Serious Discussion: Cloudflare Gateway Free Plan

I think what happened is that Cloudflare had issues on their end; that's why filtering briefly stopped, and the issues with the dashboard made the logs disappear. They are 100% making changes to the Free plan and the dashboard, which is why I'm seeing that weird behavior.

The "Last 24 hours" graph is reset every two hours, but logs are kept for the full 24 hours. For both "Last hour" and "Last 24 hours", the "View all" link leads to the same page: DNS logs for the last hour, not 24 hours.

Btw, no one responded to my support ticket; probably because it's the weekend and the free plan doesn't have priority. I'll see if they reply in the next 5 days; if they don't, I'll write on their forum, because I'm genuinely interested in what exactly happened.
Oh. So blocking is working fine? That's the most important thing. If it works I don't worry too much about the dashboard. I have the query log page bookmarked, so I check it sometimes. Though the dashboard is a good way to know whether there were any disruptions.
 
One must be careful with the option below:

[attached screenshot]

It will block most application downloads.
This caused the example block from my previous post.
 
I bet they are changing something. Or it could be because we have WARP enrolled in Zero Trust and you don't.
I haven't used WARP, but the Cloudflare console changes often; I see "A new version of the page is available."

Are you sure? I did not see any such option (except in-browser DNS config).
Like the WARP client, one can use the NextDNS app, which would apply your settings system-wide.
 
Oh. So blocking is working fine? That's the most important thing. If it works I don't worry too much about the dashboard. I have the query log page bookmarked, so I check it sometimes. Though the dashboard is a good way to know whether there were any disruptions.
Yeah, filtering works normally. It still boggles my mind what happened, though. Honestly, I don't care about the dashboard, but filtering is what I care about and what I simply can't explain. Now I have a phobia of filtering stopping again. 😅
I haven't used WARP, but the Cloudflare console changes often; I see "A new version of the page is available."
I saw that only once. Eagerly waiting for it to happen again, as that would mean they probably fixed something. 😄
 
Cloudflare WARP can apply truly system-wide Zero Trust. It configures DNS server addresses for IPv6.
The NextDNS application is not truly system-wide. It does not change the DNS server addresses.
Although it can somehow restrict Chrome web browsers, it cannot restrict Firefox, CMD (the ping command), etc.
 
Cloudflare WARP can apply truly system-wide Zero Trust. It configures DNS server addresses for IPv6.
The NextDNS application is not truly system-wide. It does not change the DNS server addresses.
Although it can somehow restrict Chrome web browsers, it cannot restrict Firefox, CMD (the ping command), etc.
But you can change your DNS manually without relying on the app.

Most attacks will use direct-to-IP communication anyway; DNS in most cases won't really help.

It also won't help in cases where trusted infrastructure is being abused, or where unknown or already mature domains are going rogue just now.

It can be one additional layer though.

I still keep using my Control D, but knowing Cloudflare's speeds and using a ton of other Cloudflare products and services, I'll be trying this out.
 
The point of the WARP app isn't just to set DNS servers system-wide; it also forwards and encrypts traffic through Cloudflare's servers, with all firewall policies applying to it. In simpler terms, it's an encrypted VPN with your own set of rules.

Some apps have hardcoded DNS servers and simply won't use the DNS servers you or any app specify, but they can't evade WARP because all device traffic goes through it.

Basically:
NextDNS app — sets DNS system-wide (that apps don't have to use)
Cloudflare WARP app — sets DNS + creates secure and encrypted VPN connection (which all apps have to use)
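The post above makes the point that a system-wide DNS setting is only a suggestion to applications, while a tunnel client sees every flow. One way to see which applications ignore the setting is to look at egress records for DNS going anywhere other than the approved resolver. The script below is an added example for this thread, not code from Cloudflare, NextDNS or any poster; the log format, the sample records, and the APPROVED_RESOLVERS address are constructed, and the DOH_RESOLVER_IPS set is an illustrative list of public resolver anycast addresses rather than a complete blocklist.

```python
"""Spot DNS traffic that sidesteps the approved resolver.

Added example for this thread, not code from Cloudflare, NextDNS or any
poster. It reads firewall/NetFlow-style connection records (the format
and sample lines below are constructed) and flags flows that carry DNS
somewhere other than the resolver the policy allows: plain DNS on
port 53, DNS over TLS on 853/tcp, and HTTPS to public resolver addresses
that are known to serve DNS over HTTPS.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Resolver the policy allows (assumed address of the router / gateway).
APPROVED_RESOLVERS = {"192.168.1.1"}

# Public resolvers that also serve DoH on 443 (Cloudflare, Google, Quad9
# anycast addresses; illustrative, not a complete blocklist).
DOH_RESOLVER_IPS = {
    "1.1.1.1", "1.0.0.1",
    "8.8.8.8", "8.8.4.4",
    "9.9.9.9", "149.112.112.112",
}

# Constructed record format: "<ts> src=<ip> dst=<ip> proto=<udp|tcp> dport=<n>"
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the record is DNS-like traffic to an unapproved resolver."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not a connection record we understand
    src, dst = m["src"], m["dst"]
    proto, dport = m["proto"].lower(), int(m["dport"])
    if dst in APPROVED_RESOLVERS:
        return None  # going where policy says it should
    if dport == 53:
        return Finding(src, dst, proto, dport, "plain DNS to unapproved resolver")
    if dport == 853 and proto == "tcp":
        return Finding(src, dst, proto, dport, "DNS over TLS to unapproved resolver")
    if dport == 443 and proto == "tcp" and dst in DOH_RESOLVER_IPS:
        return Finding(src, dst, proto, dport, "HTTPS to known DoH resolver (likely DoH)")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every record and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample records: one compliant query, three bypass candidates,
# and one ordinary HTTPS flow to a TEST-NET address that must not be flagged.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z src=10.0.0.5 dst=192.168.1.1 proto=udp dport=53",
    "2024-06-01T10:00:02Z src=10.0.0.5 dst=8.8.8.8 proto=udp dport=53",
    "2024-06-01T10:00:03Z src=10.0.0.7 dst=9.9.9.9 proto=tcp dport=853",
    "2024-06-01T10:00:04Z src=10.0.0.7 dst=1.1.1.1 proto=tcp dport=443",
    "2024-06-01T10:00:05Z src=10.0.0.9 dst=203.0.113.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {f.reason}")
```

The 443 rule is the weakest of the three: an HTTPS connection to a public resolver's address is only a strong hint of DoH, so treat those hits as something to confirm against the host rather than as proof. Flows that a tunnel client such as WARP carries never appear here as separate DNS records, which is exactly the point the post makes.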
 
I will also continue to use my personal NextDNS account.
Although there is too much emphasis on DNS, this discussion is very interesting.(y)
There's nothing wrong with using NextDNS. The only reason why I use Cloudflare Zero Trust is because it doesn't limit the number of queries for free accounts.
 
But you can change your DNS manually without relying on the app.

Yes. But it will be highly inefficient.

Most attacks will use direct-to-IP communication anyway; DNS in most cases won't really help.

Many can use direct IP (especially when connecting to C2 servers), but most initial attack vectors use DNS (as in ClickFix attacks).

It also won't help in cases where trusted infrastructure is being abused, or where unknown or already mature domains are going rogue just now.

No one can deny this. :)

It can be one additional layer though.
I still keep using my Control D, but knowing Cloudflare's speeds and using a ton of other Cloudflare products and services, I'll be trying this out.

It has some interesting potential.
 
Cloudflare WARP can apply truly system-wide Zero Trust. It configures DNS server addresses for IPv6.
The NextDNS application is not truly system-wide. It does not change the DNS server addresses.
Although it can somehow restrict Chrome web browsers, it cannot restrict Firefox, CMD (the ping command), etc.
There are multiple ways to force DNS system-wide. For example, my router's DNS settings are very strict: port 53 is redirected to the router's DNS, so no one can use any DNS provider other than what I have set on the router (Zero Trust); every DoH provider is blocked, iCloud Private Relay is blocked, and popular DNS IPs are blocked. So, basically, system-wide DNS on any connected device. Only my PC and phone are whitelisted by MAC so that I can use other providers if needed.
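A router-side port-53 redirect like the one described above is easy to configure and easy to believe is working when it is not (a firmware update, a VLAN without the rule, a whitelisted MAC). The script below is an added example for this thread, not code from any poster or vendor: it asks the router's resolver and an outside public resolver for a domain the router policy blocks and compares the answers. If the redirect is in place, the "outside" query never leaves the LAN and returns the router's filtered answer, or is dropped; a different, real answer means plain DNS can bypass the filter. ROUTER_DNS, OUTSIDE_DNS and TEST_DOMAIN are placeholders to adjust, and build_response exists only so the parser can be exercised offline with constructed packets.

```python
"""Check whether a router's port-53 redirect actually applies to this host.

Added example for this thread, not code from any poster or vendor. Only
plain UDP/53 is exercised; DoH and DoT paths need their own checks, and the
comparison is only meaningful for a domain the router is known to block.
"""
import os
import socket
import struct
from typing import List, Optional, Tuple

ROUTER_DNS = "192.168.1.1"       # placeholder: your router's resolver address
OUTSIDE_DNS = "8.8.8.8"          # a public resolver the redirect should catch
TEST_DOMAIN = "blocked.example"  # placeholder: a name your policy blocks

Result = Tuple[int, List[str]]   # (rcode, A records)


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + ln


def parse_a_records(buf: bytes, expected_txid: int) -> Result:
    """Return (rcode, [IPv4 answers]) from a response, checking the txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip qtype + qclass
    answers = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0xF, answers


def build_response(query: bytes, addrs: List[str], rcode: int = 0) -> bytes:
    """Construct the reply a resolver would send (used for offline testing)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + rrs


def resolve(server: str, name: str, timeout: float = 2.0) -> Optional[Result]:
    """Send one UDP query; None means no reply (dropped or blocked)."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(data, txid)


def classify_egress(router: Optional[Result], outside: Optional[Result]) -> str:
    """Compare the two answers for a domain the router is known to block."""
    if outside is None:
        return "enforced: query to the outside resolver was dropped"
    if outside == router:
        return "enforced: outside query came back with the router's answer"
    return "bypass possible: outside resolver returned a different answer"


if __name__ == "__main__":
    router = resolve(ROUTER_DNS, TEST_DOMAIN)
    outside = resolve(OUTSIDE_DNS, TEST_DOMAIN)
    print("router :", router)
    print("outside:", outside)
    print(classify_egress(router, outside))
```

Run it from a device that is not on the router's MAC whitelist; from a whitelisted machine "bypass possible" is the expected and intended result. A filtering resolver may answer a blocked name with 0.0.0.0, with NXDOMAIN (rcode 3), or not at all, and the comparison treats all three consistently because it compares whole (rcode, answers) results rather than a single address.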
 
There are multiple ways to force DNS system-wide. For example, my router's DNS settings are very strict: port 53 is redirected to the router's DNS, so no one can use any DNS provider other than what I have set on the router (Zero Trust); every DoH provider is blocked, iCloud Private Relay is blocked, and popular DNS IPs are blocked. So, basically, system-wide DNS on any connected device. Only my PC and phone are whitelisted by MAC so that I can use other providers if needed.

I know. However, do you know a way to do this without reconfiguring the router (system-wide but not network-wide), and for popular DNS resolvers with personal settings (like NextDNS, paid Control D, etc.)? This could probably be done by an application similar to Cloudflare WARP (but not by applications similar to YogaDNS or NextDNS).
 
I know. However, do you know a way to do this without reconfiguring the router (system-wide but not network-wide), and for popular DNS resolvers with personal settings (like NextDNS, paid Control D, etc.)? This could probably be done by an application similar to Cloudflare WARP (but not by applications similar to YogaDNS or NextDNS).
Can you clarify what you previously meant by system-wide WARP not working on Firefox? Did you mean Firefox's DoH can bypass WARP?
 
Can you clarify what you previously meant by system-wide WARP not working on Firefox? Did you mean Firefox's DoH can bypass WARP?
I posted this regarding the NextDNS application (which is also true for the YogaDNS application).
Both applications are installed on the system (not configured in the web browser). They can apply the NextDNS personal DoH configuration (previously set up on the NextDNS website with an account). This personal configuration can then block URLs in Chrome web browsers (no need to configure DoH directly in the web browser).
However, the URLs can still be accessed outside the web browser (tested in the CMD console with the ping command). Furthermore, the URLs blocked in Chrome could be accessed in Firefox.

Cloudflare WARP can block URLs outside the web browser as well (in the CMD console, the ping command triggers the WARP alert).