If your Content Policy rules aren't being applied as you would expect and you've confirmed that your device is correctly connected to Cloudflare DNS, here's how to narrow down the issue.
Use the Content Policy Debug View
Go to the Test Rules section of your Content Policy to simulate how the content policy should be applied.
Examine DNS Traffic Logs
Traffic logs can help you find domains and categories that should be allowed or blocked based on your actual web browsing.
We recommend filtering your DNS Logs to make them easier to read.
If a website or app is being blocked and you want to ensure it's allowed, you can open the rule responsible directly from the Traffic Logs page.
Enable Block Page
Enabling Block pages makes it much easier to troubleshoot which rule could be the problem. The name of the rule is listed on the Block page.
Learn how to enable Block pages here.
Check Rule Order
Rules can conflict with each other if they have overlapping content, so you might need to re-order your rules or remove overlapping content between rules. Learn more: ordering rules to customize blocking behavior
SafeSearch rules should be ordered above overlapping allow rules
If an allow rule has overlapping content with your SafeSearch rule and is ordered above it, the allow rule will override SafeSearch completely. Make sure that your SafeSearch rule is above any conflicting allow rules, or remove the overlapping content selection from the allow rule.
Allow rules should be ordered above overlapping block rules when specifying exceptions
If you have a block rule that blocks a category, but you want to add an exception for a website within that category, the allow rule for that website should be ordered above the block rule.
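The two ordering cases above can be checked with a small model. This is an added example, not Tech Lockdown or Cloudflare code: it assumes the highest matching rule is the one applied, and the rule names, domains and category map are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: domain -> categories (not real categorization).
CATEGORIES = {
    "search.example": {"Search Engines"},
    "forum.example": {"Social Networks"},
}

@dataclass
class Rule:
    name: str
    action: str   # "allow", "block" or "safesearch"
    content: set  # domains and/or categories selected in the rule

def covers(rule, domain):
    """True if the rule selects the domain itself or one of its categories."""
    return domain in rule.content or bool(CATEGORIES.get(domain, set()) & rule.content)

def first_match(rules, domain):
    """Assumed model: the highest rule covering the domain is the one applied."""
    return next((r for r in rules if covers(r, domain)), None)

def order_warnings(rules, domains):
    """Report the two ordering mistakes described in this section."""
    found = []
    for domain in domains:
        hits = [r for r in rules if covers(r, domain)]
        for lower in hits[1:]:
            top = hits[0]
            if top.action == "allow" and lower.action == "safesearch":
                found.append(f"{domain}: '{top.name}' overrides '{lower.name}'")
            elif top.action == "block" and lower.action == "allow":
                found.append(f"{domain}: exception '{lower.name}' is below '{top.name}'")
    return found

safesearch = Rule("SafeSearch", "safesearch", {"Search Engines"})
allow_search = Rule("Allow search.example", "allow", {"search.example"})
block_social = Rule("Block social", "block", {"Social Networks"})
allow_forum = Rule("Allow forum.example", "allow", {"forum.example"})

misordered = [allow_search, safesearch, block_social, allow_forum]
corrected = [safesearch, allow_search, allow_forum, block_social]

if __name__ == "__main__":
    for label, rules in (("misordered", misordered), ("corrected", corrected)):
        print(label)
        for d in CATEGORIES:
            print(f"  {d} -> {first_match(rules, d).name}")
        for w in order_warnings(rules, CATEGORIES):
            print("  warning:", w)
```

In the misordered list the allow rule wins over SafeSearch and the block rule wins over the exception; the corrected order produces no warnings.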
Check Cloudflare Radar to see if a domain is incorrectly categorized
It's possible that a website could be categorized incorrectly. Use Cloudflare Radar to see domain information for the website.
If necessary, add the website's domain to an Allow rule to make an exception.
Specify an App Instead of a Domain When Possible
If you're trying to allow or block a specific platform, like Gmail, you might need to specify several different domains. The best way to do this is to specify an app within the rule content selector. This will automatically detect the related domains. If the app isn't listed, you can use your DNS Traffic Logs to determine which domains are associated with the platform and then manually add each domain.
Switch to DNS Only Mode in the Cloudflare App
If you are troubleshooting on a device that is connected using either the Cloudflare WARP or Cloudflare One app, you might need to enable DNS only mode.
Some websites or apps won't accept connections from a VPN. You can switch to DNS only mode and see if they work as expected.
You can switch to DNS only mode using the Tech Lockdown dashboard in Settings > App Preferences. Set the Filtering Mode to "DoH (DNS only)" and save changes. Allow 5 minutes for the filter to update. This change will automatically sync with the Cloudflare app on your device.