Skip to content

[ZT] DNS in WARP tunnel #22030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: production
Choose a base branch
from
Open

[ZT] DNS in WARP tunnel #22030

wants to merge 5 commits into from

Conversation

ranbel
Copy link
Contributor

@ranbel ranbel commented Apr 28, 2025
edited
Loading

PCX-15895
relates to #21991

@ranbel ranbel requested review from kkrum and a team as code owners April 28, 2025 17:59
@hyperlint-ai Hyperlint AI
Copy link
Contributor

hyperlint-ai bot commented Apr 28, 2025

Howdy and thanks for contributing to our repo. The Cloudflare team reviews new, external PRs within two (2) weeks. If it's been two weeks or longer without any movement, please tag the PR Assignees in a comment.

We review internal PRs within 1 week. If it's something urgent or has been sitting without a comment, start a thread in the Developer Docs space internally.

PR Change Summary

Enhanced DNS functionality within the WARP tunnel and clarified related configurations.

  • Updated documentation to reflect that DoH requests are sent inside the WARP tunnel.
  • Clarified firewall requirements for Gateway with DoH mode.
  • Reorganized installation instructions for better clarity.

Modified Files

  • src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx
  • src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx
  • src/content/partials/learning-paths/zero-trust/install-agent.mdx
How can I customize these reviews?

Check out the Hyperlint AI Reviewer docs for more information on how to customize the review.

If you just want to ignore it on this PR, you can add the hyperlint-ignore label to the PR. Future changes won't trigger a Hyperlint review.

Note specifically for link checks, we only check the first 30 links in a file and we cache the results for several hours (for instance, if you just added a page, you might experience this). Our recommendation is to add hyperlint-ignore to the PR to ignore the link check for this PR.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 28, 2025
edited
Loading

Preview URL: https://38faa624.preview.developers.cloudflare.com
Preview Branch URL: https://ranbel-dns-in-tunnel.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link Updated Link
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/ https://ranbel-dns-in-tunnel.preview.developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/ https://ranbel-dns-in-tunnel.preview.developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/

ranbel
ranbel commented Apr 30, 2025
View reviewed changes
...lare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx
N --> O[(Application)]
```

Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [DoH endpoint](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#doh-ip) and [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint do not obey Split Tunnel rules, since those connections always operate outside of the WARP tunnel.
Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what IP traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint does not obey Split Tunnel rules since the connection always operates outside of the WARP tunnel.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do Split Tunnel rules affect DoH traffic now that DoH is in the tunnel?

ranbel
ranbel commented Apr 30, 2025
View reviewed changes
...lare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx
N --> O[(Application)]
```

Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [DoH endpoint](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#doh-ip) and [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint do not obey Split Tunnel rules, since those connections always operate outside of the WARP tunnel.
Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what IP traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint does not obey Split Tunnel rules since the connection always operates outside of the WARP tunnel.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does Doh in tunnel change anything about this flowchart? https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkrum kkrum Awaiting requested review from kkrum

At least 1 approving review is required to merge this pull request.

Assignees

@kkrum kkrum

Labels
product:cloudflare-one size/s
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ranbel @kkrum