Your AI Agent Can Delete Your DNS Records

Cloudflare's official MCP server gives AI agents access to 30 tools including DNS record deletion, which can cause production outages. A developer introduced Intercept, a policy engine that sits between agents and the MCP server to block dangerous operations like DNS deletions and rate-limit others. The tool uses YAML policies to deny or throttle tool calls, preventing runaway agents from disrupting services.

Your AI agent just deleted the A record for your production domain. It was trying to "clean up stale DNS entries" after you asked it to audit your Cloudflare zone. Thirty seconds later, your site is unreachable. Customers see nothing. Your uptime monitor fires. And the agent has already moved on to the next record. DNS propagation means even after you recreate the record, some resolvers won't see it for hours. One tool call, minutes of downtime, and there's no undo button. Cloudflare's official MCP server https://github.com/cloudflare/mcp-server-cloudflare gives agents access to 30 tools spanning DNS, Workers, KV, R2, D1, and zone management. The read operations are harmless — listing zones, querying Workers observability, searching documentation. The dangerous ones: dns records delete dns records create dns records update workers create worker workers delete worker zones create zones update kv namespace delete r2 bucket delete d1 database delete MCP provides no built-in controls. Every tool is available, every call goes straight through. Intercept https://github.com/policylayer/intercept sits between your agent and the Cloudflare MCP server. Every tools/call is evaluated against a YAML policy before it reaches Cloudflare. Violating calls are blocked and the agent receives a clear denial message — not a silent failure. The first thing to lock down: DNS deletions. There is almost never a reason for an AI agent to delete a DNS record. Block it outright: version: "1" description: "Policy for cloudflare/mcp-server-cloudflare" default: "allow" tools: dns records delete: rules: - name: "block dns deletion" action: "deny" on deny: "DNS record deletion is not permitted via AI agents. Delete records manually in the Cloudflare dashboard." The action: "deny" rule is unconditional. No rate limit, no conditions — the tool is simply unavailable. The agent gets back the on deny message and can tell the user to handle it manually. For tools that agents legitimately need, rate limits prevent runaway loops. DNS creates and updates are capped at 10 per hour. Worker deployments and zone changes get 5 per hour — tight enough to stop a misfiring agent, generous enough for real work: dns records create: rules: - name: "rate limit dns creates" rate limit: 10/hour on deny: "DNS record creation rate limit reached 10/hour . Try again later." dns records update: rules: - name: "rate limit dns updates" rate limit: 10/hour on deny: "DNS record update rate limit reached 10/hour . Try again later." workers create worker: rules: - name: "rate limit worker deploys" rate limit: 5/hour on deny: "Worker deployment rate limit reached 5/hour . Try again later." zones update: rules: - name: "rate limit zone updates" rate limit: 5/hour on deny: "Zone update rate limit reached 5/hour . Try again later." A global backstop catches everything — including read tools — at 60 calls per minute: " ": rules: - name: "global rate limit" rate limit: 60/minute on deny: "Global rate limit reached 60/minute . Try again later." The rate limit shorthand expands into a stateful counter that tracks calls per window and resets automatically. For more on how this works under the hood, see Rate Limiting MCP Tool Calls https://policylayer.com/blog/rate-limiting-mcp-tool-calls . Install Intercept and point it at the Cloudflare MCP server: npm install -g @policylayer/intercept Then run it with the Cloudflare policy: intercept -c cloudflare.yaml -- npx -y @cloudflare/mcp-server-cloudflare Every tool call now passes through the policy engine. DNS deletions are blocked entirely. The 11th DNS change in an hour gets denied. The 61st call in a minute hits the global limit. Your infrastructure stays intact. Adjust the limits to match your workflow. A platform team managing dozens of zones might raise DNS limits to 30/hour. A solo developer might drop worker deploys to 2. The point is that the enforcement is deterministic, transport-level, and impossible for the model to override.