WARP mode "Secure Web Gateway without DNS Filtering" not behaving as expected

The documentation and description around the WARP mode “Secure Web Gateway without DNS Filtering” leads me to believe that local DNS would be queried and not Cloudflare.

ZT Console describes the setting as “Provides only WARP Tunnel and posture functionality. Does not enforce DNS policies or DNS resolution”

Documentation says: " In Secure Web Gateway without DNS filtering mode, WARP does not perform any DNS functions on the device. Therefore, all you need to do is split tunnel your IP traffic." (emphasis mine)

However on an ARM-basedf Mac running macOS 14.1.2 and WARP 2023.12.2.0 (20231201.19)
I am seeing the following behaviors:

  1. Trying to visit an internal only domain works.
  2. Trying to visit a domain that exists both internally and externally results in getting the internal version
  3. Trying to visit Facebook works.

Item 3 is incorrect behavior as our internal DNS returns “” for Facebook domains.

Additionally an nslookup of Facebook shows DNS results are coming from despite the promise in documentation that “WARP does not perform any DNS functions on the device”

How do I make WARP respect our network-level DNS filters? (A set of AdGuard servers with custom lists)