
How to use Cloudflare's DNS service to speed up and secure your internet

Cloudflare's new Domain Name System promises to both speed up your internet access and protect your privacy.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Cloudflare is an old hand at speeding up corporate internet services with its content delivery network (CDN). The company is also a pro at blocking Distributed Denial of Service (DDoS) attacks. Now, with its new 1.1.1.1 public Domain Name System (DNS) resolver, it can speed up and secure your web browsing, as well.

What is DNS and how does it work?

DNS is the Internet's master phone book. It turns human-readable domain names, such as cbsinteractive.com, into Internet Protocol (IP) addresses such as 64.30.228.118. For all practical purposes, every time you go anywhere on the internet, you start by interacting with DNS.

This takes time. A complex webpage can require multiple DNS lookups -- one for the text, another for an image, another for an ad on the page, and so on -- before your page loads. Each DNS lookup takes an average of 32 milliseconds (ms). That really slows down many websites. So, when you speed up your DNS lookups, you'll get faster internet performance.

There have been fast DNS services for years to help you. My favorites are Cisco OpenDNS and Google Public DNS. According to Olafur Gudmundsson, Cloudflare's director of engineering, Cloudflare's 1.1.1.1 will be faster than the others because "we are already building data centers all over the globe to reduce the distance (i.e. latency) from users to content. Eventually we want everyone to be within 10 milliseconds of at least one of our locations."

In addition, the Cloudflare public DNS resolver uses the open-source Knot Resolver. This has aggressive caching and "negative caching" to improve performance. The first uses a distributed cache to improve the odds that, when you search for a popular site, Knot will already have the IP address ready to deliver to you. The second, based on RFC 8198, caches popular mistakes -- wwww instead of www, for example -- so minimal time is used in returning an error message.

The reasons why you should hide your IP address

While 1.1.1.1 is fast, its biggest improvement comes with protecting your privacy. When the Federal Communications Commission gutted net neutrality, it also opened the door for ISPs to track all your internet searches. ISPs can sell, and are selling, your browsing data.

What can you do about it? One solution is to use a virtual private network (VPN). Another is to stop using your ISP's DNS service and switch to an independent DNS resolver.

What is 1.1.1.1 and how does it work?

What 1.1.1.1 brings to the table, that the others haven't, is a focus on user privacy.

To do this, Cloudflare has committed itself to never using DNS browsing data to target ads. The company has also committed to never recording your IP address and wiping all DNS logs within 24 hours. You don't need to take its word for it. Cloudflare has contracted KPMG, the well-respected auditing firm, to annually audit its code and practices and publish a public report confirming it's keeping its word.

Technically, Cloudflare is also protecting your privacy by adding support for DNS-over-TLS and DNS-over-HTTPS. DNS-over-TLS takes the existing, insecure DNS protocol and adds transport layer encryption. DNS-over-HTTPS includes not only security, it also supports forthcoming internet protocols such as Quick UDP Internet Connections (QUIC) and HTTP/2 Server Push.

So, do you want faster, more secure DNS? Here's how to make 1.1.1.1 work for you.

Router

If you're using a router for your office network DNS settings -- and you probably are -- log in and find your DNS server settings. Once there, note down your existing DNS records and replace them with the following:

  • For IPv4: 1.1.1.1 and 1.0.0.1
  • For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001

That's it. The next time your computers look up a website, they'll use the 1.1.1.1 DNS services.

Windows

With Windows, click on the Start menu, then click on Control Panel, and do the following:

  1. Click on Network and Internet.
  2. Click on Change Adapter Settings.
  3. Right click on the Wi-Fi network you are connected to, then click Properties.
  4. Select Internet Protocol Version 4 (or Version 6 if desired).
  5. Click Properties.
  6. Write down any existing DNS server entries for future reference.
  7. Click Use The Following DNS Server Addresses.
  8. Replace those addresses with the 1.1.1.1 DNS addresses:
  • For IPv4: 1.1.1.1 and 1.0.0.1
  • For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001

macOS

For macOS, open System Preferences, and then do the following:

  1. Search for DNS Servers and select it from the dropdown.
  2. Click the + button to add a DNS Server and enter 1.1.1.1
  3. Click + again and enter 1.0.0.1
  4. Click Ok, then click Apply.

Linux

With Linux, use Network Manager. There, click the IPv4 or IPv6 tab to view your DNS settings, and then do the following steps:

  1. Set the "Automatic" toggle on the DNS entry to Off.
  2. Provide the 1.1.1.1 DNS addresses in the DNS entries field:
    • For IPv4: 1.1.1.1,1.0.0.1
    • For IPv6: 2606:4700:4700::1111,2606:4700:4700::1001
  3. Click Apply, then restart your browser.
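
A way to confirm the change took effect on a Linux host, shown as an added example that is not part of the original article. It assumes the active resolver list is available in resolv.conf format (typically /etc/resolv.conf, a path the article does not mention); the sample input is constructed.

```python
import ipaddress

# The four 1.1.1.1 resolver addresses listed in the article
CLOUDFLARE = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001")}

# Constructed sample: Cloudflare entries plus a leftover router address
SAMPLE = """# constructed sample
nameserver 1.1.1.1
nameserver 2606:4700:4700:0:0:0:0:1001
nameserver 192.168.1.1
"""

def audit_resolv_conf(text):
    """Classify each nameserver line of a resolv.conf-style file."""
    report = {"cloudflare": [], "local_stub": [], "other": [], "invalid": []}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        raw = fields[1].split("%", 1)[0]  # drop an IPv6 zone id (fe80::1%eth0)
        try:
            addr = ipaddress.ip_address(raw)  # also normalises long-form IPv6
        except ValueError:
            report["invalid"].append(fields[1])
            continue
        if addr in CLOUDFLARE:
            report["cloudflare"].append(str(addr))
        elif addr.is_loopback:
            report["local_stub"].append(str(addr))
        else:
            report["other"].append(str(addr))
    return report

def verdict(report):
    """Summarise whether every lookup goes to the 1.1.1.1 service."""
    if report["other"] or report["invalid"]:
        return "mixed"            # some lookups may still reach another resolver
    if report["local_stub"]:
        return "check-upstream"   # a local forwarder decides the real upstream
    return "cloudflare-only" if report["cloudflare"] else "no-resolver"
```

A "check-upstream" result means the file points at a forwarder on the machine itself, so the upstream servers have to be checked in that forwarder's own configuration.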

iPhone

From your iPhone's home screen, open the Settings app.

  1. Tap Wi-Fi, then tap your preferred network in the list.
  2. Tap Configure DNS, then tap Manual.
  3. If there are any existing entries, tap the - button, and Delete next to each one.
  4. Tap the + Add Server button, then type 1.1.1.1
  5. Tap the + Add Server button again, then type 1.0.0.1. This is for redundancy.
  6. Tap the Save button on the top right.

Android

On Android, it's far harder to set up DNS than with other operating systems.

The easiest way, which works across most Android devices, is to install DNS Changer. This works by creating a local VPN network on your device. This VPN only exists within your device and your mobile or Wi-Fi connection. To use it, you place 1.1.1.1 and 1.0.0.1 in as your DNS entries.

Can your ISP still snoop on you? You bet. But, it'll have to go to some trouble instead of simply grabbing the low-hanging fruit of your DNS searches. Using 1.1.1.1 gives you more privacy protection, but it's not perfect.
