Cloudflare Access DNS Gateway Policies not working

I am unable to get any DNS Gateway Polices to work.

Using Cloudflare WARP client on macOS 11.6. I am logged into my Team in the WARP client.

I created a Gateway Policy in DNS called “Block Casino” and set “Domain is” to block. It does not block. In fact no policies I create work, whether I create them as domain or Content Categories.

I followed all the steps I could find in the Documentation. I am seeing in the Analytics that it is picking up and seeing DNS requests for my user.

When reviewing my DNS settings, my server is set to the lo0 adapter at

Am I missing something?


I think I found a bug. I was able to get this working by adding a location to my policy (as was stated in another post) even though it is supposed to work when no location is applied.
Steps to reproduce:

  1. Brand new instance of access
  2. Create a new DNS Gateway Policy with no location and just block a domain or category or anything.
  3. WARP and location users DNS is not filtered. No DNS Gateway policies work for anyone. Even though documentation states when no location is selected it applies globally.
  4. Add a location to the policy
  5. Location users DNS is now filtered
  6. Remove location from the policy
  7. WARP and location users DNS now is filtered and all policies now seem to work with no location added. All new policies with no location now work as well and are applied to everyone as the documentation states.
  8. Issue corrected

I think there is a bug with new accounts and new DNS Gateway policies and locations.

1 Like

Indeed, it worked for me after following your steps, I guess there is a bug

Hello everyone, having the same problem… almost.

DNS gateway policy not working, i have made a test policy to block everything from
However, even though i see in the logs some *** blocked, the page seems to be working without any issue on the computer. Basically, apart from the logs, you would say it is not working.
I have a simple home setup with only one location.

If you do a dig or nslookup from the command line is it blocked? It is possible your browser is set to fallback to DoH provider if a lookup fails (Chrome and Firefox both have this option IORC). You can disable that option in the browser