Test a policy
It is common for a misconfigured Gateway policy to accidentally block traffic to benign sites. To ensure a smooth deployment, we recommend testing a simple policy before deploying DNS filtering to your organization.
- Go to Gateway > Firewall policies.
- Turn off all existing DNS policies.
- Turn on any existing security policies or create a policy to block all security categories:

  | Selector | Operator | Value | Action |
  | --- | --- | --- | --- |
  | Security Categories | in | All security risks | Block |

- Ensure that your browser is not configured to use an alternate DNS resolver. For example, Chrome has a Use secure DNS setting that will cause the browser to send requests to 1.1.1.1 and bypass your DNS policies.
- In the browser, go to malware.testcategory.com. Your browser will display:
  - The Gateway block page, if your device is connected through the WARP client in Gateway with WARP mode.
  - A generic error page, if your device is connected through another method, such as Gateway with DoH mode.
- In Logs > Gateway > DNS, verify that you see the blocked domain.
- Slowly turn on or add other policies to your configuration.
- When testing against frequently-visited sites, you may need to clear the DNS cache in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies.

You have now validated DNS filtering on a test device.
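
The browser check in the steps above can also be scripted against the operating system's resolver, which takes the browser's secure DNS setting out of the picture. The following is an added example, not part of the original page or Cloudflare's own tooling. It assumes that a blocked lookup either fails, returns an unspecified address (0.0.0.0 or ::), or returns an address you supply as your block page address; `example.com` as a control name and the `block_page_ips` parameter are likewise assumptions.

```python
import ipaddress
import socket

TEST_DOMAIN = "malware.testcategory.com"  # test hostname from the steps above
CONTROL_DOMAIN = "example.com"  # assumption: a benign name no policy blocks


def system_resolve(name):
    """Resolve through the OS resolver; browser secure-DNS settings play no part."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # lookup failed
    return sorted({info[4][0] for info in infos})


def classify(answers, block_page_ips=()):
    """Return 'blocked', 'mixed' or 'not-blocked' for a list of IP strings.

    Assumption: a blocked lookup fails, returns 0.0.0.0 / ::, or returns an
    address listed in block_page_ips (supplied by the caller).
    """
    if not answers:
        return "blocked"
    block = {ipaddress.ip_address(ip) for ip in block_page_ips}
    flags = []
    for raw in answers:
        addr = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        flags.append(addr.is_unspecified or addr in block)
    if all(flags):
        return "blocked"
    return "mixed" if any(flags) else "not-blocked"


def check(name=TEST_DOMAIN, control=CONTROL_DOMAIN,
          resolve=system_resolve, block_page_ips=()):
    """Classify the test name, but only if a control name resolves at all."""
    if not resolve(control):
        # No working DNS: a failed lookup of the test name proves nothing.
        return "inconclusive"
    return classify(resolve(name), block_page_ips)


if __name__ == "__main__":
    verdict = check()
    print(f"{TEST_DOMAIN}: {verdict}")
    raise SystemExit(0 if verdict == "blocked" else 1)
```

A `not-blocked` result on a device that should be filtered points back at the earlier steps: a locally cached answer, or a resolver that is not Gateway.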