Creating a DNS filter

Written by

Yandex Cloud

Updated at May 20, 2026

To create a DNS filter:

CLI

Terraform

To create a new DNS filter and apply it at the cloud level:

See the description of the CLI command for creating a DNS zone:
```
yc dns firewall create --help
```
Create a DNS filter in the folder with a cloud-level action:
```
yc dns firewall create --name filter-1 \
  --description 'DNS Filter #1' \
  --folder-id b1g23..........4kpv3 \
  --enabled \
  --cloud-ids 'b1g38..........qg4nl' \
  --whitelist-fqdns 'dom1.net.,*.dom5.net.,*.ru.' \ 
  --blacklist-fqdns 'www.dom1.net.,info.dom5.net.' 
```
Where:
- --name: Filter name. It must be unique within a folder.
- --description: Filter description.
- --folder-id: ID of the folder where you want to create your filter.
- --enabled: Filter status, enabled or disabled. If not specified, the new filter will be disabled.
- --whitelist-fqdns, --blacklist-fqdns: List of FQDNs. How to use DNS filters.
- --cloud-ids: List of cloud IDs whose resources are subject to this filter.
- --folder-ids: List of folder IDs whose resources are subject to this filter.
- --network-ids: List of network (VPC) IDs whose resources are subject to this filter.
- --lock-resources: Centralized filter management mode.
Result:
```
 id: dnscmtk2r6neivr20q2l
 folder_id: b1g23..........4kpv3
 created_at: "2026-04-29T04:53:06.591Z"
 name: filter-1
 description: 'DNS Filter #1'
 enabled: true
 resource_config:
 type: CLOUD
 resource_ids:
     - b1g38..........qg4nl
 whitelist_fqdns:
 - dom1.net.
 - '*.dom5.net.'
 - '*.ru.'
 blacklist_fqdns:
 - www.dom1.net.
 - info.dom5.net.
```
Once the filter has been created, you can check the availability of the whitelisted and blacklisted FQDNs using the dig and ping commands from relevant cloud resources (VMs).

Result:

dig www.dom1.net 

; <<>> DiG 9.18.39-0ubuntu0.24.04.3-Ubuntu <<>> www.dom1.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50976
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.dom1.net.INA				

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Apr 28 13:44:20 UTC 2026
;; MSG SIZE  rcvd: 40

ping www.dom1.net
ping: www.dom1.net: Temporary failure in name resolution

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

In the configuration file, describe the resources you want to create:
```
resource "yandex_dns_firewall" "filter1" {
  name        = "filter-1"
  description = "DNS Filter #1"
  folder_id   = "b1g27..........pe3fg"

  labels = {
    label1 = "label-1-value"
  }

  enabled         = true
  whitelist_fqdns = ["dom1.net.","*.dom5.net.","*.ru."]
  blacklist_fqdns = ["www.dom1.net.","info.dom5.net."]

  resource_config = {
    type           = "CLOUD"
    resource_ids   = ["b1g38..........qg4nl"]
    lock_resources = false
  }

   deletion_protection = false
}
```
Where:
- name: Filter name. It must be unique within a folder.
- description: Filter description.
- folder_id: ID of the folder you want to create the filter in.
- enabled: Filter status, enabled or disabled. If not specified, the new filter will be disabled.
- deletion_protection: Enables deletion protection for the new resource.
- whitelist_fqdns, blacklist_fqdns: List of FQDNs. How to use DNS filters.
- resource_config: Block of attributes of the resource subject to the filter:
  - type: Resource type. Valid values: CLOUD, FOLDER, NETWORK.
  - resource_ids: List of resource IDs of a given type.
  - lock_resources: Centralized filter management mode.
Create the resources:
1. In the terminal, navigate to the configuration file directory.
2. Make sure the configuration is correct using this command:
```
terraform validate
```
  If the configuration is valid, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
4. Apply the configuration changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources in the management console or using this CLI command:
```
yc dns firewall get <filter-name>
```

Creating a DNS filter

Was the article helpful?