Free Cloudflare DNS for CMMC Level 1 Control
Secure FCI & meet CMMC Level 1 (AC.L1-b.1.iii) with free Cloudflare DNS filtering. Easy step-by-step guide for non-tech users to control external websites.

Simplifying CMMC AC.L1-b.1.iii with Cloudflare's Free DNS
If you're figuring out how to control external websites for CMMC Level 1 as part of your DoD compliance efforts, requirement AC.L1-b.1.iii (Verify and control/limit connections to and use of external information systems) is a key hurdle that might seem intimidating. This access control measure is crucial for reducing accidental data exposure. In simple terms, you need proof that your personnel are not using unauthorized websites or cloud services (like personal email or file storage) to handle sensitive Federal Contract Information (FCI), thereby protecting sensitive data.
For CMMC Level 1 compliance, just having a written policy isn't sufficient. You must implement the necessary technical controls to achieve compliance. Don't worry! You can implement a solid, verifiable technical control using a free service called Cloudflare Gateway, even if you're not an IT expert.
This guide provides simple, step-by-step instructions. We'll set up Cloudflare's free DNS filtering to block risky website categories, helping you meet this key CMMC requirement and strengthen your cybersecurity practices.
Understanding DNS Filtering: A Simple Website Gatekeeper
Every time you visit a website (like www.example.com), your computer needs its specific internet address (called an IP address). Normally, a system called DNS finds this address for you automatically.
DNS Filtering adds a security step to this process. Think of it like a security guard or gatekeeper for website addresses.
Here's how it works:
- Your computer asks for a website's address.
- The DNS Filter (the gatekeeper, like Cloudflare) checks if that website is allowed based on the rules you set.
- These rules can block known dangerous sites (like those with viruses) or types of sites you don't want used for handling work information (such as personal email or file sharing).
- If the website is on the block list, the gatekeeper prevents your computer from getting the address. No address means no connection, and the site is blocked.
This is an efficient way to control your personnel's access to external websites and online services, helping you meet this CMMC requirement's access control objective.
Why Cloudflare Gateway's Free Plan is a Great Fit
Cloudflare is a major, reputable internet security and performance company, widely recognized as a leading Content Delivery Network (CDN) and security provider. Their "Zero Trust Free Plan" offers powerful and reliable DNS Gateway filtering, managed through a user-friendly website dashboard. It's an excellent free tool to demonstrate control for CMMC, providing foundational cybersecurity for contractors and small businesses without significant upfront cost. Adopting even parts of a Zero Trust model, like DNS filtering, improves your overall security posture.
Setting Up Your Free Cloudflare Protection: Step-by-Step
Ready? Let's walk through it. Remember, it's mostly clicking options on a website.
Step 1: Sign Up for Your Free Cloudflare Account
- Go to the Cloudflare website: dash.cloudflare.com/sign-up
- Enter your email, create a strong password, and click "Sign Up".

- Quick Note: Cloudflare might ask about adding a website. For this purpose, you can skip that step and look for options to go directly to the "Zero Trust" dashboard or main account area.
Step 2: Navigate to the Zero Trust Dashboard
- Once logged into your Cloudflare account, locate the Zero Trust section. This might be a prominent option on your dashboard or in a menu on the left side. Click it.

- If you encounter a setup wizard, follow the prompts, making sure to select the Free Plan.
Step 3: Locate DNS Policies
- You're now in the Zero Trust control center. On the left-hand menu, find and click Gateway.
- Under the Gateway options, click Firewall Policies.
- Ensure the DNS tab is selected at the top of the Policies page. This is where we'll set our blocking rules.

Step 4: Block Basic Security Threats (Essential Protection)
First, let's block known dangerous destinations. This helps with other CMMC requirements too!
- Click the blue Add a policy button.
- Give the policy a simple name, like Block Known Threats.
- In the "Traffic" section, select Security categories from the dropdown.
- For the selector, choose in as the operator.
- In the value field, select the following security categories:
Malware
Phishing
Command and Control & Botnet
Spyware
Cryptomining

- Ensure the "Action" dropdown is set to Block.
- Click the blue Create policy button.
Step 5: Block Risky Content Categories (Except Approved Domains)
This is the core step for AC.L1-b.1.iii. We'll create one policy to block risky categories like personal webmail and file sharing, unless the website domain is one you specifically approve for business use.
- Click Add a policy again.
- Name it clearly, for example: Block Risky Content Except Approved.
- Configure the first condition (Risky Content):
- In the traffic section, select Content categories from the selector dropdown.
- Choose in as the operator.
- In the value field, select the categories to block (these are often restricted as they represent common vectors for accidental data leakage or malware introduction):
- Webmail: Check this box. (Blocks Gmail, Yahoo Mail, etc.)
- File Sharing: Check this box. (Blocks Dropbox, Google Drive, Box, etc.)
- (Consider also blocking Adult Themes, Gambling, or others based on your company policies.)

- Add the second condition (Approved Domain Exception):
- Click the + Add button.
- For this new condition, select Domain from the selector dropdown.
- Choose not in as the operator.
- In the value box, enter the website domain names for only your approved business services.

- Set the Action:
- Ensure the action dropdown for the entire policy is set to Block.
- Click the blue Create policy button.
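How the two conditions in this policy combine with the Step 4 policy, as an added example (not Cloudflare's code and not part of the original guide). It is a simplified Python model: the approved domains, the sample queries and their categories are constructed, and the Domain condition is assumed to cover subdomains of each listed domain.

```python
# Simplified model of the Step 4 and Step 5 DNS policies (illustration only).
SECURITY_BLOCK = {"Malware", "Phishing", "Command and Control & Botnet",
                  "Spyware", "Cryptomining"}
CONTENT_BLOCK = {"Webmail", "File Sharing"}
# Placeholder approved business services (the Step 5 exception list).
APPROVED_DOMAINS = {"mail.approved-vendor.example", "files.approved-vendor.example"}


def domain_matches(name, domains):
    """True if name is a listed domain or a subdomain of one (assumed behaviour)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def evaluate(name, categories):
    """Return (action, policy name) for one DNS query under the two policies."""
    cats = set(categories)
    # Step 4: Security categories in {...} -> Block. No exception list applies.
    if cats & SECURITY_BLOCK:
        return ("block", "Block Known Threats")
    # Step 5: Content categories in {...} AND Domain not in {approved} -> Block.
    if cats & CONTENT_BLOCK and not domain_matches(name, APPROVED_DOMAINS):
        return ("block", "Block Risky Content Except Approved")
    return ("allow", None)  # no policy matched, so the query resolves normally


# Constructed queries: (hostname, categories the filter assigns to it).
SAMPLE_QUERIES = [
    ("personal-webmail.example", ["Webmail"]),            # blocked by Step 5
    ("mail.approved-vendor.example", ["Webmail"]),        # approved, allowed
    ("eu.files.approved-vendor.example", ["File Sharing"]),  # subdomain, allowed
    # Lookalike: the approved name is only a prefix, so it stays blocked.
    ("files.approved-vendor.example.lookalike.example", ["File Sharing"]),
    ("news.example", ["News"]),                           # not a blocked category
    # The approved list does not exempt a domain from the Step 4 policy.
    ("mail.approved-vendor.example", ["Webmail", "Phishing"]),
]

if __name__ == "__main__":
    for host, cats in SAMPLE_QUERIES:
        print(host, cats, "->", evaluate(host, cats))
```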
Step 6: Get Your Custom Cloudflare DNS Addresses
Cloudflare assigns unique DNS server addresses linked to your account configuration, which tell your computers to use the policies you just created. You need to inform Cloudflare about your network traffic's origin by setting up a "DNS Location."
- In the Zero Trust dashboard menu, navigate to Gateway > DNS Locations.
- Click the Add a location button.
- Give your location a clear name, like Office Network or Main Office.
- Select IPv4 and click Continue.

- Click Continue and then Done until you receive your configuration. You will then be returned to the DNS Locations page, where your new location will be visible.
- Click on the name of your new location and copy the IPv4 endpoint addresses (there will be two addresses).

Step 7: Point Each Windows Computer to Cloudflare DNS
Now, configure each computer handling FCI to use the Cloudflare DNS addresses you copied in Step 6. It takes just a minute per PC using the Control Panel:
- Press and hold the Windows key on your keyboard, then press R. This opens the Run dialog. Type control and press Enter.
- Click on Network and Internet then click on Network and Sharing Center.
- Click on Change Adapter Settings on the left side.
- Right-click on the Wi-Fi or Ethernet network connection you are currently using.
- Click Properties.
- Scroll down and select Internet Protocol Version 4 (TCP/IPv4) from the list and click Properties.

- Click the option Use The Following DNS Server Addresses.
- In Preferred DNS server, type the first Cloudflare IPv4 address from Step 6.
- In Alternate DNS server, type the second Cloudflare IPv4 address from Step 6.
- Click OK on the TCP/IPv4 Properties window.
- Click Close on the adapter Properties window.
A brief internet reconnect is normal after saving.
Step 7: Point Each Mac Computer to Cloudflare DNS
Here's how to set it up on macOS, similar to the Windows process:
- Open System Settings. (You can quickly find it using Spotlight: press Command + Space, type System Settings, and press Enter.)
- Click on the icon called Network.
- Select your active network connection (like Wi-Fi or Ethernet) from the list.
- Click the Details button.
- In the window that appears, click the DNS tab.
- If any addresses are listed under the DNS Servers list on the right, select each one and click the "-" button below the list to remove them.
- Click the "+" button below the DNS Servers list.
- Type the first Cloudflare IPv4 address you obtained in Step 6 into the field that appears, then press Enter.
- Click the "+" button again.
- Type the second Cloudflare IPv4 address from Step 6, then press Enter.
- Click the OK button at the bottom right of the DNS settings window.
- Click the Apply button if it appears in the main Network settings window (it might save automatically).
Your Mac will briefly reconnect to the network.
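Because the DNS setting lives on each computer, a periodic check that it still points only at your Cloudflare addresses gives you evidence that the control is in place. The following is an added example, not part of the original guide: it parses the text printed by `networksetup -getdnsservers Wi-Fi` (macOS) or `ipconfig /all` (Windows). The resolver addresses are documentation placeholders and the sample outputs are constructed.

```python
import ipaddress
import re

# Placeholders: replace with the two IPv4 endpoints copied in Step 6.
ASSIGNED_DNS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample outputs (not captured from a real machine).
MAC_OK = "192.0.2.10\n192.0.2.11\n"                           # networksetup -getdnsservers Wi-Fi
MAC_CLEARED = "There aren't any DNS Servers set on Wi-Fi.\n"  # DNS list was emptied
WIN_DRIFT = (                                                 # excerpt of ipconfig /all
    "   DNS Servers . . . . . . . . . . . : 192.0.2.10\n"
    "                                       8.8.8.8\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)


def _ip(text):
    """Return the normalized IP address in text, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None


def parse_macos(output):
    """networksetup prints one resolver per line, or a sentence when none is set."""
    return [ip for ip in map(_ip, output.splitlines()) if ip]


def parse_windows(output):
    """Collect the 'DNS Servers' value and the unlabeled continuation lines under it."""
    servers, in_dns = [], False
    for line in output.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:(.*)", line)
        # Any other labeled line (". :") ends the resolver list.
        in_dns = bool(m) or (in_dns and ". :" not in line)
        ip = _ip(m.group(1) if m else line) if in_dns else None
        if ip:
            servers.append(ip)
    return servers


def audit(servers):
    """(ok, detail): pass only if every configured resolver is an assigned one."""
    extra = [s for s in servers if s not in ASSIGNED_DNS]
    if not servers:
        return (False, "no static DNS set; router/DHCP resolver in use")
    return (not extra, "unexpected resolver(s): " + ", ".join(extra) if extra else "ok")
```

A computer that lists one assigned address plus any other resolver fails the check, since queries sent to the other resolver are not filtered.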
Success! You've Implemented Basic Website Control!
Well done! By following these steps, you've configured the computers handling FCI to use Cloudflare's free DNS filtering. This system now actively helps block access to risky website categories (unless specifically approved) and known malicious sites. Implementing DNS filtering this way is a recognized practice that provides a tangible technical control supporting CMMC requirement AC.L1-b.1.iii and positively contributes to your DoD compliance evidence.
Keep These Quick Reminders in Mind:
- Apply Per Computer: Unless you configure your network router (which is more technical), repeat Step 7 on every computer handling FCI to ensure consistent protection.
- Policy Still Matters: Note that a user could revert these settings. Your company policy, user training, and emphasizing FCI protection and responsible use remain critical components of your information system security.
- It's a Strong Layer: DNS filtering is effective but doesn't stop all threats or methods. It's one key part of your overall cybersecurity strategy.
- Update Your Approved List: If you later approve a new online service for FCI, update the domain list in your Cloudflare policy (Step 5) to maintain accurate access control.
Need Help Managing Your Full CMMC Level 1 Compliance?
Implementing controls like DNS filtering is vital, but CMMC Level 1 has 15 requirements in total. If you're looking for a simple, affordable way to manage the entire process - track your progress, store evidence for all controls, generate policies, and stay organized - we can help!
Check out CMMC Resources - designed specifically to make CMMC Level 1 achievable for businesses like yours.
Further Reading & Official Resources
DoD CMMC Official Site: https://dodcio.defense.gov/cmmc/About/
DoD CMMC Level 1 Assessment Guide: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1.pdf
Cloudflare Zero Trust Services: https://www.cloudflare.com/plans/zero-trust-services/