Test DNS filtering
This section covers how to validate your Gateway DNS configuration.
Before you start, make sure you are connected to a network that is associated with the DNS location where the policy is applied.
Once you have created a DNS policy to block a domain, you can use either dig or nslookup to check that the policy is working as intended. For example, if you created a policy to block example.com, do the following to see whether Gateway is blocking example.com:
- Open your terminal.
- Type dig example.com (nslookup example.com if you are using Windows) and press Enter.
- If the block page is turned off for the policy, you should see REFUSED in the answer section:
- If the block page is enabled for the policy, you should see NOERROR in the answer section with 162.159.36.12 and 162.159.46.12 as the answers:
If you are blocking a security category or a content category, you can test that the policy is working by using the test domain associated with each category. Once you have configured your Gateway policy to block the category, the test domain shows a block page when you visit it in your browser, or returns REFUSED when you query it with dig from the command line.
- One-word category — For categories with one-word names (for example, Malware), the test domain uses the following format:
- Multi-word category — For categories with multiple words in the name (for example, Parked & For Sale Domains), the test domain uses the following format:
  - Remove any spaces between the words
  - Replace & with and
  - Lowercase all letters
| Category | Test domain |
| --- | --- |
| Anonymizer | anonymizer.testcategory.com |
| Command and Control & Botnet | commandandcontrolandbotnet.testcategory.com |
| Compromised Domain | compromiseddomain.testcategory.com |
| Cryptomining | cryptomining.testcategory.com |
| Malware | malware.testcategory.com |
| New Domains | newdomains.testcategory.com |
| Parked & For Sale Domains | parkedandforsaledomains.testcategory.com |
| Phishing | phishing.testcategory.com |
| Potentially Unwanted Software | potentiallyunwantedsoftware.testcategory.com |
| Private IP Address | privateipaddress.testcategory.com |
| Spam | spam.testcategory.com |
| Spyware | spyware.testcategory.com |
| Unreachable | unreachable.testcategory.com |
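The naming rules above and the table are easy to turn into a script that derives every test domain and checks the response status for each one, which is handy after a policy change that covers several categories. This is an added example and not code from the Cloudflare docs; category_test_domain applies the three rules in order (the & replacement must run before spaces are removed so the words join correctly), and query_test_domains assumes dig is installed and that the Gateway location is your system resolver.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs: derive a category's test domain
# from its display name using the three rules above, and list the domains for
# the categories in the table so they can be fed to dig.
category_test_domain() {
  # 1. replace & with "and" (before removing spaces, so the words join correctly)
  # 2. remove spaces
  # 3. lowercase, then append the test-domain suffix
  printf '%s\n' "$1" |
    sed 's/&/and/g' |
    tr -d ' ' |
    tr '[:upper:]' '[:lower:]' |
    sed 's/$/.testcategory.com/'
}

# Category names copied from the table above, one per line.
CATEGORIES='Anonymizer
Command and Control & Botnet
Compromised Domain
Cryptomining
Malware
New Domains
Parked & For Sale Domains
Phishing
Potentially Unwanted Software
Private IP Address
Spam
Spyware
Unreachable'

# Print "category<TAB>test domain" for every category in the table.
list_test_domains() {
  printf '%s\n' "$CATEGORIES" | while IFS= read -r name; do
    printf '%s\t%s\n' "$name" "$(category_test_domain "$name")"
  done
}

# Query every test domain and show only the response status, which should be
# REFUSED for each category your policy blocks (assumes dig is installed).
# Usage: query_test_domains
query_test_domains() {
  printf '%s\n' "$CATEGORIES" | while IFS= read -r name; do
    d=$(category_test_domain "$name")
    printf '%-45s %s\n' "$d" "$(dig "$d" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')"
  done
}

list_test_domains
```

Categories whose policy has the block page enabled will show NOERROR rather than REFUSED in the status column, with the two block-page addresses in the answer section, as described for example.com above.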
If you enabled EDNS client subnet for your DNS location, you can validate EDNS as follows:
- Obtain your DNS location's DoH subdomain:
  - In Zero Trust, go to Gateway > DNS locations.
  - Select the DNS location you are testing.
  - Note the value of DNS over HTTPS.
- Open a terminal and run the following command:
  The output should contain your EDNS client subnet:
- To verify your EDNS client subnet, obtain your source IP address:
  The source IP address should fall within the /24 range specified by your EDNS client subnet.
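The last step is a subnet-membership check, which is worth scripting when you validate several locations. The script below is an added example, not code from the Cloudflare docs: in_edns_subnet takes the source IP you looked up and the subnet reported in the dig output and prints match or mismatch. The page only describes a /24, but the mask arithmetic here works for any IPv4 prefix length; the EDNS_SUBNET and SOURCE_IP values are constructed from documentation address ranges, not real output.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs: check that your source IP lies
# inside the EDNS client subnet reported in the previous step. The page
# describes a /24, but the arithmetic below handles any IPv4 prefix length.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_edns_subnet SOURCE_IP SUBNET/PREFIX -> prints "match" or "mismatch".
in_edns_subnet() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
    echo match
  else
    echo mismatch
  fi
}

# Constructed values (documentation address ranges, not real output):
# the subnet you read from the dig output and the source IP you looked up.
EDNS_SUBNET='203.0.113.0/24'
SOURCE_IP='203.0.113.45'
in_edns_subnet "$SOURCE_IP" "$EDNS_SUBNET"      # match
in_edns_subnet '198.51.100.7' "$EDNS_SUBNET"    # mismatch
```

A mismatch usually means the query went out through a different egress (for example a VPN or a proxy) than the one whose address you looked up, so compare the source IP as seen from the same network path the DNS query uses.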
Modern web browsers and operating systems cache DNS records for a set amount of time. When a request is made for a DNS record, the browser cache is the first place checked for that record, so a DNS policy may appear not to work if the response is already cached.
To clear your DNS cache:
ChromeOS
- Go to chrome://net-internals/#dns.
- Select Clear host cache.
Windows
- Open an administrator Command Prompt or PowerShell.
- Run the following command:
macOS
- Open Terminal.
- Run the following commands:
