diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx
index 252cdc307d5b10..9cd83554c15865 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 2
---
-import { Render } from "~/components";
+import { GlossaryTooltip, Render } from "~/components";
By default, Cloudflare Zero Trust excludes common top-level domains, used for local resolution, from being sent to Gateway for processing. These top-level domains are resolved by the local DNS resolver configured for the device on its primary interface.
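Review bot: `GlossaryTooltip` is added to the import in this hunk, but none of the added lines shown for local-domains.mdx use it; the only other additions in this file are two empty lines. If the tooltip is used only inside the new ldf-best-practice.mdx partial, which has its own import, drop it here and keep `import { Render } from "~/components";`.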
@@ -17,6 +17,8 @@ Local Domain Fallback only applies to devices running the WARP client.
Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.
+
+
### AWS
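Review bot: The two added lines before `### AWS` are empty as shown, so nothing visible in this hunk pulls in the new ldf-best-practice.mdx partial. Confirm that the `Render` reference to the partial is actually present at this spot; if it is not, this hunk is a whitespace-only change and should be dropped. The placement itself is right: the tip belongs directly after the paragraph stating that Local Domain Fallback queries bypass Gateway DNS policies and DNS logging.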
@@ -52,4 +54,4 @@ The domain will no longer be excluded from Gateway DNS policies, effective immed
## Related resources
- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) - Control which traffic goes through WARP by including or excluding specific IPs or domains.
-- [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/) - Learn which IPs, domains, and ports to allow so users can deploy and connect WARP successfully behind a firewall.
+- [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/) - Learn which IPs, domains, and ports to allow so users can deploy and connect WARP successfully behind a firewall.
\ No newline at end of file
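Review bot: The "WARP with firewall" bullet is removed and re-added with identical text, and the only effect is that the file loses its trailing newline. This is unrelated to the tip being added; restore the final newline so the hunk disappears from the diff.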
diff --git a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
index 2eb8fc9a5b4d7b..64b0cfe9f4890d 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx
@@ -10,7 +10,7 @@ head:
content: Resolver policies
---
-import { Render, Badge } from "~/components";
+import { Render, Badge, GlossaryTooltip } from "~/components";
:::note
Only available on Enterprise plans.
@@ -52,6 +52,8 @@ To get started with resolving internal DNS queries with resolver policies, refer
If your resolver is only reachable by a client device and not by Gateway via a Cloudflare tunnel, Magic WAN tunnel, or other public Internet connections, you should configure [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) for your device. If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply your client-side Local Domain Fallback rules first. If you onboard DNS queries to Gateway with the WARP client and route them with resolver policies, the source IP of the queries will be the IP address assigned by the WARP client.
+
+
## Resolver connections
Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a [Magic tunnel](/magic-transit/how-to/configure-tunnel-endpoints/). Policies default to port `53`. You can change which port your resolver uses by customizing it in your policy.
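Review bot: The insertion point sits right after the sentence saying that when both are configured, client-side Local Domain Fallback rules are applied first. A reader who follows the new recommendation and adds a resolver policy while leaving the existing Local Domain Fallback entry in place will still have those queries bypass Gateway logging. Consider having the tip, or a sentence here, say that the matching Local Domain Fallback entry must be removed for the resolver policy to take effect. Also, as with the other page, the two added lines are empty as shown; confirm the partial is actually rendered here.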
diff --git a/src/content/partials/cloudflare-one/warp/ldf-best-practice.mdx b/src/content/partials/cloudflare-one/warp/ldf-best-practice.mdx
new file mode 100644
index 00000000000000..0c7940a4582c54
--- /dev/null
+++ b/src/content/partials/cloudflare-one/warp/ldf-best-practice.mdx
@@ -0,0 +1,11 @@
+---
+{}
+---
+
+import { GlossaryTooltip } from "~/components";
+
+:::tip[Local Domain Fallback or Gateway Resolver policies?]
+
+If your DNS server can be configured to connect to a Cloudflare on-ramp, Cloudflare recommends using Gateway Resolver policies rather than Local Domain Fallback. Gateway Resolver policies provide more visibility by allowing you to log and review DNS traffic.
+
+:::
\ No newline at end of file
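Review bot: The tip body justifies the recommendation only by logging ("log and review DNS traffic"), while local-domains.mdx states that Local Domain Fallback queries are not subject to Gateway DNS policies or DNS logging. Mention policy enforcement as well, since that is the larger difference. Three smaller points: resolver-policies.mdx carries a note that resolver policies are only available on Enterprise plans, so the tip should say so when rendered on the Local Domain Fallback page; "Gateway Resolver policies" is capitalized here but written "resolver policies" in both parent pages; and `GlossaryTooltip` is imported but not used in any line shown. The file also ends without a trailing newline.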