_HISTORY
EVIDENCE_REFERENCES
| ARTIFACT | TYPE | LOCATION | REF | DATE | WHAT THIS PROVES |
|---|---|---|---|---|---|
| Cloudflare Gateway Policy | SCREENSHOT | Cloudflare Dashboard | cf-gateway-policy-2026-03-17.svg | 2026-03-17 | Proves filtering policies are active and configured to block required threat categories — evidence for CC6.8 malware defense criteria |
| Device Enrollment Export | CONFIG EXPORT | Cloudflare Dashboard | cf-enrolled-devices-2026-03-17.csv | 2026-03-17 | Proves all devices are enrolled and routing DNS through the gateway — confirms coverage completeness |
| Terraform Plan Output | TERRAFORM | https://github.com/ThreatUnknown/meridian-security-baseline | pr-16-terraform-plan.txt | 2026-03-17 | Confirms filtering configuration is code-managed with full change history |