--- title: 1.1.1.1 (DNS Resolver) description: Fast, private DNS resolution with Cloudflare 1.1.1.1 public resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # 1.1.1.1 (DNS Resolver) Speed up your online experience with Cloudflare's public DNS resolver. Available on all plans 1.1.1.1 is Cloudflare's public [DNS resolver ↗](https://www.cloudflare.com/learning/dns/what-is-dns/). When you type a domain name like `cloudflare.com` into your browser, a DNS resolver translates that name into an IP address (for example, `104.16.123.96`) so your device knows which server to contact. Most people use the DNS resolver assigned by their Internet Service Provider (ISP). Switching to 1.1.1.1 gives you a faster, more private alternative. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. 1.1.1.1 has been measured as the [fastest public DNS resolver ↗](https://www.dnsperf.com/#!dns-resolvers). It runs on Cloudflare's network in [hundreds of cities worldwide ↗](https://www.cloudflare.com/network/) and has access to the addresses of millions of domains on the same servers it runs on. 1.1.1.1 is free. Setting it up takes minutes and does not require any special software. --- ## Features ### 1.1.1.1 for Families 1.1.1.1 for Families adds protection against malware and adult content on top of the standard resolver. [ Use 1.1.1.1 for Families ](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) ### Encrypted DNS 1.1.1.1 supports DNS over HTTPS (DoH) and DNS over TLS (DoT) to encrypt your DNS queries and prevent eavesdropping. You can also access 1.1.1.1 [as a Tor hidden service](https://developers.cloudflare.com/1.1.1.1/additional-options/dns-over-tor/). [ Use Encrypted DNS ](https://developers.cloudflare.com/1.1.1.1/encryption/) --- ## Related products **[WARP Client](https://developers.cloudflare.com/warp-client/)** Encrypt all traffic from your device, not only DNS queries. **[DNS](https://developers.cloudflare.com/dns/)** Cloudflare's global DNS platform provides speed and resilience. DNS customers also benefit from free DNSSEC, and protection against route leaks and hijacking. **[Cloudflare Spectrum](https://developers.cloudflare.com/spectrum/)** Secure and accelerate your TCP or UDP based applications. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}}]} ``` --- --- title: IP addresses description: Get IPv4 and IPv6 addresses for Cloudflare DNS resolvers, 1.1.1.1 and 1.1.1.1 for Families. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # IP addresses Use the addresses below to configure your device or router. Two addresses are provided for each resolver for redundancy. For step-by-step instructions, refer to [Set up](https://developers.cloudflare.com/1.1.1.1/setup/). --- ## 1.1.1.1 The standard resolver provides fast, private DNS lookups with no content filtering. | IPv4 | IPv6 | | --------------- | ----------------------------------------- | | 1.1.1.1 1.0.0.1 | 2606:4700:4700::1111 2606:4700:4700::1001 | Refer to [Encryption](https://developers.cloudflare.com/1.1.1.1/encryption/) to learn how to encrypt your DNS queries. --- ## 1.1.1.1 for Families 1.1.1.1 for Families adds automatic filtering to block known malware, phishing, and (optionally) adult content. For more information, refer to [1.1.1.1 for Families set up](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families). ### Block malware | IPv4 | IPv6 | | --------------- | ----------------------------------------- | | 1.1.1.2 1.0.0.2 | 2606:4700:4700::1112 2606:4700:4700::1002 | ### Block malware and adult content | IPv4 | IPv6 | | --------------- | ----------------------------------------- | | 1.1.1.3 1.0.0.3 | 2606:4700:4700::1113 2606:4700:4700::1003 | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/ip-addresses/","name":"IP addresses"}}]} ``` --- --- title: Set up description: Learn how to set up Cloudflare's 1.1.1.1 DNS resolver for enhanced security and privacy. Protect against malware and adult content with easy configuration. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Phishing ](https://developers.cloudflare.com/search/?tags=Phishing) # Set up By default, your devices use a [DNS server ↗](https://www.cloudflare.com/learning/dns/what-is-dns/) provided by your Internet service provider (ISP). You can change this to use 1.1.1.1 instead, which gives you faster and more private DNS resolution. Some [ISPs and network equipment providers](https://developers.cloudflare.com/1.1.1.1/infrastructure/network-operators/) already partner with Cloudflare to offer this. If your provider does not use Cloudflare, follow the instructions for your device or router below. Device or router specific guides * [ Android ](https://developers.cloudflare.com/1.1.1.1/setup/android/) * [ Azure ](https://developers.cloudflare.com/1.1.1.1/setup/azure/) * [ Gaming consoles ](https://developers.cloudflare.com/1.1.1.1/setup/gaming-consoles/) * [ Google Cloud ](https://developers.cloudflare.com/1.1.1.1/setup/google-cloud/) * [ iOS ](https://developers.cloudflare.com/1.1.1.1/setup/ios/) * [ Linux ](https://developers.cloudflare.com/1.1.1.1/setup/linux/) * [ macOS ](https://developers.cloudflare.com/1.1.1.1/setup/macos/) * [ Router ](https://developers.cloudflare.com/1.1.1.1/setup/router/) * [ Windows ](https://developers.cloudflare.com/1.1.1.1/setup/windows/) You can also set up [1.1.1.1 for Families](#1111-for-families) for additional protection against malware and adult content on your home network. 1.1.1.1 for Families uses the same [privacy commitments](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) as the standard 1.1.1.1 resolver. --- ## 1.1.1.1 for Families 1.1.1.1 for Families automatically blocks DNS queries to domains associated with malware, phishing, or (optionally) adult content. 1.1.1.1 for Families has two options: Block malware Use the following DNS resolvers to block malicious content: * `1.1.1.2` * `1.0.0.2` * `2606:4700:4700::1112` * `2606:4700:4700::1002` Block malware and adult content Use the following DNS resolvers to block malware and adult content: * `1.1.1.3` * `1.0.0.3` * `2606:4700:4700::1113` * `2606:4700:4700::1003` When a queried domain is classified as malicious, Cloudflare returns the address `0.0.0.0` instead of the real address. This prevents your device from connecting to the blocked site. Domain miscategorization If you are using 1.1.1.1 for Families and a domain is incorrectly blocked or allowed, [submit feedback ↗](https://radar.cloudflare.com/categorization-feedback/) to help improve Cloudflare's categorization. Your submission is anonymous. ### Test 1.1.1.1 for Families After configuring 1.1.1.1 for Families, verify that filtering is working with the following test URLs: * [https://malware.testcategory.com/ ↗](https://malware.testcategory.com/) — Tests whether known malware domains are blocked. * [https://nudity.testcategory.com/ ↗](https://nudity.testcategory.com/) — Tests whether adult content and malware domains are blocked. ### DNS over HTTPS (DoH) DNS over HTTPS (DoH) encrypts your DNS queries by sending them as HTTPS requests. This prevents anyone between your device and the resolver — such as your ISP or a network attacker — from seeing which domains you look up. For more information, refer to the [Learning Center article on DNS encryption ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/). To configure an encrypted DoH connection to 1.1.1.1 for Families, enter one of the following URLs in your DoH-compatible client or router: Block malware ``` https://security.cloudflare-dns.com/dns-query ``` Block malware and adult content ``` https://family.cloudflare-dns.com/dns-query ``` ### DNS over TLS (DoT) DNS over TLS (DoT) encrypts DNS queries using TLS on a dedicated port (`853`). Like DoH, it prevents eavesdropping on your DNS traffic. For more information, refer to the [Learning Center article on DNS encryption ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/). To configure an encrypted DoT connection to 1.1.1.1 for Families, enter one of the following hostnames in your DoT-compatible client or router: Block malware ``` security.cloudflare-dns.com ``` Block malware and adult content ``` family.cloudflare-dns.com ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}}]} ``` --- --- title: Android description: Learn how to set up Cloudflare's 1.1.1.1 DNS resolver on Android devices. Encrypt DNS queries with DoT or DoH, and enable 1.1.1.1 for Families. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Android The [1.1.1.1: Faster Internet ↗](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) app is the recommended way to set up 1.1.1.1 on Android. It automatically configures your phone to use 1.1.1.1 on any network you connect to. The app also allows you to enable encryption for DNS queries or enable [WARP mode](https://developers.cloudflare.com/warp-client/), which keeps all your HTTP traffic private and secure, including your DNS queries to 1.1.1.1. You can select between these options in the app settings. By default, the app uses WARP mode. ## Set up 1.1.1.1: Faster Internet 1. Download [1.1.1.1: Faster Internet from Google Play ↗](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) for free. 2. Launch 1.1.1.1: Faster Internet and accept the Terms of Service. 3. Toggle the **WARP** button to **Connected**. 4. Install the VPN profile that allows your phone to connect securely to 1.1.1.1. Your connection to the Internet and your DNS queries are now protected. ### Enable 1.1.1.1 for Families 1. Open 1.1.1.1: Faster Internet. 2. Tap the **menu button**. 3. Select **Advanced** \> **Connection options**. 4. In **DNS settings** \> **1.1.1.1 for Families**, select the option you want to use. ## Configure 1.1.1.1 manually ### Android 11 or later Android 11 and later support encrypted DNS through a feature called Private DNS, which uses DNS over TLS (DoT). When you configure Private DNS, your device uses that DNS resolver on all networks — including cellular — without needing per-network configuration. 1. Go to **Settings** \> **Network & internet**. 2. Select **Advanced** \> **Private DNS**. 3. Select the **Private DNS provider hostname** option. 4. Enter one of the following hostnames and select **Save**. Use 1.1.1.1 resolver * `one.one.one.one` Or the corresponding IP address if your device requires it: * **IPv4**: `1.1.1.1` or `1.0.0.1` * **IPv6**: `2606:4700:4700::1111` or `2606:4700:4700::1001` Block malware with 1.1.1.1 for Families * `security.cloudflare-dns.com` Or the corresponding IP address if your device requires it: * **IPv4**: `1.1.1.2` or `1.0.0.2` * **IPv6**: `2606:4700:4700::1112` or `2606:4700:4700::1002` Block malware and adult content with 1.1.1.1 for Families * `family.cloudflare-dns.com` Or the corresponding IP address if your device requires it: * **IPv4**: `1.1.1.3` or `1.0.0.3` * **IPv6**: `2606:4700:4700::1113` or `2606:4700:4700::1003` ### Android 9 or 10 Android 9 and 10 support DNS over TLS through a feature called Private DNS. When you configure Private DNS, your device encrypts DNS queries and uses the configured resolver on all networks, including cellular. 1. Go to **Settings** \> **Network & internet**. 2. Select **Advanced** \> **Private DNS**. 3. Select the **Private DNS provider hostname** option. 4. Enter `one.one.one.one` and select **Save**. Or use one of the following hostnames if you want to use 1.1.1.1 for Families. Block malware with 1.1.1.1 for Families * `security.cloudflare-dns.com` Or the corresponding IP address if your device requires it: * **IPv4**: `1.1.1.2` or `1.0.0.2` * **IPv6**: `2606:4700:4700::1112` or `2606:4700:4700::1002` Block malware and adult content with 1.1.1.1 for Families * `family.cloudflare-dns.com` Or the corresponding IP address if your device requires it: * **IPv4**: `1.1.1.3` or `1.0.0.3` * **IPv6**: `2606:4700:4700::1113` or `2606:4700:4700::1003` ### Previous Android versions Before making changes, take note of any DNS addresses you might have and save them in a safe place in case you need to use them later. 1. Open **Settings** \> **Wi-Fi**. 2. Press down and hold the name of the network you are currently connected to. 3. Select **Modify Network**. 4. Select the checkbox **Show Advanced Options**. 5. Change the IP Settings to **Static**. 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 7. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 8. Select **Save**. You may need to disconnect from the Wi-Fi and reconnect for the changes to take effect. Note Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services. If you are experiencing connectivity issues related to captive portals: 1. Remove the static IP addresses from the device or disable the 1.1.1.1 app. 2. Connect to the Wi-Fi network. 3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/android/","name":"Android"}}]} ``` --- --- title: Azure description: Configure 1.1.1.1 on Microsoft Azure virtual networks. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Azure ](https://developers.cloudflare.com/search/?tags=Azure) # Azure These steps configure 1.1.1.1 as the DNS resolver for an Azure Virtual Network (VNet). This applies to all resources in the VNet, including virtual machines. 1. Log in to your Azure portal. 2. From the Azure portal side menu, select **Virtual Networks**. 3. Select the virtual network you want to configure. 4. Select **DNS Servers** \> **Custom**, and add two entries: ``` 1.1.1.1 1.0.0.1 ``` 5. Select **Save**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/azure/","name":"Azure"}}]} ``` --- --- title: Gaming consoles description: Configure 1.1.1.1 on PlayStation and Xbox. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Gaming consoles The steps below configure your gaming console to use 1.1.1.1 instead of the default DNS resolver provided by your ISP. ## PS4 1. Go to **Settings** \> **Network** \> **Set Up Internet Connection**. 2. Select **Wi-Fi** or **LAN** depending on your Internet connection. 3. Select **Custom**. 4. Set **IP Address Settings** to **Automatic**. 5. Change **DHCP Host Name** to **Do Not Specify**. 6. Set **DNS Settings** to **Manual**. 7. Change **Primary DNS** and **Secondary DNS** to: ``` 1.1.1.1 1.0.0.1 ``` 8. If you are able to add more DNS servers, you can add the IPv6 addresses as well: ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` 9. Set **MTU Settings** to **Automatic**. 10. Set **Proxy Server** to **Do Not Use**. ## Xbox One 1. Open the Network screen by pressing the Xbox button on your controller. 2. Go to **Settings** \> **Network** \> **Network Settings**. 3. Go to **Advanced Settings** \> **DNS Settings**. 4. Select **Manual**. 5. Set **Primary DNS** and **Secondary DNS** to: ``` 1.1.1.1 1.0.0.1 ``` 6. If you have the option to add more DNS servers, you can add the IPv6 addresses as well: ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` 7. When you are done, you will be shown a confirmation screen. Press **B** to save. ## Nintendo The following instructions work on New Nintendo 3DS, New Nintendo 3DS XL, New Nintendo 2DS XL, Nintendo 3DS, Nintendo 3DS XL, and Nintendo 2DS. 1. Go to the home menu and choose **System Settings** (the wrench icon). 2. Select **Internet Settings** \> **Connection Settings**. 3. Select your Internet connection and then select **Change Settings**. 4. Select **Change DNS**. 5. Set **Auto-Obtain DNS** to **No**. 6. Select **Detailed Setup**. 7. Set **Primary DNS** and **Secondary DNS** to: ``` 1.1.1.1 1.0.0.1 ``` 8. If you are able to add more DNS servers, you can add the IPv6 addresses as well: ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` 9. Select **Save** \> **OK**. ## Nintendo Switch 1. Press the home button and select **System Settings**. 2. Scroll down and select **Internet** \> **Internet Settings**. 3. Select your Internet connection and then select **Change Settings**. 4. Select **DNS Settings** \> **Manual**. 5. Set **Primary DNS** and **Secondary DNS** to: ``` 1.1.1.1 1.0.0.1 ``` 6. Select **Save** \> **OK**. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/gaming-consoles/","name":"Gaming consoles"}}]} ``` --- --- title: Google Cloud description: Configure 1.1.1.1 on Google Cloud instances. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ GCP ](https://developers.cloudflare.com/search/?tags=GCP) # Google Cloud Google Cloud lets you configure custom DNS servers at the Virtual Private Cloud (VPC) network level using [outbound server policies ↗](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-out) in Cloud DNS. When you create an outbound server policy, all resources in that VPC network — including existing virtual machines — use the specified DNS servers. Note If you are using [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can assign [locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to apply custom [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) via Gateway. To configure 1.1.1.1 for your Google Cloud VPC network: 1. Open the [Google Cloud Console ↗](https://console.cloud.google.com). 2. Go to **Network Services** \> **Cloud DNS** and select [**DNS Server Policies** ↗](https://console.cloud.google.com/net-services/dns/policies). 3. Select **Create Policy**. 4. Enter a name for your policy (for example, `cloudflare-1-1-1-1`) and select the VPC networks to apply it to. 5. Under **Alternate DNS servers**, select **Add Item** and enter: ``` 1.1.1.1 1.0.0.1 ``` 6. Select **Create**. DNS requests within the configured VPC networks will now use 1.1.1.1. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/google-cloud/","name":"Google Cloud"}}]} ``` --- --- title: iOS description: Configure 1.1.1.1 on iOS devices. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # iOS The [1.1.1.1: Faster Internet ↗](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) app is the recommended way to set up 1.1.1.1 on iOS. It automatically configures your device to use 1.1.1.1 on any network you connect to, including cellular networks (which cannot use a custom DNS resolver through manual iOS settings alone). The app also allows you to enable encryption for DNS queries or enable [WARP mode](https://developers.cloudflare.com/warp-client/), which keeps all your HTTP traffic private and secure, including your DNS queries to 1.1.1.1. You can select between these options in the app settings. By default, the app uses WARP mode. ## Set up 1.1.1.1: Faster Internet 1. Download [1.1.1.1: Faster Internet from the App Store ↗](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) for free. 2. Launch 1.1.1.1: Faster Internet and accept the Terms of Service. 3. Install the VPN profile that allows your phone to connect securely to 1.1.1.1. 4. Toggle the **WARP** button to **Connected**. ### Enable 1.1.1.1 for Families 1. Open 1.1.1.1: Faster Internet. 2. Tap the **menu button**. 3. Select **Advanced** \> **Connection options**. 4. In **DNS settings** \> **1.1.1.1 for Families**, select the option you want to use. ## Configure 1.1.1.1 manually Note Manual configuration only applies to the Wi-Fi network you are currently connected to. You will need to repeat these steps for each new Wi-Fi network. This method does not work for cellular connections. Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later. 1. Go to **Settings** \> **Wi-Fi**. 2. Select the **'i'** icon next to the Wi-Fi network you are connected to. 3. Scroll down and select **Configure DNS**. 4. Change the configuration from **Automatic** to **Manual**. 5. Select **Add Server**. 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 7. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 8. Select **Save**. Note Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services. If you are experiencing connectivity issues related to captive portals: 1. Remove the static IP addresses from the device or disable the 1.1.1.1 app. 2. Connect to the Wi-Fi network. 3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/ios/","name":"iOS"}}]} ``` --- --- title: Linux description: Learn how to set up 1.1.1.1 as your DNS resolver on a Linux system. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Linux Before you begin, take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later. You can configure 1.1.1.1 using the [command line](#use-command-line-interface-cli) or a [graphical interface](#use-graphical-user-interface-gui). ## Use command line interface (CLI) If you want to use 1.1.1.1 for Families instead of the standard resolver, replace `1.1.1.1` in the examples below with the corresponding [IPv4 or IPv6 address](https://developers.cloudflare.com/1.1.1.1/ip-addresses/). ### `resolv.conf` On most Linux distributions, `/etc/resolv.conf` controls which DNS resolver the system uses. To set `1.1.1.1` as your DNS resolver with `1.0.0.1` as a backup: Terminal window ``` echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1" | sudo tee /etc/resolv.conf ``` Warning Some services — such as DHCP clients or `NetworkManager` — automatically overwrite `/etc/resolv.conf` when your network connection changes. If your DNS settings revert after a reboot or reconnection, configure 1.1.1.1 in your network manager or DHCP client instead. You can also edit `/etc/resolv.conf` manually with a text editor like `nano` or `vim`. ### `systemd-resolved` If your system uses `systemd-resolved` to manage DNS, edit the configuration file at `/etc/systemd/resolved.conf`: 1. Run the following command, replacing `` with your preferred editor. Terminal window ``` sudo /etc/systemd/resolved.conf ``` 1. In the editor, add or edit the following lines: ``` [Resolve] DNS=1.1.1.1 ``` To use DNS over TLS, append `#one.one.one.one` after the IP address (this tells `systemd-resolved` which hostname to use for TLS verification) and set `DNSOverTLS` to `yes`: ``` [Resolve] DNS=1.1.1.1#one.one.one.one DNSOverTLS=yes ``` ## Use graphical user interface (GUI) ### GNOME 1. Go to **Show Applications** \> **Settings** \> **Network**. 2. Select the adapter you want to configure — such as your Ethernet adapter or Wi-Fi card — and select the **Settings** button. 3. On the **IPv4** tab > **DNS** section, disable the **Automatic** toggle. 4. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 5. Go to **IPv6**. 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 7. Select **Apply**. ### KDE Plasma 1. Go to **System Settings** \> **Wi-Fi & Internet** \> **Wi-Fi & Networking**. (or **Connections**, if on Plasma 5) 2. Select the connection you want to configure - like your current connected network. 3. On the **IPv4** tab, select the **Method** drop-down menu > _Automatic (Only addresses)_. 4. Select the text box next to **DNS servers**. 5. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 6. On the **IPv6** tab, select the **Method** drop-down menu > _Automatic (Only addresses)_. 7. Select the text box next to **DNS servers**. 8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 9. Select **Apply**. Note Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services. If you are experiencing connectivity issues related to captive portals: 1. Remove the static IP addresses from the device or disable the 1.1.1.1 app. 2. Connect to the Wi-Fi network. 3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/linux/","name":"Linux"}}]} ``` --- --- title: macOS description: Configure 1.1.1.1 on macOS. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # macOS These steps configure 1.1.1.1 as the DNS resolver for a specific network service (such as Wi-Fi or Ethernet) on your Mac. Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later. 1. Go to **System Settings**. You can find it by pressing `CMD + Space` on your keyboard and typing `System Settings`. 2. Go to **Network**. 3. Select a network service. 4. Select **Details**. 5. Go to **DNS**. 6. Under **DNS Servers**, select **Add**. 7. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 9. Select **OK**. Note Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services. If you are experiencing connectivity issues related to captive portals: 1. Remove the static IP addresses from the device or disable the 1.1.1.1 app. 2. Connect to the Wi-Fi network. 3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app. ## Encrypt your DNS queries 1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. For more information on how to encrypt your DNS queries, please refer to the [Encrypted DNS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/macos/","name":"macOS"}}]} ``` --- --- title: Router description: Configure 1.1.1.1 on your router. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Router Configuring 1.1.1.1 on your router applies the DNS setting to every device on your network. You do not need to change DNS settings on individual phones, computers, or other devices. 1. Go to the **IP address** used to access your router's admin console in your browser. * Linksys and Asus routers typically use `http://192.168.1.1` or `http://router.asus.com` (for ASUS). * Netgear routers typically use `http://192.168.1.1` or `http://routerlogin.net`. * D-Link routers typically use `http://192.168.0.1`. * Ubiquiti routers typically use `http://unifi.ubnt.com`. * MikroTik routers typically use `http://192.168.88.1`. 2. Enter the router credentials. For consumer routers, the default credentials for the admin console are often found under or behind the device. 3. In the admin console, locate the section where **DNS settings** are configured. This may be contained within categories such as **WAN** and **IPv6** (Asus routers), **IP** (MikroTik routers), or **Internet** (Netgear routers). Consult your router's documentation for details. 4. Take note of any DNS addresses that are currently set and save them in a safe place in case you need to use them later. 5. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 7. Save the updated settings. ## Use DNS over TLS on OpenWrt If your router runs OpenWrt, you can encrypt DNS traffic using DNS over TLS. For setup instructions, refer to [Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound ↗](https://blog.cloudflare.com/dns-over-tls-for-openwrt/). ## FRITZ!Box Starting with [FRITZ!OS 7.20 ↗](https://en.avm.de/press/press-releases/2020/07/fritzos-720-more-performance-convenience-security/), DNS over TLS is supported. Refer to [Configuring different DNS servers in the FRITZ!Box ↗](https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/165%5FConfiguring-different-DNS-servers-in-the-FRITZ-Box/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/router/","name":"Router"}}]} ``` --- --- title: Windows description: Configure 1.1.1.1 on Windows. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Windows ## Windows 10 Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later. 1. Select the **Start menu** \> **Settings**. 2. On **Network and Internet**, select **Change Adapter Options**. 3. Right-click on the Ethernet or Wi-Fi network you are connected to and select **Properties**. 4. Select **Internet Protocol Version 4**. 5. Select **Properties** \> **Use the following DNS server addresses**. 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 7. Select **OK**. 8. Select **Internet Protocol Version 6**. 9. Select **Properties** \> **Use the following DNS server addresses**. 10. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 11. Select **OK**. ## Windows 11 Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later. 1. Select the **Start menu** \> **Settings**. 2. On **Network and Internet**, select the adapter you want to configure — such as your Ethernet adapter or Wi-Fi card. 3. Scroll to **DNS server assignment** and select **Edit**. 4. Select the **Automatic (DHCP)** drop-down menu > **Manual**. 5. Select the **IPv4** toggle to turn it on. 6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4: Use 1.1.1.1 resolver ``` 1.1.1.1 1.0.0.1 ``` Block malware with 1.1.1.1 for Families ``` 1.1.1.2 1.0.0.2 ``` Block malware and adult content with 1.1.1.1 for Families ``` 1.1.1.3 1.0.0.3 ``` 7. Select the **IPv6** toggle. 8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6: Use 1.1.1.1 resolver ``` 2606:4700:4700::1111 2606:4700:4700::1001 ``` Block malware with 1.1.1.1 for Families ``` 2606:4700:4700::1112 2606:4700:4700::1002 ``` Block malware and adult content with 1.1.1.1 for Families ``` 2606:4700:4700::1113 2606:4700:4700::1003 ``` 9. Select **Save**. Note Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services. If you are experiencing connectivity issues related to captive portals: 1. Remove the static IP addresses from the device or disable the 1.1.1.1 app. 2. Connect to the Wi-Fi network. 3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app. ## Encrypt your DNS queries 1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. For more information on how to encrypt your DNS queries, please refer to the [Encrypted DNS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/setup/","name":"Set up"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/setup/windows/","name":"Windows"}}]} ``` --- --- title: Encryption description: Encryption options for DNS queries to 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Encryption When you visit a website, your device first sends a DNS query to translate the domain name (for example, `example.com`) into an IP address. Traditionally, these queries are sent in plaintext — unencrypted and readable by anyone on the network path. Unencrypted DNS queries can be monitored, modified, or used for tracking by ISPs, network operators, or malicious actors. To protect your DNS traffic, 1.1.1.1 supports three encryption standards: * [DNS over TLS (DoT)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) — Encrypts DNS queries over a dedicated TLS connection on port `853`. * [DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) — Encrypts DNS queries inside regular HTTPS traffic on port `443`. * [Oblivious DNS over HTTPS (ODoH)](https://developers.cloudflare.com/1.1.1.1/encryption/oblivious-dns-over-https/) — Adds a privacy layer to DoH so that no single entity can see both your identity and your query. You can also [configure your browser](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) to secure your DNS queries. To secure connections on your smartphone, refer to the 1.1.1.1 [iOS](https://developers.cloudflare.com/1.1.1.1/setup/ios/) or [Android](https://developers.cloudflare.com/1.1.1.1/setup/android/) apps. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}}]} ``` --- --- title: DNS over HTTPS description: Encrypt DNS queries using HTTPS with 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # DNS over HTTPS DNS over HTTPS (DoH) encrypts DNS queries by wrapping them inside regular HTTPS requests. This prevents attackers from forging or altering your DNS traffic. DoH sends DNS traffic over port `443` — the default port for HTTPS web traffic. Because DoH queries use the same port and protocol as normal web browsing, they are difficult to distinguish from other HTTPS traffic on the network. DoH supports the HTTP, HTTP/2, and HTTP/3 protocols. * [ Configure DoH on your browser ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) * [ Connect to 1.1.1.1 using DoH clients ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/) * [ Make API requests to 1.1.1.1 ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}}]} ``` --- --- title: Connect to 1.1.1.1 using DoH clients description: Learn how to connect to Cloudflare's 1.1.1.1 using DNS over HTTPS (DoH) clients. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Connect to 1.1.1.1 using DoH clients A DoH client is a software that runs on your device and sends DNS queries to a resolver like 1.1.1.1 over an encrypted HTTPS connection. Once configured, the client handles DNS resolution for your device or network. ## Cloudflare WARP client Refer to [WARP client](https://developers.cloudflare.com/warp-client/) for guidance on WARP modes and get-started information for different [operating systems](https://developers.cloudflare.com/warp-client/get-started/). ## DNSCrypt-Proxy [DNSCrypt-Proxy ↗](https://dnscrypt.info) 2.0+ supports DoH out of the box. It supports both 1.1.1.1 and other services. It also includes more advanced features, such as load balancing and local filtering. 1. [Install DNSCrypt-Proxy ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation). 2. Verify that `dnscrypt-proxy` is installed and the version is 2.0 or later: Terminal window ``` dnscrypt-proxy -version ``` ``` 2.0.8 ``` 3. Set up the configuration file using the [official instructions ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation#setting-up-dnscrypt-proxy), and add `cloudflare` and `cloudflare-ipv6` to the server list in `dnscrypt-proxy.toml`: TOML ``` server_names = ['cloudflare', 'cloudflare-ipv6'] ``` 4. Make sure that nothing else is running on `localhost:53` (port `53` is the standard DNS port on your local machine), and check that everything works as expected: Terminal window ``` dnscrypt-proxy -resolve cloudflare-dns.com ``` ``` Resolving [cloudflare-dns.com] Domain exists: yes, 3 name servers found Canonical name: cloudflare-dns.com. IP addresses: 2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019, 104.16.111.25, 104.16.112.25 TXT records: - Resolver IP: 172.68.140.217 ``` 5. Register it as a system service so that it starts automatically when your device boots. Follow the [DNSCrypt-Proxy installation instructions ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}},{"@type":"ListItem","position":5,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/dns-over-https-client/","name":"Connect to 1.1.1.1 using DoH clients"}}]} ``` --- --- title: Configure DoH on your browser description: Configure DNS over HTTPS in your browser. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Configure DoH on your browser Several browsers support DNS over HTTPS (DoH), which encrypts your DNS queries to protect them from monitoring and tampering. Some browsers might already have this setting enabled. Note [1.1.1.1 for Families](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) provides additional filtering to block malware, phishing, or adult content. To use it, follow the steps below but, instead of choosing the default 1.1.1.1 option, refer to [Set up](https://developers.cloudflare.com/1.1.1.1/setup/#dns-over-https-doh) and specify the URL you want to use. ## Mozilla Firefox 1. Select the menu button > **Settings**. 2. In the **Privacy & Security** menu, scroll down to the **Enable secure DNS using:** section. 3. Select **Increased Protection** or **Max Protection**. By default, it will use the **Cloudflare** provider. 4. If this is not the case, select **Cloudflare** in the **Choose Provider** dropdown. ## Google Chrome 1. Select the three-dot menu in your browser > **Settings**. 2. Select **Privacy and security** \> **Security**. 3. Scroll down and enable **Use secure DNS**. 4. Select the **With** option, and from the drop-down menu choose _Cloudflare (1.1.1.1)_. ## Microsoft Edge 1. Select the three-dot menu in your browser > **Settings**. 2. Select **Privacy, Search, and Services**, and scroll down to **Security**. 3. Enable **Use secure DNS**. 4. Select **Choose a service provider**. 5. Select the **Enter custom provider** drop-down menu and choose _Cloudflare (1.1.1.1)_. ## Brave 1. Select the menu button in your browser > **Settings**. 2. Select **Privacy and security** \> **Security**. 3. Under **Advanced**, enable **Use secure DNS**. 4. From the **Select DNS provider** drop-down menu, choose _Cloudflare (1.1.1.1)_. ## Check if the browser is configured correctly Visit [1.1.1.1 help page ↗](https://one.one.one.one/help) and check if `Using DNS over HTTPS (DoH)` shows `Yes`. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}},{"@type":"ListItem","position":5,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/","name":"Configure DoH on your browser"}}]} ``` --- --- title: Make API requests to 1.1.1.1 description: Make programmatic DNS queries to 1.1.1.1 over HTTPS. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Make API requests to 1.1.1.1 Cloudflare offers a DNS over HTTPS resolver at: ``` https://cloudflare-dns.com/dns-query ``` ## HTTP method Cloudflare's DNS over HTTPS (DoH) endpoint supports `POST` and `GET` for DNS wireformat, and `GET` for JSON format. When making requests using `POST`, the DNS query is included as the message body of the HTTP request, and the MIME type (`application/dns-message`) is sent in the `Content-Type` request header. Cloudflare will use the message body of the HTTP request as sent by the client, so the message body should not be encoded. When making requests using `GET`, the DNS query is encoded into the URL. ## Valid MIME types If you use JSON format, set `application/dns-json`, and if you use DNS wireformat, use `application/dns-message`. Refer to [DNS wireformat](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-wireformat/) and [JSON](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/) for cURL examples. ## Send multiple questions in a query Each DNS query maps to exactly one HTTP request. To send multiple queries concurrently, use HTTP/2 or HTTP/3, which supports multiplexing multiple requests over a single connection. HTTP/2 is the minimum recommended version of HTTP for use with DoH. This is not specific to 1.1.1.1, but rather how DoH operates per [RFC 8484 ↗](https://datatracker.ietf.org/doc/html/rfc8484#section-5.2). Example request: Terminal window ``` curl --http2 --header "accept: application/dns-json" "https://one.one.one.one/dns-query?name=cloudflare.com" --next --http2 --header "accept: application/dns-json" "https://one.one.one.one/dns-query?name=example.com" ``` ## Authentication No authentication is required to send requests to this API. ## Supported TLS versions Cloudflare's DNS over HTTPS resolver supports TLS 1.2 and TLS 1.3. ## Return codes | HTTP Status | Meaning | | ----------- | ---------------------------------------------------------- | | 400 | DNS query not specified or too small. | | 413 | DNS query is larger than maximum allowed DNS message size. | | 415 | Unsupported content type. | | 504 | Resolver timeout while waiting for the query response. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}},{"@type":"ListItem","position":5,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/make-api-requests/","name":"Make API requests to 1.1.1.1"}}]} ``` --- --- title: Using JSON description: Query 1.1.1.1 DNS over HTTPS using JSON format. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Using JSON Warning The DNS over HTTPS JSON format does not have a formal RFC, which means behavior might be different between providers. Additionally, there might be small changes in behavior in the future. For critical use cases, it is recommended to use the [DNS over HTTPS wireformat](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-wireformat/), which is defined in [RFC 1035 ↗](https://www.rfc-editor.org/rfc/rfc1035.html). Cloudflare's DNS over HTTPS endpoint also supports JSON format for querying DNS data. There is no agreed-upon JSON schema for DNS over HTTPS in the Internet Engineering Task Force (IETF), so Cloudflare has chosen to follow the same schema as Google's DNS over HTTPS resolver. JSON formatted queries are sent using a `GET` request. When making requests using `GET`, the DNS query is encoded into the URL. Include an HTTP `Accept` request header with a MIME type of `application/dns-json` to indicate that the client can accept a JSON response. ## Supported parameters | Field | Required? | Description | Default | | ----- | --------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- | | name | Yes | Query name. | \- | | type | No | Query type (either a [numeric value or text ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4)). | A | | do | No | DO bit - whether the client wants DNSSEC data (either empty or one of 0, false, 1, or true). | false | | cd | No | CD bit - disable validation (either empty or one of 0, false, 1, or true). | false | ## Examples Example request and response: Terminal window ``` curl --header "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA" ``` ``` { "Status": 0, "TC": false, "RD": true, "RA": true, "AD": true, "CD": false, "Question": [ { "name": "example.com.", "type": 28 } ], "Answer": [ { "name": "example.com.", "type": 28, "TTL": 1726, "data": "2606:2800:220:1:248:1893:25c8:1946" } ] } ``` In the case of an invalid request a `400 Bad Request` error is returned: Terminal window ``` curl --header "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&cd=2" ``` ``` { "error": "Invalid CD flag `2`. Expected to be empty or one of `0`, `false`, `1`, or `true`." } ``` ## Response fields The following tables have more information on each response field. ### Successful response | Field | Description | | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Status | The Response Code of the DNS Query. The codes are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6). | | TC | If the TC field is true, the truncated bit was set. This occurs when the DNS answer exceeds the size of a single UDP or TCP packet. With Cloudflare DNS over HTTPS, the TC field is almost always false because Cloudflare supports the maximum response size. | | RD | If true, it means the Recursive Desired bit was set. This is always set to true for Cloudflare DNS over HTTPS. | | RA | If true, it means the Recursion Available bit was set. This is always set to true for Cloudflare DNS over HTTPS. | | AD | If true, it means that every record in the answer was verified with DNSSEC. | | CD | If true, the client asked to disable DNSSEC validation. In this case, Cloudflare will still fetch the DNSSEC-related records, but it will not attempt to validate the records. | | Question: name | The record name requested. | | Question: type | The type of DNS record requested. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4). | | Answer: name | The record owner. | | Answer: type | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4). | | Answer: TTL | The number of seconds the answer can be stored in cache before it is considered stale. | | Answer: data | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types. | | Authority: name | The record owner. | | Authority: type | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4). | | Authority: TTL | The number of seconds the answer can be stored in cache before it is considered stale. | | Authority: data | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types. | | Additional: name | The record owner. | | Additional: type | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4). | | Additional: TTL | The number of seconds the answer can be stored in cache before it is considered stale. | | Additional: data | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types. | | Comment | List of EDE messages. Refer to [Extended DNS error codes](https://developers.cloudflare.com/1.1.1.1/infrastructure/extended-dns-error-codes/) for more information. | ### Error response | Field | Description | | ----- | ------------------------------------------ | | error | An explanation of the error that occurred. | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}},{"@type":"ListItem","position":5,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/make-api-requests/","name":"Make API requests to 1.1.1.1"}},{"@type":"ListItem","position":6,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/","name":"Using JSON"}}]} ``` --- --- title: DNS Wireformat description: Query 1.1.1.1 DNS over HTTPS using wireformat. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # DNS Wireformat Cloudflare respects DNS wireformat as defined in [RFC 1035 ↗](https://www.rfc-editor.org/rfc/rfc1035.html). To send queries using DNS wireformat, set the header `accept: application/dns-message`, or `content-type: application/dns-message` if using `POST` to indicate the media type of the query. Queries using DNS wireformat can be sent using `POST` or `GET`. ## Using POST When making requests using `POST`, the DNS query is included as the message body of the HTTP request, and the MIME type (see below) is included in the `Content-Type` request header. Cloudflare will use the message body of the HTTP request as sent by the client, so the message body should not be encoded. The following is an example request. The same DNS query for `www.example.com`, using the POST method would be: ``` :method = POST :scheme = https :authority = cloudflare-dns.com :path = /dns-query accept = application/dns-message content-type = application/dns-message content-length = 33 <33 bytes represented by the following hex encoding> 00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 ``` And would return the answer in wireformat: ``` :status = 200 content-type = application/dns-message content-length = 64 cache-control = max-age=128 <64 bytes represented by the following hex encoding> 00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00 00 80 00 04 C0 00 02 01 ``` To try this using cURL, write: Terminal window ``` echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 --decode | curl --header 'content-type: application/dns-message' --data-binary @- https://cloudflare-dns.com/dns-query --output - | hexdump ``` ## Using GET When making requests using `GET`, the DNS query is encoded into the URL. The `accept` header can be used to indicate the MIME type (default: `application/dns-message`). Example request: Terminal window ``` curl --header 'accept: application/dns-message' --verbose 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump ``` ``` * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7f968700a400) GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2 Host: cloudflare-dns.com User-Agent: curl/7.54.0 accept: application/dns-message * Connection state changed (MAX_CONCURRENT_STREAMS updated)! HTTP/2 200 date: Fri, 23 Mar 2018 05:14:02 GMT content-type: application/dns-message content-length: 49 cache-control: max-age=0 set-cookie: \__cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly server: cloudflare-nginx cf-ray: 3ffe69838a418c4c-SFO-DOG { [49 bytes data] 100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494 * Connection #0 to host cloudflare-dns.com left intact 0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77 0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8 0000030 22 0000031 ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/","name":"DNS over HTTPS"}},{"@type":"ListItem","position":5,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/make-api-requests/","name":"Make API requests to 1.1.1.1"}},{"@type":"ListItem","position":6,"item":{"@id":"/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-wireformat/","name":"DNS Wireformat"}}]} ``` --- --- title: DNS over TLS description: Encrypt DNS queries using TLS with 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ TLS ](https://developers.cloudflare.com/search/?tags=TLS) # DNS over TLS By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is one way to send DNS queries over an encrypted connection. Cloudflare supports DNS over TLS on standard port `853` and is compliant with [RFC 7858 ↗](https://tools.ietf.org/html/rfc7858). DoT wraps standard DNS traffic inside a TLS-encrypted TCP connection. This prevents anyone between your device and the resolver from reading or modifying your DNS queries. ## How it works Cloudflare supports DNS over TLS (DoT) on `1.1.1.1`, `1.0.0.1`, and the corresponding IPv6 addresses (`2606:4700:4700::1111` and `2606:4700:4700::1001`) on port `853`. If your DoT client does not support IP addresses, Cloudflare's DoT endpoint can also be reached by hostname on `one.one.one.one`. A stub resolver is the DNS client software on your device that sends queries to a DNS resolver. With DoT, the stub resolver connects to the resolver over a TLS connection: 1. Before the connection, the DNS stub resolver stores a fingerprint of 1.1.1.1's TLS certificate. This fingerprint is a base64-encoded SHA-256 hash of the certificate's public key information, known as the Subject Public Key Info (SPKI) pin. The stub resolver uses this pin to verify it is connecting to the authentic 1.1.1.1 server. 2. The DNS stub resolver establishes a TCP connection with `1.1.1.1:853`. 3. The DNS stub resolver initiates a TLS handshake — a process where both sides agree on encryption parameters and the client verifies the server's identity. 4. In the TLS handshake, 1.1.1.1 presents its TLS certificate. 5. Once the TLS connection is established, the DNS stub resolver can send DNS over an encrypted connection, preventing eavesdropping and tampering. 6. All DNS queries sent over the TLS connection must comply with specifications of [sending DNS over TCP ↗](https://tools.ietf.org/html/rfc1035#section-4.2.2). ## Example Terminal window ``` kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com ``` ``` ;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP) ;; DEBUG: TLS, imported 138 system certificates ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com ;; DEBUG: SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg= ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 ;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, The certificate is trusted. ;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3395 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR ;; PADDING: 408 B ;; QUESTION SECTION: ;; example.com. IN A ;; ANSWER SECTION: example.com. 75897 IN A 93.184.216.34 ;; Received 468 B ;; Time 2023-06-23 18:05:42 PDT ;; From 1.1.1.1@853(TCP) in 12.1 ms ``` ## Supported TLS versions Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dns-over-tls/","name":"DNS over TLS"}}]} ``` --- --- title: DNSKEY description: DNSKEY records used by the 1.1.1.1 resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # DNSKEY Standard DNS has no built-in way to verify that a response actually came from the authoritative server for a domain. An attacker could return a forged answer, and a resolver would have no way to detect it. [DNSSEC ↗](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) solves this by adding cryptographic signatures to DNS records. Domain owners sign their DNS records with a private key, and resolvers like 1.1.1.1 verify those signatures using the corresponding public key. This proves the response is authentic and has not been modified in transit. DNSSEC uses two DNS record types to distribute the public keys needed for verification: * **DNSKEY** records contain the public signing keys for a domain. * **DS** (Delegation Signer) records link a child zone's keys to its parent zone, creating a chain of trust. Resolvers use these keys to verify the signatures stored in [RRSIG records ↗](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/). ## Supported signature algorithms 1.1.1.1 supports the following DNSSEC signature algorithms: * RSA/SHA-1 * RSA/SHA-256 * RSA/SHA-512 * RSASHA1-NSEC3-SHA1 * ECDSA Curve P-256 with SHA-256 (ECDSAP256SHA256) * ECDSA Curve P-384 with SHA-384 (ECDSAP384SHA384) * ED25519 ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/dnskey/","name":"DNSKEY"}}]} ``` --- --- title: Oblivious DNS over HTTPS description: Learn how Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) to enhance privacy by separating HTTP request contents from requester IP addresses. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Privacy ](https://developers.cloudflare.com/search/?tags=Privacy)[ Proxying ](https://developers.cloudflare.com/search/?tags=Proxying) # Oblivious DNS over HTTPS With standard [DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/), your DNS queries are encrypted, but the resolver still sees both your IP address and the domain you are looking up. Oblivious DNS over HTTPS (ODoH) adds a privacy layer so that no single entity can see both pieces of information at the same time. Warning ODoH is defined in [RFC 9230 ↗](https://www.rfc-editor.org/rfc/rfc9230.html). This RFC is experimental and is not endorsed by the IETF. ## How ODoH works ODoH introduces two roles between your device and the DNS resolver: * **Proxy** — Forwards your encrypted DNS query to the target. The proxy can see your IP address but cannot read the query because it is encrypted. * **Target** — Receives and decrypts the DNS query, then sends it to the upstream resolver. The target can read the query but only sees the proxy's IP address, not yours. Because the query is encrypted before it reaches the proxy, and the target never learns your IP address: * The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target. * The target only has access to the encrypted query and the proxy's IP address, while not having visibility over the client's IP address. * Only the intended target can read the content of the query and produce a response, which is also encrypted. This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Clients are in complete control of proxy and target selection, so you can choose a proxy and target operated by different organizations to reduce collusion risk. Clients encrypt their query for the target using Hybrid Public Key Encryption ([HPKE ↗](https://blog.cloudflare.com/hybrid-public-key-encryption/)), a standard for encrypting messages to a recipient using their public key. A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. ## Cloudflare and third-party products Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`. To make ODoH queries you can use open source clients such as [dnscrypt-proxy ↗](https://github.com/DNSCrypt/dnscrypt-proxy). [iCloud Private Relay ↗](https://support.apple.com/102602) uses similar privacy-separation principles and uses [Cloudflare as one of their partners ↗](https://blog.cloudflare.com/icloud-private-relay/). ## Related resources * [HPKE: Standardizing public-key encryption ↗](https://blog.cloudflare.com/hybrid-public-key-encryption/) blog post * [Privacy Gateway](https://developers.cloudflare.com/privacy-gateway/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/encryption/","name":"Encryption"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/encryption/oblivious-dns-over-https/","name":"Oblivious DNS over HTTPS"}}]} ``` --- --- title: Upstream resolution description: How 1.1.1.1 selects authoritative nameservers, retries failed queries, and determines which response to return. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Upstream resolution When 1.1.1.1 does not have an answer in its cache, it contacts authoritative nameservers on your behalf. Authoritative nameservers are the DNS servers that hold the actual records for a domain. This page describes how 1.1.1.1 selects which nameserver to query, what happens when a nameserver is unreachable, and how the final response is determined. ## Query name minimization When resolving a multi-level domain name like `foo.bar.example.com`, 1.1.1.1 does not reveal the full name to every server in the chain. Instead, it sends only the minimum information each server needs. For example, when asking the `.com` TLD server, 1.1.1.1 only discloses that it needs to find `example.com` — the subdomain parts (`foo.bar`) are not included. This limits the amount of information exposed to intermediary servers and reduces privacy leakage. ## Root zone 1.1.1.1 uses [locally hosted copies of the root zone file ↗](https://blog.cloudflare.com/f-root/) instead of querying remote root servers for every lookup. The root zone file contains the addresses of all top-level domain (TLD) servers. By hosting it locally, 1.1.1.1 avoids a network round trip to root servers, which reduces latency, improves privacy, and decreases load on the global DNS root server system. ## Nameserver selection Most domains have multiple authoritative nameservers for redundancy. When 1.1.1.1 needs to query one, it chooses based on measured performance. The resolver tracks metrics for each nameserver — including round-trip time (how long a query takes to travel to the server and back) and response quality — then picks the nameserver that has historically been fastest and most reliable from the data center handling your request. If the selected nameserver does not respond in time or returns an error, 1.1.1.1 retries against a different nameserver for the same zone. Refer to [Retry behavior](#retry-behavior) for details. A small percentage of queries are also sent to alternative nameservers so that performance measurements stay current. This allows a previously slow server to be re-evaluated if its performance improves. For more background on the system that powers this selection, refer to the [BigPineapple architecture blog post ↗](https://blog.cloudflare.com/big-pineapple-intro/). ## Retry behavior If a nameserver does not respond in time or returns a temporary error, 1.1.1.1 retries the query against a different authoritative nameserver for the same zone. The unresponsive server is deprioritized so that subsequent queries prefer healthier alternatives. 1.1.1.1 periodically re-checks deprioritized servers to detect recovery. When multiple clients request the same domain at the same time, 1.1.1.1 deduplicates the upstream queries so that a single in-flight request serves all waiting clients. The exact retry timing and ranking logic are tuned over time and may change. ## Response selection For a given query, 1.1.1.1 returns only one answer to the client. When authoritative nameservers disagree, which response 1.1.1.1 selects depends on the type of responses received. The following DNS response codes are relevant: * **`NOERROR`** — The query succeeded. The response contains the requested records, or indicates that the name exists but has no records of the requested type (sometimes called `NODATA`). * **`NXDOMAIN`** — The domain name does not exist. * **`SERVFAIL`** — The nameserver encountered an internal error and could not answer. * **`REFUSED`** — The nameserver refused to answer the query. How 1.1.1.1 handles disagreements between nameservers: * **`NOERROR` versus `NXDOMAIN`:** Both are valid authoritative answers. 1.1.1.1 returns whichever response it receives first and does not query remaining nameservers to compare. Authoritative nameservers for the same zone are expected to be consistent. If one returns `NXDOMAIN` and another returns `NOERROR` for the same name, that indicates a misconfiguration on the authoritative side. * **Timeout versus a valid response:** A timeout is not an answer. 1.1.1.1 retries against another nameserver and returns the first valid response it receives. * **`SERVFAIL` or `REFUSED` versus a valid response:** Temporary failures are treated as upstream errors, not authoritative answers. 1.1.1.1 retries against another nameserver and returns the first valid response. Only if all nameservers return errors does 1.1.1.1 return a failure to the client — typically `SERVFAIL`, or `REFUSED` if that is what the nameservers consistently returned. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/upstream-resolution/","name":"Upstream resolution"}}]} ``` --- --- title: Verify connection description: Verify your device is connected to 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Verify connection After [setting up 1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/), you can verify that your DNS queries are going through Cloudflare's resolver. 1. Open a web browser on a device that you configured to use 1.1.1.1, or on a device connected to a router you configured. 2. Go to [https://1.1.1.1/help ↗](https://one.one.one.one/help). The page runs a series of tests and shows whether your connection to 1.1.1.1 is working. It also displays which Cloudflare data center is serving your requests. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/check/","name":"Verify connection"}}]} ``` --- --- title: Privacy description: Privacy commitments and audits for the 1.1.1.1 resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Privacy Cloudflare maintains separate privacy commitments depending on how you use 1.1.1.1: * [1.1.1.1 Public DNS Resolver](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/): Privacy commitments for the 1.1.1.1 public DNS resolver, including what data Cloudflare collects, uses, retains, and shares. Governed by the Cloudflare [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). * [Resolver for Firefox](https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox/): Privacy commitments specific to the Cloudflare Resolver for Firefox, where Cloudflare acts as a data processor under Mozilla's instructions. This is separate from the 1.1.1.1 public DNS resolver and is not covered by the main Cloudflare Privacy Policy. * [1.1.1.1 Application ↗](https://www.cloudflare.com/application/privacypolicy/): Privacy policy for Cloudflare's consumer-facing 1.1.1.1 applications, including the 1.1.1.1 app for iOS and Android. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/privacy/","name":"Privacy"}}]} ``` --- --- title: Cloudflare Resolver for Firefox description: How 1.1.1.1 works as the trusted resolver for Firefox. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Privacy ](https://developers.cloudflare.com/search/?tags=Privacy) # Cloudflare Resolver for Firefox ## Frequently asked questions about the Cloudflare resolver for Firefox ### What is the Cloudflare resolver for Firefox? Every time you type a web address, such as [www.mozilla.org ↗](http://www.mozilla.org) or [www.firefox.com ↗](http://www.firefox.com), into a web browser, the web browser sends a query to a DNS resolver. If DNS is like the card catalog of the Internet, then a DNS resolver is like a helpful librarian that knows how to use the information from that catalog to track down the exact location of a website. Whenever a resolver receives your query it looks up the IP address associated with the web address that you entered and relays that information to your web browser. “DNS resolution” as this process is referred to, is a crucial component of your Internet experience because without it your web browser would be unable to communicate with the servers that host your favorite websites, since communication requires knowing the IP addresses of those websites. For most Internet users, the DNS resolver that they use is either the one that comes with the operating system running on their machines or the one that is set by their network provider. In some cases, these resolvers leave a lot to be desired because of their susceptibility to unwanted spying and other security threats. To address this, Mozilla has partnered with Cloudflare to provide DNS resolution directly from within the Firefox browser using the Cloudflare resolver for Firefox. When this feature is active, Firefox sends DNS queries over a secure channel to the Cloudflare resolver for Firefox rather than to an unknown DNS resolver, significantly decreasing the odds of unwanted spying or man-in-the-middle attacks. ### What information does the Cloudflare resolver for Firefox collect? Any data Cloudflare handles as a result of its resolver for Firefox is as a data processor acting pursuant to Mozilla's data processing instructions. The data Cloudflare collects and processes pursuant to its agreement with Mozilla is not covered by the [Cloudflare Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). As part of its agreement with Mozilla, Cloudflare has agreed to collect only a limited amount of data about the DNS requests sent to the Cloudflare resolver for Firefox via the Firefox browser. Cloudflare will collect only the following information from Firefox users: * date * dateTime * srcAsNum * srcIPVersion * dstIPVersion * dstIPv6 * dstIPv4 * dstPort * protocol * queryName * queryType * queryClass * queryRd * queryDo * querySize * queryEdns * ednsVersion * ednsPayload * ednsNsid * responseType * responseCode * responseSize * responseCount * responseTimeMs * responseCached * responseMinTTL * answerData type * answerData * validationState * coloID (unique Cloudflare data center ID) * metalId (unique Cloudflare data center ID) All of the above information is stored in temporary logs and then permanently deleted within 24 hours of Cloudflare's receipt of such information. In addition, Cloudflare stores the following in permanent logs: * Total number of requests processed by each Cloudflare data center. * Aggregate list of all domain names requested. * Samples of domain names queried along with the times of such queries. Information stored in permanent logs is anonymized and may be held indefinitely by Cloudflare for internal research and development purposes. ### What is the Cloudflare promise? Cloudflare commits to using the information collected from the Cloudflare resolver for Firefox solely to improve the performance of the Cloudflare resolver for Firefox and to assist in debugging efforts if an issue arises. In addition to limiting collection and use of data, Cloudflare promises: * Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare resolver for Firefox. * Cloudflare will not combine the data that it collects from such queries with any other Cloudflare or third-party data in any way that can be used to identify individual end users. * Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla's explicit written permission. ### What about government requests for content blocking? Cloudflare does not block or filter content through the Cloudflare resolver for Firefox. As part of its agreement with Mozilla, Cloudflare provides only direct DNS resolution. If Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the Cloudflare resolver for Firefox, Cloudflare would, in consultation with Mozilla, exhaust its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/privacy/","name":"Privacy"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/privacy/cloudflare-resolver-firefox/","name":"Cloudflare Resolver for Firefox"}}]} ``` --- --- title: 1.1.1.1 Public DNS Resolver description: Learn more about Cloudflare's commitment to privacy with the 1.1.1.1 Public DNS Resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Logging ](https://developers.cloudflare.com/search/?tags=Logging)[ Privacy ](https://developers.cloudflare.com/search/?tags=Privacy) # 1.1.1.1 Public DNS Resolver _Last updated March 27, 2024_ ## Cloudflare's commitment to privacy: 1.1.1.1 Public DNS Resolver The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver. --- Nearly everything on the Internet starts with a DNS request. DNS is the Internet's directory. Select a link, open an app, send an email, and the first thing your device does is ask a DNS resolver: where can I find this? By default, most devices use a DNS resolver provided by the Internet service provider (ISP). Some ISPs and third-party DNS providers log your queries, sell data about your Internet activity, or use it to target you with ads. DNS queries are also typically sent in plaintext, which means anyone on the network path between your device and the resolver can see every site you visit and every app you use — even if the content itself is encrypted. Cloudflare built the 1.1.1.1 public DNS resolver to address these problems. In partnership with APNIC, Cloudflare operates 1.1.1.1 as a recursive DNS service designed for privacy and security. DNS requests to 1.1.1.1 can be sent over an [encrypted channel](https://developers.cloudflare.com/1.1.1.1/encryption/), significantly decreasing the odds of unwanted spying or man-in-the-middle attacks. The 1.1.1.1 public DNS resolver was designed for privacy first. Cloudflare commits to the following: 1. Cloudflare will not sell or share Public Resolver users' personal data with third parties or use personal data from the Public Resolver to target any user with advertisements. 2. Cloudflare will only retain or use what is being asked, not information that will identify who is asking it. Except for randomly sampled network packets captured from at most 0.05% of all traffic sent to Cloudflare's network infrastructure, Cloudflare will not retain the source IP from DNS queries to the Public Resolver in non-volatile storage. These randomly sampled packets are solely used for network troubleshooting and DoS mitigation purposes. 3. A Public Resolver user's IP address (referred to as the client or source IP address) will not be stored in non-volatile storage. Cloudflare will anonymize source IP addresses via IP truncation methods (last octet for IPv4 and last 80 bits for IPv6). Cloudflare will delete the truncated IP address within 25 hours. 4. Cloudflare will retain only the limited transaction and debug log data ("Public Resolver Logs") set forth below, for the legitimate operation of our Public Resolver and research purposes, and Cloudflare will delete the Public Resolver Logs within 25 hours. 5. Cloudflare will not share the Public Resolver Logs with any third parties except for APNIC pursuant to a Research Cooperative Agreement. APNIC will only have limited access to query the anonymized data in the Public Resolver Logs and conduct research related to the operation of the DNS system. Cloudflare has taken technical steps to ensure that we cannot retain our user's information. We have also retained one of the top four accounting firms to audit our practices and publish a public report confirming we are doing what we said we would. The report is available on the [Certifications and compliance resources ↗](https://www.cloudflare.com/trust-hub/compliance-resources/) page. ## Limited data sharing with APNIC Cloudflare has partnered with [APNIC Labs ↗](https://labs.apnic.net/?p=1127), the regional Internet registry for the Asia-Pacific region, which provided the 1.1.1.1 IP address for use as a public DNS resolver. As part of its mission to ensure a global, open, and secure Internet, APNIC conducts research about the functioning and governance of the Internet, which it publishes at [www.apnic.net ↗](http://www.apnic.net). Cloudflare has agreed to provide APNIC with access to some of the anonymized data that Cloudflare collects through the Cloudflare Public DNS Resolver. APNIC can access query names, query types, resolver location, and other metadata via a Cloudflare API. This allows APNIC to study topics like the volume of DDoS attacks on the Internet and adoption of IPv6. APNIC Labs uses this data for non-profit operational research. As part of Cloudflare's commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address associated with a client. Aside from APNIC, Cloudflare will not share the Public Resolver Logs with any third party. ## Data in public resolver logs The Public Resolver Logs consist of the following fields: * answerData type * answerData * coloID (unique Cloudflare data center ID) * date * dateTime * dstIPVersion * dstIPv6 * dstIPv4 * dstPort * ede * ednsVersion * ednsPayload * ednsNsid * feature.uid * feature.value * metalId (unique Cloudflare data center ID) * ns ip * ns name * protocol * queryName * queryType * queryClass * queryRd * queryDo * querySize * queryEdns * queryCd * responseType * responseCode * responseSize * responseCount * responseTimeMs * responseCached * responseMinTTL * reused * srcAsNum * srcCountry * srcIPVersion * validationState Additionally, the resolver performs outgoing queries to authoritative nameservers in the DNS hierarchy. These queries are logged in subrequest fields and are used for the operation and debugging of the Public DNS Resolver service. The following subrequest data is included in the Public Resolver Logs: * subrequest.ipv6 (authoritative nameserver) * subrequest.ipv4 (authoritative nameserver) * subrequest.protocol * subrequest.durationMs * subrequest.queryName * subrequest.queryType * subrequest.responseCode * subrequest.responseCount * subrequest.recordType * subrequest.recordData * subrequest.error Except for limited sampled data from the Public Resolver Logs (which do not include truncated IP addresses) used to generate the aggregations described below, all Public Resolver Logs are deleted within 25 hours. Cloudflare may produce the following aggregations: * Total number of queries with different protocol settings (for example, TCP/UDP/DNSSEC) by Cloudflare data center. * Response code and response time quantiles with different protocol settings by Cloudflare data center. * Total number of requests processed by Cloudflare data center. * Aggregate list of all domain names requested, with aggregate request count and timestamp of first request by region. * Number of unique clients, queries over IPv4, queries over IPv6, queries with the RD bit set, queries asking for DNSSEC, number of bogus, valid, and invalid DNSSEC answers, queries by type, number of answers with each response code, response time quantiles (for example, 50th percentile), response TTL, and number of cached answers per minute, per day, per protocol (HTTPS/UDP/TCP/TLS), per region, per Cloudflare data center, and per Autonomous System Number. * Number of queries, number of queries with EDNS, number of bytes and time in answers quantiles (for example, 50th percentile) by day, month, Cloudflare data center, and by IPv4 versus IPv6. * Number of queries, response codes and response code quantiles (for example, 50th percentile) by day, region, name, and type. Cloudflare may store this aggregated data indefinitely to power Cloudflare Radar and to improve Cloudflare services, such as enhancing the overall performance of the Cloudflare Resolver and identifying security threats. ## What about requests for content blocking? Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks. In general, Cloudflare views government or civil requests to block content at the DNS level as ineffective, inefficient, and overboard. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government's jurisdiction. A government request to block content through a globally available public recursive resolver like the 1.1.1.1 Public DNS Resolver and 1.1.1.1 for Families should therefore be evaluated as a request to block content globally. Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/privacy/","name":"Privacy"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/privacy/public-dns-resolver/","name":"1.1.1.1 Public DNS Resolver"}}]} ``` --- --- title: Troubleshooting description: Learn how to diagnose and report issues with Cloudflare's DNS Resolver image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging)[ CLI ](https://developers.cloudflare.com/search/?tags=CLI) # Troubleshooting This guide helps you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, [verify your connection](https://developers.cloudflare.com/1.1.1.1/check/) to automatically gather relevant information. ## Name resolution issues If a domain name is not resolving correctly, test DNS resolution against 1.1.1.1 and compare the result to another resolver (such as `8.8.8.8`). The CHAOS TXT queries (`id.server`) identify which Cloudflare server handled your request, which is useful when reporting issues. ### Linux/macOS Terminal window ``` # Test DNS resolution dig example.com @1.1.1.1 dig example.com @1.0.0.1 dig example.com @8.8.8.8 # Check connected nameserver dig +short CHAOS TXT id.server @1.1.1.1 dig +short CHAOS TXT id.server @1.0.0.1 # Optional: Network information dig @ns3.cloudflare.com whoami.cloudflare.com txt +short ``` ### Windows Terminal window ``` # Test DNS resolution nslookup example.com 1.1.1.1 nslookup example.com 1.0.0.1 nslookup example.com 8.8.8.8 # Check connected nameserver nslookup -class=chaos -type=txt id.server 1.1.1.1 nslookup -class=chaos -type=txt id.server 1.0.0.1 # Optional: Network information nslookup -type=txt whoami.cloudflare.com ns3.cloudflare.com ``` Warning The network information command reveals your IP address. Only include this in reports to Cloudflare if you are comfortable sharing this information. For additional analysis, you can generate a [DNSViz ↗](http://dnsviz.net/) report for the domain in question. ## Connectivity and routing issues If DNS queries time out or you cannot reach 1.1.1.1 at all, the problem may be a network routing issue between your device and Cloudflare. Run traceroutes to both resolver addresses to identify where packets are being dropped. Before reporting connectivity issues: 1. Search for existing reports from your country and ISP. 2. Run traceroutes to both Cloudflare DNS resolvers. ### Linux/macOS Terminal window ``` # Basic connectivity tests traceroute 1.1.1.1 traceroute 1.0.0.1 # If reachable, check nameserver identity dig +short CHAOS TXT id.server @1.1.1.1 dig +short CHAOS TXT id.server @1.0.0.1 # TCP connection tests dig +tcp @1.1.1.1 id.server CH TXT dig +tcp @1.0.0.1 id.server CH TXT ``` ### Windows Terminal window ``` # Basic connectivity tests tracert 1.1.1.1 tracert 1.0.0.1 # If reachable, check nameserver identity nslookup -class=chaos -type=txt id.server 1.1.1.1 nslookup -class=chaos -type=txt id.server 1.0.0.1 # TCP connection tests nslookup -vc -class=chaos -type=txt id.server 1.1.1.1 nslookup -vc -class=chaos -type=txt id.server 1.0.0.1 ``` ## DNS-over-TLS (DoT) troubleshooting DNS over TLS encrypts DNS queries using TLS on port `853`. If your DoT connection is not working, test TLS connectivity and then DNS resolution over TLS. ### Linux/macOS Terminal window ``` # Test TLS connectivity openssl s_client -connect 1.1.1.1:853 openssl s_client -connect 1.0.0.1:853 # Test DNS resolution over TLS kdig +tls @1.1.1.1 id.server CH TXT kdig +tls @1.0.0.1 id.server CH TXT ``` ### Windows Windows does not include a standalone DoT client. You can test TLS connectivity using OpenSSL after installing it manually. ## DNS-over-HTTPS (DoH) troubleshooting DNS over HTTPS sends DNS queries as HTTPS requests. If your DoH connection is not working, test it by querying the Cloudflare DNS endpoint directly. ### Linux/macOS Terminal window ``` curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA' ``` ### Windows PowerShell ``` (Invoke-WebRequest -Uri 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA').RawContent ``` ## Common issues ### First hop failures If your traceroute fails at the first hop (the first network device after your computer, usually your router), the issue is likely hardware-related. Your router may have a hardcoded route for `1.1.1.1` that conflicts with using it as a DNS resolver. When reporting this issue, include: * Router make and model * ISP name * Any relevant router configuration details ## Additional resources * [1.1.1.1 DNS Resolver homepage ↗](https://1.1.1.1) * [DNS over TLS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) * [Diagnostic tool ↗](https://one.one.one.one/help/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/troubleshooting/","name":"Troubleshooting"}}]} ``` --- --- title: Terms of use description: Terms of use for the 1.1.1.1 DNS resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Terms of use By using 1.1.1.1 Public DNS Resolver or 1.1.1.1 for Families, you agree to the [Cloudflare Website and Online Services Terms of Use ↗](https://www.cloudflare.com/website-terms/). If you are an [Internet Service Provider (ISP) or network equipment provider](https://developers.cloudflare.com/1.1.1.1/infrastructure/network-operators/) that integrates 1.1.1.1, you agree to provide proper attribution to Cloudflare in accordance with the Cloudflare Trademark Guidelines. Contact `resolver@cloudflare.com` for logo requests. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/terms-of-use/","name":"Terms of use"}}]} ``` --- --- title: FAQ description: Find answers to common questions about Cloudflare's 1.1.1.1 DNS resolver, including setup, privacy features, IPv6 support, and troubleshooting tips. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # FAQ Below you will find answers to our most commonly asked questions. If you cannot find the answer you are looking for, refer to the [community page ↗](https://community.cloudflare.com/) to explore more resources. ## What is 1.1.1.1? 1.1.1.1 is Cloudflare's fast and secure DNS resolver. When you visit a website like `cloudflare.com`, your computer needs to find the IP address of the server that hosts it. Your computer cannot perform this translation on its own, so it sends the request to a DNS resolver. A DNS resolver looks up the IP address for a given domain name (for example, `2400:cb00:2048:1::c629:d7a2` for `cloudflare.com`) and returns it to the requesting device. Your device is usually configured to use a DNS resolver chosen by your ISP (such as Comcast or AT&T) for home or wireless Internet, or by your network administrator for office networks. You can change which DNS resolver your device uses at any time. Refer to [Set up 1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/) for instructions. ## How can I check if my computer / smartphone / tablet is connected to 1.1.1.1? Visit [1.1.1.1/help ↗](https://one.one.one.one/help) to make sure your system is connected to 1.1.1.1 and that it is working. ## What do DNS resolvers do? DNS resolvers are like address books for the Internet. They translate domain names into IP addresses so that your browser knows which server to contact. A resolver does this by working backwards from the top of the domain name hierarchy. Every resolver knows how to find the invisible `.` at the end of domain names (for example, `cloudflare.com.`). There are [hundreds of root servers ↗](http://www.root-servers.org/) all over the world that host the `.` file. Resolvers come preconfigured with the [IP addresses of those root servers ↗](http://www.internic.net/domain/named.root). Cloudflare itself hosts [that file ↗](http://www.internic.net/domain/root.zone) on all of its servers around the world through a [partnership with ISC ↗](https://blog.cloudflare.com/f-root/). The resolver asks one of the root servers where to find the next link in the chain — the top-level domain (TLD), which is the domain ending like `.com` or `.org`. The root servers return the address of the TLD server responsible for that ending. The resolver then asks the TLD server where to find the specific domain. For example, a resolver might ask `.com` where to find `cloudflare.com`. The TLD server responds with the address of the authoritative nameserver that holds the records for that domain. Once the resolver has the final IP address, it returns the answer to the device that asked. This whole system is called the [Domain Name System (DNS) ↗](https://www.cloudflare.com/learning/dns/what-is-dns/). It includes the servers that host domain records (called [authoritative DNS servers ↗](https://www.cloudflare.com/learning/dns/dns-server-types/)) and the servers that look up those records on behalf of users (DNS resolvers). ## Does 1.1.1.1 support ANY? No. Cloudflare [stopped supporting the ANY query type ↗](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/) in 2015\. The `ANY` query asks a DNS server to return all record types for a domain at once. In practice, `ANY` is more often used to amplify denial-of-service attacks than for legitimate purposes. When 1.1.1.1 receives an `ANY` query, it responds with `NOTIMPL` (not implemented). ## How does 1.1.1.1 work with DNSSEC? DNSSEC (Domain Name System Security Extensions) lets domain owners cryptographically sign their DNS records. A DNSSEC-validating resolver checks these signatures to confirm that a DNS response is authentic and has not been modified. 1.1.1.1 is a DNSSEC-validating resolver. On every query, it sends the `DO` (DNSSEC OK) flag to signal that it can accept signed responses. If the authoritative server provides signed records, 1.1.1.1 validates the signatures before returning the answer. 1.1.1.1 supports the signature algorithms listed in [Supported DNSKEY signature algorithms](https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/). ## Does 1.1.1.1 send EDNS Client Subnet header? No. 1.1.1.1 is a privacy-focused resolver and does not include client IP information in its queries to authoritative servers. It does not send the EDNS Client Subnet (ECS) header. The only exception is the Akamai debug domain `whoami.ds.akahelp.net`, which is used for cross-provider debugging. Cloudflare does not send ECS to any of Akamai's production domains, such as `akamaihd.net`. ## Does 1.1.1.1 support IPv6? Yes. 1.1.1.1 has full IPv6 support. Refer to [IP addresses](https://developers.cloudflare.com/1.1.1.1/ip-addresses/) for the IPv6 addresses you can use. ## What is Purge Cache? 1.1.1.1's Purge Cache tool allows you to refresh 1.1.1.1's DNS cache for domain names. To refresh the cache for a domain name, visit the [Purge Cache page ↗](https://one.one.one.one/purge-cache/). ## Can IPs used by 1.1.1.1 be allowlisted? Authoritative DNS providers may want to allowlist the IP addresses that 1.1.1.1 uses when querying upstream nameservers. The full list of Cloudflare IP addresses is available at [https://www.cloudflare.com/ips/ ↗](https://www.cloudflare.com/ips/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/faq/","name":"FAQ"}}]} ``` --- --- title: DNS in Google Sheets description: Look up DNS records directly inside Google Sheets using Cloudflare's 1.1.1.1 DNS resolver and a custom Google Apps Script function. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ JavaScript ](https://developers.cloudflare.com/search/?tags=JavaScript)[ JSON ](https://developers.cloudflare.com/search/?tags=JSON)[ Integration ](https://developers.cloudflare.com/search/?tags=Integration) # DNS in Google Sheets ## Create a function This tutorial creates a custom Google Sheets function that queries Cloudflare's 1.1.1.1 DNS resolver using DNS over HTTPS (DoH) — a protocol that encrypts DNS lookups over HTTPS. Once set up, you can type a formula like `=NSLookup("A", "example.com")` in any cell to retrieve DNS records without leaving your spreadsheet. This is useful for bulk domain audits, migration planning, or monitoring DNS changes across many domains at once. To get started, open your Google Sheet and create a [custom function in Google Apps Script ↗](https://developers.google.com/apps-script/guides/sheets/functions) with the following code: JavaScript ``` function NSLookup(type, domain, useCache = false, minCacheTTL = 30) { // --- Parameter validation --- if (typeof type == "undefined") { throw new Error("Missing parameter 1 dns type"); } if (typeof domain == "undefined") { throw new Error("Missing parameter 2 domain name"); } if (typeof useCache != "boolean") { throw new Error("Only boolean values allowed in 3 use cache"); } if (typeof minCacheTTL != "number") { throw new Error("Only numeric values allowed in 4 min cache ttl"); } type = type.toUpperCase(); domain = domain.toLowerCase(); // --- Optional caching layer (uses Google Apps Script CacheService) --- let cache = null; if (useCache) { // Cache key and hash cacheKey = domain + "@" + type; cacheHash = Utilities.base64Encode(cacheKey); cacheBinKey = "nslookup-result-" + cacheHash; cache = CacheService.getScriptCache(); const cachedResult = cache.get(cacheBinKey); if (cachedResult != null) { return cachedResult; } } // --- DNS-over-HTTPS query to Cloudflare's 1.1.1.1 resolver --- const url = "https://cloudflare-dns.com/dns-query?name=" + encodeURIComponent(domain) + "&type=" + encodeURIComponent(type); const options = { muteHttpExceptions: true, headers: { accept: "application/dns-json", }, }; const result = UrlFetchApp.fetch(url, options); const rc = result.getResponseCode(); const resultText = result.getContentText(); if (rc !== 200) { throw new Error(rc); } // --- Standard DNS response codes --- const errors = [ { name: "NoError", description: "No Error" }, // 0 { name: "FormErr", description: "Format Error" }, // 1 { name: "ServFail", description: "Server Failure" }, // 2 { name: "NXDomain", description: "Non-Existent Domain" }, // 3 { name: "NotImp", description: "Not Implemented" }, // 4 { name: "Refused", description: "Query Refused" }, // 5 { name: "YXDomain", description: "Name Exists when it should not" }, // 6 { name: "YXRRSet", description: "RR Set Exists when it should not" }, // 7 { name: "NXRRSet", description: "RR Set that should exist does not" }, // 8 { name: "NotAuth", description: "Not Authorized" }, // 9 ]; const response = JSON.parse(resultText); if (response.Status !== 0) { return errors[response.Status].name; } // --- Extract answer records and determine cache TTL --- const outputData = []; let cacheTTL = 0; for (const i in response.Answer) { outputData.push(response.Answer[i].data); const ttl = response.Answer[i].TTL; cacheTTL = Math.min(cacheTTL || ttl, ttl); } const outputString = outputData.join(","); if (useCache) { cache.put(cacheBinKey, outputString, Math.max(cacheTTL, minCacheTTL)); } return outputString; } ``` ## Using 1.1.1.1 When you call the `NSLookup` function with a record type and a domain, the cell displays the corresponding DNS record value — the data (such as an IP address) that DNS returns for that domain and record type. The full function signature is: `=NSLookup(type, domain, useCache, minCacheTTL)` | Parameter | Required | Default | Description | | ----------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------- | | type | Yes | — | DNS record type to query (for example, A, AAAA, MX). | | domain | Yes | — | The domain name to look up. | | useCache | No | false | Set to true to cache results using Google Apps Script's CacheService, which reduces repeated DNS lookups in large spreadsheets. | | minCacheTTL | No | 30 | Minimum cache duration in seconds. The actual TTL is the higher of this value or the TTL returned by the DNS response. | Supported DNS record types * `A` * `AAAA` * `CAA` * `CNAME` * `DS` * `DNSKEY` * `MX` * `NS` * `NSEC` * `NSEC3` * `RRSIG` * `SOA` * `TXT` For example, if cell `B1` contains `A` (the record type) and `B2` contains `example.com` (the domain), typing the following formula in another cell: ``` =NSLookup(B1, B2) ``` Depending on your regional settings, you may need to use a semicolon as the argument separator: ``` =NSLookup(B1; B2) ``` ![Google Sheets cell containing the NSLookup formula](https://developers.cloudflare.com/_astro/google-sheet-function.B_K9dB4i_1pUnIa.webp) Returns the `A` record for that domain: ``` 198.41.214.162, 198.41.215.162 ``` ![Google Sheets cell displaying the DNS lookup result](https://developers.cloudflare.com/_astro/google-sheet-result.qjsyQyZU_ZJWiV8.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/additional-options/","name":"Other ways to use 1.1.1.1"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/additional-options/dns-in-google-sheets/","name":"DNS in Google Sheets"}}]} ``` --- --- title: DNS over Discord description: Run DNS lookups and WHOIS queries directly in Discord using the 1.1.1.1 bot. Invite the bot to a server or add it to your account to query DNS records without leaving Discord. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # DNS over Discord The 1.1.1.1 DNS over Discord bot allows you to run DNS lookups and WHOIS queries directly inside Discord, which is useful when you are debugging DNS issues collaboratively or need quick record checks without switching to a terminal. [Invite the bot to your Discord server ↗](https://cfl.re/3nM6VfQ) to make it available in that server's channels, or [add the bot to your Discord account ↗](https://dns-over-discord.v4.wtf/invite/user) to use it anywhere in Discord. ## Perform DNS lookups Once the bot is in your server, type `/dig` to start performing DNS lookups. Discord will display a slash command form where you specify the domain to look up, an optional DNS record type, and an optional flag for a short result. A DNS lookup queries the Domain Name System to retrieve records associated with a domain (for example, the IP addresses a domain points to, or the mail servers it uses). If only a domain is given for the command, the bot defaults to looking for `A` records (which map a domain to one or more IPv4 addresses) and returns the full format result, not the short form. Example: ``` /dig domain: cloudflare.com ``` ### Supported record types Discord has a limit of 25 options in slash commands, so DNS over Discord offers the 25 most common DNS record types to choose from. Supported DNS record types * `A` * `AAAA` * `CAA` * `CDNSKEY` * `CDS` * `CERT` * `CNAME` * `DNSKEY` * `DS` * `HINFO` * `HTTPS` * `LOC` * `MX` * `NAPTR` * `NS` * `PTR` * `SMIMEA` * `SOA` * `SPF` * `SRV` * `SSHFP` * `SVCB` * `TLSA` * `TXT` * `URI` To query other DNS record types, or multiple record types at once, use the `/multi-dig` command. ### Short form response The `/dig` command has an optional flag to request a short form response. When you request a response in the short form, the name and TTL (time-to-live, how long the record is cached) columns are excluded. The command returns only the record data without formatting, similar to the equivalent `dig` command-line interface response. Example: ``` /dig domain: cloudflare.com type: AAAA records short: True ``` ### Disable DNSSEC checking DNSSEC (Domain Name System Security Extensions) validates that DNS responses have not been tampered with. You can disable this validation in the `/dig` command by passing `cdflag` as true, which is useful when troubleshooting domains with misconfigured DNSSEC, where validation failures block otherwise valid records from appearing. Example: ``` /dig domain: cloudflare.com type: AAAA records cdflag: True ``` ### Refreshing existing results You can refresh the DNS lookup results by clicking the Refresh button. Clicking it will trigger the bot to re-request the DNS query in the message, and update the results in the message. Any user can click this button. The refresh button is available on all responses to the `/dig` command, including those that resulted in an error, such as an unknown domain or no records found. ### Changing DNS provider By default, the DNS over Discord bot uses Cloudflare's 1.1.1.1 DNS service. To compare results across providers (for example, to check whether a DNS propagation issue is provider-specific) select a different provider from the dropdown below the result. The results in the message update to reflect the selected provider. Any user can change the DNS provider. ## `multi-dig` command If you want to look up multiple DNS record types at once, use the `/multi-dig` command. This allows you to specify any supported DNS record type, and multiple types separated by a space. Example: ``` /multi-dig domain: cloudflare.com types: A AAAA ``` ### Supported record types Unlike `/dig`, the `/multi-dig` command does not show an autocomplete menu for record types. You provide a space-separated list of DNS record types to look up. If you include an invalid record type, the bot drops it without an error message. So if results seem incomplete, check for typos in your type list. If no valid types are provided, the bot defaults to `A` records. DNS record types supported and considered valid by the bot Use a `*` (asterisk) in place of a record type to get DNS results for all supported types. * `A` * `AAAA` * `AFSDB` * `APL` * `CAA` * `CDNSKEY` * `CDS` * `CERT` * `CNAME` * `CSYNC` * `DHCID` * `DLV` * `DNAME` * `DNSKEY` * `DS` * `EUI48` * `EUI64` * `HINFO` * `HIP` * `HTTPS` * `IPSECKEY` * `KEY` * `KX` * `LOC` * `MX` * `NAPTR` * `NS` * `NSEC` * `NSEC3` * `NSEC3PARAM` * `OPENPGPKEY` * `PTR` * `RP` * `SMIMEA` * `SOA` * `SPF` * `SRV` * `SSHFP` * `SVCB` * `TA` * `TKEY` * `TLSA` * `TXT` * `URI` * `ZONEMD` ### Short form response Like the main `/dig` command, the `/multi-dig` command also supports the optional short flag after the types have been specified in the slash command. Example: ``` /multi-dig domain: cloudflare.com types: CDS CDNSKEY short: True ``` ### Disable DNSSEC checking As with the `dig` command, you can disable DNSSEC checking by passing `cdflag` as true. This will return the DNS records even if the DNSSEC validation fails. Example: ``` /multi-dig domain: cloudflare.com type: AAAA records cdflag: True ``` ### Refreshing existing results The `/multi-dig` command also provides a refresh button below each set of DNS results requested (or after each block of 10 DNS record types, if you requested more than 10). As with the `/dig` command, any user can press the refresh button to refresh the displayed DNS results, including for DNS queries that had previously failed. ### Changing DNS provider Like the `/dig` command, you can change the DNS provider when using the `/multi-dig` command. The menu appears after each set of DNS results (or after each block of results if more than 10 record types are requested). This menu can be used by any user to change the DNS provider used for the lookup. ## `whois` command The `/whois` command performs a RDAP/WHOIS lookup in Discord for a given domain, IP address, or ASN (Autonomous System Number, a unique identifier assigned to a network). WHOIS returns registration and ownership information, such as who registered a domain and when it expires. Examples: ``` /whois query: cloudflare.com /whois query: 104.16.132.229 /whois query: 2606:4700::6810:84e5 /whois query: 13335 ``` ## Other commands The bot also has a set of helper commands available to get more information about the bot and quick links. ### `help` command The `/help` command provides in-Discord documentation about all the commands available in the 1.1.1.1 DNS over Discord bot. Example: ``` /help ``` ### `privacy` command The `/privacy` command displays the Privacy Policy notice for using the 1.1.1.1 DNS over Discord bot. You can also [refer to the Privacy Policy page ↗](https://dns-over-discord.v4.wtf/privacy) to access it. Example: ``` /privacy ``` ### `terms` command The `/terms` command displays the Terms of Service notice for using the 1.1.1.1 DNS over Discord bot. You can also [refer to the Terms of Service page ↗](https://dns-over-discord.v4.wtf/terms) to access it. Example: ``` /terms ``` ### `github` command The DNS over Discord bot is open-source, and the `/github` command provides a quick link to access the GitHub repository. The GitHub repository can be accessed at [https://github.com/MattIPv4/DNS-over-Discord/ ↗](https://github.com/MattIPv4/DNS-over-Discord/). Example: ``` /github ``` ### `invite` command The `/invite` command provides the user with a quick link to invite the 1.1.1.1 DNS over Discord bot to another Discord server, or to add it to a Discord account. The bot can be invited at any time with [https://cfl.re/3nM6VfQ ↗](https://cfl.re/3nM6VfQ). The bot can also be added to accounts with [https://dns-over-discord.v4.wtf/invite/user ↗](https://dns-over-discord.v4.wtf/invite/user). ``` /invite ``` --- ## Development The DNS over Discord bot is deployed on [Cloudflare Workers ↗](https://workers.cloudflare.com/). You can find the source code for the bot on GitHub, as well as information on getting started with contributing to the project, at [https://github.com/MattIPv4/DNS-over-Discord/ ↗](https://github.com/MattIPv4/DNS-over-Discord/). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/additional-options/","name":"Other ways to use 1.1.1.1"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/additional-options/dns-over-discord/","name":"DNS over Discord"}}]} ``` --- --- title: DNS over Tor description: If you do not want to disclose your IP address to the resolver, you can use our Tor onion service. Resolving DNS queries through the Tor network guarantees a significantly higher level of anonymity than making the requests directly. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Privacy ](https://developers.cloudflare.com/search/?tags=Privacy)[ Proxying ](https://developers.cloudflare.com/search/?tags=Proxying) # DNS over Tor Warning The hidden resolver (Cloudflare's DNS resolver accessible through Tor) is still an experimental service and should not be used in production or for other critical uses. When you send a standard DNS query, both your ISP and the DNS resolver can see your IP address and the domains you look up. Cloudflare's Tor onion service routes your DNS queries through the Tor network, which guarantees a significantly higher level of anonymity than making requests directly. The resolver never sees your IP address, and your ISP cannot determine that you attempted to resolve a domain name. Read more about this service in [this blog post ↗](https://blog.cloudflare.com/welcome-hidden-resolver/). ## Setting up a Tor client Unlike standard DNS modes where traffic is sent directly to an IP address, the Tor network routes traffic without exposing IP addresses. This means all connections to the hidden resolver must go through a Tor client. Before you start, head to the [Tor Project website ↗](https://www.torproject.org/download/download.html.en) to download and install a Tor client. If you use the Tor Browser, it will automatically start a [SOCKS proxy ↗](https://en.wikipedia.org/wiki/SOCKS) at `127.0.0.1:9150`. If you use Tor from the command line, create the following configuration file: ``` SOCKSPort 9150 ``` Then you can run tor with: Terminal window ``` tor -f tor.conf ``` Also, if you use the Tor Browser, you can head to the resolver's address to see the usual 1.1.1.1 page: ``` https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/ ``` Note The HTTPS certificate indicator should say "Cloudflare, Inc. (US)." This confirms you are connected to Cloudflare's resolver and not an impersonating service. If you ever forget 1.1.1.1's address, use cURL to retrieve it: Terminal window ``` curl -sI https://tor.cloudflare-dns.com | grep -i alt-svc ``` ``` alt-svc: h2="dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443"; ma=315360000; persist=1 ``` ## Setting up a local DNS proxy using socat Not all DNS clients support connecting to the Tor network directly. The [socat ↗](http://www.dest-unreach.org/socat/) utility bridges this gap by forwarding local ports through the Tor proxy, so any DNS-speaking software can reach the hidden resolver. ### DNS over TCP, TLS, and HTTPS The hidden resolver listens on TCP port 53 (DNS over TCP) and port 853 (DNS over TLS). After setting up a Tor proxy, run the following `socat` command as a privileged user, setting `PORT` to 53 or 853 depending on your protocol: Terminal window ``` PORT=853; socat TCP4-LISTEN:${PORT},reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:${PORT},socksport=9150 ``` From here, you can follow the regular guide for [setting up 1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/), except you should always use `127.0.0.1` instead of `1.1.1.1`. If you need to access the proxy from another device, replace `127.0.0.1` in the `socat` command with your local IP address. ### DNS over HTTPS [As explained in the blog post ↗](https://blog.cloudflare.com/welcome-hidden-resolver/), the preferred method is DNS over HTTPS (DoH), which encrypts the entire DNS query within an HTTPS connection. To set it up: 1. Download `cloudflared` by following the guide for [connecting to 1.1.1.1 using DNS over HTTPS clients](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/). 2. Start a Tor SOCKS proxy and use `socat` to forward port TCP:443 to localhost: Terminal window ``` socat TCP4-LISTEN:443,reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443,socksport=9150 ``` 1. Instruct your machine to treat the `.onion` address as localhost: Terminal window ``` cat << EOF >> /etc/hosts 127.0.0.1 dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion EOF ``` If you run this command more than once, remove duplicate entries from `/etc/hosts` to avoid conflicts. 1. Finally, start a local DNS over UDP daemon: Terminal window ``` cloudflared proxy-dns --upstream "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query" ``` ``` INFO[0000] Adding DNS upstream url="https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query" INFO[0000] Starting DNS over HTTPS proxy server addr="dns://localhost:53" INFO[0000] Starting metrics server addr="127.0.0.1:35659" ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/additional-options/","name":"Other ways to use 1.1.1.1"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/additional-options/dns-over-tor/","name":"DNS over Tor"}}]} ``` --- --- title: Extended DNS error codes description: Extended DNS error codes returned by 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) # Extended DNS error codes [Extended DNS Error Codes ↗](https://www.rfc-editor.org/rfc/rfc8914.html) (defined in RFC 8914) is a method to return additional information about the cause of DNS errors. When a DNS query fails, the standard response code (such as `SERVFAIL`) often does not explain _why_ it failed. Extended DNS Error Codes solve this by attaching a more specific error code and descriptive text to the response, so you can identify the exact cause without guesswork. 1.1.1.1 supports Extended DNS Error Codes. Below is a list of error codes 1.1.1.1 returns, what they mean, and steps you may want to take to resolve the issue. Many of these errors relate to DNSSEC (DNS Security Extensions) — the set of protocols that add cryptographic signatures to DNS records to prevent tampering. Extended DNS Error Codes appear automatically in the `OPT PSEUDOSECTION` of a `dig` response when the server includes them, for example: Terminal window ``` dig @1.1.1.1 example.com A ``` | Code number | Code name | Example output | Next steps | | ----------- | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | 1 | Unsupported DNSKEY Algorithm | EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify example.com. A: unsupported key size, DNSKEY example.com., id = 12345) | The domain did not pass DNSSEC validation. Check which [signature key algorithm](https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/) your website uses and confirm it is supported by 1.1.1.1. | | 2 | Unsupported DS Digest Type | EDE: 2 (Unsupported DS Digest Type): (no supported DS digest type for example.com.) | The domain did not pass DNSSEC validation due to an unsupported digest type on the DS record. If none of the provided DS records are supported, the domain will fail to resolve. Make sure to [add a supported DS record](https://developers.cloudflare.com/dns/dnssec/) with your registrar. | | 3 | Stale Answer | EDE: 3 (Stale Answer) | This is a silent error. It notifies that the DNS resolver could only return stale data. If the issue persists reach out on the 1.1.1.1 [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). | | 6 | DNSSEC Bogus | EDE: 6 (DNSSEC Bogus): (proof of non-existence of example.com. A)EDE: 6 (DNSSEC Bogus): (found duplicate CNAME records for example.com. (1 duplicate RRs)) | This domain did not pass DNSSEC validation. The signatures for the target record, or the proof of non-existence of the target records, are invalid. Check your [DNS configuration](https://developers.cloudflare.com/dns/). | | 7 | Signature Expired | EDE: 7 (Signature Expired): (for DNSKEY example.com., id = 12345: RRSIG example.com., expiration = 123456) | This domain did not pass DNSSEC validation due to an expired signature. Make sure your zone is signed with valid [DNSSEC signatures](https://developers.cloudflare.com/dns/dnssec/troubleshooting/). | | 8 | Signature Not Yet Valid | EDE: 8 (Signature Not Yet Valid): (for DNSKEY example.com., id = 12345: RRSIG example.com., inception = 12345) | This domain did not pass DNSSEC validation. Make sure your zone is signed with valid [DNSSEC signatures](https://developers.cloudflare.com/dns/dnssec/troubleshooting/). | | 9 | DNSKEY Missing | EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for example.com.) | This domain did not pass DNSSEC validation. It does not have a SEP DNSKEY that matches the set of DS records at the registry. Make sure to either sign the zone using keys that match the current DS set, or [add the missing DS records](https://developers.cloudflare.com/dns/dnssec/) with your registrar. | | 10 | RRSIGs Missing | EDE: 10 (RRSIGs Missing): (for DNSKEY example.com., id = 12345) | 1.1.1.1 was unable to retrieve Resource Record Signatures (RRSigs) to verify the authenticity of the records. Check your [DNS configuration](https://developers.cloudflare.com/dns/) and the response code. If the response code is not SERVFAIL, this error indicates that there is a non-operational key issue somewhere along the path, but the resolver found at least one successful path for validation. Examples of non-operational key issues include but are not limited to key rollover in-progress, stand-by key, and attacker stripping signatures made by a certain key. | | 11 | No Zone Key Bit Set | EDE: 11 (No Zone Key Bit Set): (for DNSKEY example.com., id = 12345) | This domain did not pass DNSSEC validation. The zone's SEP DNSKEY must [set a Zone Key flag](https://datatracker.ietf.org/doc/html/rfc4035#section-5.3.1). Check your [DNSSEC configuration](https://developers.cloudflare.com/dns/dnssec/) or DNSSEC's [troubleshooting guide](https://developers.cloudflare.com/dns/dnssec/troubleshooting/). | | 12 | NSEC Missing | EDE: 12 (NSEC Missing): failed to verify an insecure referral proof for example.com | This domain did not pass DNSSEC validation. The upstream nameserver did not include a valid proof of non-existence for the target name. Make sure the zone is [signed with DNSSEC](https://developers.cloudflare.com/dns/dnssec/troubleshooting/) and has valid [NSEC/NSEC3 records](https://www.cloudflare.com/dns/dnssec/dnssec-complexities-and-considerations/). | | 13 | Cached Error | EDE: 13 (Cached Error) | 1.1.1.1 returned a cached error. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). | | 22 | No Reachable Authority | EDE: 22 (No Reachable Authority): (at delegation example.com.) | 1.1.1.1 could not reach some or all of the authoritative nameservers (or they potentially refused to resolve). This can occur if the authoritative nameservers are overloaded or temporarily unavailable. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). | | 23 | Network Error | EDE: 23 (Network Error): (1.1.1.1:53 rcode=SERVFAIL for example.com. A) | 1.1.1.1 could not determine a network path to the upstream nameservers, or the nameserver did not respond. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). | | 30 | Invalid Query Type | EDE: 30 (Invalid Query Type): Invalid Query Type | The record type in the request cannot give a valid answer. If this is returned for standard query types, such as A or AAAA records, please reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/infrastructure/","name":"Infrastructure"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/infrastructure/extended-dns-error-codes/","name":"Extended DNS error codes"}}]} ``` --- --- title: Support for IPv6-only networks description: Use 1.1.1.1 on IPv6-only networks. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ IPv6 ](https://developers.cloudflare.com/search/?tags=IPv6) # Support for IPv6-only networks While network infrastructure is shifting towards IPv6-only networks, providers still need to support IPv4 addresses. Dual-stack networks (networks in which all nodes have both IPv4 and IPv6 connectivity capabilities) can understand both IPv4 and IPv6 packets. However, not all networks are dual-stack, and IPv6-only networks need a translation mechanism to reach IPv4 resources. 1.1.1.1 supports DNS64, a mechanism that synthesizes AAAA records (DNS records that map domain names to IPv6 addresses) from A records (DNS records that map domain names to IPv4 addresses) when no AAAA records exist. This allows IPv6-only clients to receive a usable IPv6 address for destinations that only have an IPv4 address, so the client can still connect through the network's NAT64 gateway. Note You should only turn on DNS64 if you are managing or using an IPv6-only network. While the resolver can synthesize IPv6 addresses, it cannot synthesize their record signatures for domains using DNSSEC (DNS Security Extensions, which add cryptographic signatures to DNS records to verify their authenticity). A DNS client that revalidates signatures would reject these synthesized records because they lack valid signatures. A good tradeoff is to use a secure protocol such as [DNS over TLS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) or [DNS over HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) between the client and the resolver to prevent eavesdropping and tampering on the connection to the resolver. ## Configure DNS64 DNS64 is specifically for networks that already have NAT64 (Network Address Translation from IPv6 to IPv4) support. NAT64 translates IPv6 traffic to IPv4 at the network level, while DNS64 provides the corresponding translated addresses through DNS. If you are a network operator who has NAT64, you can test our DNS64 support by updating it to the following IP addresses: ``` 2606:4700:4700::64 2606:4700:4700::6400 ``` Some devices use separate fields for all eight parts of IPv6 addresses and cannot accept the `::` IPv6 abbreviation syntax. For such fields enter: ``` 2606:4700:4700:0:0:0:0:64 2606:4700:4700:0:0:0:0:6400 ``` ## Test DNS64 After your configuration, visit an IPv4-only address to check if you can reach it over your IPv6-only network. For example, you can visit [https://ipv4.google.com ↗](https://ipv4.google.com). If the page loads, DNS64 and NAT64 are working together to translate your connection. Visit [http://test-ipv6.com/ ↗](http://test-ipv6.com/) to test if it can detect your IPv6 address. If you receive a `10/10`, your IPv6 is configured correctly. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/infrastructure/","name":"Infrastructure"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/infrastructure/ipv6-networks/","name":"Support for IPv6-only networks"}}]} ``` --- --- title: Network operators description: Information for network operators peering with 1.1.1.1. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Network operators Network operators, including Internet Service Providers (ISPs), device manufacturers, public Wi-Fi networks, municipal broadband providers, and security scanning services can use [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/) in place of operating their own recursive DNS infrastructure — DNS servers that resolve queries on behalf of clients by querying authoritative nameservers across the internet. Cloudflare also partners with ISPs and network equipment providers to make [1.1.1.1 for Families](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) available within their offerings. Refer to our [blog post ↗](https://blog.cloudflare.com/safer-resolver/) for details. Using 1.1.1.1 can improve performance for end-users due to Cloudflare's extensive [global network ↗](https://www.cloudflare.com/network/), as well as provide higher overall cache hit rates (the percentage of DNS queries answered from cache rather than requiring a new upstream lookup) due to our regional caches. The 1.1.1.1 resolver was designed with a privacy-first approach. Refer to our [data and privacy policies](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) for what is logged and retained by 1.1.1.1. ## Configuring 1.1.1.1 There are multiple ways to use 1.1.1.1 as an operator: * Including a [DNS over HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) or [DNS over TLS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) proxy on end-user routers or devices (best for privacy). * Pushing 1.1.1.1 to devices via DHCP/PPP (the protocols operators use to automatically assign network settings, including DNS servers, to devices) within an operator network (recommended; most practical). * Having a DNS proxy on an edge router make requests to 1.1.1.1 on behalf of all connected devices. Where possible, we recommend using encrypted transports (DNS over HTTPS or TLS) for queries, as this provides the highest degree of privacy for users over last-mile networks (the final segment of connectivity between the operator and the end user). ## Available Endpoints Note [Cloudflare Zero Trust ↗](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities. If you require additional controls over our public 1.1.1.1 resolver, [contact us ↗](https://www.cloudflare.com/products/zero-trust/). The publicly available endpoints for 1.1.1.1 are detailed in the following table. Each resolver variant serves a different filtering level: the unfiltered resolver performs standard DNS resolution with no content blocking, the Malware variant blocks queries to domains associated with malware and phishing, and the Adult Content + Malware variant blocks adult content in addition to malware and phishing. | Resolver | IPv4 address | IPv6 address | DNS over HTTPS endpoint | DNS over TLS endpoint | | ---------------------------------- | --------------- | ----------------------------------------- | --------------------------------------------- | --------------------------- | | 1.1.1.1 (unfiltered) | 1.1.1.1 1.0.0.1 | 2606:4700:4700::1111 2606:4700:4700::1001 | https://cloudflare-dns.com/dns-query | one.one.one.one | | Families (Malware) | 1.1.1.2 1.0.0.2 | 2606:4700:4700::1112 2606:4700:4700::1002 | https://security.cloudflare-dns.com/dns-query | security.cloudflare-dns.com | | Families (Adult Content + Malware) | 1.1.1.3 1.0.0.3 | 2606:4700:4700::1113 2606:4700:4700::1003 | https://family.cloudflare-dns.com/dns-query | family.cloudflare-dns.com | You may wish to provide end users with options to change from the default 1.1.1.1 resolver to one of the [1.1.1.1 for Families](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) endpoints. ## Rate Limiting Operators using 1.1.1.1 for typical Internet-facing applications and/or users should not encounter any rate limiting for their users. In some rare cases, security scanning use-cases or proxied traffic may be rate limited to protect our infrastructure as well as upstream DNS infrastructure from potential abuse. Best practices include: * Avoiding tunneling or proxying all queries from a single IP address at high rates. Distributing queries across multiple public IPs will improve this without impacting cache hit rates (caches are regional). * A high rate of "uncacheable" responses (such as `SERVFAIL`, a DNS response code indicating the server failed to complete the query) against the same domain may be rate limited to protect upstream, authoritative nameservers (the DNS servers that hold the official records for a domain). Many authoritative nameservers enforce their own rate limits, and we strive to avoid overloading third party infrastructure where possible. ## Help If you are a network operator and still have outstanding questions, contact `resolver@cloudflare.com` with your use case, so it can be discussed further. Make sure to visit [1.1.1.1/help ↗](https://one.one.one.one/help) from within your network and share the resulting report when contacting Cloudflare. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/infrastructure/","name":"Infrastructure"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/infrastructure/network-operators/","name":"Network operators"}}]} ``` --- --- title: SLA and technical support description: SLA and support details for the 1.1.1.1 resolver. image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/1.1.1.1/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # SLA and technical support As you use 1.1.1.1 in your infrastructure or service, note that dedicated technical support is limited. You are subject to the [Cloudflare Website and Online Services Terms of Use ↗](https://www.cloudflare.com/website-terms/) and no service level agreements (SLAs) are provided. If you need SLAs and dedicated support, consider using [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) instead. Gateway adds policy-based DNS filtering and management. Gateway includes other advanced options such as domain categories, customized filtering, and scheduling capabilities. For example, if you are a device manufacturer or network operator, you can use a multi-tenant environment — where a single deployment serves multiple separate customers — to allow your customers to configure their own individual filters. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/1.1.1.1/","name":"1.1.1.1 (DNS Resolver)"}},{"@type":"ListItem","position":3,"item":{"@id":"/1.1.1.1/infrastructure/","name":"Infrastructure"}},{"@type":"ListItem","position":4,"item":{"@id":"/1.1.1.1/infrastructure/sla-and-support/","name":"SLA and technical support"}}]} ```