Cloudflare Docs
Learning Paths
Visit Learning Paths on GitHub
Set theme to dark (⇧+D)

Test a policy

  1 min read

It is common for a misconfigured Gateway policy to accidentally block traffic to benign sites. To ensure a smooth deployment, we recommend testing a simple policy before deploying DNS filtering to your organization.

​​ Test a policy in the browser

  1. Go to Gateway > Firewall policies.
  2. Disable all existing DNS policies.
  3. Re-enable or create a policy to block all security categories:
    Selector Operator Value Action
    Security categories in All security risks Block
  4. Ensure that your browser is not configured to use an alternate DNS resolver. For example, Chrome has a Use secure DNS setting that will cause the browser to send requests to and bypass your DNS policies.
  5. In the browser, go to You should see a generic Gateway block page.
  1. In Logs > Gateway > DNS, verify that you see the blocked domain.
  2. Slowly re-enable or add other policies to your configuration.
  3. When testing against frequently-visited sites, you may need to clear the DNS cache in your browser or OS. Otherwise, the DNS lookup will return the locally-cached IP address and bypass your DNS policies.

You have now validated DNS filtering on a test device.