Skip to content

Local Domain Fallback

By default, Cloudflare Zero Trust excludes common top-level domains, used for local resolution, from being sent to Gateway for processing. These top-level domains are resolved by the local DNS resolver configured for the device on its primary interface.

You can add additional domains to the Local Domain Fallback list and specify a DNS server to use in place of the Gateway resolver. The WARP client proxies these requests directly to the configured fallback servers.

Limitations

Local Domain Fallback only applies to devices running the WARP client.

Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use resolver policies. If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.

Manage local domains

View domains

To view the domains subject to Local Domain Fallback:

  1. In Zero Trust, go to Settings > WARP Client.

  2. Under Device settings, locate the device profile you would like to view or modify and select Configure.

  3. Scroll down to Local Domain Fallback and select Manage.

On this page, you will see a list of domains excluded from Gateway. You can add or remove domains from the list at any time.

Add a domain

  1. In Zero Trust, go to Settings > WARP Client.

  2. Under Device settings, locate the device profile you would like to view or modify and select Configure.

  3. Scroll down to Local Domain Fallback and select Manage.

4. In Domain, enter the domain that you want to exclude from Gateway. All prefixes under the domain are subject to the local domain fallback rule (in other words, example.com is interpreted as *.example.com).

  1. In DNS Servers, enter the IP address of the DNS server that should resolve that domain name.

    • WARP tries all servers and always uses the fastest response, even if that response is no records found.
    • We recommend specifying at least one DNS server for each domain. If a value is not specified, the WARP client will try to identify the DNS server (or servers) used on the device before it started, and use that server for each domain in the Local Domain Fallback list.
  2. Enter an optional description and select Save domain.

  3. DNS traffic to the local domain fallback server is routed according to your Split Tunnel configuration. To ensure that queries can reach your private DNS server:

    • If your DNS server is only reachable outside of the WARP tunnel (for example, via a third-party VPN), exclude the server’s IP.
    • If your DNS server is only reachable through the WARP tunnel (for example, if it is connected to Cloudflare via cloudflared or Magic WAN), include the server’s IP.

Learn more about how WARP handles DNS requests.

Delete a domain

  1. In Zero Trust, go to Settings > WARP Client.

  2. Under Device settings, locate the device profile you would like to view or modify and select Configure.

  3. Scroll down to Local Domain Fallback and select Manage.

  1. Find the domain in the list and select Delete.

The domain will no longer be excluded from Gateway DNS policies, effective immediately.