Bug Fix April 16, 2026

OpenClaw 4.14 GPT-5.4 / Codex Bug: Cloudflare 403 & "DNS Lookup Failed" — Fixed

If you updated to OpenClaw 2026.4.14 and your GPT-5.4 agent suddenly shows "DNS lookup for the provider endpoint failed" — your DNS is fine. OpenClaw hit a Cloudflare bot-mitigation wall and logged the wrong error. Here's what actually happened and two ways to fix it.

What's Going On

Two related bugs landed in 4.14 for openai-codex/gpt-5.4 users:

Bug #1 — Cloudflare 403 after upgrading from 4.12 (Issue #66633)

After the 4.12 → 4.14 upgrade, every openai-codex agent turn fails because chatgpt.com/backend-api/v1 returns a Cloudflare bot-challenge page (HTTP 403, cf-mitigated: challenge) instead of an API response. The failure is then misreported in logs as "DNS lookup for the provider endpoint failed" — which is completely misleading. Your DNS is working fine.

Bug #2 — Direct CLI inference returns HTML rawError (Issue #66674)

Even without the OAuth path, running openclaw infer directly against openai-codex/gpt-5.4 on 4.14 returns HTML in the rawError field and surfaces as the same fake DNS error. Both bugs share the same root cause: Cloudflare tightened its bot detection, and 4.14's user-agent/header changes tripped the challenge.

Why 4.12 Worked But 4.14 Broke

OpenClaw 4.14 changed how requests are shaped when going through the openai-codex / ChatGPT OAuth path. The updated headers or TLS fingerprint changed enough to trigger Cloudflare's automated bot detection — a challenge that returns HTML instead of JSON. OpenClaw's error handler doesn't recognize HTML as a valid provider error, falls through, and reports "DNS lookup failed." The underlying connection is fine; the body is just wrong.

Fix #1 — Roll Back to 4.12 (Fastest)

npm install -g openclaw@2026.4.12
openclaw gateway restart

This gets you running again immediately. Downside: you lose 4.14's other improvements (GPT-5 turn fixes, localModelLean flag, credential redaction in approvals, LanceDB cloud storage).

Fix #2 — Switch to Direct OpenAI API Key (Recommended)

The Cloudflare issue only affects the ChatGPT/Codex OAuth path. If you use a direct OpenAI API key instead, it routes through api.openai.com — no Cloudflare challenge, no fake DNS errors. You also get full model selection (not locked to what OAuth allows).

In ~/.openclaw/openclaw.json, replace the openai-codex provider block:

{
  "providers": {
    "openai": {
      "apiKey": "sk-your-openai-key",
      "model": "gpt-5.4"
    }
  }
}

Then restart: openclaw gateway restart

Fix #3 — Wait for 4.15 Stable

OpenClaw 2026.4.15-beta.1 shipped overnight (April 15–16, 2026) and fixes the stale package chunk imports that contributed to this. If you're not in a rush, waiting for 4.15 stable (likely a few days) is the cleanest path.

Quick Diagnostic

If you're unsure which bug you're hitting, run:

openclaw infer --model openai-codex/gpt-5.4 "say hi"

If it fails with "DNS lookup failed" but your internet is up and other providers work, you're hitting this Cloudflare/4.14 issue. If only your agents are broken but openclaw infer works, you may have a different problem (see the openclaw doctor guide).

TL;DR

4.14 + openai-codex/gpt-5.4 = Cloudflare 403 logged as "DNS failed"
Your DNS is fine. OpenClaw's error handler is reading HTML as an error.
Fix A: Roll back to 4.12. Fix B: Switch to direct OpenAI API key. Fix C: Wait for 4.15 stable.

Tired of debugging OpenClaw upgrades?

ClawReady handles version pinning, upgrade testing, and provider configs for you. We'll keep your agent running across releases — so you don't have to chase changelogs.

Book a Free Call →