Cloudflare Docs
Cloudflare Zero Trust

Private DNS

By default, the WARP client sends DNS requests to Cloudflare’s public DNS resolver for resolution. With Cloudflare Tunnel, you can connect an internal DNS resolver to Cloudflare and use it to resolve non-publicly routed domains.

Configure private DNS

  1. Connect your private network with Cloudflare Tunnel.

  2. Under Networks > Routes, verify that the IP address of your internal DNS resolver is included in the tunnel.

  3. Enable the Gateway proxy for TCP and UDP.

  4. Next, create a Local Domain Fallback entry that points to the internal DNS resolver. For example, you can instruct the WARP client to resolve all requests for myorg.privatecorp through an internal resolver rather than attempting to resolve them publicly.

  5. Finally, ensure that your tunnel uses QUIC as the default transport protocol. This enables cloudflared to proxy UDP-based traffic, which is required in most cases to resolve DNS queries.

The WARP client will now resolve requests through the internal DNS server you set up in your private network.

Test the setup

For testing, run a dig command for the internal DNS service:

dig AAAA www.myorg.privatecorp

The dig command will work because myorg.privatecorp was configured above as a fallback domain. If you skip that step, you can still force dig to use your private DNS resolver:

dig @<internal-resolver-IP> AAAA www.myorg.privatecorp

Both dig commands will fail if the WARP client is disabled on your end user’s device.

Troubleshooting

Use the following troubleshooting strategies if you are running into issues while configuring your private network with Cloudflare Tunnel.

  • Ensure that cloudflared is connected to Cloudflare by visiting Networks > Tunnels in Zero Trust.

  • Ensure that cloudflared is running with the quic protocol (search for Initial protocol quic in its logs).

  • Ensure that the machine where cloudflared is running is allowed to egress via UDP to port 7844 to talk out to Cloudflare.

  • Ensure that end-user devices are enrolled into WARP by visiting

  • Double-check the precedence of your application policies in the Gateway Network policies tab. Ensure that a more global Block or Allow policy will not supersede the application policies.

  • Check the Gateway Audit Logs Network tab to see whether your UDP DNS resolutions are being allowed or blocked.

  • Ensure that your Private DNS resolver is available over a routable private IP address. You can check that by trying the dig commands on your machine running cloudflared.

  • Check your setup by using dig ... +tcp to force the DNS resolution to use TCP instead of UDP.
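The dig tests and troubleshooting checks above can be combined into one triage script. This is an added example, not part of Cloudflare's documentation; the function names, verdict labels and argument layout are assumptions, and the resolver IP is whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example: triage private DNS over WARP and Cloudflare Tunnel.
# Function names and verdict labels are assumptions of this sketch.

# Succeeds when dig receives a NOERROR response. Extra arguments such as
# @<resolver> or +tcp are passed straight through to dig.
dns_probe() {
  dig +time=2 +tries=1 "$@" 2>/dev/null | grep -q 'status: NOERROR'
}

# Map three probe results (1 = answered, 0 = failed) to the checks on this page.
diagnose() {
  local fallback="$1" udp="$2" tcp="$3"
  if [ "$fallback" = 1 ]; then
    echo "ok: name resolves through Local Domain Fallback"
  elif [ "$udp" = 1 ]; then
    echo "fallback-missing: resolver answers when forced; add a Local Domain Fallback entry"
  elif [ "$tcp" = 1 ]; then
    echo "udp-blocked: TCP works, UDP fails; check QUIC, UDP egress to 7844, Gateway UDP proxy and policies"
  else
    echo "unreachable: check WARP is enabled, the tunnel is connected and Networks > Routes"
  fi
}

# Succeeds if a cloudflared log file shows the tunnel started with QUIC.
tunnel_uses_quic() {
  grep -q 'Initial protocol quic' "$1"
}

# Run the three probes for NAME against RESOLVER and print one verdict.
check_private_dns() {
  local name="$1" resolver="$2" fallback=0 udp=0 tcp=0
  dns_probe AAAA "$name" && fallback=1
  dns_probe "@$resolver" AAAA "$name" && udp=1
  dns_probe "@$resolver" +tcp AAAA "$name" && tcp=1
  diagnose "$fallback" "$udp" "$tcp"
}

# Usage: ./check.sh www.myorg.privatecorp <internal-resolver-IP> [cloudflared.log]
if [ "$#" -ge 2 ]; then
  check_private_dns "$1" "$2"
  if [ -n "${3:-}" ] && ! tunnel_uses_quic "$3"; then
    echo "note: log does not contain 'Initial protocol quic'"
  fi
fi
```

Test with a name that exists on the internal resolver, since an NXDOMAIN answer is counted as a failed probe.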