Cloudflare 1.1.1.1

CLOUDFLARE RESOLVER PRIVACY FREQUENTLY ASKED QUESTIONS

WHAT IS THE CLOUDFLARE RESOLVER?

Every time you type a web address such as www.cloudflare.com into a web browser, the web browser sends a query to a DNS resolver. If DNS is like the card catalog of the Internet, then a DNS resolver is like a helpful librarian that knows how to use the information from that catalog to track down the exact location of a website. Whenever a resolver receives your query, it looks up the IP address associated with the web address that you entered and relays that information to your web browser. “DNS resolution” as this process is referred to, is a crucial component of your Internet experience. Without DNS resolution, your web browser would be unable to communicate with the servers that host your favorite websites since communication requires knowing the IP addresses of those websites.

For most Internet users the DNS resolver that they use is either the one that comes with the operating system running on their machines or the one that is set by their network provider. Unfortunately, what this means is that your DNS is usually slow and insecure. Moreover, your Internet service provider, and anyone else listening in on the Internet, can see every website that you visit and every app that you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

Given the current state of affairs, Cloudflare decided that it was time to create a DNS resolver with your privacy and security in mind. What this means is that whenever you click on or type a web address in your internet browser your DNS lookup request will be sent over a secure channel to the Cloudflare Resolver rather than to an unknown DNS resolver, significantly decreasing the odds of any unwanted spying or man in the middle attacks.

WHAT IS THE CLOUDFLARE PROMISE?

Cloudflare understands how important your data is to you which is why we promise to use the information that we collect from the Cloudflare Resolver solely to improve the performance of Cloudflare Resolver and to assist us in our debugging efforts if an issue arises. The Cloudflare Resolver is governed by our Privacy Policy. We have provided additional details here because we want you to understand what we will and will not be doing with your data when you use our 1.1.1.1. Resolver. In addition to limiting our collection and use of your data, Cloudflare also promises:

Cloudflare will not retain or sell or transfer to any third party (except as described in the section below and as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent to the Cloudflare Resolver;

Cloudflare will not combine the data that it collects from DNS queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users; and

Cloudflare will not sell, license, sublicense, or grant any rights to your data that we collect from DNS queries to any other person or entity without your consent. For additional information on Cloudflare’s information-sharing policies, please see our Privacy Policy.

WHAT INFORMATION DOES THE CLOUDFLARE RESOLVER COLLECT?

Cloudflare will collect only the following anonymized DNS query data that is sent to the Cloudflare Resolver:

  • Timestamp
  • IP Version (IPv4 vs IPv6)
  • Cloudflare Resolver IP address + Destination Port
  • Protocol (TCP, UDP, TLS or HTTPS)
  • Query Name
  • Query Type
  • Query Class
  • Query Rd bit set
  • Query Do bit set
  • Query Size
  • Query EDNS enabled
  • EDNS Version
  • EDNS Requested Max Buffer Size
  • EDNS Nsid
  • Response Type (normal, timeout, blocked)
  • Response Code
  • Response Size
  • Records in Response
  • Response Time in Milliseconds
  • Response served from Cache
  • DNSSEC Validation State (secure, insecure, bogus, indeterminate)
  • PoP ID
  • Server ID
  • Autonomous System Number

Except for the three DNS query types discussed below, all of the log information above will be deleted within 24 hours of Cloudflare’s receipt of such information.

There is some telemetry information (i.e. performance related metrics), however, that Cloudflare will store indefinitely as part of its permanent logs in order to assist Cloudflare in enhancing the overall performance of Cloudflare Resolver and identifying security threats. Cloudflare will only store permanent logs of the following such information:

  • Total number of queries with different protocol settings (e.g tcp/udp/dnssec) by Cloudflare PoP
  • Response code/time quantiles with different protocol settings by Cloudflare PoP
  • Total Number of Requests Processed by Cloudflare PoP
  • Aggregate List of All Domain Names Requested, and timestamp of first time requested
  • Number of unique users, queries over IPv4, queries over IPv6, queries with the RD bit set, queries asking for DNSSEC, number of bogus, valid, and invalid DNSSEC answers, queries by type, number of answers with each response code, response time quantiles (e.g. 50 percentile), and number of cached answers per minute, per day, per protocol (HTTPS/UDP/TCP/TLS), per Cloudflare data center, and per Autonomous System Number.
  • Number of queries, number of queries with EDNS, number of bytes and time in answers quantiles (e.g. 50 percentile) by day, month, Cloudflare data center, and by IPv4 vs IPv6.
  • Number of queries, response codes and response code quantiles (e.g. 50 percentile) by day, region, name and type.

All information collected by Cloudflare, no matter whether such information is part of Cloudflare’s temporary or permanent logs, will be cleansed of any personally identifiable data (including your IP addresses). Additionally information that is stored as part of Cloudflare’s permanent logs will be further anonymized.

WILL CLOUDFLARE SHARE MY DATA WITH ANYONE?

Cloudflare has partnered with APNIC, the regional internet registry for the Asia-Pacific region to make the 1.1.1.1 IP address the home of the Cloudflare Resolver. As part of its mission to ensure a global, open and secure Internet, APNIC conducts research about the functioning and governance of the Internet, which it makes available on its website, located at www.apnic.net.

Cloudflare has agreed to provide APNIC with access to some of the data that Cloudflare collects through the Cloudflare Resolver. Specifically, APNIC will be permitted to access query names, query types, resolver location and other metadata via a Cloudflare API, that will allow APNIC to study topics like the volume of DDoS attacks launched on the Internet and adoption of IPv6.

In return for access to the Cloudflare Resolver data, APNIC has agreed to use such data solely for non-profit operational research. APNIC has also agreed not to use the data in any manner that would allow it to associate any individual with a DNS query, or publish any studies containing any references to particular query names or individual behavior. As part of Cloudflare’s commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address or port associated with a client.

Aside from APNIC, Cloudflare will not share your data with any third party.