Skip to main content

User Manual

Internet safety with Cloudflare DNS

Cloudflare's public DNS holds the top among public DNS services for response time and query speed while providing complete privacy protection. The service is a cloud-based DNS server built on a massive worldwide network. It offers reliable protection against malware and adult content on the Internet.

Using the Cloudflare DNS service on your Keenetic requires no account or external settings. All you need is an Internet connection and a KeeneticOS Cloud-based content filtering and ad blocking component installed (refer to the KeeneticOS components installation/removal guide for detailed instructions).


From the Internet Safety menu in the Network Rules section of your Keenetic's Web Interface, open the Content Filter tab. Select the Public DNS resolvers & custom DNS profiles option for Filter mode.


You cannot set up content filtering with a subscription-based service, such as NextDNS, on your Keenetic after selecting the Public DNS resolvers & custom DNS profiles filtering mode. You can still set up any DNS service on devices on the network using local DNS resolution profiles or on-device configuration (requires Transit requests to be enabled in the device's DNS resolution profile).

You will see a list of available public content filter presets and the filtering settings for your network segments and registered devices.


By default, Keenetic sets all network devices to resolve Internet resource addresses using the system DNS profile. Typically, the System profile only uses your ISP's DNS resolver and does not provide any protection or content filtering.

The Default Content Filtering Profiles associations will work for any unregistered device on each local network. Registered devices set to the Segment default profile will also use these associations.

If you select the Public DNS resolvers & custom DNS profiles filtering mode, you can assign public Cloudflare profiles to devices individually or based on the network segment of their connection.

The Cloudflare public DNS offers three different filtering profiles:

  • Cloudflare - Adult content filtering. Assigning this profile provides malware and adult content blocking together.

  • Cloudflare - Automatic malware protection. Use this profile to block malware only.

  • Cloudflare - Unfiltered, Fast and Private. You can assign this profile when no filtering is required. It provides fast, reliable and secure resolution of all DNS queries.


Where possible, public Cloudflare DNS profiles will use the DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols to protect DNS traffic from interception and ensure the privacy of request data. For more information about protecting DNS requests, please refer to the topic DoT and DoH proxy servers for DNS requests encryption.

For example, the following configuration explicitly assigns the iPhone-Apple device to use the Cloudflare - Adult content filtering profile in any network segment. The Main PC device's requests are processed according to the segment it is connecting to, i.e. using the Cloudflare - Unfiltered, Fast and Private profile in the Guests segment and the Cloudflare - Automatic malware protection in the Home segment.


The Cloudflare public content filtering does not provide block pages that display instead of the banned resource. When trying to visit an undesirable site you will see your browser's This site can’t be reached notification for the ERR_CONNECTION_REFUSED connection error.

You can test if the content filtering works as intended by visiting the malware test or the adult content test resources.

To disable the Cloudflare public DNS filtering on your Keenetic, you can select any other option for the Filter mode or clear the Cloudflare profiles for segments and registered devices. Removing the Cloud-based content filtering and ad blocking component from your Keenetic will also remove all associated settings from the configuration.

If you find that Cloudflare DNS does not block prescribed content or are experiencing problems with a website or application, please refer to the FAQ or contact support.