Why does the Private IP Address category not match nip.io?

Domain categories · Cloudflare Zero Trust docs explains that Cloudflare Gateway can block “Domains that resolve to private IP Addresses”.

My Gateway policy blocks that category, so querying privateipaddress.testcategory.com returns the blocking page IP as expected.

However, the Gateway logs show “Allowed On No Policy Match” for these queries:

  1. a. resolves to
  2. gwallcheck.api-alliance.com resolves to

While I expected those queries to return a blocking page, Gateway instead resolved them to internal IPv4 addresses. What is this category supposed to block?

So you can check the category for a domain via Radar:


In those cases where you find the category is wrong, you can click Domain Categorization Feedback on Radar to submit a correction.

Ok, I have submitted the domain categorization feedback for gwallcheck.api-alliance.com.
However, the nip.io domains are dynamic, so there are millions of combinations, and I can’t submit categorization feedback for them all. I expected that Gateway checks whether the response IP is in subnet instead of having a hard-coded list of domains in this category.

Got it - let me mention this internally and see if we have plans to change this.


What is any category supposed to block? Categorization on a domain level is inexact at best. Take Reddit for example.

If your goal is to block DNS queries which resolve to private IP addresses, the most reliable path for achieving that is likely to be by creating a list of IP address ranges you wish to block and then using the selector Resolved IP with the in list operator and selecting the IP address list you’ve created.
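
The difference between a hostname category and a check on the resolved IP, as an added example that is not part of any post in this thread and is not Cloudflare's implementation. The range list, the function names and the sample DNS answers are assumptions constructed for illustration.

```python
import ipaddress

# Assumed block list: RFC 1918, loopback, link-local and IPv6 local ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Hostname-based category list (constructed; only the test domain from the thread).
CATEGORIZED = {"privateipaddress.testcategory.com"}


def is_private(addr: str) -> bool:
    """True if addr falls inside any range in PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is tested as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)


def evaluate(hostname: str, answers: list[str], categorized=CATEGORIZED):
    """Return (verdict by hostname category, verdict by resolved IP)."""
    by_category = "block" if hostname in categorized else "allow"
    by_ip = "block" if any(is_private(a) for a in answers) else "allow"
    return by_category, by_ip


# Constructed DNS answers. nip.io returns the IP embedded in the queried name,
# so every distinct name is a new hostname that no static list can enumerate.
SAMPLES = {
    "privateipaddress.testcategory.com": ["10.0.0.1"],
    "10.1.2.3.nip.io": ["10.1.2.3"],
    "192-168-0-10.nip.io": ["192.168.0.10"],
    "mapped.example.test": ["::ffff:192.168.1.5"],
    "example.com": ["93.184.216.34"],
}

if __name__ == "__main__":
    for host, answers in SAMPLES.items():
        cat, ip = evaluate(host, answers)
        print(f"{host:36} category={cat:5} resolved_ip={ip}")
```

Only the response-based check flags the nip.io names and the IPv4-mapped answer; the hostname list matches nothing but the entry it already contains.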


When I read the documentation saying that this category matches ‘domains that resolve to private IP Addresses’, I expected that it would prevent DNS rebinding attacks to private IP addresses.

Indeed, @cscharff’s solution with the Resolved IP selector works because you can enter subnets like ‘’ there.

