Trialling Zero Trust. DNS not working when connected

Good afternoon,

I’m trialling Zero Trust, but have hit a hurdle right at the start.
I have two Windows 11 22H2 endpoints with WARP client 2022.12.476.0 installed.

The tunnel works great when the WARP client is first installed.

However, when I connect the agent to my team the tunnel only works in “Gateway with DoH” mode.
As soon as I try to connect with “Gateway with WARP” connection then DNS resolution is broken.
Our zero trust tenant is new with only default configuration in it.

I can’t see anything in the docs that says extra config or policies are needed to simply browse the web.
In addition, when the gateway with WARP connection is connected I can ping the internet via IP address so the traffic would appear to be being tunnelled successfully.

The puzzling thing is that the DNS protocol mode is HTTPS and the docs say that the DoH requests are routed outside of the tunnel so it doesn’t make immediate sense why DoH works in DoH mode, but not in WARP mode despite both scenarios routing the DNS outside of the tunnel.

Help or guidance would be very gratefully received!

Resolved. The issue was caused because there was a separate web content filtering client on the workstations that was unfortunately not reporting that it was blocking access to the DoH server.

This issue did not arise before the WARP client was joined to the team because the WARP client uses WARP protocol for DNS which sends the DNS requests down the tunnel as opposed to DoH where the DNS is outside the tunnel.

Excluding the following domains from the web content filter allowed comms with the Cloudflare DoH servers.

cloudflare.com
cloudflare-dns.com
cloudflare-gateway.com
cloudflareaccess.com
cloudflareclient.com
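
Added example, not part of the original post: the resolution above turned on a local web filter silently blocking HTTPS to the DoH server. The Python sketch below shows one way to see where such a connection fails by reporting the failing stage (DNS, TCP, TLS) for each hostname given on the command line, and the certificate issuer when the handshake succeeds. The function names `classify` and `probe` are made up for this example, and the hostnames to test are yours to supply.

```python
import socket
import ssl
import sys


def classify(exc):
    """Name the stage at which a probe failed (None means it succeeded)."""
    if exc is None:
        return "ok"
    if isinstance(exc, socket.gaierror):
        return "dns-failed"            # system resolver could not resolve the name
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-cert-untrusted"    # e.g. a proxy re-signing with an untrusted CA
    if isinstance(exc, ssl.SSLError):
        return "tls-failed"            # handshake aborted for another reason
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"               # packets dropped without a reply
    if isinstance(exc, ConnectionError):
        return "tcp-reset-or-refused"  # connection actively torn down
    return "other-error"


def probe(host, port=443, timeout=5.0):
    """Open a verified TLS connection to host:port; return (stage, detail)."""
    ctx = ssl.create_default_context()  # uses the OS trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                # An issuer naming the filter vendor means TLS is being intercepted.
                return "ok", issuer.get("organizationName", "unknown")
    except OSError as exc:
        return classify(exc), str(exc)


if __name__ == "__main__":
    # Hostnames come from the command line; nothing is probed on import.
    for host in sys.argv[1:]:
        stage, detail = probe(host)
        print(f"{host:40} {stage:22} {detail}")
```

Run it with the WARP client disconnected so the system resolver still works; a result other than `ok`, or an `ok` whose issuer is the filtering product rather than a public CA, points at the filter.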