After you block a domain using a policy, you can use either dig or nslookup to see if it's working.
Before you test if the domain is blocked, please make sure that you are connected to a network that is associated with the location where the policy is applied.
If you are using a policy to block example.com, you can do the following to see if Gateway is blocking it:
1. Open your terminal.
2. Type dig example.com (or nslookup example.com if you are using Windows) and press Enter.
If the Block page is disabled for the policy, then you should see REFUSED in the answer section.
If the Block page is enabled for the policy, then you should see NOERROR in the answer section and 18.104.22.168 and 22.214.171.124 as the answers when the domain is successfully blocked.
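One way to script the check above, as an added example that is not Cloudflare's own tooling: it reads dig output on standard input and applies the two outcomes described, using the status that dig prints in the response header. The function and sample names are hypothetical, the block page addresses are passed in as arguments, and the sample outputs are constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example: classify `dig` output against the two outcomes described above.
# Usage: dig example.com | gateway_verdict <block-page-ip> [<block-page-ip>...]
# Assumption: the caller supplies the block page addresses for their own
# Gateway deployment; none are hard-coded here.
gateway_verdict() {
    out=$(cat)
    # Response code from the header line, e.g. "status: REFUSED".
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # A records listed in the ANSWER SECTION (the section ends at a blank line).
    answers=$(printf '%s\n' "$out" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^$/                  { in_ans = 0 }
        in_ans && $4 == "A"   { print $5 }')
    if [ -z "$status" ]; then echo "unknown: no status line"; return 2; fi
    if [ "$status" = "REFUSED" ]; then echo "blocked: block page disabled"; return 0; fi
    if [ "$status" != "NOERROR" ] || [ -z "$answers" ]; then
        echo "not blocked: status $status"; return 1
    fi
    # NOERROR counts as blocked only if every A record is a block page address.
    for a in $answers; do
        hit=0
        for ip in "$@"; do
            if [ "$a" = "$ip" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then echo "not blocked: resolved to $a"; return 1; fi
    done
    echo "blocked: block page enabled"
}

# Constructed sample outputs (192.0.2.x and 198.51.100.x are documentation ranges).
sample_refused() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_answer() { # $1 = address to place in the answer section
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' '' \
        ';; QUESTION SECTION:' ';example.com. IN A' '' \
        ';; ANSWER SECTION:' "example.com. 300 IN A $1" '' \
        ';; Query time: 12 msec'
}
```

The function only understands dig's output format, not nslookup's, and its exit status (0 blocked, 1 not blocked, 2 unparseable) lets it be used in a monitoring check.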
It takes about 60 seconds for the policy to be updated across all of our data centers around the world.
If you are still seeing responses to DNS queries for a domain that you blocked, the answers may be cached by your browser for anywhere from 5 minutes to a few hours.
No. The IP addresses are NAT-ed behind a public IP address. The activity log will only show the public source IP address.
The primary difference between 126.96.36.199 and Gateway is that 188.8.131.52 does not block any DNS query. When a browser requests example.com, 184.108.40.206 simply looks up the answer either in cache or by performing a full recursive DNS query.
In contrast, Gateway analyzes every DNS query and checks it against the access policies you have set up to decide whether the query should be blocked.
For example, if you are using Cloudflare Gateway and send a DNS query for example.com, Gateway checks whether the query matches any of the policies you set up earlier to block domains. The policy could be a domain that you are manually blocking, or it could be part of a broader security category that you enabled. If the domain matches one of those cases, Gateway will return REFUSED. The browser will think this website does not exist. As a result, it will not take the customer to the blocked website.
You don’t need to use a wildcard operator to block domains. For example, if you want to block all the subdomains of example.com, you only have to block example.com. This blocks DNS requests not only to example.com but also to all of its subdomains. You can read more about this on our blocking subdomains page.
Not yet. Today, Gateway only sees domain names and not the full URL. So it can only block domains.
Yes. Each location has a unique IPv6 address. You can use that IPv6 address to send DNS queries to Cloudflare Gateway.
No. Gateway’s premium features are not included in the Cloudflare Pro and Biz plans. If you are an enterprise customer and want to use Cloudflare Gateway’s premium features, please contact your Customer Success Manager.
If you have multiple policies and both policies are applied to a single location, Gateway will arbitrarily choose one of the policies and apply it to the location.
Assuming the location is configured correctly, Gateway will log the DNS queries and show them in the analytics dashboard. As there are no policies assigned to the location, Gateway will not block any DNS queries.
Your Ad-Blocker is hiding the checkbox for the 'Advertisements' category. To view the checkbox and enable the content category, please disable your Ad-Blocker when you are visiting dash.teams.cloudflare.com.
Visit the SafeSearch page to see how you can test if SafeSearch is working.
Visit the Order of operations page to see in what order Gateway applies its rules inside a policy.