The WARP client on Android cannot handle DoH authentication

What is the name of the domain?

any

What is the error message?

All signs suggest that authentication is broken (as shown in the screenshots, but they were not shown in the Gateway logs, so the query must have been dropped when just entering the edge network, rather than rejected by policies or something)

What is the issue you’re encountering

If DoH authentication is enabled (for the default DNS location) and WARP (on Android) is turned on, apps wouldn’t be able to resolve domains (including WARP, so it shows “connection error” and keeps reconnecting forever)

What steps have you taken to resolve the issue?

Please see the next section first :slight_smile:

  1. disable “DoH endpoint filtering & authentication”
  2. problems resolved

What are the steps to reproduce the issue?

  1. install “Cloudflare One Agent” from Google Play and enroll an Android device
  2. enable “DoH endpoint filtering & authentication” and click only “Require user tokens or identities” for the default DNS location
  3. connect… and it failed

Screenshot of the error

May I ask if you’ve got any Gateway policies applied already, which would block the DoH by default? :thinking:

No, there aren’t any DNS or network policies, only one auto-generated bypass M365 policy under HTTP policies.

Plus, the issue only happens on Android; other platforms (tested Windows 11, iOS 18.3, and Arch Linux) work smoothly no matter whether I enabled auth for the default DoH or not.
They just work without needing to reconfigure/restart, and if I enabled the auth, I do see the device ID and user emails in logs and analytics.