Skip to content

Codex CLI Complete Guide

Fixing Claude's Cloudflare Challenge Loop with a DNS Switch

Key Points

  • At 20:00 JST on 18 Nov 2025 a global Cloudflare Turnstile outage caused numerous sites to show "Please unblock challenges.cloudflare.com" errors.1
  • Japanese users reported the identical Claude error on Yahoo! Chiebukuro and confirmed it disappeared a few minutes later without any client-side action.2
  • On a standard Windows 11 desktop (home network) the DNS setting was left on "automatic," and Cloudflare's challenge never completed until we manually pointed the adapter to Google DNS (8.8.8.8); the change restored Claude login instantly.
  • Cloudflare’s official postmortem4 clarifies the root cause: a Bot Management feature file doubled in size, causing HTTP 5xx errors throughout Cloudflare’s network until the rollout was reversed at 14:30 UTC. Changing local DNS only helps when the issue is client-side; during the core outage many Cloudflare-protected sites remained unreachable regardless of DNS.

Facts collected within 24 hours

Evidence that the problem started upstream at Cloudflare

Daily Pakistan described how Cloudflare's Turnstile and CAPTCHA services failed globally, producing HTTP 500 responses on X and other major sites on 18 Nov.1 Because Claude invokes Turnstile before showing the workspace, any outage on Cloudflare's side leaves end users with no immediate workaround.

Matching symptoms confirmed inside Japan

Yahoo! Chiebukuro captured a question titled "I get 'Please unblock challenges.cloudflare.com' on Claude" at 20:36 JST, and the poster stated it resolved itself roughly three minutes later.2 That aligns with the upstream outage and demonstrates why we must still eliminate local DNS or proxy filtering after the incident subsides.

What Cloudflare's postmortem clarifies

Cloudflare’s own postmortem4 outlines the exact chain of events:

  • At 11:20 UTC, a Bot Management “feature file” doubled in size, causing HTTP 5xx to spike globally. For a time the network oscillated between working and failing every five minutes depending on whether a good or bad file propagated.
  • This was not a DNS issue; the entire frontline proxy failed, so Turnstile, Workers KV, Access, and dashboard logins were all impacted.
  • Cloudflare rolled back the bad file at 14:30 UTC and declared all systems healthy by 17:06 UTC. Until that recovery, HTTP 5xx persisted regardless of local tuning.

Therefore, changing DNS only helped when the local environment was blocking Turnstile assets after Cloudflare had recovered. During the core outage window, most Cloudflare-backed sites remained unreachable even with 8.8.8.8 configured.

What “Please unblock challenges.cloudflare.com” really means

  • Regardless of language, the string appears whenever Cloudflare's Turnstile assets cannot load inside the browser.
  • In practice an extension, DNS filter, VPN, or SWG is preventing the client from downloading the JavaScript or iframe under challenges.cloudflare.com, so the bot verification never finishes.
  • Therefore “unblocking” simply means restoring connectivity to that hostname—via a public DNS resolver, by disabling the offending extension, or by requesting an allow list entry on the corporate SWG.
  • Keep in mind that during the 18 Nov Cloudflare outage, HTTP 5xx errors were served globally from their edge; in that window, no amount of DNS tweaking would restore service for most Cloudflare-backed sites. DNS fixes only solve the local “Turnstile asset blocked” scenario once Cloudflare’s own network is healthy again.

Why DNS filtering broke the challenge and how to bypass it

What exactly failed

Cloudflare returns this message whenever the browser cannot load the JavaScript or iframe served from challenges.cloudflare.com. A technical blog highlighted that privacy extensions, disabled JavaScript, outdated browsers, VPNs, or security tools frequently block those assets.3 DNS filters that label the domain as "tracking" create the same effect: Turnstile never reaches the "Verified" state.

Switching to Google DNS restored Claude instantly

Our reproduction did not involve a corporate VPN. Simply changing the Windows 11 adapter from automatic DNS to Google DNS solved the problem. Run this command and reload Claude; the Turnstile challenge should complete immediately.

netsh interface ip set dns name="Wi-Fi" source=static address=8.8.8.8 register=primary
  • After flipping DNS, run nslookup challenges.cloudflare.com to ensure a Cloudflare IP is returned before retrying the login.
  • If DNS overrides are blocked by device policy, temporarily route traffic through a tethered mobile hotspot or file an allow-list request for challenges.cloudflare.com on the secure web gateway.
3 quick isolation steps
  1. Open another Cloudflare-protected site (for example, an overseas news portal) to see if the same challenge message appears.
  2. Use a private/incognito window with every browser extension disabled to eliminate client add-on side effects.
  3. When nslookup challenges.cloudflare.com times out or returns NXDOMAIN, temporarily switch to a public DNS resolver such as 8.8.8.8 or 1.1.1.1.

Checklist to prevent another surprise

Monitor the upstream side first

  • Watch Cloudflare Status and X (Twitter) for updates on Turnstile incidents; if the outage is ongoing, waiting is the only safe option.
  • Ask teammates whether they can reproduce the same Claude error so you can prove it is not a single endpoint misconfiguration.

Harden the local environment afterward

ItemGoalNotes
DNS filteringAllow challenges.cloudflare.comTemporarily use Google/Cloudflare DNS or ask the SWG team to allow-list the domain
Browser extensionsEnsure JS assets are not blockedPrivacy Badger, uBlock Origin, and similar tools can strip the challenge script3
JavaScript settingLet Turnstile runTurnstile hangs forever when JS is disabled
Network pathDetect VPN/WARP interferenceSwitching to a tethered mobile network is the fastest confirmation

Takeaways

Even when Cloudflare's outage is resolved, Claude stays broken if your DNS or proxy continues to filter challenges.cloudflare.com. Keep a standard operating procedure that checks incident feeds first, then cycles through DNS, browser extensions, and network paths. In many cases, forcing a public DNS resolver such as 8.8.8.8 is all it takes to recover in seconds.

  1. "X, Websites, and Turnstile down amid major Cloudflare Outage", Daily Pakistan, 18 Nov 2025, https://en.dailypakistan.com.pk/18-Nov-2025/x-websites-and-turnstile-down-amid-major-cloudflare-outage 

  2. Yahoo! Chiebukuro question, 18 Nov 2025 20:36 JST, https://detail.chiebukuro.yahoo.co.jp/qa/question_detail/q14322381729 

  3. "Unblock challenges.cloudflare.com to Proceed Error Fix", seminarsonly.com, 18 Nov 2025, https://www.seminarsonly.com/news/unblock-challenges-cloudflare-com-to-proceed-error-fix/ 

  4. "Cloudflare outage on November 18, 2025", Cloudflare Blog, 18 Nov 2025, https://blog.cloudflare.com/18-november-2025-outage/