Cloudflare WARP Network Traffic

I have Cloudflare WARP set up purely as a DNS-over-TLS resolver in macOS, and I’m confused by some of the network traffic it is producing.

I’ve been able to intercept and examine some of it using an HTTPS proxy, but most of it seems to avoid proxies entirely. Little Snitch[1] still catches it, however. I don’t want to let that traffic through without knowing what it is for, especially since it is intended to run constantly.

Here are my questions:

  1. Are there specific IP addresses I should expect Cloudflare WARP to use for DoT[2]?
  2. Why does it sometimes send traffic using unencrypted DNS[3], despite claiming to be using DoT for every logged query?
  3. Why does it make HTTPS[4] connections to the following hostnames?

  1. If you wanted to preempt questions like this, you could implement support for Little Snitch’s Internet Access Policy: it’s basically a machine-readable list of network traffic, complete with explanations and issues that can occur if you block it.

    Little Snitch is quite popular among security-minded macOS users, but that’s hardly a massive audience: I wouldn’t blame you for choosing not to add a file to your app just for that. ↩︎

  2. That is, TCP over port 853. ↩︎

  3. That is, UDP over port 53. ↩︎

  4. That is, TCP over port 443. ↩︎

  5. I’m fairly sure this one is for checking whether the API key being used has WARP+, but I might as well get confirmation while I’m asking. ↩︎

is Network Error Logging - it’s documented here and you can see it in the report-to response header of Cloudflare websites. CSP: report-to - HTTP | MDN

is how Warp talks to Cloudflare - i.e. to register the Warp client.

Warp checks for captive portals on a network so it can disable itself for you to be able to authenticate in that portal - I’d suspect the other domains are related to that. If not all of them, then at least
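For anyone auditing this traffic the way the original poster is (question 2 in particular), it helps to know exactly what the two transports look like on the wire: plain DNS on UDP/53 is a bare DNS message, while DNS-over-TLS on TCP/853 is the same message inside TLS with a two-byte big-endian length prefix (RFC 7858 reuses the TCP framing from RFC 1035 section 4.2.2). The script below is an added example written for this thread, not code from Cloudflare or from WARP; it builds and parses DNS wire messages offline against a constructed sample response, and only `dot_query` touches the network. The resolver address 1.1.1.1, port 853 and the certificate name cloudflare-dns.com are Cloudflare's published DoT endpoint; the sample response bytes and the address 93.184.216.34 are constructed for the demonstration.

```python
"""Added example (not from the thread above): DNS wire format, TCP/DoT framing,
and a certificate-verified DNS-over-TLS query to Cloudflare's published endpoint.
"""
import socket
import ssl
import struct

# Cloudflare's published DoT endpoint (1.0.0.1 also serves it). Plain DNS uses UDP/53.
DOT_SERVER = "1.1.1.1"
DOT_PORT = 853
DOT_SNI = "cloudflare-dns.com"  # name the server certificate is validated against


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: RD=1, one question, no EDNS. Identical bytes
    are sent over UDP/53 and (framed) over DoT, so the content does not differ,
    only the transport does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_tcp(msg: bytes) -> bytes:
    """TCP and DoT framing: two-byte big-endian length prefix before the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data: bytes) -> bytes:
    """Strip the two-byte length prefix; reject a short read."""
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("truncated DNS-over-TCP frame")
    return data[2:2 + n]


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def dot_query(name: str, server: str = DOT_SERVER, sni: str = DOT_SNI, timeout: float = 5.0) -> dict:
    """Send one query over DNS-over-TLS. The default SSL context verifies the
    chain and the certificate name, so a substituted resolver fails to connect."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (n,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, n))


# Constructed sample response (not captured traffic): example.com A 93.184.216.34, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("query bytes:", build_query("example.com").hex())
    print("same query framed for TCP/DoT:", frame_tcp(build_query("example.com")).hex())
    print("parsed sample:", parse_response(unframe_tcp(frame_tcp(SAMPLE_RESPONSE))))
```

Run it offline to see the two encodings side by side; the only byte-level difference a network monitor can use to tell "unencrypted DNS" from DoT is the transport (UDP/53 versus a TLS session on TCP/853), which is exactly why a tool such as Little Snitch reports them as separate connections.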
