macOS 11 and iOS 14 bypass Gateway DNS filters

I’ll link a post from another category:

HTTPSSVC (type 65) DNS queries are currently passing Gateway without filtering on Apple macOS 11 Big Sur and iOS 14 devices. Cloudflare authoritative DNS servers do reply to type 65 queries, which makes it possible to bypass Gateway on Cloudflare-hosted domains.

If you’re a network admin and you want to avoid this then you should block DNS queries to all but Cloudflare Gateway DNS servers.

Here’s how Apple is most likely utilizing DNS record types 64 and 65:
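The type 65 (HTTPS) and type 64 (SVCB) queries discussed above, as an added example that is not part of this thread or of Cloudflare's own code: a small parser for the DNS question section that flags SVCB/HTTPS queries so a log review or filter does not treat them as exempt lookups. The query builder, names and sample packets are constructed for the example.

```python
"""Flag DNS queries for SVCB (type 64) / HTTPS (type 65) records.

Added example (not from the thread or from Cloudflare). Parses the question
section of a raw RFC 1035 query and reports queries a Gateway-style filter
must also cover. Sample packets are constructed inline.
"""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 64: "SVCB", 65: "HTTPS"}
SVCB_TYPES = {64, 65}

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query packet (one question, RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet: bytes) -> tuple:
    """Return (qname, qtype) of the first question; raise on malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        if length & 0xC0:  # compression pointers are not expected in a query name
            raise ValueError("unexpected label pointer in question")
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question fixed fields")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype

def classify(packet: bytes) -> str:
    """Label a query so a filter treats SVCB/HTTPS lookups like A/AAAA."""
    name, qtype = parse_question(packet)
    kind = QTYPE_NAMES.get(qtype, str(qtype))
    if qtype in SVCB_TYPES:
        return f"{name} {kind}: must be filtered like A/AAAA"
    return f"{name} {kind}: ordinary lookup"
```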

Thanks @istenrot we’re actively working on updating Gateway to apply policies on HTTPS record types.


I believe this should now be resolved.


I recently started using Cloudflare and applied the DNS setting on my router. My Linux PCs are properly blocking pornography sites, but Mac and iPhone keep bypassing it. When I looked at the Zero Trust analysis tab, it looks like macOS and iOS are sending some encrypted domain names, and that is why they are being bypassed.

@gowerdhan.anant It is possible your browsers are configured with private DoH (non-Cloudflare) resolvers. Navigate to 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver to confirm you’re actually using CF.
