{"slug": "your-ai-agent-can-delete-your-dns-records", "title": "Your AI Agent Can Delete Your DNS Records", "summary": "Cloudflare's official MCP server gives AI agents access to 30 tools including DNS record deletion, which can cause production outages. A developer introduced Intercept, a policy engine that sits between agents and the MCP server to block dangerous operations like DNS deletions and rate-limit others. The tool uses YAML policies to deny or throttle tool calls, preventing runaway agents from disrupting services.", "body_md": "Your AI agent just deleted the A record for your production domain. It was trying to \"clean up stale DNS entries\" after you asked it to audit your Cloudflare zone. Thirty seconds later, your site is unreachable. Customers see nothing. Your uptime monitor fires. And the agent has already moved on to the next record.\n\nDNS propagation means even after you recreate the record, some resolvers won't see it for hours. One tool call, minutes of downtime, and there's no undo button.\n\nCloudflare's official [MCP server](https://github.com/cloudflare/mcp-server-cloudflare) gives agents access to 30 tools spanning DNS, Workers, KV, R2, D1, and zone management. The read operations are harmless — listing zones, querying Workers observability, searching documentation. The dangerous ones:\n\n`dns_records_delete`\n\n`dns_records_create`\n\n`dns_records_update`\n\n`workers_create_worker`\n\n`workers_delete_worker`\n\n`zones_create`\n\n`zones_update`\n\n`kv_namespace_delete`\n\n`r2_bucket_delete`\n\n`d1_database_delete`\n\nMCP provides no built-in controls. Every tool is available, every call goes straight through.\n\n[Intercept](https://github.com/policylayer/intercept) sits between your agent and the Cloudflare MCP server. Every `tools/call`\n\nis evaluated against a YAML policy before it reaches Cloudflare. Violating calls are blocked and the agent receives a clear denial message — not a silent failure.\n\nThe first thing to lock down: DNS deletions. There is almost never a reason for an AI agent to delete a DNS record. Block it outright:\n\n```\nversion: \"1\"\ndescription: \"Policy for cloudflare/mcp-server-cloudflare\"\ndefault: \"allow\"\ntools:\n    dns_records_delete:\n        rules:\n            - name: \"block dns deletion\"\n              action: \"deny\"\n              on_deny: \"DNS record deletion is not permitted via AI agents. Delete records manually in the Cloudflare dashboard.\"\n```\n\nThe `action: \"deny\"`\n\nrule is unconditional. No rate limit, no conditions — the tool is simply unavailable. The agent gets back the `on_deny`\n\nmessage and can tell the user to handle it manually.\n\nFor tools that agents legitimately need, rate limits prevent runaway loops. DNS creates and updates are capped at 10 per hour. Worker deployments and zone changes get 5 per hour — tight enough to stop a misfiring agent, generous enough for real work:\n\n```\n    dns_records_create:\n        rules:\n            - name: \"rate limit dns creates\"\n              rate_limit: 10/hour\n              on_deny: \"DNS record creation rate limit reached (10/hour). Try again later.\"\n    dns_records_update:\n        rules:\n            - name: \"rate limit dns updates\"\n              rate_limit: 10/hour\n              on_deny: \"DNS record update rate limit reached (10/hour). Try again later.\"\n    workers_create_worker:\n        rules:\n            - name: \"rate limit worker deploys\"\n              rate_limit: 5/hour\n              on_deny: \"Worker deployment rate limit reached (5/hour). Try again later.\"\n    zones_update:\n        rules:\n            - name: \"rate limit zone updates\"\n              rate_limit: 5/hour\n              on_deny: \"Zone update rate limit reached (5/hour). Try again later.\"\n```\n\nA global backstop catches everything — including read tools — at 60 calls per minute:\n\n```\n    \"*\":\n        rules:\n            - name: \"global rate limit\"\n              rate_limit: 60/minute\n              on_deny: \"Global rate limit reached (60/minute). Try again later.\"\n```\n\nThe `rate_limit`\n\nshorthand expands into a stateful counter that tracks calls per window and resets automatically. For more on how this works under the hood, see [Rate Limiting MCP Tool Calls](https://policylayer.com/blog/rate-limiting-mcp-tool-calls).\n\nInstall Intercept and point it at the Cloudflare MCP server:\n\n```\nnpm install -g @policylayer/intercept\n```\n\nThen run it with the Cloudflare policy:\n\n```\nintercept -c cloudflare.yaml -- npx -y @cloudflare/mcp-server-cloudflare\n```\n\nEvery tool call now passes through the policy engine. DNS deletions are blocked entirely. The 11th DNS change in an hour gets denied. The 61st call in a minute hits the global limit. Your infrastructure stays intact.\n\nAdjust the limits to match your workflow. A platform team managing dozens of zones might raise DNS limits to 30/hour. A solo developer might drop worker deploys to 2. The point is that the enforcement is deterministic, transport-level, and impossible for the model to override.", "url": "https://wpnews.pro/news/your-ai-agent-can-delete-your-dns-records", "canonical_source": "https://dev.to/policylayer/your-ai-agent-can-delete-your-dns-records-4gh7", "published_at": "2026-06-16 13:19:06+00:00", "updated_at": "2026-06-16 13:48:29.137636+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "ai-safety", "ai-infrastructure"], "entities": ["Cloudflare", "MCP server", "Intercept", "PolicyLayer", "DNS"], "alternates": {"html": "https://wpnews.pro/news/your-ai-agent-can-delete-your-dns-records", "markdown": "https://wpnews.pro/news/your-ai-agent-can-delete-your-dns-records.md", "text": "https://wpnews.pro/news/your-ai-agent-can-delete-your-dns-records.txt", "jsonld": "https://wpnews.pro/news/your-ai-agent-can-delete-your-dns-records.jsonld"}}