Cloudflare DNS

Overview

The Cloudflare DNS integration allows Praetorian Guard Platform (PGP) to automatically discover and import assets from your Cloudflare DNS records. Once connected, PGP enumerates DNS records across all zones accessible by your API token and ingests them as assets for continuous monitoring.

What It Does

When the integration runs, PGP performs the following steps:

  1. Lists all zones accessible by the provided API token.
  2. Fetches DNS records for each zone using paginated API requests.
  3. Imports supported DNS record types as PGP assets:
    • A records — Maps a domain name to an IPv4 address. Imported as an asset with the record name and IP content.
    • AAAA records — Maps a domain name to an IPv6 address. Imported identically to A records.
    • CNAME records — Maps an alias to a canonical domain name. Both the alias and target are normalized before import.

Note: Only A, AAAA, and CNAME records are imported. Other DNS record types (MX, TXT, SRV, NS, etc.) are not ingested by this integration.

Pagination

The integration automatically paginates through all DNS records and zones. It increments the page number on each request and stops when the Cloudflare API returns zero results for a page.
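The sketch below is an added example, not PGP's own code. It reproduces the zone and record enumeration described above so you can preview which records a token exposes before connecting it. The function names, the page size of 50, the constructed sample data, and the reading of "normalized" as lowercased with no trailing dot are assumptions.

```python
import itertools
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
IMPORTED_TYPES = {"A", "AAAA", "CNAME"}  # MX, TXT, SRV, NS, ... are skipped

def live_fetch(token):
    def fetch(path, page):  # one page from the real Cloudflare API
        req = urllib.request.Request(f"{API}{path}?page={page}&per_page=50",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def paginate(fetch, path):
    """Yield every item, incrementing the page until a page comes back empty."""
    for page in itertools.count(1):
        body = fetch(path, page)
        if not body.get("success"):
            raise RuntimeError(f"API error: {body.get('errors')}")
        if not body["result"]:
            return
        yield from body["result"]

def preview_assets(fetch):
    """List (type, name, content) for the records the integration imports."""
    assets = []
    for zone in paginate(fetch, "/zones"):
        for rec in paginate(fetch, f"/zones/{zone['id']}/dns_records"):
            if rec["type"] not in IMPORTED_TYPES:
                continue
            name, content = rec["name"], rec["content"]
            if rec["type"] == "CNAME":
                # Assumption: "normalized" = lowercased, no trailing dot.
                name, content = (s.lower().rstrip(".") for s in (name, content))
            assets.append((rec["type"], name, content))
    return assets

# Constructed sample pages standing in for API responses, so this runs offline.
SAMPLE = {("/zones", 1): [{"id": "z1"}],
          ("/zones/z1/dns_records", 1): [
              {"type": "A", "name": "www.example.com", "content": "192.0.2.10"},
              {"type": "MX", "name": "example.com", "content": "mail.example.com"}],
          ("/zones/z1/dns_records", 2): [
              {"type": "CNAME", "name": "Blog.Example.com", "content": "Host.Example.NET."}]}

def sample_fetch(path, page):
    return {"success": True, "result": SAMPLE.get((path, page), [])}
```

Calling `preview_assets(sample_fetch)` runs against the constructed data; passing `live_fetch(token)` instead queries Cloudflare with a real read-only token.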

Prerequisites

  • A Cloudflare account with one or more active zones.
  • A Cloudflare API token with the following permissions:
    • Zone > DNS > Read — Required to list DNS records in each zone.
    • Zone > Zone > Read — Required to list available zones.

Creating a Cloudflare API Token

  1. Log in to the Cloudflare Dashboard.
  2. Navigate to My Profile > API Tokens.
  3. Click Create Token.
  4. Use the Custom Token template and configure the following permissions:
    • Zone > DNS > Read
    • Zone > Zone > Read
  5. Under Zone Resources, select which zones the token can access (all zones, or specific ones).
  6. Click Continue to summary, then Create Token.
  7. Copy the token immediately — it will not be shown again.

For more details, see the Cloudflare documentation on creating API tokens.

Setup in PGP

  1. In PGP, navigate to Settings > Integrations.
  2. Find Cloudflare DNS in the integrations list and click it.
  3. Enter your API Token in the token field.
  4. Click Save to connect the integration.
  5. PGP will validate your token by listing zones and reading DNS records from the first zone. If validation fails, you will see an error message indicating the issue.

Field Reference

Field | Required | Description
API Token | Yes | Your Cloudflare API token with Zone DNS Read and Zone Read permissions.

Troubleshooting

"Invalid API token"

The token you provided was rejected by Cloudflare. This typically means the token is incorrect, expired, or revoked. Generate a new token and try again.

"No Zones configured for this token"

The token is valid but has no zone access. Edit the token in Cloudflare to grant access to at least one zone, or create a new token with the correct zone resources.

"Failed to validate Zone Ruleset Read permissions"

The token can list zones but cannot read DNS records. Ensure the token has Zone > DNS > Read permission.

General API Errors

If you see an error like API error: (code) message, this is a Cloudflare API error. Check that your token permissions match the requirements above.