How to Use Cloudflare Zero Trust Gateway as a DNS Ad Blocker
Personally, I am a big fan of NextDNS, a DNS service that (similar to PiHole) allows you to block traffic to advertising circuits, tracking and telemetry systems.
This is why I have always been fascinated by the possibility of reproducing a similar service using free tools, in particular the gateway functionality of Cloudflare’s Zero-Trust platform.
Zero Trust Gateway does indeed allow you to create blocking rules at the DNS level, but it has a limitation that makes it difficult to use as an ad blocker: each list can contain at most 1000 entries, whereas the blocking lists used by NextDNS can usually contain up to 100,000 domains.
So I tried to put together some Python code with the following goals:
- download the blacklists
- divide them into sets of 1000 entries and create the corresponding lists on Cloudflare via the API
- create a block rule and link it to the lists created in the previous step
The result was lean enough to be packaged into a GitHub action to be run periodically to keep the lists up to date.
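As an added illustration of the three steps above (not the code from the repository described here), the following Python parses a constructed sample blocklist, splits it into 1000-entry chunks and builds the list and rule requests; the Gateway endpoint paths, request bodies and the hyphen-stripped list ID in the rule expression are assumptions about the Cloudflare API, and the HTTP call is injected so the script runs offline:

```python
import re
from typing import Callable

# Constructed sample blocklist (hosts format mixed with bare domains); not a real list.
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # inline comment
telemetry.example.org
ads.example.com
localhost
"""

LIST_MAX = 1000  # per-list entry limit of Gateway lists, as noted in the post
HOSTS_PREFIX = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+")
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_blocklist(text: str) -> list[str]:
    """Return unique lower-cased domains in first-seen order, dropping comments and hosts-file noise."""
    seen, domains = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain = HOSTS_PREFIX.sub("", line).lower()
        if " " in domain or domain in SKIP or domain in seen:
            continue
        seen.add(domain)
        domains.append(domain)
    return domains


def chunk(items: list[str], size: int = LIST_MAX) -> list[list[str]]:
    """Split into consecutive slices of at most `size` entries (the Gateway list limit)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def sync(text: str, account_id: str, post: Callable[[str, dict], dict], prefix: str = "adblock") -> dict:
    """Create one Gateway list per chunk, then one DNS block rule referencing all of them.
    `post(path, body)` performs the authenticated POST and returns the API "result" object;
    the endpoint paths and body shapes are assumptions about the Cloudflare Gateway API."""
    list_ids = []
    for n, part in enumerate(chunk(parse_blocklist(text)), start=1):
        body = {"name": f"{prefix}-{n:03d}", "type": "DOMAIN", "items": [{"value": d} for d in part]}
        list_ids.append(post(f"/accounts/{account_id}/gateway/lists", body)["id"])
    # Assumption: Gateway rule expressions reference a list by its UUID with the hyphens removed.
    traffic = " or ".join(f"any(dns.domains[*] in ${lid.replace('-', '')})" for lid in list_ids)
    rule = {"name": prefix, "action": "block", "enabled": True, "filters": ["dns"], "traffic": traffic}
    post(f"/accounts/{account_id}/gateway/rules", rule)
    return rule
```

In a real run `post` would wrap an HTTPS request to the Cloudflare API with the token as a bearer header; re-running the script with a fresh blocklist is what keeps the lists current.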
A first working draft is available on GitHub; using it is quite simple:
- Create a Cloudflare API token, from https://dash.cloudflare.com/profile/api-tokens, with 3 permissions:
  Account.Zero Trust : Edit
  Account.Account Firewall Access Rules : Edit
  Account.Access: Apps and Policies : Edit
- Get your Account ID from: https://dash.cloudflare.com/?to=/:account/workers
- Clone the repository.
- Configure action secrets:
  CF_IDENTIFIER with your Account ID
  CF_API_TOKEN with your API Token
- Modify config.ini with your preferred blocking lists
- Enable the action
I hope it is useful!