Resolve private DNS
By default, all DNS requests on the user device are resolved by Cloudflare's public DNS resolver except for common top level domains used for local resolution (such as localhost). To allow users to connect to internal server names or domains that do not resolve on the public Internet, you have two options:
Local Domain Fallback tells the WARP client to send specific DNS requests to your private DNS resolver instead of to Cloudflare's public DNS resolver. This method was the primary delivery mechanism for private DNS for a long time, and is the simplest option, but it has two shortcomings: you cannot deterministically route private DNS queries to different resolvers based on specific attributes, and you cannot apply Gateway DNS policies to this traffic because Cloudflare is not resolving it.
To learn more about how Local Domain Fallback works, refer to How the WARP client handles DNS requests.
To add a domain to the Local Domain Fallback list:
- 
In Zero Trust ↗, go to Settings > WARP Client. 
- 
Under Device settings, locate the device profile you would like to view or modify and select Configure. 
- 
Scroll down to Local Domain Fallback and select Manage. 
- 
In Domain, enter the apex domain ( example.com) that you want to resolve using your private DNS server. All prefixes under the apex domain are subject to Local Domain Fallback (in other words,example.comis interpreted as*.example.com).
- 
In DNS Servers, enter the IP address of the DNS servers that should resolve that domain name. 
- 
Enter an optional description and select Save domain. 
A Local Domain Fallback list is scoped to a specific device profile. If a device profile does not have a corresponding Local Domain Fallback resource, those devices will use the default local domains shown in Step 2.
- 
Add the following permission to your cloudflare_api_token↗:- Zero Trust Write
 
- 
(Optional) Create a list of domains that you can reuse across multiple device profiles. For example, you can declare a local value in the same module as your device profiles: local-domains.local.tf locals {default_local_domains = [# Default Local Domain Fallback entries recommended by Cloudflare{suffix = "corp"},{suffix = "domain"},{suffix = "home"},{suffix = "home.arpa"},{suffix = "host"},{suffix = "internal"},{suffix = "intranet"},{suffix = "invalid"},{suffix = "lan"},{suffix = "local"},{suffix = "localdomain"},{suffix = "localhost"},{suffix = "private"},{suffix = "test"}]}
- 
To configure Local Domain Fallback for the default device profile, use the cloudflare_zero_trust_device_default_profile_local_domain_fallback↗ resource. To configure Local Domain Fallback for a custom device profile, usecloudflare_zero_trust_device_custom_profile_local_domain_fallback↗. For example:device-profiles.tf resource "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example" {account_id = var.cloudflare_account_idpolicy_id = cloudflare_zero_trust_device_custom_profile.example.iddomains = concat(# Global entrieslocal.default_local_domains,# Profile-specific entries[{suffix = "example.com"description = "Domain for local development"dns_server = ["1.1.1.1", "192.168.0.1"]}])}
For suffix, specify the apex domain (example.com) that you want to resolve using your private DNS server. All prefixes under the apex domain are subject to Local Domain Fallback (in other words, example.com is interpreted as *.example.com). For dns_server, enter the IP address of the DNS servers that should resolve that domain name.
WARP tries all servers and always uses the fastest response, even if that response is no records found. We recommend specifying at least one DNS server for each domain. If a value is not specified, the WARP client will try to identify the DNS server (or servers) used on the device before it started, and use that server for each domain in the Local Domain Fallback list.
The WARP client routes DNS traffic to your Local Domain Fallback server according to your Split Tunnel configuration. To ensure that queries can reach your private DNS server:
- 
If your DNS server is only reachable inside of the WARP tunnel (for example, via cloudflaredor Magic WAN):- 
Go to Networks > Routes and verify that the DNS server is connected to Cloudflare. To connect a DNS server, refer to Private networks. 
- 
In your Split Tunnel configuration, verify that the DNS server IP routes through the WARP tunnel. 
 
- 
- 
If your DNS server is only reachable outside of the WARP tunnel (for example, via a third-party VPN), verify that the DNS server IP is excluded from the WARP tunnel. 
For more information, refer to How the WARP client handles DNS requests.
Resolver policies provide similar functionality to Local Domain Fallback but occur in Cloudflare Gateway rather than on the local device. This option is recommended if you want more granular control over private DNS resolution. For example, you can ensure that all users in a specific geography use the private DNS server closest to them, ensure that specific conditions are met before resolving private DNS traffic, and apply Gateway DNS policies to private DNS traffic.
To create a resolver policy:
- 
In Zero Trust ↗, go to Gateway > Resolver policies. 
- 
Select Add a policy. 
- 
Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service: Selector Operator Value Host in internal.example.comMake sure your destination is not subject to Local Domain Fallback. 
- 
In Select DNS resolver, choose Configure custom DNS resolvers. 
- 
Enter the IP addresses of your custom DNS resolver. As you enter an IP address, Gateway will search through your virtual networks configured in Zero Trust. 
- 
In Network, choose whether to route queries publicly (to the Internet) or privately (to a private network service). 
- 
(Optional) Enter a custom port for each IP address. 
- 
Select Create policy. 
Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
- 
Add the following permission to your cloudflare_api_token↗:- Zero Trust Write
 
- 
Create a resolver policy using the cloudflare_zero_trust_gateway_policy↗ resource:resource "cloudflare_zero_trust_gateway_policy" "resolver_policy" {name = "Example resolver policy"enabled = trueaccount_id = var.cloudflare_account_iddescription = "TERRAFORM MANAGED resolver policy"action = "resolve"traffic = "dns.fqdn in {\"internal.example.com\"}"identity = "identity.email in {\"jdoe@example.com\"}"precedence = 1rule_settings = {dns_resolvers = {# You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.ipv4 = [{ip = "192.0.2.24"port = 53route_through_private_network = truevnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id}]ipv6 = [{ip = "2001:DB8::"port = 53route_through_private_network = truevnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id}]}}}
When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order:
- Public resolvers
- Private resolvers behind the default virtual network for your account
- Private resolvers behind a custom virtual network
Gateway will cache the fastest resolver for use in subsequent queries. Resolver priority is cached on a per user basis for each data center.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-