Serious Discussion Cloudflare Gateway Free Plan

Gateway with WARP allows bypass from secure DNS in browsers; this means Gateway with WARP does not intercept or redirect browsers' secure DNS traffic to resolve them. Users can simply enable secure DNS in browsers to bypass Gateway with WARP. The Cloudflare content categories "adult," "nudity," and "pornography" block ok.xxx, ok.porn, and maxim.com.
How do you interpret the result from my post?

I interpreted this as follows:
  1. WARP redirects the computer traffic (including the web browser traffic) to the Cloudflare server.
  2. Cloudflare checks the web browser DOH domain in Zero Trust.
  3. If the web browser DOH domain is allowed in Zero Trust, Cloudflare sends the DOH request to the DOH server. The user's IP is hidden.
  4. DOH server checks URLs (including phishing URL). In the example from my post, the phishing URL is undetected.
  5. DOH server sends back the information about undetected URLs to Cloudflare.
  6. Cloudflare Zero Trust checks the URLs and detects that one of them is a phishing URL.
  7. Cloudflare sends back the block screen to the user's web browser.
Cloudflare can check the URL in Zero Trust only if the DOH DNS allows it. If not, then the DOH block screen is returned to the web browser.
WARP works in this way only if it is set to log into Zero Trust.
 
  1. WARP redirects the computer traffic (including the web browser traffic) to the Cloudflare server.
  2. Cloudflare checks the web browser DOH domain in Zero Trust.
  3. If the web browser DOH domain is allowed in Zero Trust, Cloudflare sends the DOH request to the DOH server. The user's IP is hidden.
  4. DOH server checks URLs (including phishing URL). In the example from my post, the phishing URL is undetected.
  5. DOH server sends back the information about undetected URLs to Cloudflare.
  6. Cloudflare Zero Trust checks the URLs and detects that one of them is a phishing URL.
  7. Cloudflare sends back the block screen to the user's web browser.
For example,
1. I use Google DNS in Chrome (allowed in Cloudflare Gateway).
2. I use ok.xxx for testing (Google DNS allows it, but Cloudflare Gateway has a policy to block it.)
Should Gateway with WARP block ok.xxx?
 
Under Device profiles, there is "Default" and the profiles you add. I believe the "Default" applies to all profiles you add. I change only the specific profile's settings.
For some reason, I couldn't make my laptop and phone use default profile, so I had to create entire new one with settings exact to the ones in default profile. Now I deleted created profile and it started using default one automatically.
 
For some reason, I couldn't make my laptop and phone use default profile, so I had to create entire new one with settings exact to the ones in default profile. Now I deleted created profile and it started using default one automatically.
Cloudflare seems to create a default profile when you add your first device. It then uses the default profile for new profiles you create; the new profiles inherit the settings from the default profile. Changing the settings in the default profile affects only new profiles you create, not those you already have.
 
For example,
1. I use Google DNS in Chrome (allowed in Cloudflare Gateway).
2. I use ok.xxx for testing (Google DNS allows it, but Cloudflare Gateway has a policy to block it.)
Should Gateway with WARP block ok.xxx?

I deleted my post with a " yes " answer, because I got inconsistent results. I will post soon.:)
 
Ok, but I tried what you posted, and I could access maxim.com. I've tested this multiple times, and I could access blocked websites every time.

It was an irritating test for me, because the configured settings were triggered after some time.
Furthermore, the WARP alerts were misleading (browsing still worked):



Finally, I could confirm your observation. If the web browser DOH domain is not blocked by Zero Trust, all traffic via DOH is allowed by Zero Trust.
 
How do you interpret the result from my post?

I interpreted this as follows (as @rashmi suggested):
  1. WARP redirects the computer traffic (including the web browser traffic) to the Cloudflare server.
  2. Cloudflare checks the web browser DOH domain in Zero Trust.
  3. If the web browser DOH domain is allowed in Zero Trust, Cloudflare sends the DOH request to the DOH server. The user's IP is hidden.
  4. DOH server checks URLs (including phishing URL). In the example from my post, the phishing URL is undetected.
  5. DOH server sends back the information about undetected URLs to Cloudflare.
  6. Cloudflare Zero Trust checks the URLs and detects that one of them is a phishing URL.
  7. Cloudflare sends back the block screen to the user's web browser.
Cloudflare can check the URL in Zero Trust only if the DOH DNS allows it. If not, then the DOH block screen is returned to the web browser.
WARP works in this way only if it is set to log into Zero Trust.

The situation noted in the above post was possible because the configured settings were not activated properly by the web browser. For some reason, they were activated after restarting the web browser.
It seems that WARP with Zero Trust + DOH configured in the web browser works as follows:
  1. WARP redirects the computer traffic (including the web browser traffic) to the Cloudflare server.
  2. Cloudflare checks in Zero Trust the DOH domain configured in the web browser (WB_DOH).
  3. If the WB_DOH domain is allowed in Zero Trust, Cloudflare allows all WB_DOH traffic. The user's IP is hidden.
  4. The traffic outside the web browser (non-WB_DOH) is checked by Zero Trust. If blocked, WARP shows an alert.
  5. If WB_DOH blocks something, Cloudflare sends the block screen to the user's web browser.

Post updated and corrected.

Edit 1.
This can require some tests with other DNS resolvers.
There are some interesting consequences. One can use very strict DNS restrictions outside the web browser to block malware connections and usable DOH (like NextDNS) for the web browser.

Edit 2.

Zero Trust can also put restrictions on IPs (Network restrictions instead of DNS restrictions).
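The model above boils down to one observable: for a name the Gateway policy blocks, the browser's own DoH resolver still returns a real address, so the policy never sees the lookup. The script below is an added example (not code from the thread or from Cloudflare) that makes that check mechanical: it builds a wire-format DNS query, parses the wire-format answers two resolvers return, and reports a bypass when the policy resolver's answer is blocked but the browser-side resolver's answer is not. It assumes Gateway's default block answer is the 0.0.0.0 / :: sinkhole (that is configurable, so adjust SINKHOLE to your tenant). The sample responses are constructed inline so it runs offline; for a live test, POST the bytes from build_query() with content-type application/dns-message to each DoH endpoint (the Gateway DoH endpoint and the one configured in the browser) and feed the replies to bypasses_policy().

```python
"""Added example, not from the thread: compare a policy resolver's DNS answer with a
browser-side DoH resolver's answer for the same name, to detect the bypass described
above. Sample responses are constructed inline; SINKHOLE is an assumption."""
import ipaddress
import struct

A, AAAA = 1, 28
SINKHOLE = {"0.0.0.0", "::"}  # assumed Gateway default block answer; tenant-configurable


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035) with the RD bit set; usable as a DoH POST body."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("idna")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes):
    """Return (rcode, [(owner, rtype, rdata_text), ...]) from a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == AAAA and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()                         # CNAME etc. left raw; not needed here
        answers.append((owner, rtype, text))
    return flags & 0x000F, answers


def verdict(rcode: int, answers) -> str:
    """'blocked' for NXDOMAIN, empty, or sinkholed answers; 'allowed' for a real address."""
    if rcode == 3:
        return "blocked"
    if rcode != 0:
        return "error"
    addrs = [v for _, t, v in answers if t in (A, AAAA)]
    if not addrs or all(a in SINKHOLE for a in addrs):
        return "blocked"
    return "allowed"


def bypasses_policy(policy_resp: bytes, browser_resp: bytes) -> bool:
    """True when the policy resolver blocks a name the browser's resolver answers."""
    return (verdict(*parse_response(policy_resp)) == "blocked"
            and verdict(*parse_response(browser_resp)) == "allowed")


def build_response(query: bytes, addrs, rcode: int = 0, ttl: int = 60) -> bytes:
    """Construct a response to `query` for offline testing (sample data, not captured)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = A if ip.version == 4 else AAAA
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(ip.packed)) + ip.packed
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query("ok.xxx")
    gateway = build_response(q, ["0.0.0.0"])           # constructed: policy resolver blocks
    browser = build_response(q, ["203.0.113.10"])      # constructed: browser DoH allows
    print("browser DoH bypasses policy:", bypasses_policy(gateway, browser))
```

Run the live version of this against a name you have a block policy for, once with the Gateway DoH endpoint and once with the resolver configured in the browser; a "bypass" result is exactly the condition in point 3 above, and a "blocked" result from both is what you would see if Gateway were re-resolving the browser's DoH traffic. Restart the browser between policy changes, as noted later in the thread, or cached answers will confuse the comparison.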
 
It was an irritating test for me, because the configured settings were triggered after some time.
Furthermore, the WARP alerts were misleading (browsing still worked):
You should clear the browser data or at least restart the browser when testing a DNS service, changing DNS, allowing/blocking policy/website, etc.; otherwise, you may see broken or improper results. The WARP notification is a beta feature, and it's buggy from my testing.

It seems that WARP with Zero Trust + DOH configured in the web browser works as follows:
  1. WARP redirects the computer traffic (including the web browser traffic) to the Cloudflare server.
  2. Cloudflare checks in Zero Trust the DOH domain configured in the web browser (WB_DOH).
  3. If the WB_DOH domain is allowed in Zero Trust, Cloudflare allows all WB_DOH traffic. The user's IP is hidden.
  4. The traffic outside the web browser (non-WB_DOH) is checked by Zero Trust. If blocked, WARP shows an alert.
  5. If WB_DOH blocks something, Cloudflare sends the block screen to the user's web browser.
Do you mean 1, 2, and 3 are specific to Gateway with WARP, or do they also apply to Gateway with DoH and apps like YogaDNS and NextDNS?
4. Isn't it the same with apps like YogaDNS? If I block "Microsoft Copilot" in Cloudflare and use Cloudflare DoH in YogaDNS, I see the Cloudflare block page in the Copilot app (I tested it in the past). Yes, Gateway with WARP may have extended capabilities as it tunnels the traffic.
5. This is not true; I don't see a WARP alert for ok.xxx with the Clean Browsing Family Filter in Chrome. (If this is not true, I've doubts about 1, 2, and 3—did you test these?)
 
Do you mean 1, 2, and 3 are specific to Gateway with WARP, or do they also apply to Gateway with DoH and apps like YogaDNS and NextDNS?

I did not test Gateway with DoH. YogaDNS and NextDNS applications normally do not redirect all traffic. I did not test them much, so I am unsure if they can be tweaked to also intercept the traffic generated by LOLBins.

5. ... I don't see a WARP alert for ok.xxx with the Clean Browsing Family Filter in Chrome.

This follows from point 4. You can see WARP alerts only for non-WB_DOH traffic.
 
This follows from point 4. You can see WARP alerts only for non-WB_DOH traffic.
You're focusing on non-WB DoH traffic and malware. I'm discussing browsers' DoH traffic bypassing Cloudflare's "Gateway with WARP" mode. I thought "Gateway with WARP" would redirect and resolve DoH traffic from browsers. AdGuard's feature does this for selected DNS within the app.
 
You're focusing on non-WB DoH traffic and malware. I'm discussing browsers' DoH traffic bypassing Cloudflare's "Gateway with WARP" mode. I thought "Gateway with WARP" would redirect and resolve DoH traffic from browsers. AdGuard's feature does this for selected DNS within the app.

If there is WARP, all the traffic (including web browser DOH-related traffic) goes first to the Cloudflare servers. Isn't that redirection?
If I correctly understand, Zero Trust cannot see the details and sends all the DOH traffic to the DOH DNS resolver.
 
@SeriousHoax, Would you add identity-based ad blocking for Cloudflare Zero Trust WARP in the script from your personal branch?
I don't use the WARP app so I don't think I will do it. The ZeroTrust via the WARP app uses the default location and its policies by default. So, when I need the WARP app, I can use it normally without changing anything.
I'm actually trying to find a way to block the WARP app for users of my router's Guest Wi-Fi. Basically, want to block it for everyone but me. But it seems to be simply impossible with any DNS providers to block WARP, at least impossible to block the phone's 1.1.1.1 app.
Zero Trust permanently whitelists some Cloudflare WARP domains by default which cannot be blocked. So, blocking it via ZeroTrust is out of the question. But even with other DNS providers I cannot freaking block WARP. Even if I block all the IPs required by WARP in my router's firewall, it still finds a way to connect 😡
 
I don't use the WARP app so I don't think I will do it. The ZeroTrust via the WARP app uses the default location and its policies by default. So, when I need the WARP app, I can use it normally without changing anything.
I'm actually trying to find a way to block the WARP app for users of my router's Guest Wi-Fi. Basically, want to block it for everyone but me. But it seems to be simply impossible with any DNS providers to block WARP, at least impossible to block the phone's 1.1.1.1 app.
Zero Trust permanently whitelists some Cloudflare WARP domains by default which cannot be blocked. So, blocking it via ZeroTrust is out of the question. But even with other DNS providers I cannot freaking block WARP. Even if I block all the IPs required by WARP in my router's firewall, it still finds a way to connect 😡
Have you tried blocking everything mentioned in this?

 
Have you tried blocking everything mentioned in this?

Yeah, this is what I followed to know which IPs to block but Cloudflare probably has secret fallback IPs that are not mentioned there. I will do more experiments later.
 
Yeah, this is what I followed to know which IPs to block but Cloudflare probably has secret fallback IPs that are not mentioned there. I will do more experiments later.
Unfortunately, I believe in order to block WARP successfully you'd need to block ports it uses to operate.
 
Unfortunately, I believe in order to block WARP successfully you'd need to block ports it uses to operate.
I even tried that. Blocked all ports it uses except port 443. Blocking port 443 is, of course, not viable. So it's tricky to block WARP. Later, I will try some other things that I have in mind.
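The exchange above ends at "blocking port 443 is not viable", which is true if 443 is dropped globally but not if it is dropped only towards the WARP ingress ranges. The ruleset below is an added example for a Linux router, not something posted in the thread or published by Cloudflare: it drops the documented WARP ingress ranges and transport ports for traffic arriving on a guest interface, and applies the 443 rule to those ranges alone so ordinary HTTPS keeps working. The interface name "guest0" is a placeholder, and the prefixes and ports are taken from Cloudflare's WARP firewall documentation as I recall it; verify them against the current list before deploying. The thread reports that the client still connected after IP/port blocking, so the counters on each rule are there to tell you whether the client is even hitting these ranges or has moved to an endpoint not on the list.

```nft
# Added example (not from the thread): nftables rules that drop Cloudflare WARP
# transport from a guest interface on a Linux router.
# Assumptions: guest VLAN interface is "guest0" (placeholder); the address ranges
# and ports are the ones Cloudflare documents for WARP, which can change.
table inet guest_filter {
    set warp_v4 {
        type ipv4_addr
        flags interval
        elements = { 162.159.192.0/24, 162.159.193.0/24, 162.159.195.0/24 }
    }
    set warp_v6 {
        type ipv6_addr
        flags interval
        elements = { 2606:4700:100::/48 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;

        # WireGuard-style transport on the documented UDP ports
        iifname "guest0" ip  daddr @warp_v4 udp dport { 2408, 500, 1701, 4500 } counter drop
        iifname "guest0" ip6 daddr @warp_v6 udp dport { 2408, 500, 1701, 4500 } counter drop

        # MASQUE fallback on 443, restricted to the WARP ranges only (assumed to use
        # both TCP and UDP 443), so the rest of the Internet over HTTPS is untouched
        iifname "guest0" ip  daddr @warp_v4 tcp dport 443 counter drop
        iifname "guest0" ip  daddr @warp_v4 udp dport 443 counter drop
        iifname "guest0" ip6 daddr @warp_v6 tcp dport 443 counter drop
        iifname "guest0" ip6 daddr @warp_v6 udp dport 443 counter drop
    }
}
```

Load it with `nft -f` and watch `nft list ruleset` while a guest device toggles the 1.1.1.1 app: rising counters with a successful connection mean a missing range or port, flat counters with a successful connection mean the client is using an endpoint outside these sets, which matches the "fallback IPs" suspicion voiced above.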
 
If there is WARP, all the traffic (including web browser DOH-related traffic) goes first to the Cloudflare servers. Isn't it the redirection?
If I correctly understand, Zero Trust cannot see the details and sends all the DOH traffic to the DOH DNS resolver.
Redirection, in the sense... AdGuard's feature redirects the DoH traffic to the selected DNS within the app, which means the selected DNS resolves the traffic.
 