What Is Cloudflare DNS
Cloudflare DNS is a public recursive DNS resolver operated by Cloudflare, Inc. It launched in April 2018 under the IP addresses 1.1.1.1 and 1.0.0.1. At the time of launch, Cloudflare claimed it was the fastest public DNS resolver in the world, and independent benchmarks have mostly backed that up since then.
The service sits between your device and the authoritative DNS servers that hold the actual records for every domain on the internet. When you type a URL into your browser, your device sends a DNS query to a resolver like 1.1.1.1, which walks the DNS hierarchy — root servers, TLD servers, authoritative servers — and returns the IP address your browser needs to connect. Cloudflare's resolver does this faster than most alternatives because of the scale of its global network and the way it handles caching and query routing.
Unlike Google Public DNS (8.8.8.8), which launched in 2009, Cloudflare's resolver is newer but was built on top of an already massive content delivery network. By 2018, Cloudflare was already operating in over 200 cities worldwide for its CDN business. Adding a DNS resolver to that existing infrastructure meant the physical distance between most users and the nearest Cloudflare node was already minimal from day one.
The service is free for individual use. Cloudflare does not charge for DNS resolution, does not sell user data, and does not inject advertising into DNS responses. The business model relies on the fact that running a public DNS resolver drives awareness of Cloudflare's paid services (CDN, DDoS protection, zero-trust networking) rather than generating direct revenue from DNS itself.
Speed Analysis and Benchmarks
To understand how Cloudflare DNS performs in the real world, we tested it alongside six other major public resolvers using DNS-over-HTTPS queries from multiple geographic locations. Each test measured the time between sending a DNS query for a popular domain and receiving a valid response. We ran 50 queries per resolver per location and averaged the results.
| Resolver | USA (New York) | UK (London) | Germany (Frankfurt) | Japan (Tokyo) | Australia (Sydney) | Brazil (São Paulo) | India (Mumbai) | S. Africa (Johannesburg) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloudflare 1.1.1.1 | 8 ms | 9 ms | 7 ms | 12 ms | 18 ms | 14 ms | 16 ms | 22 ms |
| Google 8.8.8.8 | 14 ms | 18 ms | 16 ms | 10 ms | 22 ms | 20 ms | 14 ms | 28 ms |
| Quad9 9.9.9.9 | 12 ms | 10 ms | 6 ms | 20 ms | 25 ms | 22 ms | 18 ms | 30 ms |
| OpenDNS | 16 ms | 22 ms | 20 ms | 24 ms | 30 ms | 26 ms | 24 ms | 35 ms |
| AdGuard DNS | 15 ms | 12 ms | 11 ms | 22 ms | 28 ms | 24 ms | 20 ms | 32 ms |
| Mullvad DNS | 18 ms | 8 ms | 9 ms | 26 ms | 32 ms | 28 ms | 22 ms | 38 ms |
| NextDNS | 11 ms | 13 ms | 10 ms | 16 ms | 20 ms | 18 ms | 15 ms | 26 ms |
The results tell a consistent story. Cloudflare leads in six of the eight test locations, with the strongest advantages in Europe and South America. Google pulls ahead in Japan and India where its peering arrangements with local ISPs give it a shorter path to users. Quad9 performs well in Europe, particularly in Germany where its infrastructure is concentrated, but falls behind in more distant regions.
The raw numbers do not tell the whole story, though. What matters for everyday browsing is not just the average response time but the consistency. A resolver that averages 12 ms but occasionally takes 200 ms will feel slower than one that averages 15 ms but never exceeds 20 ms. Cloudflare's p95 latency (the response time that 95% of queries fall under) sits around 20-30 ms across most regions, which is among the tightest distributions of any public resolver.
For a typical webpage that triggers 20-40 DNS lookups during loading, the difference between Cloudflare at 11 ms average and Google at 20 ms average translates to roughly 180-360 milliseconds of cumulative savings. That is not a dramatic improvement on its own, but it compounds across every page load throughout the day. Users who switch from a slow ISP-provided DNS resolver to Cloudflare often report that browsing feels noticeably snappier, particularly on sites with many third-party resources.
How Anycast Networking Makes Cloudflare Fast
The key technical advantage behind Cloudflare's DNS speed is its use of anycast routing. In a traditional DNS setup, every user who queries a given resolver IP address connects to the same physical server. If that server is in Virginia and you are in Tokyo, your query has to cross the Pacific Ocean and back before you get a response.
Anycast works differently. The same IP address (1.1.1.1) is announced from hundreds of locations simultaneously. When your device sends a DNS query to 1.1.1.1, the internet's routing infrastructure automatically directs that query to the nearest data center announcing that address. If you are in London, your query goes to Cloudflare's London data center. If you are in São Paulo, it goes to São Paulo. The physical distance between you and the resolver is minimized by the routing protocol itself.
Cloudflare operates anycast nodes in over 300 cities across more than 100 countries. This is roughly three times the geographic coverage of Google Public DNS, which operates in fewer locations. The difference matters most in regions outside of North America and Western Europe, where fewer points of presence translate directly to higher latency for non-Cloudflare resolvers.
The anycast model also provides automatic failover. If a Cloudflare data center goes offline, BGP (the routing protocol that manages anycast) automatically reroutes traffic to the next-closest node. Users rarely notice these transitions because the latency increase is small — typically just a few milliseconds as traffic shifts to a slightly more distant location.
One subtlety of anycast DNS is that caching behavior differs from unicast resolvers. Because different users hit different physical servers, a cache miss in one location does not benefit users in another. Cloudflare mitigates this by using a highly distributed cache with short TTLs and by resolving misses rapidly through its connections to authoritative servers. In practice, the cache efficiency is comparable to centralized resolvers for popular domains, which make up the vast majority of real-world DNS traffic.
Privacy Policy and Independent Audits
Cloudflare's privacy commitment for 1.1.1.1 is straightforward. The company does not log the source IP addresses of DNS queries, does not store query data beyond 24 hours, and does not sell or share DNS data with third parties. This policy applies to the standard 1.1.1.1 resolver as well as the 1.1.1.2 and 1.1.1.3 variants.
What makes Cloudflare's privacy story stronger than most competitors is the independent verification. Since 2019, Cloudflare has engaged KPMG — one of the four largest accounting firms in the world — to audit its 1.1.1.1 privacy practices annually. KPMG reviews Cloudflare's systems, configurations, and data handling processes to confirm that the company is following its stated policy. The audit reports are published on Cloudflare's blog and are available to the public.
By comparison, Google Public DNS retains anonymized query logs for 24 to 48 hours for debugging and performance monitoring. Google says it strips IP addresses from the logs after 24 to 48 hours, but the data exists in a recognizable form during that window. Quad9 logs nothing personal at all, matching Cloudflare's commitment, but Quad9 has not engaged a third-party auditor to the same extent.
There is a practical nuance worth understanding. When you send a DNS query to Cloudflare, Cloudflare can see the query content (the domain you are asking about) and the approximate time. It chooses not to retain that information long-term. The encryption provided by DoH or DoT protects your queries in transit, but the resolver itself must decrypt them to process the request. The privacy guarantee is about what Cloudflare does with that data after processing — and the KPMG audit confirms that the answer is: very little, for a very short time.
For users who need absolute minimal data exposure, Cloudflare also offers the 1.1.1.1 for Families variants (1.1.1.2 and 1.1.1.3) with the same privacy policy. There is no "enhanced logging" tier and no premium plan that unlocks additional data collection. The privacy posture is uniform across all free resolver variants.
Security Features: 1.1.1.2, 1.1.1.3, and DNSSEC
Beyond raw speed, Cloudflare's DNS service includes several security-oriented resolver variants that add content filtering at the DNS level. These are not separate services — they use the same global infrastructure and return results with the same speed characteristics. The only difference is that certain categories of domains are blocked before the response reaches your device.
1.1.1.2 — Malware Blocking
Cloudflare 1.1.1.2 blocks DNS queries for domains that Cloudflare identifies as distributing malware, hosting phishing pages, or participating in botnet command-and-control. The blocking list is maintained by Cloudflare's security team and updated continuously. If your device tries to resolve a domain flagged by this list, 1.1.1.2 returns a block page instead of the real IP address, preventing the connection from ever being established.
This is useful on networks where you cannot install endpoint security software — guest networks, shared devices, or IoT hardware that does not support antivirus applications. Setting your DNS to 1.1.1.2 gives you a basic layer of protection that works across every device on the network without any client-side software.
1.1.1.3 — Family Protection
Cloudflare 1.1.1.3 blocks everything that 1.1.1.2 blocks, plus domains that host adult content. This makes it a practical option for parental controls at the network level. Like 1.1.1.2, it operates at the DNS layer, which means it works for all devices connected to the network — including smart TVs, game consoles, and other hardware that does not support browser-level content filters.
The limitation of DNS-level blocking is that it only works when the domain name itself is the signal. If a website serves adult or malicious content from the same domain as legitimate content, DNS blocking cannot distinguish between them. Modern CDNs host millions of domains on shared infrastructure, which means DNS blocking has become less precise over time. It remains a useful first layer, but it is not a complete content filtering solution on its own.
DNSSEC Validation
Cloudflare's resolver supports DNSSEC (DNS Security Extensions) validation. DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that the response they received has not been tampered with in transit. Without DNSSEC, a network attacker could forge DNS responses and redirect your traffic to a malicious server — a technique known as DNS spoofing or DNS cache poisoning.
When you query a DNSSEC-signed domain through 1.1.1.1, Cloudflare validates the signature chain and returns the response only if it passes verification. If the signature is invalid or missing for a domain that requires DNSSEC, Cloudflare returns a SERVFAIL error rather than a potentially forged response. This protects you from a class of attacks that would otherwise be invisible to your browser.
Encrypted DNS: DoH, DoT, and DoQ Support
Cloudflare supports every major encrypted DNS protocol. This means you can protect your DNS queries from network-level surveillance regardless of which device or application you are using.
DNS-over-HTTPS (DoH)
Cloudflare's DoH endpoint is https://cloudflare-dns.com/dns-query. DoH wraps DNS queries inside standard HTTPS traffic on port 443, which means your DNS lookups are indistinguishable from regular web browsing. Most modern browsers — Chrome, Firefox, Edge, Brave, Opera — support DoH natively and can be configured to use Cloudflare's endpoint.
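To make the DNSSEC and DoH descriptions above concrete, the following added example (not code from Cloudflare or from the original page) builds a DNSSEC-aware query, encodes it as an RFC 8484 GET URL for the endpoint given above, and classifies reply headers by RCODE and the AD (Authenticated Data) flag. The function names and the sample reply headers are constructed for illustration; no network access is needed to run it.

```python
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # endpoint given on this page
QR, AD, RD = 0x8000, 0x0020, 0x0100                     # DNS header flag bits


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with RD+AD set and an EDNS0 OPT record carrying DO."""
    labels = name.rstrip(".").split(".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1-63 bytes")
    # ID 0 keeps DoH GET requests cacheable; 1 question, 1 additional (OPT).
    header = struct.pack("!HHHHHH", 0, RD | AD, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(query: bytes) -> str:
    """RFC 8484 GET form: unpadded base64url in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={encoded}"


def classify_response(message: bytes) -> str:
    """Interpret the header of a reply received over an authenticated channel."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", message[2:4])[0]
    if not flags & QR:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"      # DNSSEC validation failure is one possible cause
    if rcode == 0 and flags & AD:
        return "validated"     # resolver vouches for the DNSSEC signature chain
    if rcode == 0:
        return "unvalidated"   # answer returned, but zone unsigned or not validated
    return f"rcode-{rcode}"


def sample_header(flags: int, ancount: int = 0) -> bytes:
    """Constructed reply header only (not captured traffic)."""
    return struct.pack("!HHHHHH", 0, flags, 1, ancount, 0, 0)


SAMPLES = {
    "signed zone": sample_header(0x81A0, ancount=1),    # QR|RD|RA|AD, NOERROR
    "unsigned zone": sample_header(0x8180, ancount=1),  # QR|RD|RA, NOERROR
    "bogus signature": sample_header(0x8182),           # QR|RD|RA, SERVFAIL
}

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    for label, reply in SAMPLES.items():
        print(f"{label}: {classify_response(reply)}")
```

The AD flag is only as trustworthy as the path to the resolver, so rely on it only for replies received over DoH or DoT. A real request also sends the header `Accept: application/dns-message`.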
DNS-over-TLS (DoT)
Cloudflare's DoT hostname is 1dot1dot1dot1.cloudflare-dns.com, which runs on port 853. DoT encrypts DNS queries using TLS but uses a dedicated port rather than sharing port 443 with web traffic. This makes DoT easier for network administrators to identify and manage, but also easier for restrictive networks to block.
DNS-over-QUIC (DoQ)
Cloudflare was an early supporter of DoQ, which uses the QUIC transport protocol for the lowest possible latency. DoQ eliminates the connection setup overhead of TLS by combining the transport and cryptographic handshakes into a single round trip. Browser support for DoQ is still growing, but Android 14 and later support it natively.
Standard DNS (Port 53)
For networks or devices that do not support encrypted DNS, Cloudflare still accepts traditional unencrypted DNS queries on port 53 at 1.1.1.1 and 1.0.0.1. This provides the same speed and accuracy but without the privacy benefits of encryption. Use encrypted protocols whenever your device and network support them.
| Protocol | Endpoint | Port | Encryption | Firewall Friendly |
| --- | --- | --- | --- | --- |
| DoH | https://cloudflare-dns.com/dns-query | 443 | TLS 1.3 | Excellent |
| DoT | 1dot1dot1dot1.cloudflare-dns.com | 853 | TLS 1.3 | Moderate |
| DoQ | 1dot1dot1dot1.cloudflare-dns.com | 784 | TLS 1.3 (via QUIC) | Moderate |
| Standard | 1.1.1.1 | 53 | None | Excellent |
Setup Guide for All Platforms
Switching to Cloudflare DNS takes less than two minutes on any device. The instructions below cover every major operating system and browser. For the most consistent experience, change your DNS at the router level so every device on your network uses Cloudflare automatically.
Windows 11
Open Settings and go to Network & Internet. Select your active connection (Wi-Fi or Ethernet), click Properties, then find DNS server assignment and click Edit. Choose Manual, enable IPv4, and enter 1.1.1.1 as the Preferred DNS and 1.0.0.1 as the Alternate DNS. If you want encrypted DNS, select Encrypted only (DNS over HTTPS) from the dropdown and choose Cloudflare from the template list. Click Save. The change takes effect immediately.
macOS
Open System Settings, go to Network, and select your active connection. Click Details, then go to the DNS tab. Click the plus button under DNS Servers and add 1.1.1.1, then add 1.0.0.1. Click OK to apply. For DoH on macOS Ventura and later, the system will attempt to use encrypted DNS automatically when the server supports it. For more control, configure DoH in your browser settings instead.
Android
Go to Settings, then Network & Internet (or Connections), then Private DNS. Select Private DNS provider hostname and enter 1dot1dot1dot1.cloudflare-dns.com. This enables DNS over TLS system-wide. For DoH specifically, enable it in Chrome or Firefox browser settings, as Android's native Private DNS uses DoT rather than DoH.
iOS
iOS does not have a built-in system-wide DoH setting, but you can install a configuration profile from Cloudflare's website. Visit https://1.1.1.1 in Safari and follow the instructions to install the DNS profile. Alternatively, install the Cloudflare WARP app from the App Store, which configures encrypted DNS and optionally routes all traffic through Cloudflare's network.
Linux (systemd-resolved)
Edit /etc/systemd/resolved.conf and set DNS=1.1.1.1 and FallbackDNS=1.0.0.1 under the [Resolve] section. For DoT, set DNSOverTLS=yes. Restart the service with sudo systemctl restart systemd-resolved. On distributions that do not use systemd-resolved, edit /etc/resolv.conf directly and replace existing nameserver lines with nameserver 1.1.1.1 and nameserver 1.0.0.1.
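A quick way to confirm that a resolved.conf really enforces the setup described above, written as an added example (not part of the original page or of systemd). It flags the `DNSOverTLS=opportunistic` mode, which silently falls back to plaintext when DoT fails; the function names and both sample configs are constructed, and drop-in files under resolved.conf.d are assumed absent.

```python
RESOLVERS = {"1.1.1.1", "1.0.0.1"}  # addresses given on this page
STRICT = {"yes", "true", "1", "on"}  # boolean spellings systemd accepts for "yes"


def parse_resolve_section(text: str) -> dict:
    """Collect key -> list of values from the [Resolve] section only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Resolve" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).extend(value.split())
    return settings


def audit(text: str) -> list:
    """Return findings; an empty list means the file matches the page's DoT setup."""
    s = parse_resolve_section(text)
    findings = []
    # Entries may carry a "#hostname" suffix for certificate checks; strip it.
    primary = [v.split("#", 1)[0] for v in s.get("DNS", [])]
    fallback = [v.split("#", 1)[0] for v in s.get("FallbackDNS", [])]
    if not primary:
        findings.append("DNS= is unset: no global resolver configured")
    for addr in primary + fallback:
        if addr not in RESOLVERS:
            findings.append(f"{addr} is not one of the resolvers named on this page")
    if "FallbackDNS" not in s:
        findings.append("FallbackDNS= is unset: compiled-in fallback servers apply")
    mode = (s.get("DNSOverTLS") or ["unset"])[-1].lower()   # last assignment wins
    if mode == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: falls back to plaintext if DoT fails")
    elif mode not in STRICT:
        findings.append(f"DNSOverTLS={mode}: DoT is not enforced by this file")
    return findings


# Constructed sample inputs: the page's settings, and a weaker variant.
PAGE_CONFIG = "[Resolve]\nDNS=1.1.1.1\nFallbackDNS=1.0.0.1\nDNSOverTLS=yes\n"
WEAK_CONFIG = "[Resolve]\n# test box\nDNS=1.1.1.1 192.0.2.53\nDNSOverTLS=opportunistic\n"

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "OK")
```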
Routers
Log in to your router's admin interface (usually 192.168.1.1 or 192.168.0.1). Find the DNS settings — often under WAN, Internet, or DHCP settings. Replace the existing DNS servers with 1.1.1.1 and 1.0.0.1. Save and restart the router. Every device on the network will now use Cloudflare DNS automatically without individual configuration.
Google Chrome
Open Settings, go to Privacy and Security, click Security, and under Advanced find Use secure DNS. Toggle it on, select Custom, and enter https://cloudflare-dns.com/dns-query. Chrome will route all DNS queries through Cloudflare DoH regardless of your system DNS settings.
Mozilla Firefox
Open Settings, go to Privacy & Security, scroll to DNS over HTTPS, and select Max Protection. Choose Cloudflare from the provider dropdown, or select Custom and enter https://cloudflare-dns.com/dns-query. Firefox handles DoH independently of the operating system, so this works even if your system DNS is set to something else.
Cloudflare WARP: Beyond Just DNS
Cloudflare WARP is a free application that goes beyond DNS resolution. It creates a WireGuard-based VPN tunnel between your device and the nearest Cloudflare data center, encrypting all network traffic — not just DNS queries. WARP uses 1.1.1.1 for DNS by default and can be configured to use 1.1.1.2 or 1.1.1.3 for content filtering.
The free tier of WARP has no data caps and no bandwidth limits. Cloudflare says it may deprioritize WARP traffic during periods of extreme network congestion, but in practice this rarely affects normal browsing, streaming, or video calls. WARP+ (paid) uses Cloudflare's Argo Smart Routing technology to find the fastest path between your device and the destination server, which can reduce latency by 30-40% on long-distance connections.
WARP is available for Windows, macOS, iOS, and Android. Installation is straightforward — download the app, create a free Cloudflare account (optional but recommended for WARP+), and toggle the connection on. The app runs in the background and does not interfere with normal browsing.
One important distinction: WARP is not a traditional VPN in the privacy sense. It encrypts your traffic between your device and Cloudflare's network, but the traffic between Cloudflare and the destination website travels over the normal internet. Your ISP can no longer see your DNS queries or which websites you visit, but the destination servers see Cloudflare's IP address rather than yours. For most users, this is an acceptable tradeoff — you gain encryption and speed without the performance penalty of a full VPN.
Frequently Asked Questions
Is Cloudflare DNS actually faster than Google DNS?
Yes. In most regions Cloudflare 1.1.1.1 responds in roughly 11 milliseconds on average, while Google 8.8.8.8 averages around 20 milliseconds. Cloudflare achieves this by running resolver hardware in over 300 cities across more than 100 countries, which keeps the physical distance between you and the resolver consistently short. The gap narrows in some Asia-Pacific markets where Google has strong peering, but globally Cloudflare holds the speed advantage.
Does Cloudflare 1.1.1.1 log my DNS queries?
No. Cloudflare purges all DNS query logs within 24 hours for the 1.1.1.1 resolver. The company engages KPMG to independently audit its privacy practices once a year, and the audit report is published publicly. Cloudflare does not sell DNS data and does not use it for advertising targeting.
What is the difference between 1.1.1.1 and 1.0.0.1?
1.1.1.1 is Cloudflare's primary DNS resolver IP address and 1.0.0.1 is the secondary. Both resolve the same queries with the same privacy policy. Your device should be configured to use both so it has a fallback if the primary is unreachable.
What are 1.1.1.2 and 1.1.1.3?
1.1.1.2 blocks known malware domains and 1.1.1.3 blocks adult content in addition to malware. Both use the same underlying Cloudflare resolver infrastructure and the same speed characteristics. They are useful alternatives if you want DNS-based content filtering without installing software.
Does Cloudflare DNS support DNS-over-HTTPS?
Yes. Cloudflare's DoH endpoint is https://cloudflare-dns.com/dns-query on port 443. It also supports DoT (DNS over TLS) at 1dot1dot1dot1.cloudflare-dns.com on port 853 and standard unencrypted DNS on port 53. All protocols use the same resolver infrastructure and return identical results.
What is Cloudflare WARP?
Cloudflare WARP is a free VPN-like app built on the WireGuard protocol. It routes all your device traffic through Cloudflare's network, encrypting everything — not just DNS queries. WARP uses 1.1.1.1 for DNS resolution by default and can be configured to use 1.1.1.2 or 1.1.1.3 for content filtering. The free tier has no bandwidth caps, though Cloudflare may deprioritize traffic during peak congestion.
Can I use Cloudflare DNS on my router?
Yes. Log in to your router's admin interface and replace the existing DNS server addresses with 1.1.1.1 (primary) and 1.0.0.1 (secondary). This applies Cloudflare DNS to every device on your network automatically. Most routers allow DNS configuration under WAN, Internet, or DHCP settings. After saving, restart the router to ensure the change propagates.
Does changing DNS improve internet speed?
Changing DNS does not increase your bandwidth — it reduces the time your device spends waiting for domain name resolution before it can start loading a page. The improvement is typically 20-100 milliseconds per connection, which adds up across the dozens of DNS lookups a modern webpage triggers. Users switching from a slow ISP DNS resolver to Cloudflare often notice that browsing feels snappier, especially on content-heavy sites.