#DNS Lookup for the provider endpoint failed

OpenClaw on my Mac mini is correctly set to use ChatGPT Plus OAuth with openai-codex/gpt-5.4, but every real Codex request to chatgpt.com/backend-api gets blocked by Cloudflare (403 cf-mitigated: challenge / websocket 401), so OpenClaw shows “DNS lookup for the provider endpoint failed.”
The same OpenClaw version and same account work fine on my Hostinger VPS, so the issue looks specific to this Mac/network path, not my subscription or OpenClaw config.

OpenClaw on my Mac mini is correctly set to use ChatGPT Plus OAuth with openai-codex/gpt-5.4, but every real Codex request to chatgpt.com/backend-api gets blocked by Cloudflare (403 cf-mitigated: challenge / websocket 401), so OpenClaw shows “DNS lookup for the provider endpoint failed.”
The same OpenClaw version and same account work fine on my Hostinger VPS, so the issue looks specific to this Mac/network path, not my subscription or OpenClaw config.

Let me check the docs and the exact error path so I don’t guess.

I found one important thing in the code: that “DNS lookup for the provider endpoint failed” message is a generic sanitizer. It can show up for broader network/provider-path failures, so it can definitely mask the underlying Cloudflare block you saw.

This doesn’t sound like real DNS.

I checked the docs/code, and OpenClaw currently sanitizes several provider/network failures into the generic message:

LLM request failed: DNS lookup for the provider endpoint failed.

So a Cloudflare 403 cf-mitigated or WS 401 can absolutely show up as that misleading text.

Since the same account works on your VPS, I’d treat this as a Mac egress / local network path issue, not a subscription/config entitlement issue.

Please paste these first:

openclaw --version
openclaw status --all
openclaw models status

openclaw doctor --deep
openclaw config get models.providers.openai-codex

Most likely culprits on the Mac:

• iCloud Private Relay, VPN, proxy, DNS filter, Pi-hole
• Little Snitch / LuLu / antivirus HTTPS inspection
• a stale models.providers.openai-codex override shadowing the built-in Codex OAuth path
• local TLS stack weirdness, which doctor --deep now checks for Codex OAuth on macOS

Fastest experiments:

1. Try a different egress path, phone hotspot is perfect
2. Temporarily disable Private Relay / VPN / HTTPS-inspecting tools
3. If only WebSocket is failing, force SSE as a test:

{
  agents: {
    defaults: {
      models: {
        "openai-codex/gpt-5.4": { params: { transport: "sse" } },
      },
    },
  },
}

Docs:

• https://docs.openclaw.ai/help/faq
• https://docs.openclaw.ai/providers/openai
• https://docs.openclaw.ai/gateway/doctor
• https://docs.openclaw.ai/gateway/troubleshooting

If you paste those outputs plus one raw failing log block, I can help narrow it down pretty quickly.

Yeah, I think your read is basically right.

403 cf-mitigated means Cloudflare is challenging that specific Mac/network path. OpenClaw can’t solve that challenge in the Codex backend flow, so the request dies, then the UI/error sanitizer turns it into the misleading “DNS lookup…” message.

So in practice:

• not a ChatGPT Plus entitlement problem
• probably not an OpenClaw auth problem
• very likely Mac egress / local network / local TLS-intercept / IP reputation

Also, forcing SSE is only a diagnostic. If the plain HTTPS request is already getting cf-mitigated, SSE won’t magically fix it.

What I’d test on the Mac, in this order:

1. Different egress path
   • phone hotspot is the best quick test
2. Disable network meddling

• iCloud Private Relay
  • VPN / WARP / exit node
  • proxy
  • Little Snitch / LuLu
  • AdGuard / NextDNS / antivirus HTTPS inspection

3. Run doctor

   openclaw --version
   openclaw status --all
   openclaw models status
   openclaw doctor --deep
   openclaw config get models.providers.openai-codex
   

One more thing I checked in the docs/code: if you ever added a custom models.providers.openai-codex transport override, that can shadow the built-in Codex OAuth route. So that last config get output matters.

If the hotspot test works, that’s basically your answer: the Mac’s normal network path is what Cloudflare dislikes.

At that point the real options are:

• keep Codex OAuth on the VPS
• switch the Mac to openai/* with an API key instead of ChatGPT OAuth
• change the Mac’s egress/network path

Docs:

• https://docs.openclaw.ai/providers/openai
• https://docs.openclaw.ai/gateway/doctor
• https://docs.openclaw.ai/help/faq
• https://docs.openclaw.ai/gateway/troubleshooting

If you paste those command outputs, I can help narrow it down fast.

Maybe I should reset my Mac and onboard again ?

I wouldn’t reset the Mac, no.

A full Mac reset or even a full OpenClaw re-onboard is unlikely to fix cf-mitigated, because that usually points to the network/egress path, not broken local config.

I’d do these cheaper tests first:

1. Phone hotspot test

   • if it works there, you’ve basically proven it’s the normal network path

2. Temporarily disable

   • iCloud Private Relay
   • VPN / WARP / proxy / exit node
   • Little Snitch / LuLu / AdGuard / HTTPS inspection

3. Low-cost OpenClaw reset only

   • re-auth Codex, not the whole machine: