[ZT] DNS in WARP tunnel (#22030)

* remove DoH IPs from learning path

* warp with firewall

* update WARP architecture

* mobile devices footnote

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture.mdx

@@ -18,9 +18,11 @@ The WARP client allows organizations to have granular control over the applicati
 
 | Connection                                                                                                                                     | Protocol | Purpose                                                                                                         |
 | ---------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------- |
-| Device orchestration                                                                                                                           | HTTPS    | Perform user registration, check device posture, apply WARP profile settings.                                   |
-| [DoH](https://www.cloudflare.com/learning/dns/dns-over-tls/)                                                                                   | HTTPS    | Send DNS requests to Gateway for DNS policy enforcement.                                                        |
 | WARP tunnel ([via WireGuard or MASQUE](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol)) | UDP      | Send IP packets to Gateway for network policy enforcement, HTTP policy enforcement, and private network access. |
+| [DoH](https://www.cloudflare.com/learning/dns/dns-over-tls/)                                                                                   | HTTPS    | Send DNS requests to Gateway for DNS policy enforcement. The DoH connection is maintained inside of the WARP tunnel.[^1]      |
+| Device orchestration                                                                                                                           | HTTPS    | Perform user registration, check device posture, apply WARP profile settings.                                   |
+
+[^1]: DoH is currently outside of the tunnel on iOS and Android/ChromeOS.
 
 ```mermaid
 flowchart LR
@@ -32,17 +34,22 @@ end
 subgraph Cloudflare
 A[Zero Trust account]
 subgraph Gateway
-G[DNS resolver]
 N[L3/L4 firewall]
+G[DNS resolver]
+end
 end
+W<--"Device
+orchestration"-->A
+subgraph tunnel["WARP tunnel"]
+ ip@{ shape: text, label: "Network traffic" }
+  dns@{ shape: text, label: "DNS traffic" }
 end
-W<--Device orchestration-->A
-D<--DoH-->G
-V<--WARP tunnel-->N
+V --- ip-->N
+D --- dns-->G
 N --> O[(Application)]
 ```
 
-Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [DoH endpoint](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#doh-ip) and [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint do not obey Split Tunnel rules, since those connections always operate outside of the WARP tunnel.
+Your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration determines what IP traffic is sent down the WARP tunnel. Your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration determines which DNS requests are sent to Gateway via DoH. Traffic to the [device orchestration API](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/#client-orchestration-api) endpoint does not obey Split Tunnel rules since the connection always operates outside of the WARP tunnel.
 
 Next, you will learn how WARP configures your operating system to apply your Local Domain Fallback and Split Tunnel routing rules. Implementation details differ between desktop and mobile clients.
 
@@ -68,7 +75,7 @@ Browsers with DoH configured will bypass the local DNS proxy. You may need to di
 
 Based on your Local Domain Fallback configuration, WARP will either forward the request to Gateway for DNS policy enforcement or forward the request to your private DNS resolver.
 
-- Requests to Gateway are sent over our [DoH connection](#overview) (outside of the WARP tunnel).
+- Requests to Gateway are sent over our [DoH connection](#overview) inside the WARP tunnel.
 - Requests to your private DNS resolver are sent either inside or outside of the tunnel depending on your Split Tunnel configuration. For more information, refer to [How the WARP client handles DNS requests](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).
 
 ```mermaid

src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/firewall.mdx

@@ -17,9 +17,14 @@ The WARP client connects to Cloudflare via a standard HTTPS connection outside t
 
 ## DoH IP
 
-All DNS requests through WARP are sent outside the tunnel via DoH (DNS over HTTPS). In your organization's firewall, you must allow the following host: `<ACCOUNT_ID>.cloudflare-gateway.com`. WARP will connect to the following IPs, which must be reachable for DNS to work correctly.
+:::note
+Only required for [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode.
+:::
+
+In [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh) mode, the WARP client sends DNS requests to Gateway over an HTTPS connection outside the tunnel. For DNS to work correctly, you must allow `<ACCOUNT_ID>.cloudflare-gateway.com` which will lookup the following IPs:
 
-<Render file="warp/doh-ips" />
+- IPv4 DoH Addresses: `162.159.36.1` and `162.159.46.1`
+- IPv6 DoH Addresses: `2606:4700:4700::1111` and `2606:4700:4700::1001`
 
 ### Android devices
 

src/content/partials/cloudflare-one/warp/doh-ips.mdx

@@ -10,26 +10,23 @@ Most admins test by manually downloading the WARP client and enrolling in your o
 ## Install WARP
 
 1. First, uninstall any existing third-party VPN software if possible. Sometimes products placed in a disconnected or disabled state will still interfere with the WARP client.
-2. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to these IP addresses:
-   * Client orchestration IPs: <Render file="warp/client-orchestration-ips" product="cloudflare-one" />
-   * Gateway DoH IPs: <Render file="warp/doh-ips" product="cloudflare-one" />
-     For more information, refer to [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
-3. Manually install WARP on the device.
-
+2. If you are running third-party firewall or TLS decryption software, verify that it does not inspect or block traffic to the WARP client orchestration IPs:
+  	<Render file="warp/client-orchestration-ips" product="cloudflare-one" />
 
-<Details header="Window, macOS, and Linux">
-
-<Render file="warp/enroll-desktop" product="cloudflare-one" />
+	For more information, refer to [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
 
+3. Manually install WARP on the device.
 
-</Details>
+		<Details header="Window, macOS, and Linux">
 
+		<Render file="warp/enroll-desktop" product="cloudflare-one" />
 
-<Details header="iOS, Android, and ChromeOS">
+		</Details>
 
-<Render file="warp/enroll-ios-android" product="cloudflare-one" />
+		<Details header="iOS, Android, and ChromeOS">
 
+		<Render file="warp/enroll-ios-android" product="cloudflare-one" />
 
-</Details>
+		</Details>
 
 The WARP client should show as **Connected**. {props.one}