Domain categories · Cloudflare Zero Trust docs explains that Cloudflare Gateway can block “Domains that resolve to private IP Addresses”.
My Gateway policy blocks that category, so querying privateipaddress.testcategory.com returns the blocking page IP 184.108.40.206 as expected.
However, the Gateway logs show “Allowed On No Policy Match” for these queries:
a.10.1.2.3.nip.io resolves to 10.1.2.3
gwallcheck.api-alliance.com resolves to 192.168.99.1
While I expected those queries to return a blocking page, Gateway instead resolved them to internal IPv4 addresses. What is this category supposed to block?
So you can check the category for a domain via radar:
In those cases where you find the category is wrong, you can click Domain Categorization Feedback on radar to submit a correction.
Ok, I have submitted the domain categorization feedback for gwallcheck.api-alliance.com.
However, the nip.io domains are dynamic, so there are millions of combinations, and I can’t submit categorization feedback for them all. I expected that Gateway looks if the response IP is in subnet 10.0.0.0/8 instead of having a hard coded list of domains in this category.
Got it - let me mention this internally and see if we have plans to change this.
What is any category supposed to block? Categorization on a domain level is inexact at best. Take Reddit for example.
If your goal is to block DNS queries which resolve to private IP addresses, the most reliable path for achieving that is likely to be by creating a list of IP address ranges you wish to block and then using the selector
Resolved IP with the
in list operator and selecting the IP address list you’ve created.
When I read the documentation saying that this category matches ‘domains that resolve to private IP Addresses’, I expected that it would prevent DNS rebinding attacks to private IP addresses.
Indeed, @cscharff’s solution with the
Resolved IP selector works because you can enter subnets like ‘10.0.0.0/8’ there.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.