
Traffic routing with WARP

When the WARP client is deployed on a device, Cloudflare processes all DNS requests and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS requests or network traffic from WARP.

There are three settings you can configure:

  • Use Local Domain Fallback to instruct the WARP client to proxy DNS requests for a specified domain to a resolver that is not Cloudflare Gateway. This is useful when you have private hostnames that would not otherwise resolve on the public Internet.
  • Use the Split Tunnels Exclude mode to instruct the WARP client to ignore traffic to a specified set of IP addresses or domains. Any traffic that is destined to an IP address or domain defined in the Split Tunnels Exclude configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you want the majority of your traffic encrypted and processed by Gateway, but need to exclude certain routes due to app compatibility, or if you need WARP to run alongside a VPN.

  • Use the Split Tunnels Include mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not destined to an IP address or domain defined in the Split Tunnels Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.

How the WARP client handles DNS requests

When you use the WARP client together with cloudflared Tunnels or third-party VPNs, Cloudflare evaluates each request and routes it according to the following traffic flow.

Diagram: WARP traffic is evaluated and routed through various parts of the Cloudflare network.

  • WARP User requests resource
    • Domain does not match Local Domain Fallback → WARP client resolves query according to Gateway DNS policies
    • Domain matches Local Domain Fallback → WARP client proxies DNS traffic to specified fallback server
      • Resolver IP not included in Tunnel per Split Tunnel configuration → Query sent to resolver IP outside WARP Tunnel
      • Resolver IP included in Tunnel per Split Tunnel configuration → Query sent via WARP Tunnel to be resolved
        • Matches CF Gateway block policy → Traffic blocked by CF
        • Passes CF Gateway network policies (allowed or unblocked) → Evaluated by Cloudflare Tunnel routes
          • Tunnel routes do not include resolver IP → CF Gateway proxies query to resolver IP via normal WARP egress route
          • Tunnel routes include resolver IP → Cloudflare Tunnel advertises route that includes Resolver IP → Private resolver returns IP address to WARP client
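
The decision flow above, modelled as an added example (not Cloudflare's code) for checking which branch a DNS query ends on under a given configuration. The config keys, outcome strings, label-boundary suffix matching of fallback domains, and the CIDR list standing in for Gateway block policies are assumptions; all sample values are constructed.

```python
import ipaddress

# Constructed sample configuration; keys and values are hypothetical.
SAMPLE = {
    "local_domain_fallback": {"corp.example": "10.0.0.53", "lab.example": "192.168.1.1"},
    "split_tunnel_mode": "exclude",           # "exclude" or "include"
    "split_tunnel_cidrs": ["192.168.0.0/16"],
    "gateway_blocked_cidrs": [],              # stand-in for Gateway block policies
    "tunnel_routes": ["10.0.0.0/8"],          # routes advertised by Cloudflare Tunnel
}

def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def fallback_resolver(qname, fallback):
    """Resolver for the longest fallback suffix matching qname on a label
    boundary (assumed matching rule), or None if no entry matches."""
    q = qname.rstrip(".").lower()
    hits = [s for s in fallback
            if q == s.lower() or q.endswith("." + s.lower())]
    return fallback[max(hits, key=len)] if hits else None

def route_dns_query(qname, cfg):
    """Walk the page's decision flow and name the branch the query ends on."""
    resolver = fallback_resolver(qname, cfg["local_domain_fallback"])
    if resolver is None:
        return "gateway-dns-policies"
    listed = in_any(resolver, cfg["split_tunnel_cidrs"])
    # Exclude mode: listed IPs bypass WARP. Include mode: only listed IPs use it.
    in_tunnel = listed if cfg["split_tunnel_mode"] == "include" else not listed
    if not in_tunnel:
        return "resolver-outside-warp-tunnel"
    if in_any(resolver, cfg["gateway_blocked_cidrs"]):
        return "blocked-by-gateway"
    if in_any(resolver, cfg["tunnel_routes"]):
        return "private-resolver-via-cloudflare-tunnel"
    return "resolver-via-warp-egress"

if __name__ == "__main__":
    for name in ("www.example.org", "git.corp.example", "nas.lab.example"):
        print(name, "->", route_dns_query(name, SAMPLE))
```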