Configure Local Domain Fallback
Feature availability
| Operating Systems | WARP mode required | Zero Trust plans |
|---|---|---|
| All systems | WARP with Gateway | All plans |
By default, Cloudflare Zero Trust excludes common top level domains used for local resolution from being sent to Gateway for processings. Excluded domains are listed on the Zero Trust dashboard under Settings > Network > Local Domain Fallback . All domains in that list rely on the local DNS resolver configured for the device on its primary interface or the DNS server specified when you add a new local domain. Domains added to this list are not subject to Gateway DNS policies or DNS logging. The WARP Client proxies these requests directly to the configured fallback servers.
You can add or remove domains from the Local Domains list at any time.
Add a domain
On the Zero Trust dashboard, navigate to Settings > Network.
Under Local Domain Fallback, click Manage.
Enter the Domain you want to exclude from Gateway. All prefixes under the domain are subject to the local domain fallback rule (for example, all entries are interpreted as
\*.example.com).Enter the DNS server(s) that should resolve that domain name. It is best to always specify at least one DNS server that Local Domain Fallback should use for any domain you add. If a value is not specified, the WARP client will try to identify the DNS server (or servers) used on the device before it started, and use that server for each domain in the Local Domain Fallback list.
Enter an optional description and click Save domain.
The domain will appear in the list of Local Domain entries.
Delete a domain
On the Zero Trust dashboard, navigate to Settings > Network.
Under Local Domain Fallback, click Manage. On this page, you will find a list of domains Cloudflare Zero Trust excludes.
To remove a domain from the list, locate the domain and then click Delete.
The domain will no longer be excluded from Gateway DNS policies, effective immediately.