Cloudflare for teams - securing my DNS further

Cloudflare Gateway DNS requests
Cloudflare Gateway DNS requests.

I've mentioned elsewhere that I'm a fan of cloudflare's services and recently came across their teams service. The thing I like about cloudflare's services is they always tend to offer a free tier aimed at smaller networks and/or startups. These free services are ideal for home networks so game on!

Their teams services (update: now renamed Cloudflare Zero Trust) is basically split into two services; Access and Gateway. Access is their version of a VPN service and at the moment I'm not interested in that element. It's the Gateway service that piqued my interest.

Gateway in a nutshell is a next-gen firewall that can provide protection from malware, ransomware, phishing, command & control etc via a DNS filtering service. The documentation you need is here but all I had to do was add my home network as a location. Cloudflare then provides you with a unique DNS-over-HTTPS endpoint - add this as the DNS resolver to your router (or pi-holes in my case) and job is a good 'un'.

You can then create a DNS policy to take advantage of cloudflare's filtering service. I know the pi-holes are filtering to some extent but their filtering capabilities are only as good as the lists I'm making use of so a belt and braces approach makes sense. Within the cloudflare policies I've turned on blocking for all the 'bad' security categories as defined by cloudflare,, these include C&C, botnets, malware, phishing domains, known spam domains etc etc. If a host on my network tries to access a site that is in cloudflare's block list the domain just won't resolve.

Your cloudflare dashboard will also give you a nice little breakdown of the DNS requsts that have been resolved:

Cloudflare Gateway stats

I'm quite happy with my DNS provision now. My network clients (and guest users) use the pi-holes for DNS resolution, they block or allow access and strip out all the ads, they also resolve via cloudflare using DoH and cloudflare also blocks or allows depending on the security risk of the destination domain.