Internet safety with Cloudflare DNS (for KeeneticOS versions 3.5.1 to 3.7.4)

NOTE: This article is valid for versions of KeeneticOS from 3.5.1 to 3.7.4. For configuration on the current software version, see article Сontent filtering and ad blocking options.

The Cloudflare DNS service ( for Families) is designed to protect home devices connected to the router from dangerous sites and ensure safe Internet surfing. The service offers DNS filtering to help parents ensure the safety of their children on the Internet by automatically blocking dangerous sites. This tool makes it easy for parents to protect against malware and adult content throughout their home network. You can learn more about the Cloudflare DNS service at the developer's website.

NOTE: Important! It is not possible to use SafeDNS, Cloudflare DNS and AdGuard DNS content filtering services simultaneously. Only one of the services can be used.

The 'Cloudflare DNS' system component must be installed in your Keenetic to apply the Internet safety service. You can do this on the 'General system settings' page in the 'Component options' section by clicking the 'Component options' button.


Before setting up the service, register your devices according to the instructions: Connected devices registration.

On the 'Internet safety' page, select 'Cloudflare DNS' in the 'Service' field.


There are three modes (policies) that define access to a particular category of sites:

  • 'Standard' — Cloudflare DNS servers are used (address — standard profile).
  • 'No malware' — protects against malicious sites and blocks resources containing viruses (address — malware profile).
  • 'Family-friendly' — Cloudflare DNS servers are used to block malicious resources + block adult sites + safe search (address — family profile).
  • 'No protection' — no traffic filtering is provided.

The section 'Assignment of protection policies to devices' will appear. The setting in this section is to assign a policy described above to regular home network devices (registered on the router) and to periodically appearing devices (guest network and unregistered devices).


In the 'Default policy' field, you can specify the policy that will be applied to all unregistered devices, including devices connected to the guest network.

From a registered device through a web browser, we will try to access a resource that may contain prohibited content.


Access to this resource will be blocked, and the corresponding message will be displayed.

NOTE: Note: If the Cloudflare DNS is not blocking a site, you can report it directly to Cloudflare support.
Besides Internet filtering, Cloudflare DNS supports DoT and DoH protocols for additional privacy.
You can check DoT/DoH support from the command line interface (CLI) of the router; enter the command: show cloudflare-dns availability
For more information, see the instructions DNS-over-TLS and DNS-over-HTTPS proxy servers for DNS requests encryption.

When Cloudflare DNS is enabled, the service status check fails on the page When you turn on the Internet filter, DoT/DoH transit traffic blocking is enabled by default.

TIP: Tip: If Cloudflare DNS is not blocking a site, you can report it directly to Cloudflare support.

Starting with KeeneticOS 3.9, support for Internet filters with IPv6 has been implemented.

Was this article helpful?

43 out of 45 found this helpful