Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Check that a policy is working

Once you have created a policy to block a domain, you can use either dig or nslookup on your to see if the policy is working as intended.

If you are using a policy to block, you can do the following to see if Gateway is blocking

  1. Open your terminal.

  2. Type dig (nslookup if you are using Windows) and press enter.

  3. If the Block page is disabled for the policy, then you should see REFUSED in the answer section:

Blocked when block page disabled

If the Block page is enabled for the policy, then you should see NOERROR in the answer section and and as the answers when the domain is successfully blocked.

Blocked when block page enabled

Test a DNS policy

If you are blocking a security threat or content category, you can test that the policy is working by using the test domain associated with each category.

Once you have configured your Gateway policy to block the category, the test domain will show a block page when you attempt to visit the domain in your browser, or will return REFUSED when you perform dig using the command-line interface.

Test domains

One-word categories

Test domains use the following format for categories with one-word names:
CategoryTest domain

Multi-word categories

If the category has multiple words in the name (for example, Parked & For Sale Domains) then the test domain uses the following format:

  • Remove any spaces between the words
  • Replace & with and
  • All letters are lowercase
CategoryTest domain
Parked & For Sale
Private IP
Command and Control &

Common test domains

CategoryTest domain
Command and Control &
Parked & For Sale
Private IP