Route traffic

When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's public DNS resolver.

Cloudflare recommends Enterprise users configure Gateway resolver policies to resolve traffic with custom resolvers. WARP will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies.

Additionally, there are three options you can configure to exclude traffic from WARP:

• Local Domain Fallback: Use Local Domain Fallback to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.

  Warning

  Gateway will not encrypt, monitor, or apply DNS policies to DNS queries to domain names entered in Local Domain Fallback.

• Split Tunnels Exclude mode: Use Exclude mode to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN.
• Split Tunnels Include mode: Use Include mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by an IP address or domain defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.

  Warning

  Gateway will not encrypt, manage, or monitor traffic excluded from WARP by a Split Tunnel configuration.

How the WARP client handles DNS requests

When you use the WARP client together with cloudflared Tunnels or third-party VPNs, Cloudflare evaluates each request and routes it according to the following traffic flow:

flowchart TD
    D["WARP client proxies DNS traffic to specified fallback server"] -- Resolver IP included in Tunnel per Split Tunnel configuration --> E["Query sent via WARP Tunnel to be resolved"]
    D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F["Query sent to resolver IP outside WARP Tunnel"]
    E -- Blocked by Gateway --> G["Traffic blocked by Cloudflare"]
    E -- Allowed by Gateway --> H["Evaluated by Cloudflare Tunnel routes"]
    H -- Tunnel routes do not include resolver IP --> I["Gateway proxies query to resolver IP via normal WARP egress route"]
    H -- Tunnel routes include resolver IP --> J["Cloudflare Tunnel advertises route that includes Resolver IP"]
    J --> L["Private resolver returns IP address to WARP client"]
    n1["Local Domain Fallback"] -- Matches domain --> C["WARP client resolves query according to Gateway policies"]
    n1 -- Does not match domain --> D
    A["WARP user requests resource"] --> n2["Gateway resolver policies"]
    n2 -- Does not match traffic --> n1
    n2 -- Matches traffic --> C

    D@{ shape: rect}
    E@{ shape: hex}
    F@{ shape: terminal}
    G@{ shape: terminal}
    H@{ shape: hex}
    I@{ shape: terminal}
    L@{ shape: terminal}
    n1@{ shape: hex}
    C@{ shape: terminal}
    A@{ shape: in-out}
    n2@{ shape: proc}