Cloudflare One Client for macOS DNS search suffixes

Why single-label queries start behaving differently on managed macOS

A single-label query is the sort of hostname people type because it worked on a desk LAN ten years ago and never quite died. On macOS, the client can append DNS search domains from the device profile or network policy, then send the expanded name along with the system-configured suffix list. The query still starts as a single label, but resolution now depends on the suffix order the machine has been handed.

That changes the failure shape. A hostname that once fell straight into the local resolver may now resolve through the search list, or fail in a different place when the first suffix points at a dead zone. If the profile has stale suffixes, the machine will try them in sequence and make the DNS layer look flaky when the real fault sits in the policy.

Where the suffix list comes from in the device profile

The source is the WARP device profile or network policy. If those settings define search domains, the client appends them to the resolver path on macOS. It does not replace the system list outright, which means local suffixes and managed suffixes can coexist, for better or worse.

That is the bit worth checking before rollout. A suffix list that looks neat in the Zero Trust dashboard can still clash with what the Mac already carries. If a laptop sits on a home network, a guest Wi-Fi, or a site LAN with its own resolver habits, the combined list can produce odd hits that are hard to reproduce on an admin machine.

What the client adds, and what it leaves to the system resolver

The client adds the configured search domains for single-label lookups. It leaves the rest of the resolver behaviour to macOS, including the system search suffixes already present on the box. That keeps the integration lightweight, but it also means the client is not acting like a full replacement DNS stack.

In practice, that matters most when name resolution looks correct in policy but wrong on the device. The machine may be doing exactly what it was told, just not what was intended. DNS makes a fine liar when the suffix list is messy.

The operational edge cases that show up first

The local DNS proxy now supports DNSSEC passthrough, which is the kind of change that only looks boring until it breaks validation. DO and AD bits, plus RRSIG records, now make it through intact. If a resolver chain used to flatten or mangle that data, the client should stop being the place where DNSSEC gets quietly ruined.

That still leaves search order. When the proxy is in the path, a single-label query can be expanded before resolution, then passed on with DNSSEC data preserved. If the suffix list is wrong, DNSSEC does not save the day. It just confirms the answer was signed and still useless.

Local DNS proxy behaviour with DNSSEC and search order

The local DNS proxy keeping DNSSEC intact is a good fix, but it does not make search suffixes harmless. Resolution order still determines which FQDN gets queried. If the suffix list sends printer to printer.corp.example first and that zone is wrong, the client will faithfully preserve the DNSSEC response from the wrong destination.

That is the nuisance here: the proxy is doing its job, and the failure still sits one layer above it. If a hostname works only when typed in full, suspect the suffix list before touching the resolver chain.

Split DNS, VNET exposure, and the Zero Trust dashboard

VNET availability is now scoped per WARP device profile in the Zero Trust dashboard. That means the picker no longer needs to show every VNET in the organisation to every device. Before this change, visibility was broader than most administrators wanted, which is a tidy way of saying it was too easy to expose irrelevant networks to the wrong endpoint.

This affects more than the UI. If a Mac can see only the VNETs attached to its profile, access troubleshooting becomes less noisy, but mis-scoped profiles show up faster. A laptop assigned to the wrong profile may still connect, then fail when the VNET it needs is missing from the set it is allowed to reach. That sort of failure tends to look like DNS, because DNS is where people always look first.

Keep the rollout tight on macOS clients

The safest rollout is small and ugly in the useful way. Start with a narrow set of macOS devices, a known suffix list, and hostnames that already exist in production. A policy page is not proof of anything. A real hostname is.

The same caution applies to VNET scope. If the profile controls which VNETs appear in the client, test a device that actually needs more than one path and one that should see very little. The difference between those two tells you more than a perfect dashboard screenshot ever will.

Test the suffix list against real hostnames, not just policy pages

Use names that exercise the search list, not names that already include the full domain. Single-label queries are the point here. If the suffix handling is wrong, full hostnames can still look fine while internal short names fail in the field.

A decent test set includes one hostname that should resolve through the managed suffix, one that should resolve through the local resolver, and one that should fail cleanly. If all three behave the same, the test set is bad or the profile is doing something you did not plan for.

Watch for the failure modes that look like DNS but are really profile drift

Profile drift is the dull failure that eats afternoons. A stale suffix, the wrong VNET assignment, or a device stuck on an older profile can all show up as intermittent name resolution problems. The client is then blamed for being moody when it is simply obeying the wrong instructions.

The new Emergency Disconnect path adds one more operational boundary. A monitored local file can now trigger disconnect, alongside the existing HTTPS polling path, and either signal being asserted is enough to drop the connection. Both signals must be cleared before normal operation resumes. That is fine in a controlled setup and deeply annoying if a file watcher or endpoint control leaves the signal hanging around.

What to verify after the change lands

Check three things on a real Mac: the resolved suffix order, the VNETs shown for that profile, and the client state after any disconnect event. If single-label queries resolve to the right targets, the suffix list is probably sane. If the VNET picker shows only the networks attached to the profile, the scoping is doing its job.

For proxy paths, confirm that local DNS proxy traffic still carries DNSSEC data cleanly and that applications depending on CONNECT requests with underscore-containing hostnames no longer fall over. On the admin side, keep split tunnel changes in mind, because the new UI does not handle split tunnel list configuration, so that still lives in warp-cli tunnel ip and warp-cli tunnel host.

If the Mac gets stuck at “Checking your organisation configuration”, the client may be hanging on IPC errors and need a reboot. That is the sort of message that sounds polite and behaves like a brick.

Tags:

Related posts

Cloudflare One Client for macOS DNS search suffixes

Cloudflare One Client for macOS can make a short hostname behave very differently, and most of the pain sits in the suffix list rather than DNS itself. I have seen perfectly sane machines fail because...

Flux | v2.9.1

Flux v2.9.1: disables CRD substitution to prevent schema damage, fixes kustomize SOPS and dry run errors, CLI build fix and upgrade guide, component updates

OTel Collector | v0.156.0

OTel Collector v0 156 0: dependency refresh and version bump, review core and contrib changelogs, test integrations before upgrade