I use Cloudflare Gateway on my home network, and in a few other locations (when travelling and also at work). It is a fantastic technology that provides DNS-level filtering, so that you can reduce risks on your network (e.g. malware) but also block categories of sites if required (e.g. adult themes). The service is (at the time of writing this article) free for a small number of sites (and up to 50 users).
What is DNS and DNS Filtering?
For those who are not aware, the Domain Name System (DNS) is one of the technologies that powers the internet. Every internet-connected server has a numerical (IPv4) or hexadecimal (IPv6) address. IPv4 addresses are usually in the format x.x.x.x (e.g. 220.127.116.11), whilst IPv6 addresses are much more complicated; either way, if you wanted to go to Google you might struggle to remember the numerical address, which is where DNS comes in. DNS is like the phonebook of the internet: it says that the address for example.com is 18.104.22.168. This means that when you type example.com into your browser, the browser can ask your specified DNS name server what the server IP for example.com is (so you don't need to remember the address); the name server returns the IPv4 or IPv6 address (e.g. the IPv4 address 18.104.22.168), and your browser then asks 18.104.22.168 for the example.com page.
DNS-level filtering is an adaptation of the DNS system whereby the DNS name server deliberately gives the wrong address. Instead of returning the right address for a malicious server, the filtering name server first checks whether the name is on a block list; if it is, it returns an IP address (which it usually controls) that shows a page saying the site could not be accessed because it is blocked (a block page). This prevents the malicious content from being loaded, and also lets the user know that the site was blocked.
Cloudflare has a number of DNS servers and filtering services: there is the standard 1.1.1.1 (unfiltered) server, the 1.1.1.2 (malware filtered) server, and the 1.1.1.3 (malware and adult filtered) server. There is also a third service, which I discuss in this post, the Cloudflare Gateway service. This differs from the others in that you can pick and choose what is blocked, and you can also have multiple block policies, so you could turn on blocking malware and social media during the day to get things done, then change the policy (manually) at night to allow social media.
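To make the block-list mechanism and the policy idea concrete, here is a toy model of a filtering resolver. This is an added example written for this post and is not Cloudflare's code; the domains, addresses and categories in it are constructed for illustration, and the sinkhole address stands in for the block-page server that a real filtering resolver controls.

```python
"""Toy model of a DNS filtering resolver (added example, not Cloudflare's code).

It shows the mechanism described above: the resolver checks a name against a
block list before answering and, for blocked names, returns an address it
controls (a "sinkhole") that serves a block page instead of the real host.
Everything below (domains, addresses, categories, policies) is constructed.
"""
from dataclasses import dataclass, field

# Constructed "phonebook": what an unfiltered resolver would answer.
UPSTREAM = {
    "example.com": "192.0.2.10",
    "social.example": "192.0.2.20",
    "bad.example": "192.0.2.30",
    "cdn.bad.example": "192.0.2.31",
}

# Constructed category list: hypothetical domains tagged with a category.
CATEGORIES = {
    "social.example": "social_media",
    "bad.example": "malware",
}

# Address the filtering resolver controls; it serves the block page.
SINKHOLE = "192.0.2.254"


@dataclass
class Policy:
    """One set of rules, e.g. the 'daytime' or 'evening' policy from the post."""
    name: str
    blocked_categories: set = field(default_factory=set)
    blocked_domains: set = field(default_factory=set)


def _domain_chain(name):
    """Yield the name and each parent domain (not the bare TLD), so that a
    rule on bad.example also covers cdn.bad.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(name):
    """Category of the name, inherited from the closest listed parent."""
    for candidate in _domain_chain(name):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


def resolve(name, policy):
    """Return (address, blocked) the way a filtering resolver would answer."""
    for candidate in _domain_chain(name):
        if candidate in policy.blocked_domains:
            return SINKHOLE, True
    if classify(name) in policy.blocked_categories:
        return SINKHOLE, True
    return UPSTREAM.get(name.lower().rstrip(".")), False


def is_block_page(address):
    """Client-side check: did the answer point at the resolver's sinkhole?"""
    return address == SINKHOLE


# Two policies, mirroring the day/night switch described above.
DAYTIME = Policy("daytime", blocked_categories={"malware", "social_media"})
EVENING = Policy("evening", blocked_categories={"malware"})

if __name__ == "__main__":
    for policy in (DAYTIME, EVENING):
        for host in ("example.com", "social.example", "cdn.bad.example"):
            addr, blocked = resolve(host, policy)
            print(f"{policy.name:8} {host:18} -> {addr} {'(blocked)' if blocked else ''}")
```

The same query gives different answers under the two policies, which is the whole point of having several block policies rather than one fixed resolver: a swap of policy, not of resolver address, changes what the network can reach.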
What is CloudFlare Gateway?
Cloudflare Gateway is a DNS blocking service like the malware filtered (1.1.1.2) and family filtered (1.1.1.3) services; however, it offers a much greater level of control over what can be blocked. In addition to blocking specific categories of site (e.g. just social media), you can also block specific security risks (e.g. sites used in DNS tunnelling), or just block specific domains. This gives much greater control over what is allowed through and what is blocked from the network. There is a caveat though, which is that for Cloudflare Gateway to be able to apply filtering, it needs to be able to identify the network the request is coming from (to work out which policies to apply). If the source of the request can't be identified as coming from your location / network, then Cloudflare Gateway is not likely to be able to block specific categories and you might be stuck using just the malware or family blocks.
So how can Cloudflare Gateway identify my network?
There are a few different ways that Cloudflare can identify your network. If you are using a static, public IPv4 address, you can specify the source address of your network on setup; when Cloudflare receives a request, it checks the source address, sees that it came from your static IP address, matches that against your locations and then applies the specified policies. If you have IPv6 connectivity, you can instead use a specific (unique) IPv6 address assigned to you by Cloudflare; because you are the only user of that address, any queries sent to it can be attributed to you, matched to your location and subjected to the policies you have set. Finally, there is a third option, which is to use DNS over TLS or DNS over HTTPS. This requires you to use a specifically generated hostname consisting of a random string followed by cloudflare-gateway.com (e.g. xxxxxxxxxx.cloudflare-gateway.com); when a request arrives at this hostname, Cloudflare notes the subdomain, looks it up in its list of locations to find yours and then applies the policy.
At home, since I have static IPv4 addresses, I tend to use the IPv4 addresses for Cloudflare Gateway, whilst at work I tend to use DNS over HTTPS with the hostname (I use OpenWRT and HTTPS-DNS-Proxy). I intend to use the same thing with my travel router as soon as HTTPS-DNS-Proxy becomes available for it (the firmware is not the current version of OpenWRT).
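The hostname method above works because the location identifier travels inside the DNS-over-HTTPS request itself (as the HTTPS host), not in the source IP. The following added example, which is not Cloudflare's code nor part of the original post, builds such a request in the RFC 8484 GET form so you can see exactly what a client like HTTPS-DNS-Proxy sends. The hostname is a placeholder (a real one is the random string Cloudflare generates for your location), the /dns-query path is RFC 8484's default, and nothing is sent over the network; the code only constructs the request and decodes it again.

```python
"""Construct a DNS-over-HTTPS (RFC 8484) GET request for a per-location
Gateway hostname. Added example, not Cloudflare's code. GATEWAY_HOST is a
placeholder; the path /dns-query is RFC 8484's default. Runs fully offline."""
import base64
import struct

GATEWAY_HOST = "xxxxxxxxxx.cloudflare-gateway.com"  # placeholder, not a real location


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Minimal DNS query: 12-byte header plus one question (1 = A, 28 = AAAA).
    The ID is 0, as RFC 8484 recommends for GET so the URL is cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name, host=GATEWAY_HOST, qtype=1):
    """GET form: the message is base64url-encoded without '=' padding."""
    dns_param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"https://{host}/dns-query?dns={dns_param}"


def decode_dns_param(url):
    """Inverse of doh_get_url: recover the host (the location identifier)
    and the raw DNS message, e.g. when auditing what a client is configured for."""
    host, _, query = url.removeprefix("https://").partition("/dns-query?dns=")
    padded = query + "=" * (-len(query) % 4)
    return host, base64.urlsafe_b64decode(padded)


def parse_question(message):
    """Read the QNAME and QTYPE back out of a message built by build_query."""
    pos = 12
    labels = []
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", message[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url("example.com")
    print(url)
    host, msg = decode_dns_param(url)
    print("location host:", host, "question:", parse_question(msg))
```

Because the location is carried as the HTTPS host, the request still identifies your network when your public IP changes, which is why this is the method I use where I don't have a static address. The flip side, worth checking in your router's config, is that the identifier is effectively a credential for your policy: any client that knows the hostname gets your location's policy applied.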
So why go to all this effort?
I do this as a security precaution. Whilst I may not be blocking all sites, I can at least block some of the ones that I have a concern over, to reduce the level of risk. In addition, I also tend to use this service for performance reasons, as it moves some of the work of going through blocklists off my router and onto Cloudflare Gateway (which is more performant than my router).
If you are interested in Cloudflare Gateway, you can find more information here.