[Gateway] FQDN update (#22405)

Author: maxvp

src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx

@@ -180,7 +180,17 @@ Gateway uses Rust to evaluate regular expressions. The Rust implementation is sl
 
 ### Selector prerequisites
 
-The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic onboarded to Gateway with [WARP](/cloudflare-one/connections/connect-devices/warp/), [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/), or [Browser Isolation](/cloudflare-one/policies/browser-isolation/). These selectors are not compatible with traffic onboarded to Gateway with [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/), or [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/).
+The [Application](#application), [Content Categories](#content-categories), [Domain](#domain), and [Host](#host) selectors are only available for traffic on-ramped to Gateway with the following methods:
+
+| On-ramp method                                                                             | Compatibility |
+| ------------------------------------------------------------------------------------------ | ------------- |
+| [WARP](/cloudflare-one/connections/connect-devices/warp/)                                  | ✅            |
+| [PAC files](/cloudflare-one/connections/connect-devices/agentless/pac-files/)              | ✅            |
+| [Browser Isolation](/cloudflare-one/policies/browser-isolation/)                           | ✅            |
+| [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) | ❌            |
+| [Magic WAN](/magic-wan/zero-trust/cloudflare-gateway/)                                     | ❌            |
+
+When you use these selectors in an egress policy for traffic from a supported on-ramp, Gateway will assign initial resolved IPs to the DNS queries, then apply the correct egress IP according to the egress policy. Unsupported traffic will be resolved with your default Gateway settings. Gateway will only overwrite the DNS response when the query matches a condition in the egress policy. If you use [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/locations/) to send a DNS query to Gateway with IPv4, IPv6, DoT, or DoH, Gateway will not return the initial resolved IP.
 
 To turn on the selectors for your account, use the [Patch Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/edit/) endpoint. For example:
 
@@ -200,7 +210,17 @@ curl --request PATCH \
 
 Additionally, to use these selectors to filter traffic onboarded with WARP, you need to:
 
-1. Ensure you have deployed [WARP beta version 2025.4.589.1](/cloudflare-one/connections/connect-devices/warp/download-warp/beta-releases/) or later on your users' devices.
+1. Ensure you have deployed [WARP version 2025.4.929.0](/cloudflare-one/connections/connect-devices/warp/download-warp/beta-releases/) or later on your users' desktop devices. If you need to apply your policies to mobile devices or devices running a version of WARP prior to 2025.4.929.0, add and deploy the following key-value pair to your devices' [WARP configuration file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/) (`mdm.xml` on Windows and Linux or `com.cloudflare.warp.plist` on macOS):
+
+   ```diff lang="xml"
+   <array>
+   	<dict>
+   +		<key>doh_in_tunnel</key>
+   +		<true/>
+   	</dict>
+   </array>
+   ```
+
 2. In your WARP [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
 
    <Tabs> <TabItem label="Exclude IPs and domains">