
KB - Cloudflare WARP DNS Proxy Failure with Docker Desktop


KB ID: CF-WARP-001
Created: 2024-12-22
Category: Networking / VPN / Cloudflare
Affected Systems: Windows/macOS with Docker Desktop and Cloudflare WARP


Summary

Users running Docker Desktop alongside Cloudflare WARP may experience connectivity failures due to a DNS resolution conflict. This article documents the error, root cause, and resolution.


Symptoms

Users will encounter the following error when attempting to connect through Cloudflare WARP:

Status: Unable to Connect
Error Reason: DNS proxy failure
Error Code: CF_DNS_PROXY_FAILURE
Error Description: A third-party process is performing DNS resolution on this device: mDNSResponder. Remove the process's DNS interception or contact your administrator to update WARP modes.
Reference: https://cfl.re/CF_DNS_PROXY_FAILURE

Root Cause

Docker Desktop includes an experimental feature called "Use kernel networking for UDP" that enables a more efficient kernel networking path for UDP traffic. This feature intercepts DNS resolution requests via mDNSResponder, which conflicts with Cloudflare WARP's DNS proxy functionality.

When both services attempt to handle DNS resolution simultaneously, WARP cannot establish its secure tunnel, resulting in the CF_DNS_PROXY_FAILURE error.


Resolution

Steps to Resolve

  1. Open Docker Desktop

  2. Navigate to Settings (gear icon in the top-right corner)

  3. Select Resources > Network (or General depending on Docker Desktop version)

  4. Locate the following option:

    Use kernel networking for UDP
    Use a more efficient kernel networking path for UDP. This may not be compatible with your VPN software.

  5. Disable (uncheck) this option

  6. Click Apply & Restart

  7. Once Docker Desktop has restarted, reconnect Cloudflare WARP

Verification

After applying the fix:
- Cloudflare WARP should connect successfully
- Docker containers should continue to function normally
- DNS resolution should work as expected for both services
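
To confirm which process holds the local DNS port before and after the change, the following added example (not part of the original KB, nor Cloudflare's or Docker's own tooling) filters `lsof` output for sockets whose local port is 53 and reports any owner other than WARP. It assumes the interception shows up as a port-53 socket and that the WARP daemon's process name is `CloudflareWARP` (override with `WARP_PROC`); the sample output is constructed.

```shell
#!/bin/sh
# Added example: report processes other than WARP that own a local port-53 socket.
# Assumption: the WARP daemon's process name; override via the environment.
WARP_PROC="${WARP_PROC:-CloudflareWARP}"

# Constructed sample of `lsof +c 0 -nP -i :53` output (not captured from a real host).
SAMPLE_LSOF='COMMAND         PID USER            FD  TYPE DEVICE SIZE/OFF NODE NAME
mDNSResponder   412 _mdnsresponder  30u IPv4 0xabc1 0t0      UDP  *:53
mDNSResponder   412 _mdnsresponder  31u IPv4 0xabc2 0t0      TCP  *:53 (LISTEN)
CloudflareWARP  901 root            12u IPv4 0xabc3 0t0      UDP  127.0.2.2:53
curl           1500 alice           40u IPv4 0xabc4 0t0      UDP  192.168.1.5:51000->8.8.8.8:53'

# stdin: lsof output; stdout: unique "COMMAND PID" pairs bound to LOCAL port 53.
# `lsof -i :53` also lists outbound client sockets talking to a remote :53,
# so the remote half of "local->remote" is stripped before matching.
port53_owners() {
  awk 'NR > 1 {
         name = $9                 # NAME column: local[->remote]
         sub(/->.*/, "", name)     # keep the local endpoint only
         if (name ~ /:53$/) print $1, $2
       }' | sort -u
}

# Same input, minus the WARP daemon itself: anything left is a competing resolver.
unexpected_dns_owners() {
  port53_owners | awk -v warp="$WARP_PROC" '$1 != warp'
}

# Live check: run with --live (may need sudo to see sockets owned by other users).
if [ "${1:-}" = "--live" ]; then
  found=$(lsof +c 0 -nP -i :53 2>/dev/null | unexpected_dns_owners)
  if [ -n "$found" ]; then
    echo "Non-WARP process(es) on port 53:"
    echo "$found"
  else
    echo "No non-WARP process is bound to port 53."
  fi
fi
```

Run it with `--live` before step 5 and again after step 7; the `mDNSResponder` entry should no longer be reported once the Docker option is disabled.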


Additional Notes

  • This setting is experimental and Docker explicitly warns it "may not be compatible with your VPN software"
  • Disabling this option should not significantly impact Docker performance for most use cases
  • If users require this Docker feature for specific workloads, they may need to disconnect WARP while using those workloads


Revision History

Date: 2024-12-22
Author: Security Team
Changes: Initial creation