Cloudflare Zero Trust Gateway No Traffic (DNS)

As many have posted, we are in the testing phase for Cloudflare Zero Trust. Specifically, we are using a free account and starting with basic DNS filtering (i.e. OpenDNS, DNSFilter, etc.).

For testing, I am simply using the pornography category as an example. I wanted to see the differences in page loads (blocking) to a popular porno site (initials PH) with our current DNS settings (QUAD9 - no block). I then changed our gateway equipment to 1.1.1.3 to test if PH would be blocked (successfully blocked).

From that point I added our static WAN IP to the location area in the Zero Trust Dashboard. I followed the tutorial to set up the policy and changed the DNS in our gateway equipment to those provided in the dashboard. This location is set as the default and EDNS is not checked. [Setup Instructions]

It has been 48 hours and so far no joy.

  • I am not getting traffic in the data analytics area (i.e. it does not appear that Cloudflare is seeing the traffic).
  • Due to the above, obviously no DNS filtering is working.
  • The Zero Trust help page [Zero Trust Help Page] states we are Not Protected.

As another test, I added another location using the static IP of our SAAS VPN (and changing the DNS in their system). Within minutes I am seeing data analytics for that location.

I am looking for any thoughts or ideas on why Cloudflare is not seeing the data from our IP/Gateway location. The static is from Comcast/Xfinity.

Any thoughts or ideas would be appreciated.

Thanks in advance.

The IP address is incorrect? The client/router/dns forwarder is configured incorrectly? The ISP is intercepting your DNS queries?

Thanks for the reply @cscharff. I appreciate the tips.

The IP address is incorrect?
The IP address is the static IP assigned by the provider (Xfinity). It is the IP programmed into my gateway and is what is reported by whatismyip.com.

The client/router/dns forwarder is configured incorrectly?
I also thought this may be the case. That is why I tested 1.1.1.3 with a porn site after programming into the gateway. Switching between 9.9.9.9 and 1.1.1.3 in the gateway did result in correct results from the Windows endpoint I am testing with at the location (tried from a different endpoint as well). This would lead me to believe that configuration is correct.

The ISP is intercepting your DNS queries?
Also a thought, but again the 9.9.9.9 and 1.1.1.3 changes work correctly, which leads me to believe that the DNS is flowing correctly.

If you see something wrong in my procedure or have any other thoughts or direction I am open to suggestions. Thank you for taking the time to post back.
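The resolver-switching test described in this thread (9.9.9.9 versus 1.1.1.3, watching whether a name resolves or is blocked) can be made repeatable from the endpoint with a small probe that sends a raw A query straight to a chosen resolver and classifies the answer. The script below is an added example written for this thread; it is not Cloudflare's code or anything from the original posts. It assumes the resolver answers plain UDP on port 53 and that a filtered name is answered with the address 0.0.0.0 (the block response this example expects from 1.1.1.3 and from a Gateway resolver); both are assumptions of the example, and the resolver and domain names in `main` are placeholders to replace with the ones from your own dashboard.

```python
"""Minimal DNS A-record probe: which resolver answers, and is the answer a block?

Added example for this thread, not Cloudflare's code.  Assumptions:
  * the resolver accepts plain UDP/53 queries;
  * a filtered name is answered with 0.0.0.0 (assumed block response).
"""
import random
import socket
import struct

BLOCK_SENTINELS = {"0.0.0.0"}  # assumption: what a DNS-filter block answer looks like


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compression-pointer) name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes, txid: int) -> dict:
    """Extract RCODE and all A-record addresses from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: possible stray or spoofed reply")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4       # +4 for QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": rcode, "addresses": addrs}


def classify(result: dict) -> str:
    """Turn a parsed answer into one of: blocked, allowed, nxdomain, no-a-records, error-rcode-N."""
    if result["rcode"] == 3:
        return "nxdomain"
    if result["rcode"] != 0:
        return f"error-rcode-{result['rcode']}"
    if not result["addresses"]:
        return "no-a-records"
    if all(a in BLOCK_SENTINELS for a in result["addresses"]):
        return "blocked"
    return "allowed"


def probe(resolver: str, name: str, timeout: float = 3.0) -> str:
    """Query `resolver` directly for `name`; 'timeout' means no reply came back on UDP/53."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"   # resolver unreachable, or port 53 not getting through
    return classify(parse_response(data, txid))


if __name__ == "__main__":
    # Placeholders: swap in the resolver addresses from your Zero Trust dashboard
    # and a domain you expect your policy to block.
    for resolver in ("9.9.9.9", "1.1.1.3"):
        print(resolver, probe(resolver, "example.com"))
```

Running it for the same domain against the public resolver (expected `allowed`), 1.1.1.3 (expected `blocked` for a filtered category) and the resolver addresses from the dashboard separates the questions raised in the replies: a `timeout` from the dashboard resolver points at reachability or the ISP not passing the query, while an `allowed` answer for a name the policy should block means the query arrived but was not matched to the location (for example, because the source IP Cloudflare sees differs from the one entered).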

