Expand Up @@ -5,7 +5,7 @@ sidebar:
order: 2
---

import { Render } from "~/components";
import { GlossaryTooltip, Render } from "~/components";

By default, Cloudflare Zero Trust excludes common top-level domains, used for local resolution, from being sent to Gateway for processing. These top-level domains are resolved by the local DNS resolver configured for the device on its primary interface.

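Review bot: `GlossaryTooltip` is added to this file's import line, but nothing in this file's hunks uses it; the only new element is `<Render file="warp/ldf-best-practice" product="cloudflare-one" />`, and the partial it pulls in imports `GlossaryTooltip` on its own (see `src/content/partials/cloudflare-one/warp/ldf-best-practice.mdx` further down). Unless the unchanged part of this page already uses the component, keep `import { Render } from "~/components";` as it was and avoid an unused import.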
Expand All @@ -17,6 +17,8 @@ Local Domain Fallback only applies to devices running the WARP client.

Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first.

<Render file="warp/ldf-best-practice" product="cloudflare-one" />

### AWS

<Render file="aws-resolver" product="cloudflare-one" />
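Review bot: the inserted tip largely repeats the sentence just above it ("If you want to route DNS queries to custom resolvers and apply Gateway filtering, use resolver policies"), and it makes a weaker claim than that paragraph: the partial only cites logging, while the paragraph states that fallback queries bypass Gateway DNS policies as well as DNS logging, and that client-side Local Domain Fallback rules are applied before resolver policies. That precedence is the point a reader needs: a stale or over-broad fallback entry silently removes both filtering and logging for that domain even when a resolver policy exists. Either trim the paragraph to avoid saying the same thing twice, or have the tip carry the stronger statement. Also worth a mention here: resolver policies are Enterprise-only (the `:::note` at the top of the resolver-policies page), so readers on other plans cannot follow the recommendation as written.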
Expand Down Expand Up @@ -52,4 +54,4 @@ The domain will no longer be excluded from Gateway DNS policies, effective immed
## Related resources

- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) - Control which traffic goes through WARP by including or excluding specific IPs or domains.
- [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/) - Learn which IPs, domains, and ports to allow so users can deploy and connect WARP successfully behind a firewall.
- [WARP with firewall](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/) - Learn which IPs, domains, and ports to allow so users can deploy and connect WARP successfully behind a firewall.
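Review bot: this hunk is whitespace-only (the last line is re-added with a trailing newline); harmless, but unrelated to the Local Domain Fallback tip and could be dropped to keep the change focused.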
Expand Up @@ -10,7 +10,7 @@ head:
content: Resolver policies
---

import { Render, Badge } from "~/components";
import { Render, Badge, GlossaryTooltip } from "~/components";

:::note
Only available on Enterprise plans.
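Review bot: `GlossaryTooltip` is imported here but no hunk in this file references it; the partial rendered below imports the component itself. Unless the unchanged part of the page already uses it, keep the original `import { Render, Badge } from "~/components";` line.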
Expand Down Expand Up @@ -52,6 +52,8 @@ To get started with resolving internal DNS queries with resolver policies, refer

If your resolver is only reachable by a client device and not by Gateway via a Cloudflare tunnel, Magic WAN tunnel, or other public Internet connections, you should configure [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) for your device. If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply your client-side Local Domain Fallback rules first. If you onboard DNS queries to Gateway with the WARP client and route them with resolver policies, the source IP of the queries will be the IP address assigned by the WARP client.

<Render file="warp/ldf-best-practice" product="cloudflare-one" />

## Resolver connections

Resolver policies support TCP and UDP connections. Custom resolvers can point to the Internet via IPv4 or IPv6, or to a private network service, such as a [Magic tunnel](/magic-transit/how-to/configure-tunnel-endpoints/). Policies default to port `53`. You can change which port your resolver uses by customizing it in your policy.
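Review bot: the tip's condition ("if your DNS server can be configured to connect to a Cloudflare on-ramp") and the preceding paragraph's condition ("reachable by Gateway via a Cloudflare tunnel, Magic WAN tunnel, or other public Internet connections") describe the same reachability test in different vocabulary, which reads as two separate criteria. Align them, for example by having the paragraph use the on-ramp term or the tip list the same examples. Ordering is also worth a look: the paragraph explains the exception (use Local Domain Fallback when only the client can reach the resolver) and the tip then states the general recommendation, so placing the `<Render>` before the paragraph would read recommendation first, exception second.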
11 changes: 11 additions & 0 deletions src/content/partials/cloudflare-one/warp/ldf-best-practice.mdx
@@ -0,0 +1,11 @@
---
{}
---

import { GlossaryTooltip } from "~/components";

:::tip[Local Domain Fallback or Gateway Resolver policies?]

If your DNS server can be configured to connect to a Cloudflare <GlossaryTooltip term="on-ramp">on-ramp</GlossaryTooltip>, Cloudflare recommends using Gateway Resolver policies rather than Local Domain Fallback. Gateway Resolver policies provide more visibility by allowing you to log and review DNS traffic.

:::
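Review bot: the tip gives only the logging benefit, but both pages that render this partial state the stronger fact: queries subject to Local Domain Fallback bypass Gateway DNS policies as well as DNS logging. Suggest something like "Gateway resolver policies provide more visibility and control: queries they handle are subject to Gateway DNS policies and appear in DNS logs, whereas Local Domain Fallback queries bypass both." Smaller points: "Gateway Resolver policies" is capitalized differently from "resolver policies" as used in both pages, the tip has no link to the resolver policies page (a link to /cloudflare-one/policies/gateway/resolver-policies/ would help readers arriving from the Local Domain Fallback page), and the recommendation should note that resolver policies are Enterprise-only, as the resolver-policies page says. Please also confirm the `on-ramp` glossary term exists so the `<GlossaryTooltip>` renders a definition rather than bare text.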