DNS Policy Not Blocking Websites

Additional information

DNS policies

What is the issue you’re encountering

I’m using Cloudflare Zero Trust and have set up a block rule under Firewall policies for both DNS and HTTP traffic. However, it’s not blocking any websites. I’ve tested this with both Wi-Fi and mobile data, and the rule isn’t working in either case. I would appreciate any assistance you can provide.

May I ask if you’re using WARP Client or rather only the assigned DNS server IP addresses? :thinking:

Have you updated your location IP address as well? Is it static/fixed or dynamic/changing for your site (location)?

Could you share the screenshot of the created Firewall Policy as well here with us?

Is it the only one on the list, or have you got some others as well?

I’m using WARP client both on computer and mobile device. What IP address location are you referring to? Do you mean my ISP IP address? If so, it’s dynamic and it doesn’t change as often.

I have two Firewall Policies under DNS.

Somehow, the firewall policies are working fine when using Wi-Fi on both my computer and mobile device. However, when I switch to a data plan on my mobile device, the policies are not being applied.

Does anyone know if it’s by design that the firewall policies don’t work while connected to a data plan?

Policies are applied based on the DNS resolver resolving your queries. Are you using the Warp client on your mobile device?

When does it work?

Yes, I’m using WARP on my mobile device.

It only works when I’m using Wi-Fi. Once I switch to data plan it doesn’t work.

I’d check to see if another DNS resolver is taking over those requests. While on the data plan, do you see these queries in the logs on Cloudflare? If not, that’s a pretty good indication something else (like the browser or a group policy) is handling DNS requests instead of the WARP client.

While connected through my data plan, I checked the Gateway activity logs on Cloudflare. I found logs for Network and HTTP but none for DNS. In the Cloudflare app, under Diagnostics > Debug Logs > DNS Logs, clicking on one of the DNS logs shows my ISP IP address in the “Resolver address,” which explains the absence of DNS logs in the Gateway activity logs. When connected through my Wi-Fi network, the Resolver address is “XXXX.cloudflare-gateway.com.”

I thought that when you’re connected to Warp, it would use the Cloudflare DNS IP address regardless of whether you’re on Wi-Fi or using a data plan.

I am sorry to hear this.
However, I cannot replicate it on my mobile data plan (A1 Hrvatska).

I tested using my Android device.
Once I installed the WARP app, I was first asked to allow it to create/add the “VPN profile”.
After that succeeded, in the “settings” menu I selected “WARP” for the connection.
The returned IP was IPv4 and IPv6 from Cloudflare Zagreb.
If I select 1.1.1.1 instead of WARP in the “settings” menu, then my IP is only from the provider (mobile data) and IPv4 only (since 1.1.1.1 is DNS-only).

If I login to my Zero Trust team, with “Gateway with WARP” I again get IPv4 and IPv6 from Cloudflare Zagreb, otherwise “Gateway with 1.1.1.1” again my provider’s IP shown.

The only thing I had to disable for testing was TLS decryption, because I didn’t have the CA certificate installed on my Android device.

Are you using any of the configured fallback? Or maybe the Resolver policy?

What is your “Service mode” for your “Default” profile under WARP Client at Zero Trust Dashboard? :thinking:

I have got Firewall policies in place (DNS, Network and HTTP) for testing.

Note: For the testing purpose I’ve used WARP, not WARP+ (paid)

In the Local Domain Fallback and Split Tunnels settings, all IPs and domains are set to their defaults, and no changes were made in this area. However, I was able to get it to work on my mobile device by configuring the private DNS to point to xxxx.cloudflare-gateway.com on my Android device:

To enable private DNS on your Android phone:

  1. Open “Settings.”
  2. Tap “Connections.”
  3. Select “More connection settings.”
  4. Tap “Private DNS.”
  5. Choose “Private DNS provider hostname.”
  6. Enter xxxx.cloudflare-gateway.com as the DNS provider hostname and then tap “Save.”

I’m not sure why this was necessary for it to work.

How can I tell whether the DNS for my website is working correctly? (I have a CDN connected to make the site faster.) leadsandseo.es