How to Use Cloudflare’s 1.1.1.1 Public DNS (And Why You Should)

Cloudflare, a company that provides content delivery networks, DNS services, and more, has recently announced a new public DNS service, called 1.1.1.1. This service is designed to be both faster than traditional DNS services and more private. Cloudflare claims that they will not store your data, and that their DNS service allows people to avoid censorship that some ISPs may use.

Read the rest of the article on The Mac Security Blog.

26 thoughts on “How to Use Cloudflare’s 1.1.1.1 Public DNS (And Why You Should)”

  1. I was hoping you’d elaborate on this topic, thanks.

    What is confusing for me, is that my VPN provider requires me to use their DNS. Previously I’d used OpenDNS instead of the defaults. Will I have to change VPN provider if they won’t encrypt their DNS service, or is there actually a technical way to not use their DNS? Or is it even an issue, if I am connecting to a VPN then my DNS history is also protected?

    The articles I’ve seen on this subject haven’t addressed this yet…

    • Traffic to and from a VPN provider is encrypted, so the DNS should also be encrypted. I’m not sure of the needs, but there is probably a good reason for them to require that you use their DNS service.

  2. Thanks for the quick reply!
    I can always put these in the network settings anyway, for the times when not using the VPN.
    G’day!

  3. I set this up a couple days ago – doesn’t seem any faster but I like the privacy factors. A question I have is when you also set DNS servers on your router which takes precedence? Say I set up my Mac with 1.1.1.1 and my router with 8.8.8.8, which handles the request? And if I have 1.1.1.1 on router and my iPhone on Automatic, does the request go to 1.1.1.1?

    • The device’s DNS gets precedence. If none is set, or if it’s set to Automatic, it then goes up the chain, and the next device in the chain – generally the router – is the one that handles the request.

  4. Thanks for this. Helpful

    My question is how does Cloudflare monetize this service? There has to be a considerable cost to creating a new free public DNS service right? I have trouble believing they are doing this selflessly. And if they aren’t selling our traffic data, what is their motivation? Any thoughts?

    Not sure I understood your answer to the above question so let me ask it again. If I have my home router set to 8.8.8.8, and my device, which is connected to it, set at 1.1.1., which DNS service will the device use?

    Thanks Kirk.

    • The DNS set on your device takes precedence.

      I think they’re using this mainly as a way of getting the company free advertising, since people are talking about it. They sell DNS services for businesses, along with other services. But they may also be using the traffic data they get – simply the amount of traffic – to help shape their content delivery networks.

    • If you read their blog post, they go into their motivations. They claim to have an altruistic mission to improve the internet, but also see it as in their enlightened self-interest to improve the infrastructure of the internet. But more specifically, if more people use 1.1.1.1 DNS, it improves the value of their enterprise DNS service:

      In other words, every new user of 1.1.1.1 makes Cloudflare’s Authoritative DNS service a bit better. And, vice versa, every new user of Cloudflare’s Authoritative DNS service makes 1.1.1.1 a bit better.

      https://blog.cloudflare.com/announcing-1111/

      Also, note, they’ve committed not to log traffic, and to have an external auditor come in once a year to confirm that their procedures and practices avoid data collection and protect privacy. I recommend reading the blog post, they’re upfront about the whole thing.

      • Thanks for the info. I guess I’ve unfortunately become a skeptic as what is written in public statements often isn’t the truth these days. Oh well.
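The two comments above ask which resolver a device ends up using when the device and the router are configured differently. The rule of thumb in the replies (the device's own setting wins, Automatic defers to the router) can be checked rather than trusted. The following is an added example, not code from the article or from any commenter: it hand-builds a DNS A query, sends it over plain UDP port 53 to a resolver you name, verifies the transaction ID on the reply, and decodes the answer section, so you can compare from the same device what 1.1.1.1 returns and what the router's resolver returns. The router address 192.168.1.1 in the usage block is an assumed placeholder; substitute your own gateway. The script does not read the operating system's resolver setting (on macOS, `scutil --dns` shows that); it tests what a given resolver actually answers.

```python
"""Probe a DNS resolver directly and parse its reply.

Added example, not code from the article or the commenters: builds a
minimal DNS query by hand, sends it over plain UDP/53 to the resolver
you name, and decodes the answer section. It lets you compare what
1.1.1.1 returns with what your router's resolver returns from the same
device. It does not read the OS resolver setting itself.
"""
import random
import socket
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a recursion-desired query for `name`; qtype 1 is an A record."""
    if txid is None:
        txid = random.randrange(0, 65536)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:
            # Compression pointer: the name continues at an earlier offset.
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return the rcode and the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        # A reply whose ID does not match our query is stale or forged.
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "addresses": addresses}


def query(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one A query to `resolver` and return the parsed answer plus the
    address that actually replied."""
    txid = random.randrange(0, 65536)
    packet = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        data, (answered_by, _port) = sock.recvfrom(4096)
    result = parse_response(data, txid)
    result["answered_by"] = answered_by
    return result


if __name__ == "__main__":
    # 192.168.1.1 is an assumed placeholder for the router; use your gateway.
    for resolver in ("1.1.1.1", "192.168.1.1"):
        try:
            print(resolver, query(resolver, "example.com"))
        except (OSError, ValueError) as exc:
            print(resolver, "failed:", exc)
```

Run it on the device whose setting you are unsure about. If the router's resolver answers differently from 1.1.1.1 (or not at all), you have a direct observation rather than a guess about which path your queries take. The transaction ID check is the minimum a resolver client should do: a reply that does not match the ID you sent should be discarded, not trusted.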

  5. I just got finished warning a group over on Facebook about Cloudflare … use at your own risk — they’re now one of the leading purveyors of malicious spam and malware, and the cyber crime’s favorite service … so each complaint goes to their threshold in the black hole lists. We, through Safenetting and Spamcop.net have been reporting several a day.

    I would not patronize them no matter what the benefit because they make no remorse about purveying cybercrime, and claim they “don’t know what their customers are doing” … which is a lie. After customers are reported several dozen times, they certainly do know what’s going on. One of their biggest clients is the illegal drug trade which we’ve reported hundreds of times.

    I have forensics and documentation for officials.

    🙂
    Fred

    http://www.SafeNetting.com

    • And how are they purveying malware? Cloudflare’s main business is serving as a caching service and content delivery network for websites; they don’t host any sites themselves.

      • I can see from your comment that you’ve seen the marketing language Cloudflare presents to the general public. Their service is a dream come true for the 9-billion annual cyber crime industry. And, yes, you can use their masking service too — just like the cyber criminals do.

        IN FACT, some of the Apple Login attacks YOU have warned people about in your column were delivered to millions of Apple users by Cloudflare.

        Because you don’t make bombs doesn’t make you blameless if you deliver the bombs. Because Cloudflare doesn’t host criminal sites, doesn’t make delivery of known cybercrime any less bad.

        Their model is cleverly designed to elude law enforcement, and prevent the victim from knowing where the attack actually came from. With first inquiry they have a canned response that says “We’re a caching service and have no idea what’s in that package.”

        When law enforcement is tracking attacks, they track the chain of IP gateways back to the origin. In these cases the originating IP is Cloudflare, so that’s who the report goes to.

        Whether or not Cloudflare hosts the malware or phishing or identity theft scam is irrelevant. When the victim clicks the link it goes to Cloudflare. (Of course, then goes to a redirect target or these days several redirects.)

        When a cyber attack arrives in our analysis servers Cloudflare is the ‘official’ host of the attack. The cyber crime syndicates use (and, pay) Cloudflare to mask their identity. By putting Cloudflare between the victim and the sender, the criminals buy precious extra time before their actual IP addresses are shut down and added to the spam-trap lists. The spam blocking industry (like Spam Assassin, etc.) subscribe to lists from Spamcop and other ‘black hole’ providers so they can protect your email.

        However, Spamcop alerts are supposed to alert the IP owners, who, in turn, ideally cut off the criminals quickly so fewer people are harmed. But in today’s world, many of the IP owners ignore the reports because Crime.inc represents a huge revenue source, far more important than the safety of the end user. Even Google and Amazon ignore the alerts and allow the crime to continue. Cybercrime is very profitable.

        Picture a guy in a van pulls up in front of your house
        Another guy jumps out of the back and tosses a bomb at your house.
        The van quickly pulls away.
        The police arrive and ask the man where the bomb came from.
        The man shrugs and says
        … “We’re Cloudflare, and never know what we’re carrying”
        The police ask who was driving the van, the man shrugs and says
        … “We’re Cloudflare and do not know who these people are”

        Who is guilty of tossing the bomb into your house?

        Now, here’s where it gets interesting.

        The next day TWO vans pull up in front of your house,
        and a guy jumps out of each and tosses a bomb at your house,
        both vans speed away.
        The police come and say
        “Isn’t that the same van you came in yesterday”
        The first guy says,
        … “Yes, but I don’t know who that is or what the package was”
        The police ask the 2nd guy from the 2nd van and bomb
        “You’re the same guy from the first van, who was driving your van”
        The second guy says
        … “Yes, but I don’t know who that is or what the package was”

        (This can go on for dozens and dozens of times. One of the illegal drug clients of Cloudflare sends the SAME attack every day or so, and the only thing that changes is the target address of the linked crime site. Once we report to Cloudflare, the next day the SAME criminal sends the SAME attack, but using a different link.)

        That’s where we catch them in their aiding and abetting the cyber criminals, because we report the incident and Cloudflare responds back with the name and contacts for the offending cyber criminal. So they actually do know who the criminal is, and what the crime was. And, after we’ve reported the SAME criminal and crime dozens and dozens of times over a series of months it becomes rather obvious that they are part of the criminal activity — just like the guy who tossed the bomb into your house.

        You, have read their “published” statements. “We don’t host any sites … we don’t know who these people are . . . we never know what’s in the package” Sure. “We never tell a lie, and we are always right. We are not a crook.”

        But they actually do, and they actually have told Spamcop they do not wish to report the cybercrime they are hiding. I assume because they’re making so much money. Cloudflare’s clients range from illegal drug scams, pornography, pump-n-dump schemes, spoof attacks, Chinese knock-off schemes, login spoofs and even drive-by ransomware. When reported, they claim they don’t know who it is — but when pressed, they admit they actually do know, and provide the actual criminal’s contact. Which, of course, takes several days and by that time, the criminal is gone.

        Go and read their policy and sign up for their masking service. You’ll see how it works and why it’s such a dream-come-true for cybercrime. That’s why this new ‘feature’ getting trusted writers and journalists, like you, promoting them really makes me sick.

        Pick up a copy of “Future Crimes” and begin to understand how to recognize the good guys from the bad guys so you don’t accidentally promote something that puts your readers in jeopardy.

        🙂

        Future Crimes by Marc Goodman http://amzn.to/2irHG0T
