Cloudflare WARP macOS client fails to enable DNS filtering

What is the name of the domain?

ALL Domains

What is the error number?

CF_DNS_LOOKUP_FAILURE

What is the error message?

Status: Unable to Connect Error reason: DNS lookup failure Error code: CF_DNS_LOOKUP_FAILURE Error description: WARP is unable to resolve hostnames via its local DNS proxy. Try to verify your DNS connectivity or contact your administrator for assistance. Learn more: Client errors · Cloudflare Zero Trust docs

What is the issue you’re encountering

Once we enable the WARP client; we lose network connectivity

What steps have you taken to resolve the issue?

OS: Sequoia Version 15.3 (24D60)

1.	Service mode chosen: “Gateway with DoH” (DNS-only) 
2.	Exact commands run while we're in an unhealthy state returning `CF_DNS_LOOKUP_FAILURE`  and their outputs

– systemextensionsctl list
• W5364U7YZB io.tailscale.ipn.macsys.network-extension (1.84.1/101.84.1) Tailscale Network Extension [activated enabled]
– scutil –dns
(full resolver block shows only ISP servers 24.222.0.94 / 24.222.0.33 / 24.222.0.5 — no 127.0.2.2 entries)
– sudo lsof -Pn -iUDP:53 -iTCP:53
(no output – nothing is listening on port 53)
– mdls -name kMDItemCFBundleIdentifier “/Applications/Cloudflare WARP.app”
kMDItemCFBundleIdentifier = “com.cloudflare.1dot1dot1dot1.macos”
– tccutil reset SystemExtension com.cloudflare.1dot1dot1dot1.macos
tccutil: Failed to reset SystemExtension approval status for com.cloudflare.1dot1dot1dot1.macos
– tccutil reset NetworkExtension com.cloudflare.1dot1dot1dot1.macos
(command executed; no console output)
– tccutil reset SystemExtension “com.cloudflare*”
tccutil: No such bundle identifier “com.cloudflare*”: The operation couldn’t be completed. (OSStatus error -10814.)
– log stream –style syslog –process warp-dex
(ran while repeatedly enabling/disabling WARP; no warp-dex or DNS-proxy log entries appeared)
– Tailscale state
Tailscale client fully quit and DNS override disabled during all tests.
3. Observed behaviour
• Enabling WARP in “Gateway with DoH” mode immediately returns CF_DNS_LOOKUP_FAILURE.
• macOS DNS resolvers never change from ISP values.
• macOS never prompts to approve any Cloudflare DNS-proxy or content-filter component.
4. Actions already tried
• Reset Network-Extension TCC entry (see tccutil commands above).
• Deleted ~/Library/Preferences/com.cloudflare.warp.plist and relaunched WARP.
• Reinstalled WARP from fresh DMG.
• Disabled Tailscale completely before each attempt.
(No change in outcome.)
5. Items NOT attempted
• Full-tunnel “Gateway with WARP” mode has not been tested; requirement is DNS filtering only.

Please confirm whether the current macOS build of WARP should load an embedded DNS-proxy in DNS-only mode and prompt for approval, and advise next troubleshooting steps or provide a fixed build / configuration guidance so DNS filtering can be enabled successfully.

What are the steps to reproduce the issue?

Only reproducible on one host, persistently

Screenshot of the error

Screenshot 2025-06-10 at 13.47.46.png1186×1512 137 KB

Likely a known conflict with Tailscale Tailscale and Cloudflare WARP do not interoperate on macOS · Issue #5631 · tailscale/tailscale · GitHub

I’d understand if this was an issue with a tunnel collision; but I’m ONLY using the DNS Proxy mode? It seems like a failure to launch the proxy

Based on the logs it looks like can’t take control of the DNS configuration on local host.

If you completely uninstall Tailscale does DoH load?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.