Analytics and logs
Consider the sections below to learn how to access analytics and logs for your DNS Firewall.
DNS Firewall analytics allow you to evaluate data about DNS queries to your account.
The historical data available covers 62 days and the maximum time interval you can get data for is also 62 days.
For a quick summary, view your DNS Firewall analytics on the dashboard. The DNS analytics dashboard contains four main panels. The filters and time frame that you specify at the top of the page apply to all of them.
- Log in to the Cloudflare dashboard ↗ and select your account.
- Go to DNS Firewall > Analytics.
- Cluster
- Query name
- Query type (same as DNS record type)
- Response code
- Cluster IP
- Source IP
- Upstream nameserver IP
- Query response source (cache, upstream nameserver, stale cache)
- Response reason
- Protocol used (UDP or TCP)
- IP version (IPv4 or IPv6)
The filters and time frame that you specify at the top of the page apply to all of the available panels.
-
Query summary: the number of queries and their distribution over time. This information is segmented by each of the available dimensions and the graph displays the top five values. You can select the dimensions through the different tabs above the graph and quickly filter for or exclude a certain value from the results by hovering over it and selecting Filter or Exclude.
-
Query statistics: an overview of query metrics. Namely, Total queries, Cached queries, Uncached queries, and Stale cache queries.
Processing time refers to the total time taken to handle a query within DNS Firewall, meaning cached queries served directly from Cloudflare's servers. For uncached queries, the metric used is response time, which considers the time to get the answers from your upstream nameservers. The processing and response times are displayed in milliseconds.Processing time and response time
Aside from the average for both processing and response times,90th percentile (p90)
p90values show you the maximum time that 90% of queries took to resolve. For example, if the p90 is 1 millisecond, it means 90% of the queries were resolved in 1 millisecond or less. -
DNS queries by data center: a map indicating which Cloudflare data centers have handled DNS queries to your account. You can also find a list of the ten top results and quickly filter for or exclude a certain data center from the results by hovering over it and selecting Filter or Exclude.
-
Top query statistics: a breakdown of the top queries grouped by the available dimensions. You can expand each card to list more results and search for specific values.
Use the GraphQL API to access DNS Firewall analytics. Refer to the GraphQL Analytics API documentation for guidance on how to get started.
The DNS Firewall analytics has two schemas:
dnsFirewallAnalyticsAdaptive: Retrieve information about individual DNS Firewall queries.dnsFirewallAnalyticsAdaptiveGroups: Get reports on aggregate information only.
You can also use the DNS Firewall API reports endpoint.
You can set up Logpush to deliver DNS Firewall logs to a storage service, SIEM, or log management provider.
When analyzing why Cloudflare DNS Firewall responded in one way or another to a specific query, consider the responseReason log field.
The following table provides a description for each of the values that might be returned as a response reason:
| Value | Description |
|---|---|
success | Response was successfully served, either from Cloudflare cache or forwarded from the upstream. |
upstream_failure | Response could not be fetched from the upstream due to the upstream failing to respond. |
upstream_servfail | Response could not be fetched from the upstream due to the upstream responding with SERVFAIL. |
invalid_query | Query is invalid and cannot be processed. |
any_type_blocked | Query of type ANY was blocked according to your DNS Firewall settings (RFC 8482 ↗). |
rate_limit | Query was rate limited according to your DNS Firewall settings. |
chaos_success | Response for Chaos class ↗ was successfully served. |
attack_mitigation_block | Query was blocked as part of random prefix attack mitigation. |
unknown | There was an unknown error. |
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark