1.1.1.1 Public DNS Resolver
By the end of this lesson you will understand how 1.1.1.1 works, how to configure DoH and DoT for encrypted DNS, and why Cloudflare's resolver is a privacy advantage over default ISP resolvers.
What Is 1.1.1.1?
1.1.1.1 is Cloudflare's free, public recursive DNS resolver. It is the service that looks up domain names on behalf of your device when you browse the internet.
Unlike Cloudflare's authoritative DNS (which hosts your domain's records), 1.1.1.1 is a recursive resolver that any person or device can use to resolve any domain. It sits between your device and the internet's DNS hierarchy.
```mermaid
flowchart LR
DEVICE["Your Device"] -->|DNS Query| RESOLVER["1.1.1.1\n(Cloudflare Resolver)"]
RESOLVER -->|Recursive Lookup| ROOT["Root Servers"]
RESOLVER -->|Recursive Lookup| TLD[".com / .org TLD"]
RESOLVER -->|Recursive Lookup| AUTH["Authoritative DNS\n(Any Provider)"]
AUTH -->|Answer| RESOLVER
RESOLVER -->|Answer| DEVICE
style RESOLVER fill:#f6821f,color:#fff,stroke:#e5711e
```
Authoritative vs Recursive — What's the Difference?
| | Authoritative DNS | Recursive Resolver (1.1.1.1) |
|---|---|---|
| Role | Holds the official records for a specific domain | Looks up records for any domain on your behalf |
| Who uses it | Domain owners configure it | End users / devices query it |
| Cloudflare product | Cloudflare DNS (zone management) | 1.1.1.1 (public resolver) |
| Analogy | The phone book publisher | The librarian who looks up numbers for you |
Why Use 1.1.1.1?
Speed
1.1.1.1 is consistently the fastest public DNS resolver available:
| Resolver | Provider | Average Global Latency |
|---|---|---|
| 1.1.1.1 | Cloudflare | ~11ms |
| 8.8.8.8 | Google | ~34ms |
| 9.9.9.9 | Quad9 | ~20ms |
| ISP Default | Varies | 30–80ms |
Privacy
Cloudflare's privacy commitments for 1.1.1.1:
- No user IP logging — Cloudflare does not write the source IP to disk
- No selling of data — The resolver is not used for advertising
- Independent audit — KPMG audits 1.1.1.1's privacy practices annually
- Data purged in 24 hours — Transient debugging logs are deleted within 24 hours
Security
- DNSSEC validation enabled by default — rejects tampered DNS responses
- DNS over HTTPS (DoH) and DNS over TLS (DoT) — encrypts your queries
- Malware and adult content filtering available via 1.1.1.2 and 1.1.1.3
DNS over HTTPS (DoH)
DoH encrypts DNS queries inside regular HTTPS traffic. This prevents your ISP, network operator, or eavesdropper from seeing which domains you're resolving.
Endpoint
https://cloudflare-dns.com/dns-query
How It Works
```mermaid
sequenceDiagram
participant Browser
participant DoH as 1.1.1.1 DoH Endpoint
participant Auth as Authoritative DNS
Browser->>DoH: HTTPS POST /dns-query (encrypted)
DoH->>Auth: Standard DNS lookup
Auth-->>DoH: DNS response
DoH-->>Browser: HTTPS response (encrypted)
Note over Browser,DoH: Entire exchange encrypted with TLS
```
Configuring DoH
In Firefox:
- Settings → Privacy & Security → DNS over HTTPS
- Select "Max Protection"
- Provider: `https://cloudflare-dns.com/dns-query`
In Chrome:
- Settings → Privacy and Security → Security
- Enable "Use secure DNS"
- Select "Cloudflare (1.1.1.1)"
System-wide with cloudflared:
```bash
# Install cloudflared (writing into /usr/local/bin needs root)
sudo curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \
  -o /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
# Run as a local DNS proxy: listens on 127.0.0.1 and forwards every query over DoH
# (port 5053 is used here so the test does not need root for port 53)
cloudflared proxy-dns --port 5053 --upstream https://cloudflare-dns.com/dns-query
# Test it
dig @127.0.0.1 -p 5053 example.com
```
Testing DoH with curl
```bash
# JSON format
curl -s -H "accept: application/dns-json" \
  "https://cloudflare-dns.com/dns-query?name=example.com&type=A" | jq
# Wire format (RFC 8484)
curl -s -H "accept: application/dns-message" \
  "https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" \
  | hexdump -C
```
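To show what the `dns=` parameter in the wire-format request above actually carries, here is an added Python example written for this lesson (it is not Cloudflare's code and not code from the original page). It builds the same RFC 8484 query for `example.com`, base64url-encodes it to the exact string used in the curl command, and parses a constructed sample reply (the bytes are made up here, not captured from 1.1.1.1) to show the two fields a client should check: the RCODE and the AD flag, which is how a validating resolver signals that the answer passed DNSSEC. Only `doh_post`, which performs a real POST to the page's endpoint, needs network access; `QTYPE`, `SAMPLE_RESPONSE` and the function names are this example's own.

```python
from __future__ import annotations

import base64
import ipaddress
import struct
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # endpoint from the page
QTYPE = {"A": 1, "AAAA": 28}                             # record types handled by this example
RTYPE_NAME = {v: k for k, v in QTYPE.items()}


def build_query(name: str, qtype: str = "A", msg_id: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query with the RD (recursion desired) bit set.

    RFC 8484 recommends ID 0 for DoH so identical queries give identical,
    cacheable URLs; that is why the page's example begins with 'AAAB'.
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)   # class IN


def to_doh_param(wire: bytes) -> str:
    """base64url without '=' padding, as the GET 'dns=' parameter requires."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # the name ends after the 2-byte pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg: bytes) -> dict:
    """Return the flags a client should check plus any A/AAAA answers."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype in RTYPE_NAME:
            answers.append((name, RTYPE_NAME[rtype], str(ipaddress.ip_address(rdata)), ttl))
    return {
        "id": msg_id,
        "rcode": flags & 0x000F,              # 0 = NOERROR
        "ad": bool(flags & 0x0020),           # AD bit: resolver validated DNSSEC
        "answers": answers,
    }


def doh_post(wire: bytes, endpoint: str = DOH_ENDPOINT) -> dict:
    """Live RFC 8484 POST; the only function here that needs network access."""
    req = urllib.request.Request(
        endpoint, data=wire, method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample reply (not captured from 1.1.1.1): flags QR+RD+RA+AD,
# NOERROR, one A record for example.com with TTL 3600 and a sample address.
SAMPLE_RESPONSE = (
    build_query("example.com")[:2]                       # same ID as the query
    + struct.pack("!HHHHH", 0x81A0, 1, 1, 0, 0)
    + build_query("example.com")[12:]                    # echoed question section
    + b"\xc0\x0c"                                        # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(to_doh_param(build_query("example.com")))      # same string as the curl example
    print(parse_response(SAMPLE_RESPONSE))
```

Running the block prints the base64url string from the curl command, which confirms that the opaque-looking parameter is just a 29-byte plain DNS query with ID 0. A client that forwards through DoH should still look at `rcode` and, when it relies on DNSSEC, at `ad`; the transport being encrypted says nothing about whether the answer was validated.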
DNS over TLS (DoT)
DoT encrypts DNS queries over a dedicated TLS connection on port 853. Unlike DoH (which uses port 443), DoT uses a separate port, making it easier for network operators to identify DNS traffic.
Endpoint
tls://1.1.1.1 (port 853)
tls://1.0.0.1 (port 853)
How It Works
```mermaid
sequenceDiagram
participant Client
participant DoT as 1.1.1.1:853 (DoT)
Client->>DoT: TLS handshake (port 853)
Client->>DoT: DNS query (encrypted)
DoT-->>Client: DNS response (encrypted)
Note over Client,DoT: Encrypted with TLS on dedicated port 853
```
Configuring DoT
On Linux with systemd-resolved, in `/etc/systemd/resolved.conf` (the `#cloudflare-dns.com` suffix is the name systemd-resolved checks against the resolver's TLS certificate):
```ini
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
```
```bash
# Restart systemd-resolved
sudo systemctl restart systemd-resolved
# Verify
resolvectl status
```
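For comparison with the `DNSOverTLS=yes` setting above, here is an added Python example (written for this lesson, not from the page or from systemd) of what a DoT client does on the wire: it takes the page's RFC 8484 example query, applies the 2-byte length framing that RFC 7858 inherits from DNS over TCP, and builds a TLS context that requires a verified certificate for `cloudflare-dns.com`, the same check the `#cloudflare-dns.com` suffix asks systemd-resolved to perform. `dot_unframe` also handles a reply that arrives split across reads, a common client bug. The constants and function names are this example's own assumptions; only `dot_query` needs network access.

```python
import base64
import socket
import ssl
import struct

# Values from the page: resolver address, DoT port and the certificate name
# that the '#cloudflare-dns.com' suffix in resolved.conf asks systemd to verify.
DOT_SERVER = "1.1.1.1"
DOT_PORT = 853
DOT_SERVER_NAME = "cloudflare-dns.com"

# The page's RFC 8484 example query (example.com, type A), decoded to wire form.
EXAMPLE_QUERY = base64.urlsafe_b64decode("AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" + "=")


def dot_frame(wire: bytes) -> bytes:
    """RFC 7858 reuses the TCP framing of RFC 1035: a 2-byte big-endian length prefix."""
    if len(wire) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(wire)) + wire


def dot_unframe(buf: bytes) -> tuple:
    """Pull every complete message off a stream buffer.

    Returns (messages, leftover). A TLS/TCP stream may deliver half a frame
    or two frames in one read, so the caller keeps the leftover bytes and
    calls again after the next read.
    """
    messages = []
    while len(buf) >= 2:
        length = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + length:
            break                             # wait for the rest of this frame
        messages.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return messages, buf


def make_dot_context() -> ssl.SSLContext:
    """TLS settings a DoT client should insist on: verified chain and hostname."""
    ctx = ssl.create_default_context()        # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def dot_query(wire: bytes, server: str = DOT_SERVER,
              server_name: str = DOT_SERVER_NAME) -> bytes:
    """Live DoT exchange (needs network; not used by the offline checks)."""
    ctx = make_dot_context()
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        # server_hostname is what the certificate is verified against, even
        # though the TCP connection was made to the bare IP address.
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(wire))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply arrived")
                buf += chunk
                messages, buf = dot_unframe(buf)
                if messages:
                    return messages[0]


if __name__ == "__main__":
    framed = dot_frame(EXAMPLE_QUERY)
    print(framed[:2].hex(), len(EXAMPLE_QUERY))      # length prefix and the 29-byte query
    print(dot_unframe(framed + framed[:10]))          # one message plus 10 leftover bytes
```

The two things this makes visible are that DoT is ordinary TCP-style DNS inside a TLS session (which is why port 853 is trivially identifiable, as the comparison table notes), and that the `#hostname` part of the systemd setting is not decoration: without a server name to verify, a client on a hostile network would accept any certificate presented by whatever answers on 853.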
On Android (9+):
- Settings → Network & Internet → Private DNS
- Enter: `one.one.one.one`
DoH vs DoT Comparison
| Feature | DoH | DoT |
|---|---|---|
| Port | 443 (HTTPS) | 853 |
| Protocol | HTTPS | TLS |
| Blends with web traffic | ✅ Yes — indistinguishable from regular HTTPS | ❌ No — separate port makes it identifiable |
| Network blocking | Harder to block (same as all HTTPS) | Easier to block (just block port 853) |
| Browser support | ✅ Built-in (Firefox, Chrome, Edge) | ❌ Usually OS-level only |
| Best for | Personal privacy on public networks | Organizational deployments |
Filtered Resolvers
Cloudflare offers filtered variants of 1.1.1.1 that block malware or adult content:
| Resolver IP | Blocks | Use Case |
|---|---|---|
| 1.1.1.1 / 1.0.0.1 | Nothing (pure resolver) | Default, fastest, no filtering |
| 1.1.1.2 / 1.0.0.2 | Malware | Family-safe networks, basic protection |
| 1.1.1.3 / 1.0.0.3 | Malware + adult content | Child-safe environments |
The filtered resolvers (1.1.1.2 and 1.1.1.3) also support DoH and DoT:
- Malware: `https://security.cloudflare-dns.com/dns-query`
- Malware + Adult: `https://family.cloudflare-dns.com/dns-query`
Configuring 1.1.1.1 on Your System
Linux
```bash
# Option A: write /etc/resolv.conf directly (DHCP clients or NetworkManager may overwrite it)
sudo sh -c 'echo "nameserver 1.1.1.1" > /etc/resolv.conf'
sudo sh -c 'echo "nameserver 1.0.0.1" >> /etc/resolv.conf'
# Option B: with NetworkManager, set the DNS servers on the connection profile
# and ignore the servers handed out by DHCP
nmcli connection modify "your-connection" ipv4.dns "1.1.1.1 1.0.0.1"
nmcli connection modify "your-connection" ipv4.ignore-auto-dns yes
nmcli connection up "your-connection"
```
Router Level
Configure your router's DHCP settings to distribute 1.1.1.1 to all devices:
- Access your router's admin panel
- Find DNS settings (usually under WAN or DHCP)
- Set Primary DNS: 1.1.1.1, Secondary DNS: 1.0.0.1
This points every device on your network at 1.1.1.1. Note that DHCP only hands out the resolver address: the devices' queries travel as plain DNS on port 53 unless the router itself (or each device) is also configured for DoH or DoT.
Common Misconceptions
"1.1.1.1 is the same as Cloudflare DNS for my domain"
Reality: They are completely different products. 1.1.1.1 is a public recursive resolver anyone can use. Cloudflare DNS (authoritative) hosts the records for your specific domain. You can use one without the other.
"Using 1.1.1.1 means Cloudflare can see all my traffic"
Reality: DNS only resolves domain names to IP addresses. Cloudflare sees the domain you're looking up, but not the page content, URL path, or any data you send/receive. With DoH/DoT, the query itself is encrypted between your device and the resolver, so your ISP or local network cannot read it either.
"DoH and DoT are the same thing"
Reality: Both encrypt DNS queries, but they use different protocols and ports. DoH blends with web traffic (port 443), making it harder to block. DoT uses a dedicated port (853), making it easier to manage in enterprise networks.
Key Takeaways
- 1.1.1.1 is the world's fastest public DNS resolver — free, private, and audited.
- DoH (DNS over HTTPS) encrypts DNS inside HTTPS on port 443 — best for personal privacy.
- DoT (DNS over TLS) encrypts DNS on port 853 — best for organizational deployments.
- Filtered variants (1.1.1.2, 1.1.1.3) block malware and adult content at the DNS level.
- 1.1.1.1 is a recursive resolver — it is separate from Cloudflare's authoritative DNS product.
What's Next
- Continue to Domain Registrar to learn about registering domains directly through Cloudflare at cost price.