Problem encountered with "Private DNS"

What is the name of the domain?

All

What is the issue you’re encountering

See below

What steps have you taken to resolve the issue?

By following this guide Private DNS · Cloudflare Zero Trust docs I have setup my Private DNS on my private network for WARP clients, or so I thought.

But it doesn’t work well because of the problem mentioned in the title of this post.

So for example:

My local LAN only supports ipv4.

www.mydomain.com is managed by the Cloudflare reverse proxy service. So from the public internet when queried, it will return a couple of proxied ipv4 addresses plus a couple of proxied ipv6 addresses. All good.

Now on my client device (I tested both Android WARP Client and Windows WARP Client), with WARP Zero Trust connection active, I try to make a DNS query on www.mydomain.com and while it returns the private / local ipv4 address served from my private DNS Server (let’s say 192.168.1.2), it ALSO returns a pair of public ipv6 addresses (the same public ipv6 addresses as if I hadn’t established any Zero Trust WARP connection on my device). And this confuses my client device.

So when I try to reach my services, depending on different circumstances, sometimes the client device will use the ipv6 address, therefore the connection will get routed through the public ipv6 route to my service instead of through my private ipv4 IP address (i.e. the 192.168.1.2 address). Really not desired as 1) some services are open only to internal LAN (i.e. can’t reach my service at all), and 2) I have services that can recognize where the connection originates from, and if it is from the Cloudflare proxy (i.e. public) it will restrict some features.

I have actually come up with a workaround - on my private DNS Server, I deliberately added a “dummy” ipv6 address for www.mydomain.com (say “fd12:3456:789a:1::1”) that goes nowhere. And now when my WARP client queries www.mydomain.com, it will get the internal ipv4 address (192.168.1.2), and also this dummy ipv6 address (fd12:3456:789a:1::1). So it doesn’t really matter what the client device wants to try first, because fd12:3456:789a:1::1 will not reach anywhere, and the device will eventually (and without any noticeable delay) try 192.168.1.2 and make the connection successfully.

Still it seems kind of dumb to have to fake an ipv6 address to work around this problem. Can the private DNS Server not take precedence 100% of the time regardless of the ipv4 / ipv6 situation?
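The failure described in the post is a split-horizon leak: the client merges an A record from the private resolver with AAAA records from the public resolver, and any address outside the internal ranges is one the client may use to bypass the tunnel. The following Python check is an added example, not code from the OP or from Cloudflare. It classifies a name's answers against RFC 1918 and the IPv6 ULA block (fc00::/7), so the 192.168.1.2 address and the fd12:3456:789a:1::1 sink from the post count as internal and anything else is reported as leaked. The two answer sets are constructed to model the "before" and "after" of the workaround; the 2001:db8:: addresses are documentation-prefix placeholders standing in for the real proxied IPv6 addresses, which the post does not give. The `resolve_live` helper is the one piece that touches the network, querying the OS resolver (i.e. WARP when the tunnel is up) so the same audit can be run against real answers.

```python
import ipaddress
import socket

# Constructed sample modelling the merged answer the post describes: the A record
# came from the private resolver, the AAAA records from the public resolver.
# 2001:db8::/32 is the IPv6 documentation prefix, used here as a placeholder.
LEAKING_ANSWERS = ["192.168.1.2", "2001:db8::1", "2001:db8::2"]

# Constructed sample of the same name after the workaround from the post: the
# private resolver now also serves a ULA sink address for the AAAA query.
WORKAROUND_ANSWERS = ["192.168.1.2", "fd12:3456:789a:1::1"]

# Ranges that should only be reachable through the tunnel: RFC 1918 for IPv4 and
# the ULA block fc00::/7 for IPv6 (which contains fd12:3456:789a:1::1).
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of INTERNAL_RANGES (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def audit(answers):
    """Split resolver answers into (internal, leaked).

    For a name that is supposed to be served by the private DNS, a non-empty
    'leaked' list means the client holds an address that can bypass the tunnel.
    """
    internal = [a for a in answers if is_internal(a)]
    leaked = [a for a in answers if not is_internal(a)]
    return internal, leaked


def resolve_live(name: str):
    """Ask the OS resolver (WARP, when connected) for the A and AAAA answers.

    Needs network access; the constructed samples above do not use it.
    """
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for label, answers in (("before", LEAKING_ANSWERS), ("after", WORKAROUND_ANSWERS)):
        internal, leaked = audit(answers)
        print(f"{label}: internal={internal} leaked={leaked}")
```

Run against a live name with `audit(resolve_live("www.mydomain.com"))` from a WARP-connected device; an empty `leaked` list is the condition the post is asking Cloudflare to guarantee, and a non-empty one reproduces the problem without having to wait for the client to pick the wrong address.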