How does Gateway limit the number of DNS queries? For example, if a business buys the Zero Trust Standard plan, can they submit 100 DNS queries per second from a DNS forwarder on their LAN? Or would that exceed a limit?
Does the limit differ depending on any of these factors:
- The protocol (UDP, DoT, DoH)
- Number of Cloudflare Access seats
- Rate limit per location / source IPv4 address
- Between Standard and Enterprise plan
The only information I could find is regarding the limits of the Free plan here: https://support.cloudflare.com/hc/en-us/articles/360047356332-Billing-for-Cloudflare-for-Teams
Is the 5,000 DNS queries per day limit mentioned there also applicable to the Standard plan, and also when not using WARP?
Over the past 7 days, I ran an experiment with an average of 81 queries/second to Cloudflare Gateway. The graph has some dips, but that could be due to the test script being single-threaded and the query response times deviating. I would need to improve that script to see if this is actually throttling / rate limiting.
resperf is a better tool for benchmarking than the custom script I used previously; it can generate a constant volume of DNS traffic and report the latency and other statistics of the test.
For the past 5 days, the test server ran resperf, and the graph has been very flat with good average latency. One IP constantly sent 400 qps (queries per second) to one Cloudflare Gateway Location in the paid Standard plan. So, this experiment shows that Cloudflare Gateway can handle such request volume just fine.
See in this graph how stable it has been the past few weeks:
Today, I finally found https://www.cloudflare.com/supplemental-terms/
“Cloudflare Gateway is subject to an Average Monthly DNS Queries limit of 5,000 DNS queries per Seat per day”
If I interpret the terms correctly now, the free tier is allowed to make more DNS requests than a customer paying for 49 standard ‘Seats’, and I’ve been exceeding the limit for over 4 months. I’d expect to have received a warning on the dashboard or by mail, yet didn’t receive any such notification. Is Cloudflare not actively enforcing their policy, or am I missing something in the calculation?