---
title: 1.1.1.1 (DNS Resolver)
description: Fast, private DNS resolution with Cloudflare 1.1.1.1 public resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# 1.1.1.1 (DNS Resolver)

Speed up your online experience with Cloudflare's public DNS resolver.

 Available on all plans 

1.1.1.1 is Cloudflare’s public DNS resolver. It offers a fast and private way to browse the Internet. [DNS resolvers ↗](https://www.cloudflare.com/learning/dns/what-is-dns/) translate domains like `cloudflare.com` into the IP addresses necessary to reach the website (like `104.16.123.96`).

Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. 1.1.1.1 has also been measured to be the [fastest DNS resolver available ↗](https://www.dnsperf.com/#!dns-resolvers) — it is deployed in [hundreds of cities worldwide ↗](https://www.cloudflare.com/network/), and has access to the addresses of millions of domain names on the same servers it runs on.

1.1.1.1 is completely free. Setting it up takes minutes and requires no special software.

---

## Features

###  1.1.1.1 for Families 

1.1.1.1 for Families has additional protection against malware and adult content.

[ Use 1.1.1.1 for Families ](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) 

###  Encrypted service 

1.1.1.1 offers an encrypted service through DNS over HTTPS (DoH) or DNS over TLS (DoT) for increased security and privacy. You can also access 1.1.1.1 [as a Tor hidden service](https://developers.cloudflare.com/1.1.1.1/additional-options/dns-over-tor/).

[ Use Encrypted service ](https://developers.cloudflare.com/1.1.1.1/encryption/) 

---

## Related products

**[WARP Client](https://developers.cloudflare.com/warp-client/)** 

Access the Internet in a more secure and private way.

**[DNS](https://developers.cloudflare.com/dns/)** 

Cloudflare's global DNS platform provides speed and resilience. DNS customers also benefit from free DNSSEC, and protection against route leaks and hijacking.

**[Cloudflare Spectrum](https://developers.cloudflare.com/spectrum/)** 

Secure and accelerate your TCP or UDP based applications.


---

---
title: IP addresses
description: Get IPv4 and IPv6 addresses for Cloudflare DNS resolvers, 1.1.1.1 and 1.1.1.1 for Families.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# IP addresses

Refer to the tables below for the IPv4 and IPv6 addresses used by the different Cloudflare DNS resolver offerings.

For detailed guidance refer to [Set up](https://developers.cloudflare.com/1.1.1.1/setup/).

---

## 1.1.1.1

1.1.1.1 is Cloudflare’s public DNS resolver. It offers a fast and private way to browse the Internet.

| IPv4    | IPv6                 |
| ------- | -------------------- |
| 1.1.1.1 | 2606:4700:4700::1111 |
| 1.0.0.1 | 2606:4700:4700::1001 |

Refer to [Encryption](https://developers.cloudflare.com/1.1.1.1/encryption/) to learn how to use 1.1.1.1 in an encrypted way.

---

## 1.1.1.1 for Families

1.1.1.1 for Families categorizes destinations on the Internet based on the potential threat they pose regarding malware, phishing, or other types of security risks.

For more information, refer to [1.1.1.1 for Families set up](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families).

### Block malware

| IPv4    | IPv6                 |
| ------- | -------------------- |
| 1.1.1.2 | 2606:4700:4700::1112 |
| 1.0.0.2 | 2606:4700:4700::1002 |

### Block malware and adult content

| IPv4    | IPv6                 |
| ------- | -------------------- |
| 1.1.1.3 | 2606:4700:4700::1113 |
| 1.0.0.3 | 2606:4700:4700::1003 |


---

---
title: Set up
description: Learn how to set up Cloudflare's 1.1.1.1 DNS resolver for enhanced security and privacy. Protect against malware and adult content with easy configuration.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Set up

By default, the [DNS server ↗](https://www.cloudflare.com/learning/dns/what-is-dns/) your devices use is provided by your Internet service provider (ISP). Some [ISPs and network equipment providers](https://developers.cloudflare.com/1.1.1.1/infrastructure/network-operators/) partner with Cloudflare to add safer browsing to their offerings.

If your providers are not currently using Cloudflare, you can change the DNS settings on your device or router as detailed in the following instructions.

Device or router specific guides

* [ Android ](https://developers.cloudflare.com/1.1.1.1/setup/android/)
* [ Azure ](https://developers.cloudflare.com/1.1.1.1/setup/azure/)
* [ Gaming consoles ](https://developers.cloudflare.com/1.1.1.1/setup/gaming-consoles/)
* [ Google Cloud ](https://developers.cloudflare.com/1.1.1.1/setup/google-cloud/)
* [ iOS ](https://developers.cloudflare.com/1.1.1.1/setup/ios/)
* [ Linux ](https://developers.cloudflare.com/1.1.1.1/setup/linux/)
* [ macOS ](https://developers.cloudflare.com/1.1.1.1/setup/macos/)
* [ Router ](https://developers.cloudflare.com/1.1.1.1/setup/router/)
* [ Windows ](https://developers.cloudflare.com/1.1.1.1/setup/windows/)

You can also set up [1.1.1.1 for Families](#1111-for-families) for an added layer of protection on your home network against malware and adult content. 1.1.1.1 for Families leverages Cloudflare's global network to ensure that it is fast and secure around the world, and includes the same [strong privacy guarantees](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) that Cloudflare committed to when launching 1.1.1.1.

---

## 1.1.1.1 for Families

1.1.1.1 for Families categorizes destinations on the Internet based on the potential threat they pose regarding malware, phishing, or other types of security risks.

1.1.1.1 for Families has two default options:

Block malware

Use the following DNS resolvers to block malicious content:

* `1.1.1.2`
* `1.0.0.2`
* `2606:4700:4700::1112`
* `2606:4700:4700::1002`

Block malware and adult content

Use the following DNS resolvers to block malware and adult content:

* `1.1.1.3`
* `1.0.0.3`
* `2606:4700:4700::1113`
* `2606:4700:4700::1003`

Cloudflare returns `0.0.0.0` if the [fully qualified domain name (FQDN) ↗](https://en.wikipedia.org/wiki/Fully%5Fqualified%5Fdomain%5Fname) or IP in a DNS query is classified as malicious.

Domain miscategorization

If you are using 1.1.1.1 for Families and see a domain that you believe is miscategorized, [fill in this form ↗](https://radar.cloudflare.com/categorization-feedback/) to bring it to our attention. Your submission will remain anonymous.

We review these submissions to improve Cloudflare’s categorization.

### Test 1.1.1.1 for Families

After configuring 1.1.1.1 for Families, you can test if it is working as intended with the following URLs:

* [https://malware.testcategory.com/ ↗](https://malware.testcategory.com/): Use this to test if 1.1.1.1 for Families is blocking known malware addresses correctly.
* [https://nudity.testcategory.com/ ↗](https://nudity.testcategory.com/): Use this to test if 1.1.1.1 for Families is blocking known adult content and malware addresses correctly.

### DNS over HTTPS (DoH)

If you have a DoH-compliant client, such as a compatible router, you can set up 1.1.1.1 for Families to encrypt your DNS queries over HTTPS. This prevents spoofing and tracking by malicious actors, advertisers, ISPs, and others. For more information on DoH, refer to the [Learning Center article on DNS encryption ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/).

To configure an encrypted DoH connection to 1.1.1.1 for Families, type one of the following URLs into the appropriate field of your DoH-compliant client:

Block malware

```
https://security.cloudflare-dns.com/dns-query
```

Block malware and adult content

```
https://family.cloudflare-dns.com/dns-query
```
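
The check described under "Test 1.1.1.1 for Families" can also be made at the protocol level. The following Python sketch is an added example, not Cloudflare's code: it builds an RFC 8484 DoH GET URL for the endpoints above and reports whether a DNS response carries the `0.0.0.0` block answer. The function names and the sample response are constructed for illustration.

```python
import base64
import ipaddress
import struct
import urllib.request

# DoH endpoints listed on this page for 1.1.1.1 for Families.
DOH_ENDPOINTS = {
    "malware": "https://security.cloudflare-dns.com/dns-query",
    "malware+adult": "https://family.cloudflare-dns.com/dns-query",
}
BLOCK_ANSWER = ipaddress.IPv4Address("0.0.0.0")  # block answer per this page


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query (type A by default); RFC 8484 suggests ID 0 for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint: str, name: str) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding removed>."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?dns={b64}"


def fetch(url: str, timeout: float = 5.0) -> bytes:
    """Send the DoH GET request (needs network access; not run on import)."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def a_records(msg: bytes) -> list:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000:
            raise ValueError("not a DNS response")
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        addrs = []
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
            off += rdlen
        return addrs
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed DNS message") from exc


def is_blocked(msg: bytes) -> bool:
    """True when every A record in the response is the 0.0.0.0 block answer."""
    addrs = a_records(msg)
    return bool(addrs) and all(a == BLOCK_ANSWER for a in addrs)


def constructed_response(name: str, addr: str) -> bytes:
    """Constructed sample response with one A record (offline test data)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return header + build_query(name)[12:] + answer + ipaddress.IPv4Address(addr).packed


if __name__ == "__main__":
    host = "malware.testcategory.com"  # test hostname from this page
    print(doh_get_url(DOH_ENDPOINTS["malware"], host))
    print("blocked:", is_blocked(constructed_response(host, "0.0.0.0")))
```

To run the check against the live service, pass the output of `fetch(doh_get_url(...))` to `is_blocked()`.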

### DNS over TLS (DoT)

1.1.1.1 for Families also supports DoT if you have a compliant client, such as a compatible DoT router. DoT allows you to encrypt your DNS queries, protecting you from spoofing, malicious actors, and others. You can learn more about DoT in the [Learning Center article on DNS encryption ↗](https://www.cloudflare.com/learning/dns/dns-over-tls/).

To configure an encrypted DoT connection to 1.1.1.1 for Families, type one of the following hostnames into the appropriate field of your DoT-compliant client:

Block malware

```
security.cloudflare-dns.com
```

Block malware and adult content

```
family.cloudflare-dns.com
```


---

---
title: Android
description: Learn how to set up Cloudflare's 1.1.1.1 DNS resolver on Android devices. Encrypt DNS queries with DoT or DoH, and enable 1.1.1.1 for Families.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Android

[1.1.1.1: Faster Internet ↗](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) is the preferred method of setting up 1.1.1.1 DNS resolver and 1.1.1.1 for Families. It allows you to automatically configure your phone to use 1.1.1.1 on any network you connect to.

The app also allows you to enable encryption for DNS queries or enable [WARP mode](https://developers.cloudflare.com/warp-client/), which keeps all your HTTP traffic private and secure, including your DNS queries to 1.1.1.1.

You can select between the options available in the app settings. By default, 1.1.1.1: Faster Internet is configured to WARP mode.

## Set up 1.1.1.1: Faster Internet

1. Download [1.1.1.1: Faster Internet from Google Play ↗](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone) for free.
2. Launch 1.1.1.1: Faster Internet and accept the Terms of Service.
3. Toggle the **WARP** button to **Connected**.
4. Install the VPN profile that allows your phone to connect securely to 1.1.1.1.

Your connection to the Internet and your DNS queries are now protected.

### Enable 1.1.1.1 for Families

1. Open 1.1.1.1: Faster Internet.
2. Tap the **menu button**.
3. Select **Advanced** \> **Connection options**.
4. In **DNS settings** \> **1.1.1.1 for Families**, select the option you want to use.

## Configure 1.1.1.1 manually

### Android 11 or later

Android 11 or later versions support both DNS over TLS (DoT) and DNS over HTTPS (DoH).

1. Go to **Settings** \> **Network & internet**.
2. Select **Advanced** \> **Private DNS**.
3. Select the **Private DNS provider hostname** option.
4. Depending on what you want to configure, use one of the following DNS hostnames or [IP addresses](https://developers.cloudflare.com/1.1.1.1/ip-addresses/) and select **Save**.

Use 1.1.1.1 resolver

* `one.one.one.one`

Or the corresponding IP address if your device requires it:

* **IPv4**: `1.1.1.1` or `1.0.0.1`
* **IPv6**: `2606:4700:4700::1111` or `2606:4700:4700::1001`

Block malware with 1.1.1.1 for Families

* `security.cloudflare-dns.com`

Or the corresponding IP address if your device requires it:

* **IPv4**: `1.1.1.2` or `1.0.0.2`
* **IPv6**: `2606:4700:4700::1112` or `2606:4700:4700::1002`

Block malware and adult content with 1.1.1.1 for Families

* `family.cloudflare-dns.com`

Or the corresponding IP address if your device requires it:

* **IPv4**: `1.1.1.3` or `1.0.0.3`
* **IPv6**: `2606:4700:4700::1113` or `2606:4700:4700::1003`

### Android 9 or 10

Android 9 and Android 10 support DNS over TLS to secure your queries through encryption. In Android, this option is called Private DNS. It prevents your queries from being tracked, modified or surveilled by third parties. Unlike previous versions of Android, this method also ensures 1.1.1.1 does not need to be configured for each new Wi-Fi network your smartphone joins.

1. Go to **Settings** \> **Network & internet**.
2. Select **Advanced** \> **Private DNS**.
3. Select the **Private DNS provider hostname** option.
4. Enter `one.one.one.one` and select **Save**. Or consider the following options if you want to use 1.1.1.1 for Families.

Block malware with 1.1.1.1 for Families

* `security.cloudflare-dns.com`

Or the corresponding IP address if your device requires it:

* **IPv4**: `1.1.1.2` or `1.0.0.2`
* **IPv6**: `2606:4700:4700::1112` or `2606:4700:4700::1002`

Block malware and adult content with 1.1.1.1 for Families

* `family.cloudflare-dns.com`

Or the corresponding IP address if your device requires it:

* **IPv4**: `1.1.1.3` or `1.0.0.3`
* **IPv6**: `2606:4700:4700::1113` or `2606:4700:4700::1003`

### Previous Android versions

Before making changes, take note of any DNS addresses you might have and save them in a safe place in case you need to use them later.

1. Open **Settings** \> **Wi-Fi**.
2. Press down and hold the name of the network you are currently connected to.
3. Select **Modify Network**.
4. Select the checkbox **Show Advanced Options**.
5. Change the IP Settings to **Static**.
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
7. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
8. Select **Save**. You may need to disconnect from the Wi-Fi and reconnect for the changes to take effect.

Note

Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services.

If you are experiencing connectivity issues related to captive portals:

1. Remove the static IP addresses from the device or disable the 1.1.1.1 app.
2. Connect to the Wi-Fi network.
3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app.


---

---
title: Azure
description: Configure 1.1.1.1 on Microsoft Azure virtual networks.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Azure

1. Log in to your Azure portal.
2. From the Azure portal side menu, select **Virtual Networks**.
3. Navigate to the virtual network associated with your virtual machine (VM).
4. Select **DNS Servers** \> **Custom**, and add two entries:  
```  
1.1.1.1  
1.0.0.1  
```
5. Select **Save**.


---

---
title: Gaming consoles
description: Configure 1.1.1.1 on PlayStation and Xbox.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Gaming consoles

## PS4

1. Go to **Settings** \> **Network** \> **Set Up Internet Connection**.
2. Select **Wi-Fi** or **LAN** depending on your Internet connection.
3. Select **Custom**.
4. Set **IP Address Settings** to **Automatic**.
5. Change **DHCP Host Name** to **Do Not Specify**.
6. Set **DNS Settings** to **Manual**.
7. Change **Primary DNS** and **Secondary DNS** to:  
```  
1.1.1.1  
1.0.0.1  
```
8. If you are able to add more DNS servers, you can add the IPv6 addresses as well:  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```
9. Set **MTU Settings** to **Automatic**.
10. Set **Proxy Server** to **Do Not Use**.

## Xbox One

1. Open the Network screen by pressing the Xbox button on your controller.
2. Go to **Settings** \> **Network** \> **Network Settings**.
3. Next, go to **Advanced Settings** \> **DNS Settings**.
4. Select **Manual**.
5. Set **Primary DNS** and **Secondary DNS** to:  
```  
1.1.1.1  
1.0.0.1  
```
6. If you have the option to add more DNS servers, you can add the IPv6 addresses as well:  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```
7. When you are done, you will be shown a confirmation screen. Press **B** to save.

## Nintendo

The following instructions work on New Nintendo 3DS, New Nintendo 3DS XL, New Nintendo 2DS XL, Nintendo 3DS, Nintendo 3DS XL, and Nintendo 2DS.

1. Go to the home menu and choose **System Settings** (the wrench icon).
2. Select **Internet Settings** \> **Connection Settings**.
3. Select your Internet connection and then select **Change Settings**.
4. Select **Change DNS**.
5. Set **Auto-Obtain DNS** to **No**.
6. Select **Detailed Setup**.
7. Set **Primary DNS** and **Secondary DNS** to:  
```  
1.1.1.1  
1.0.0.1  
```
8. If you are able to add more DNS servers, you can add the IPv6 addresses as well:  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```
9. Select **Save** \> **OK**.

## Nintendo Switch

1. Press the home button and select **System Settings**.
2. Scroll down and select **Internet** \> **Internet Settings**.
3. Select your Internet connection and then select **Change Settings**.
4. Select **DNS Settings** \> **Manual**.
5. Set **Primary DNS** and **Secondary DNS** to:  
```  
1.1.1.1  
1.0.0.1  
```
6. Select **Save** \> **OK**.


---

---
title: Google Cloud
description: Configure 1.1.1.1 on Google Cloud instances.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Google Cloud

Google Cloud supports configuring [outbound server policy ↗](https://cloud.google.com/dns/docs/server-policies-overview#dns-server-policy-out) within Cloud DNS. Policies are applied per Virtual Private Cloud (VPC) network, and will affect all resources within that VPC network, including any existing virtual machines.

Note

If you are using [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/), you can choose assigned [locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/) to apply custom [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) via Gateway.

To configure 1.1.1.1 for your Google Cloud VPC network(s):

1. Open the [Google Cloud Console ↗](https://console.cloud.google.com).
2. Navigate to **Network Services** \> **Cloud DNS** and select [**DNS Server Policies** ↗](https://console.cloud.google.com/net-services/dns/policies).
3. Select **Create Policy**.
4. Provide a name for your policy (such as `cloudflare-1-1-1-1`) and select the associated VPC network or networks.
5. Under **Alternate DNS servers**, select **Add Item** and type:  
```  
1.1.1.1  
1.0.0.1  
```
6. Select **Create**.

DNS requests within the configured VPC network(s) will now use 1.1.1.1.


---

---
title: iOS
description: Configure 1.1.1.1 on iOS devices.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# iOS

[1.1.1.1: Faster Internet ↗](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) is the preferred method of setting up 1.1.1.1 DNS resolver and 1.1.1.1 for Families on iOS devices. It allows you to automatically configure your phone to use 1.1.1.1 on any network you connect to, and works around the inability of iOS to use an alternative DNS resolver on cellular connections.

The app also allows you to enable encryption for DNS queries or enable [WARP mode](https://developers.cloudflare.com/warp-client/), which keeps all your HTTP traffic private and secure, including your DNS queries to 1.1.1.1.

You can select between the options available in the app's settings. By default, 1.1.1.1: Faster Internet is configured to WARP mode.

## Set up 1.1.1.1: Faster Internet

1. Download [1.1.1.1: Faster Internet from the App Store ↗](https://apps.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) for free.
2. Launch 1.1.1.1: Faster Internet and accept the Terms of Service.
3. Install the VPN profile that allows your phone to connect securely to 1.1.1.1.
4. Toggle the **WARP** button to **Connected**.

### Enable 1.1.1.1 for Families

1. Open 1.1.1.1: Faster Internet.
2. Tap the **menu button**.
3. Select **Advanced** \> **Connection options**.
4. In **DNS settings** \> **1.1.1.1 for Families**, select the option you want to use.

## Configure 1.1.1.1 manually

Note

If you configure 1.1.1.1 manually, you will have to do it for every Wi-Fi network your device connects to. This method does not work for cellular connections.

Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later.

1. Go to **Settings** \> **Wi-Fi**.
2. Select the **'i'** icon next to the Wi-Fi network you are connected to.
3. Scroll down and select **Configure DNS**.
4. Change the configuration from **Automatic** to **Manual**.
5. Select **Add Server**.
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
7. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
8. Select **Save**.

Note

Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services.

If you are experiencing connectivity issues related to captive portals:

1. Remove the static IP addresses from the device or disable the 1.1.1.1 app.
2. Connect to the Wi-Fi network.
3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app.


---

---
title: Linux
description: Learn how to set up 1.1.1.1 as your DNS resolver on a Linux system.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Linux

Before you begin, take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later.

Consider the sections below to set up 1.1.1.1 using either the [command line interface (CLI)](#use-command-line-interface-cli) or a [graphical user interface (GUI)](#use-graphical-user-interface-gui) of your preference.

## Use command line interface (CLI)

Choose whether you want to use 1.1.1.1 or 1.1.1.1 for Families, and replace `1.1.1.1` with the corresponding [IPv4 or IPv6 address](https://developers.cloudflare.com/1.1.1.1/ip-addresses/) accordingly.

### `resolv.conf`

Usually, `/etc/resolv.conf` is where you can configure the resolver IPs that your system is using.

In that case, you can use the following one-line command to specify `1.1.1.1` as your DNS resolver and `1.0.0.1` as backup:

```sh
echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1" | sudo tee /etc/resolv.conf
```

Warning

Note that other systems, such as dynamic host configuration protocol (DHCP), may automatically write to `/etc/resolv.conf` and change that configuration. In those cases, consider changing your network settings or DHCP to use `1.1.1.1`.

Alternatively, you can use an editor (`nano` or `vim`, for example) to manually edit the file.

### `systemd-resolved`

If you use the `systemd-resolved` utility and the resolver IP configuration is in `/etc/systemd/resolved.conf`, follow the steps below:

1. Run the following command, replacing `<EDITOR>` with your preferred editor.

```sh
sudo <EDITOR> /etc/systemd/resolved.conf
```

2. In the editor, add or edit the following lines:

```ini
[Resolve]
DNS=1.1.1.1
```

To use DNS over TLS, append `#one.one.one.one` to the resolver address and set `DNSOverTLS` to `yes`, as in the following example:

```ini
[Resolve]
DNS=1.1.1.1#one.one.one.one
DNSOverTLS=yes
```
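
The `resolv.conf` warning above and the DNS over TLS settings can both be checked with a short script. The following Python sketch is an added example, not part of Cloudflare's documentation: it audits the text of `resolved.conf` against the address and hostname pairings listed in these pages, and lists `resolv.conf` nameservers that are not Cloudflare addresses (for example after DHCP rewrote the file). The function names, finding codes and sample inputs are constructed for illustration.

```python
import ipaddress

# Address -> DoT hostname pairings, taken from the lists on these pages.
_PAIRS = {
    "one.one.one.one": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
    "security.cloudflare-dns.com": ["1.1.1.2", "1.0.0.2", "2606:4700:4700::1112", "2606:4700:4700::1002"],
    "family.cloudflare-dns.com": ["1.1.1.3", "1.0.0.3", "2606:4700:4700::1113", "2606:4700:4700::1003"],
}
EXPECTED_NAME = {ipaddress.ip_address(a): n for n, addrs in _PAIRS.items() for a in addrs}
STRICT_VALUES = {"yes", "true", "on", "1"}  # boolean "true" spellings in systemd units


def parse_resolved_conf(text: str) -> dict:
    """Collect space-separated values per key from the [Resolve] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Resolve" and "=" in line:
            key, _, value = line.partition("=")
            items = value.split()
            if items:
                settings.setdefault(key.strip(), []).extend(items)
            else:
                settings[key.strip()] = []  # an empty assignment resets the list
    return settings


def split_dns_entry(entry: str):
    """Split 'addr[:port][%ifname][#servername]' into (ip, servername or None)."""
    addr, _, name = entry.partition("#")
    addr = addr.split("%", 1)[0]
    if addr.startswith("["):        # [IPv6]:port
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:      # IPv4:port
        addr = addr.split(":", 1)[0]
    return ipaddress.ip_address(addr), (name or None)


def audit_resolved_conf(text: str) -> list:
    """Return (code, detail) findings; an empty list matches the page's DoT example."""
    settings, findings = parse_resolved_conf(text), []
    mode = (settings.get("DNSOverTLS") or ["unset"])[-1].lower()
    if mode == "opportunistic":
        findings.append(("opportunistic-dot", "falls back to plaintext when TLS fails"))
    elif mode not in STRICT_VALUES:
        findings.append(("dot-not-enforced", f"DNSOverTLS is {mode}"))
    entries = settings.get("DNS") or []
    if not entries:
        findings.append(("no-dns", "no DNS= servers configured"))
    for entry in entries:
        try:
            ip, name = split_dns_entry(entry)
        except ValueError:
            findings.append(("unparseable", entry))
            continue
        expected = EXPECTED_NAME.get(ip)
        if expected is None:
            findings.append(("unlisted-server", entry))
        elif name is None:
            findings.append(("missing-name", entry))
        elif name.lower().rstrip(".") != expected:
            findings.append(("name-mismatch", entry))
    return findings


def unexpected_nameservers(resolv_text: str) -> list:
    """List resolv.conf nameservers that are not Cloudflare addresses from these pages."""
    unexpected = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                known = ipaddress.ip_address(parts[1].split("%", 1)[0]) in EXPECTED_NAME
            except ValueError:
                known = False
            if not known:
                unexpected.append(parts[1])
    return unexpected


# Constructed sample inputs: the page's DoT example and a weakened variant.
PAGE_DOT = "[Resolve]\nDNS=1.1.1.1#one.one.one.one\nDNSOverTLS=yes\n"
WEAK = ("[Resolve]\nDNS=1.1.1.2 1.0.0.2#family.cloudflare-dns.com 192.0.2.53\n"
        "DNSOverTLS=opportunistic\n")

if __name__ == "__main__":
    for code, detail in audit_resolved_conf(WEAK):
        print(f"{code}: {detail}")
```

On a live system, pass the contents of `/etc/systemd/resolved.conf` and `/etc/resolv.conf` to these functions.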

## Use graphical user interface (GUI)

### GNOME

1. Go to **Show Applications** \> **Settings** \> **Network**.
2. Select the adapter you want to configure — like your Ethernet adapter or Wi-Fi card — and select the **Settings** button.
3. On the **IPv4** tab > **DNS** section, disable the **Automatic** toggle.
4. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
5. Go to **IPv6**.
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
7. Select **Apply**.

### KDE Plasma

1. Go to **System Settings** \> **Wi-Fi & Internet** \> **Wi-Fi & Networking** (or **Connections**, if on Plasma 5).
2. Select the connection you want to configure, such as your currently connected network.
3. On the **IPv4** tab, select the **Method** drop-down menu > _Automatic (Only addresses)_.
4. Select the text box next to **DNS servers**.
5. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
6. On the **IPv6** tab, select the **Method** drop-down menu > _Automatic (Only addresses)_.
7. Select the text box next to **DNS servers**.
8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
9. Select **Apply**.

Note

Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services.

If you are experiencing connectivity issues related to captive portals:

1. Remove the static IP addresses from the device or disable the 1.1.1.1 app.
2. Connect to the Wi-Fi network.
3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app.

---

---
title: macOS
description: Configure 1.1.1.1 on macOS.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# macOS

Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later.

1. Go to **System Settings**. You can find it by pressing `CMD + Space` on your keyboard and typing `System Settings`.
2. Go to **Network**.
3. Select a network service.
4. Select **Details**.
5. Go to **DNS**.
6. Under **DNS Servers**, select **Add**.
7. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
9. Select **OK**.

Note

Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services.

If you are experiencing connectivity issues related to captive portals:

1. Remove the static IP addresses from the device or disable the 1.1.1.1 app.
2. Connect to the Wi-Fi network.
3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app.

## Encrypt your DNS queries

1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. For more information on how to encrypt your DNS queries, please refer to the [Encrypted DNS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/).

---

---
title: Router
description: Configure 1.1.1.1 on your router.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Router

1. Go to the **IP address** used to access your router's admin console in your browser.  
   * Linksys and Asus routers typically use `http://192.168.1.1` or `http://router.asus.com` (for ASUS).  
   * Netgear routers typically use `http://192.168.1.1` or `http://routerlogin.net`.  
   * D-Link routers typically use `http://192.168.0.1`.  
   * Ubiquiti routers typically use `http://unifi.ubnt.com`.  
   * MikroTik routers typically use `http://192.168.88.1`.
2. Enter the router credentials. For consumer routers, the default credentials for the admin console are often found under or behind the device.
3. In the admin console, locate the section where **DNS settings** are configured. This may be contained within categories such as **WAN** and **IPv6** (Asus routers), **IP** (MikroTik routers), or **Internet** (Netgear routers). Consult your router's documentation for details.
4. Take note of any DNS addresses that are currently set and save them in a safe place in case you need to use them later.
5. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
7. Save the updated settings.

## Using DNS-Over-TLS on OpenWrt

It is possible to encrypt DNS traffic out from your router using DNS-over-TLS if it is running OpenWrt. For more details, see our blog post on the topic: [Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound ↗](https://blog.cloudflare.com/dns-over-tls-for-openwrt/).

## FRITZ!Box

Starting with [FRITZ!OS 7.20 ↗](https://en.avm.de/press/press-releases/2020/07/fritzos-720-more-performance-convenience-security/), DNS over TLS is supported. Refer to [Configuring different DNS servers in the FRITZ!Box ↗](https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/165%5FConfiguring-different-DNS-servers-in-the-FRITZ-Box/).

---

---
title: Windows
description: Configure 1.1.1.1 on Windows.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Windows

## Windows 10

Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later.

1. Select the **Start menu** \> **Settings**.
2. On **Network and Internet**, select **Change Adapter Options**.
3. Right-click on the Ethernet or Wi-Fi network you are connected to and select **Properties**.
4. Choose **Internet Protocol Version 4**.
5. Select **Properties** \> **Use the following DNS server addresses**.
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
7. Select **OK**.
8. Go to **Internet Protocol Version 6**.
9. Select **Properties** \> **Use the following DNS server addresses**.
10. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
11. Select **OK**.

## Windows 11

Take note of any DNS addresses you might have set up, and save them in a safe place in case you need to use them later.

1. Select the **Start menu** \> **Settings**.
2. On **Network and Internet**, choose the adapter you want to configure - like your Ethernet adapter or Wi-Fi card.
3. Scroll to **DNS server assignment** and select **Edit**.
4. Select the **Automatic (DHCP)** drop-down menu > **Manual**.
5. Select the **IPv4** toggle to turn it on.
6. Depending on what you want to configure, choose one of the following DNS addresses for IPv4:  
Use 1.1.1.1 resolver  
```  
1.1.1.1  
1.0.0.1  
```  
Block malware with 1.1.1.1 for Families  
```  
1.1.1.2  
1.0.0.2  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
1.1.1.3  
1.0.0.3  
```
7. Select the **IPv6** toggle.
8. Depending on what you want to configure, choose one of the following DNS addresses for IPv6:  
Use 1.1.1.1 resolver  
```  
2606:4700:4700::1111  
2606:4700:4700::1001  
```  
Block malware with 1.1.1.1 for Families  
```  
2606:4700:4700::1112  
2606:4700:4700::1002  
```  
Block malware and adult content with 1.1.1.1 for Families  
```  
2606:4700:4700::1113  
2606:4700:4700::1003  
```
9. Select **Save**.

Note

Setting up a static IP address to configure a DNS server may prevent you from connecting to some public Wi-Fi networks that use captive portals — these are the web pages some wireless networks employ to let users log in and use their services.

If you are experiencing connectivity issues related to captive portals:

1. Remove the static IP addresses from the device or disable the 1.1.1.1 app.
2. Connect to the Wi-Fi network.
3. Once the connection has been established, re-add the static IP addresses or enable the 1.1.1.1 app.

## Encrypt your DNS queries

1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. For more information on how to encrypt your DNS queries, please refer to the [Encrypted DNS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/).

---

---
title: Encryption
description: Encryption options for DNS queries to 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Encryption

Traditionally, DNS queries and replies are performed over plaintext. They are sent over the Internet without any kind of encryption or protection, even when you are accessing a secured website. This has a great impact on security and privacy, as these queries might be subject to surveillance, spoofing and tracking by malicious actors, advertisers, ISPs, and others.

To prevent untrustworthy entities from interpreting and manipulating your queries, 1.1.1.1 supports different standards to encrypt plaintext DNS traffic and improve DNS privacy:

* [DNS over TLS (DoT)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/)
* [DNS over HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/)
* [Oblivious DNS over HTTPS (ODoH)](https://developers.cloudflare.com/1.1.1.1/encryption/oblivious-dns-over-https/)

You can also [configure your browser](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) to secure your DNS queries.

If you need to secure connections in your smartphone, refer to 1.1.1.1 [iOS](https://developers.cloudflare.com/1.1.1.1/setup/ios/) or [Android](https://developers.cloudflare.com/1.1.1.1/setup/android/) apps.

---

---
title: DNS over HTTPS
description: Encrypt DNS queries using HTTPS with 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# DNS over HTTPS

With DNS over HTTPS (DoH), DNS queries and responses are encrypted and sent via the HTTP, HTTP/2 and HTTP/3 protocols. DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.

* [ Configure DoH on your browser ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/)
* [ Connect to 1.1.1.1 using DoH clients ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/)
* [ Make API requests to 1.1.1.1 ](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/)

---

---
title: Connect to 1.1.1.1 using DoH clients
description: Learn how to connect to Cloudflare's 1.1.1.1 using DNS over HTTPS (DoH) clients.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Connect to 1.1.1.1 using DoH clients

Several DoH clients are available for connecting to 1.1.1.1.

## Cloudflare WARP client

Refer to [WARP client](https://developers.cloudflare.com/warp-client/) for guidance on WARP modes and get-started information for different [operating systems](https://developers.cloudflare.com/warp-client/get-started/).

## DNSCrypt-Proxy

[DNSCrypt-Proxy ↗](https://dnscrypt.info) 2.0+ supports DoH out of the box. It supports both 1.1.1.1 and other services. It also includes more advanced features, such as load balancing and local filtering.

1. [Install DNSCrypt-Proxy ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation).
2. Verify that `dnscrypt-proxy` is installed and the version is 2.0 or later:  
```  
dnscrypt-proxy -version  
```  
```  
2.0.8  
```
3. Set up the configuration file using the [official instructions ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation#setting-up-dnscrypt-proxy), and add `cloudflare` and `cloudflare-ipv6` to the server list in `dnscrypt-proxy.toml`:  
```  
server_names = ['cloudflare', 'cloudflare-ipv6']  
```
4. Make sure that nothing else is running on `localhost:53`, and check that everything works as expected:  
```  
dnscrypt-proxy -resolve cloudflare-dns.com  
```  
```  
Resolving [cloudflare-dns.com]  
Domain exists:  yes, 3 name servers found  
Canonical name: cloudflare-dns.com.  
IP addresses:   2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019, 104.16.111.25, 104.16.112.25  
TXT records:    -  
Resolver IP:    172.68.140.217  
```
5. Register it as a system service according to the [DNSCrypt-Proxy installation instructions ↗](https://github.com/jedisct1/dnscrypt-proxy/wiki/installation).

---

---
title: Configure DoH on your browser
description: Configure DNS over HTTPS in your browser.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Configure DoH on your browser

Several browsers support DNS over HTTPS (DoH), a protocol that encrypts your connection to 1.1.1.1 to protect your DNS queries from privacy intrusions and tampering.

Some browsers might already have this setting enabled.

Note

To use 1.1.1.1 For Families, follow the steps below but, instead of choosing the default 1.1.1.1 option, refer to [Set up](https://developers.cloudflare.com/1.1.1.1/setup/#dns-over-https-doh) and specify the URL you want to use.

## Mozilla Firefox

1. Select the menu button > **Settings**.
2. In the **Privacy & Security** menu, scroll down to the **Enable secure DNS using:** section.
3. Select **Increased Protection** or **Max Protection**. By default, it will use the **Cloudflare** provider.
4. If this is not the case, select **Cloudflare** in the **Choose Provider** dropdown.

## Google Chrome

1. Select the three-dot menu in your browser > **Settings**.
2. Select **Privacy and security** \> **Security**.
3. Scroll down and enable **Use secure DNS**.
4. Select the **With** option, and from the drop-down menu choose _Cloudflare (1.1.1.1)_.

## Microsoft Edge

1. Select the three-dot menu in your browser > **Settings**.
2. Select **Privacy, Search, and Services**, and scroll down to **Security**.
3. Enable **Use secure DNS**.
4. Select **Choose a service provider**.
5. Select the **Enter custom provider** drop-down menu and choose _Cloudflare (1.1.1.1)_.

## Brave

1. Select the menu button in your browser > **Settings**.
2. Select **Privacy and security** \> **Security**.
3. Under **Advanced**, enable **Use secure DNS**.
4. From the **Select DNS provider** drop-down menu, choose _Cloudflare (1.1.1.1)_.

## Check if the browser is configured correctly

Visit the [1.1.1.1 help page ↗](https://one.one.one.one/help) and check if `Using DNS over HTTPS (DoH)` shows `Yes`.

---

---
title: Make API requests to 1.1.1.1
description: Make programmatic DNS queries to 1.1.1.1 over HTTPS.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Make API requests to 1.1.1.1

Cloudflare offers a DNS over HTTPS resolver at:

```
https://cloudflare-dns.com/dns-query
```

## HTTP method

Cloudflare's DNS-over-HTTPS (DoH) endpoint supports `POST` and `GET` for DNS wireformat, and `GET` for JSON format.

When making requests using `POST`, the DNS query is included as the message body of the HTTP request, and the MIME type (`application/dns-message`) is sent in the `Content-Type` request header. Cloudflare will use the message body of the HTTP request as sent by the client, so the message body should not be encoded.

When making requests using `GET`, the DNS query is encoded into the URL.

## Valid MIME types

If you use JSON format, set `application/dns-json`, and if you use DNS wireformat, use `application/dns-message`.

Refer to [DNS wireformat](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-wireformat/) and [JSON](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/) for cURL examples.
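The difference between the two wireformat methods described above, as an added example that is not part of Cloudflare's documentation: the same DNS message is sent raw as a `POST` body, or base64url-encoded without padding in the `dns` query parameter for `GET`, as specified in RFC 8484. The function names are constructed, and the code only builds the requests, so it runs offline.

```python
"""Build one DNS query in wireformat and show how it travels over DoH.

Added example: function names are constructed. POST carries the raw bytes
as the body; GET carries the same bytes base64url-encoded, without padding,
in the `dns` parameter (RFC 8484).
"""
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint given on this page
QTYPES = {"A": 1, "AAAA": 28}  # small subset of the IANA RR type registry


def build_query(name, qtype="A"):
    """Encode a single-question DNS query (RFC 1035, section 4)."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can match requests),
    # flags=RD, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("name longer than 255 octets")
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def as_post(query):
    """Return (url, headers, body): the body is the message, not encoded."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return DOH_URL, headers, query


def as_get(query):
    """Return (url, headers): the message is base64url-encoded in the URL."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={encoded}", {"Accept": "application/dns-message"}


def decode_get(url):
    """Recover the wireformat bytes from a GET URL, restoring the padding."""
    encoded = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


if __name__ == "__main__":
    message = build_query("www.example.com", "A")
    print("POST body:", as_post(message)[2].hex())
    print("GET url:  ", as_get(message)[0])
```
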

## Send multiple questions in a query

Sending more than one question when making requests depends on the HTTP version used, as each DNS query maps to exactly one HTTP request. HTTP/2 and HTTP/3 have multiplexing capabilities, allowing multiple requests to start concurrently. HTTP/2 is, in fact, the minimum recommended version of HTTP for use with DNS over HTTPS (DoH). This behavior is not specific to 1.1.1.1, but rather how DoH operates.

You can learn more about how DoH works in RFC 8484, more specifically [the HTTP layer requirements ↗](https://datatracker.ietf.org/doc/html/rfc8484#section-5.2).

Example request:

```
curl --http2 --header "accept: application/dns-json" "https://one.one.one.one/dns-query?name=cloudflare.com" --next --http2 --header "accept: application/dns-json" "https://one.one.one.one/dns-query?name=example.com"
```

## Authentication

No authentication is required to send requests to this API.

## Supported TLS versions

Cloudflare's DNS over HTTPS resolver supports TLS 1.2 and TLS 1.3.

## Return codes

| HTTP Status | Meaning                                                    |
| ----------- | ---------------------------------------------------------- |
| 400         | DNS query not specified or too small.                      |
| 413         | DNS query is larger than maximum allowed DNS message size. |
| 415         | Unsupported content type.                                  |
| 504         | Resolver timeout while waiting for the query response.     |

---

---
title: Using JSON
description: Query 1.1.1.1 DNS over HTTPS using JSON format.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Using JSON

Warning

The DNS over HTTPS JSON format does not have a formal RFC, which means behavior might be different between providers. Additionally, there might be small changes in behavior in the future.

For critical use cases, it is recommended to use the [DNS over HTTPS wireformat](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-wireformat/), which is defined in [RFC 1035 ↗](https://www.rfc-editor.org/rfc/rfc1035.html).

Cloudflare's DNS over HTTPS endpoint also supports JSON format for querying DNS data. For lack of an agreed-upon JSON schema for DNS over HTTPS in the Internet Engineering Task Force (IETF), Cloudflare has chosen to follow the same schema as Google's DNS over HTTPS resolver.

JSON formatted queries are sent using a `GET` request. When making requests using `GET`, the DNS query is encoded into the URL. The client should include an HTTP `Accept` request header field with a MIME type of `application/dns-json` to indicate that the client is able to accept a JSON response from the DNS over HTTPS resolver.

## Supported parameters

| Field | Required? | Description                                                                                                                             | Default |
| ----- | --------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| name  | Yes       | Query name.                                                                                                                             | \-      |
| type  | No        | Query type (either a [numeric value or text ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4)). | A       |
| do    | No        | DO bit - whether the client wants DNSSEC data (either empty or one of 0, false, 1, or true).                                            | false   |
| cd    | No        | CD bit - disable validation (either empty or one of 0, false, 1, or true).                                                              | false   |

## Examples

Example request and response:

```
curl --header "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
```

```
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 28
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 28,
      "TTL": 1726,
      "data": "2606:2800:220:1:248:1893:25c8:1946"
    }
  ]
}
```

In the case of an invalid request a `400 Bad Request` error is returned:

```
curl --header "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&cd=2"
```

```
{
  "error": "Invalid CD flag `2`. Expected to be empty or one of `0`, `false`, `1`, or `true`."
}
```
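A client-side view of the parameters and the two replies above, as an added example that is not part of Cloudflare's documentation: it rejects `do` and `cd` values the resolver would answer with `400 Bad Request`, and it reads `Status`, `TC`, `AD` and `CD` before trusting the answer records. The function names and the trust labels are constructed; the sample replies are the ones shown on this page, so the code runs offline.

```python
"""Build a DoH JSON request URL and interpret the reply's DNSSEC flags.

Added example: function names and trust labels are constructed. It runs
offline against the two sample replies shown on this page.
"""
import json
from urllib.parse import urlencode

ENDPOINT = "https://cloudflare-dns.com/dns-query"
REQUEST_HEADERS = {"Accept": "application/dns-json"}
FLAG_VALUES = {"", "0", "false", "1", "true"}  # accepted for do and cd
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}  # subset of IANA list


def build_json_url(name, rtype="A", do=None, cd=None):
    """Return the GET URL, refusing flag values the resolver rejects."""
    if not name:
        raise ValueError("name is required")
    params = {"name": name, "type": rtype}
    for key, value in (("do", do), ("cd", cd)):
        if value is None:
            continue
        text = str(value).lower()
        if text not in FLAG_VALUES:
            raise ValueError(f"invalid {key} flag {value!r}")
        params[key] = text
    return f"{ENDPOINT}?{urlencode(params)}"


def assess_reply(body):
    """Return a dict with usable, trust, reason and records for one reply."""
    reply = json.loads(body)
    result = {"usable": False, "trust": "none", "reason": "", "records": []}
    if "error" in reply:               # body of a 400 Bad Request
        result["reason"] = reply["error"]
        return result
    status = reply.get("Status")
    if status != 0:                    # DNS response code other than NOERROR
        result["reason"] = RCODES.get(status, f"RCODE {status}")
        return result
    if reply.get("TC"):                # truncated: the answer is incomplete
        result["reason"] = "truncated"
        return result
    if reply.get("CD"):                # client asked to skip validation
        result["trust"] = "validation-disabled"
    elif reply.get("AD"):              # every record verified with DNSSEC
        result["trust"] = "dnssec-validated"
    else:
        result["trust"] = "not-validated"
    result["usable"] = True
    result["records"] = [(a["name"], a["type"], a["TTL"], a["data"])
                         for a in reply.get("Answer", [])]
    return result


# The successful reply and the error reply shown on this page.
SAMPLE_REPLY = """{"Status": 0, "TC": false, "RD": true, "RA": true,
 "AD": true, "CD": false,
 "Question": [{"name": "example.com.", "type": 28}],
 "Answer": [{"name": "example.com.", "type": 28, "TTL": 1726,
             "data": "2606:2800:220:1:248:1893:25c8:1946"}]}"""
SAMPLE_ERROR = ('{"error": "Invalid CD flag `2`. Expected to be empty or '
                'one of `0`, `false`, `1`, or `true`."}')

if __name__ == "__main__":
    print(build_json_url("example.com", "AAAA", do=True))
    print(assess_reply(SAMPLE_REPLY))
    print(assess_reply(SAMPLE_ERROR))
```
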

## Response fields

The following tables have more information on each response field.

### Successful response

| Field            | Description                                                                                                                                                                                                                                                    |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Status           | The Response Code of the DNS Query. The codes are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6).              |
| TC               | If the TC field is true, the truncated bit was set. This occurs when the DNS answer exceeds the size of a single UDP or TCP packet. With Cloudflare DNS over HTTPS, the TC field is almost always false because Cloudflare supports the maximum response size. |
| RD               | If true, it means the Recursion Desired bit was set. This is always set to true for Cloudflare DNS over HTTPS.                                                                                                                                                 |
| RA               | If true, it means the Recursion Available bit was set. This is always set to true for Cloudflare DNS over HTTPS.                                                                                                                                               |
| AD               | If true, it means that every record in the answer was verified with DNSSEC.                                                                                                                                                                                    |
| CD               | If true, the client asked to disable DNSSEC validation. In this case, Cloudflare will still fetch the DNSSEC-related records, but it will not attempt to validate the records.                                                                                 |
| Question: name   | The record name requested.                                                                                                                                                                                                                                     |
| Question: type   | The type of DNS record requested. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4).                    |
| Answer: name     | The record owner.                                                                                                                                                                                                                                              |
| Answer: type     | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4).                              |
| Answer: TTL      | The number of seconds the answer can be stored in cache before it is considered stale.                                                                                                                                                                         |
| Answer: data     | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types.                                                                                                                  |
| Authority: name  | The record owner.                                                                                                                                                                                                                                              |
| Authority: type  | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4).                              |
| Authority: TTL   | The number of seconds the answer can be stored in cache before it is considered stale.                                                                                                                                                                         |
| Authority: data  | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types.                                                                                                                  |
| Additional: name | The record owner.                                                                                                                                                                                                                                              |
| Additional: type | The type of DNS record. These are defined here: [https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 ↗](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4).                              |
| Additional: TTL  | The number of seconds the answer can be stored in cache before it is considered stale.                                                                                                                                                                         |
| Additional: data | The value of the DNS record for the given name and type. The data will be in text for standardized record types and in hex for unknown types.                                                                                                                  |
| Comment          | List of EDE messages. Refer to [Extended DNS error codes](https://developers.cloudflare.com/1.1.1.1/infrastructure/extended-dns-error-codes/) for more information.                                                                                            |

### Error response

| Field | Description                                |
| ----- | ------------------------------------------ |
| error | An explanation of the error that occurred. |

---

---
title: DNS Wireformat
description: Query 1.1.1.1 DNS over HTTPS using wireformat.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# DNS Wireformat

Cloudflare respects DNS wireformat as defined in [RFC 1035 ↗](https://www.rfc-editor.org/rfc/rfc1035.html).

To send queries using DNS wireformat, set the header `accept: application/dns-message`, or `content-type: application/dns-message` if using `POST` to indicate the media type of the query.

Queries using DNS wireformat can be sent using `POST` or `GET`.

## Using POST

When making requests using `POST`, the DNS query is included as the message body of the HTTP request, and the MIME type (see below) is included in the `Content-Type` request header. Cloudflare will use the message body of the HTTP request as sent by the client, so the message body should not be encoded.

The following is an example request: the DNS query for `www.example.com`, sent using the `POST` method.

```
:method = POST
:scheme = https
:authority = cloudflare-dns.com
:path = /dns-query
accept = application/dns-message
content-type = application/dns-message
content-length = 33

<33 bytes represented by the following hex encoding>
00 00 01 00 00 01 00 00  00 00 00 00 03 77 77 77
07 65 78 61 6d 70 6c 65  03 63 6f 6d 00 00 01 00
01
```

And would return the answer in wireformat:

```
:status = 200
content-type = application/dns-message
content-length = 64
cache-control = max-age=128

<64 bytes represented by the following hex encoding>
00 00 81 80 00 01 00 01  00 00 00 00 03 77 77 77
07 65 78 61 6d 70 6c 65  03 63 6f 6d 00 00 01 00
01 03 77 77 77 07 65 78  61 6d 70 6c 65 03 63 6f
6d 00 00 01 00 01 00 00  00 80 00 04 C0 00 02 01
```

To try this using cURL, write:

```
echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 --decode | curl --header 'content-type: application/dns-message' --data-binary @- https://cloudflare-dns.com/dns-query --output - | hexdump
```

## Using GET

When making requests using `GET`, the DNS query is encoded into the URL. The `accept` header can be used to indicate the MIME type (default: `application/dns-message`).

Example request:

```
curl --header 'accept: application/dns-message' --verbose 'https://cloudflare-dns.com/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump
```

```
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
accept: application/dns-message

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-message
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
```
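The two exchanges above, worked through in Python as an added example (not Cloudflare's code): it builds the RFC 1035 query, produces the unpadded base64url value used in `?dns=`, and parses both wireformat responses shown above, including the `c0 0c` compression pointer in the `GET` response. The function names and the `MAX_POINTER_JUMPS` limit are this example's own choices.

```python
import base64
import ipaddress
import struct

MAX_POINTER_JUMPS = 16  # this example's own limit, not a value from the page

# Response bytes copied from the POST and GET examples above.
POST_RESPONSE = bytes.fromhex(
    "00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 "
    "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 "
    "01 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f "
    "6d 00 00 01 00 01 00 00 00 80 00 04 C0 00 02 01"
)
GET_RESPONSE = bytes.fromhex(
    "ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77 "
    "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 "
    "01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8 "
    "22"
)


def build_query(name, qtype=1, msg_id=0):
    """Build a one-question RFC 1035 query (class IN, RD bit set)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1 to 63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_param(message):
    """Encode a wireformat message for ?dns= (base64url, padding removed)."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, resume, jumps = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if resume is None:
                resume = off + 2  # parsing continues after the first pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:  # stops pointer loops in hostile input
                raise ValueError("too many compression pointers")
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:
            return ".".join(labels) + ".", (off + 1 if resume is None else resume)
        else:
            if off + 1 + length > len(msg):
                raise ValueError("label runs past end of message")
            raw = msg[off + 1:off + 1 + length]
            labels.append(raw.decode("ascii", "backslashreplace"))
            off += 1 + length


def parse_response(msg):
    """Parse the header, skip the questions and decode the answer records."""
    if len(msg) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # QTYPE and QCLASS
        if off > len(msg):
            raise ValueError("truncated question")
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            data = str(ipaddress.IPv4Address(rdata))
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": msg_id, "rcode": flags & 0x000F,
            "tc": bool(flags & 0x0200), "answers": answers}


if __name__ == "__main__":
    print(doh_get_param(build_query("www.example.com", msg_id=0xABCD)))
    print(parse_response(POST_RESPONSE)["answers"])
    print(parse_response(GET_RESPONSE)["answers"])
```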

---

---
title: DNS over TLS
description: Encrypt DNS queries using TLS with 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# DNS over TLS

By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is one way to send DNS queries over an encrypted connection. Cloudflare supports DNS over TLS on standard port 853 and is compliant with [RFC 7858 ↗](https://tools.ietf.org/html/rfc7858). With DoT, the encryption happens at the transport layer, where it adds TLS encryption on top of a TCP connection.

## How it works

Cloudflare supports DNS over TLS (DoT) on `1.1.1.1`, `1.0.0.1`, and the corresponding IPv6 addresses (`2606:4700:4700::1111` and `2606:4700:4700::1001`) on port `853`. If your DoT client does not support IP addresses, Cloudflare's DoT endpoint can also be reached by hostname on `one.one.one.one`. A stub resolver (the DNS client on a device that talks to the DNS resolver) connects to the resolver over a TLS connection:

1. Before the connection, the DNS stub resolver has stored a base64 encoded SHA256 hash of the TLS certificate from 1.1.1.1 (called SPKI).
2. DNS stub resolver establishes a TCP connection with `1.1.1.1:853`.
3. DNS stub resolver initiates a TLS handshake.
4. In the TLS handshake, 1.1.1.1 presents its TLS certificate.
5. Once the TLS connection is established, the DNS stub resolver can send DNS over an encrypted connection, preventing eavesdropping and tampering.
6. All DNS queries sent over the TLS connection must comply with specifications of [sending DNS over TCP ↗](https://tools.ietf.org/html/rfc1035#section-4.2.2).
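Two parts of the procedure above that can be checked offline, as an added Python example (not Cloudflare's or kdig's code): the SPKI pin from step 1, computed as the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, and the two-byte length prefix that DNS over TCP (step 6) puts in front of every message. All function names are this example's own; the certificate bytes would come from the TLS handshake, for example `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import base64
import hashlib
import struct

# The 33-byte query for www.example.com from the DNS Wireformat POST example.
QUERY = bytes.fromhex(
    "00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 "
    "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01"
)


def der_element(buf, off):
    """Read one DER element at off; return (tag, content_start, content_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[off], buf[off + 1]
    start = off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, start, start + length


def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, start, _ = der_element(cert_der, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, tbs_end = der_element(cert_der, start)    # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, after = der_element(cert_der, off)
    if tag == 0xA0:                                     # optional [0] version
        off = after
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, off = der_element(cert_der, off)
    tag, _, spki_end = der_element(cert_der, off)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[off:spki_end]


def spki_pin(cert_der):
    """Base64 SHA-256 of the SPKI, the form kdig prints as 'SHA-256 PIN'."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def pin_ok(cert_der, stored_pins):
    """True if the presented certificate's pin is one the stub resolver stored."""
    return spki_pin(cert_der) in stored_pins


def frame(message):
    """Prefix a DNS message with its length as DNS over TCP requires."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for a two-byte length")
    return struct.pack("!H", len(message)) + message


def read_frames(chunks):
    """Reassemble DNS messages from stream data split at arbitrary points."""
    buf, messages = b"", []
    for chunk in chunks:
        buf += chunk
        while len(buf) >= 2:
            (size,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + size:
                break  # wait for the rest of this message
            messages.append(buf[2:2 + size])
            buf = buf[2 + size:]
    if buf:
        raise ValueError("stream ended inside a message")
    return messages


if __name__ == "__main__":
    stream = frame(QUERY) + frame(QUERY)
    # Constructed split points: reads from a TLS socket need not align to messages.
    parts = [stream[:1], stream[1:40], stream[40:]]
    print(frame(QUERY)[:2].hex(), [len(m) for m in read_frames(parts)])
```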

## Example

```
kdig -d @1.1.1.1 +tls-ca +tls-host=one.one.one.one example.com
```

```
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: GP8Knf7qBae+aIfythytMbYnL+yowaWVeD6MoLHkVRg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3395
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.            IN  A

;; ANSWER SECTION:
example.com.          75897  IN  A  93.184.216.34

;; Received 468 B
;; Time 2023-06-23 18:05:42 PDT
;; From 1.1.1.1@853(TCP) in 12.1 ms
```

## Supported TLS versions

Cloudflare's DNS over TLS supports TLS 1.3 and TLS 1.2.

---

---
title: DNSKEY
description: DNSKEY records used by the 1.1.1.1 resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# DNSKEY

[DNSSEC is a protocol ↗](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) that adds a layer of security to the domain name system (DNS). DNSSEC does this by providing authentication through public signing keys using two DNS records: DNSKEY and DS. They can be used to verify DNSSEC signatures in [RRSIG records ↗](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/).

1.1.1.1 supports the following signature algorithms:

* RSA/SHA-1
* RSA/SHA-256
* RSA/SHA-512
* RSASHA1-NSEC3-SHA1
* ECDSA Curve P-256 with SHA-256 (ECDSAP256SHA256)
* ECDSA Curve P-384 with SHA-384 (ECDSAP384SHA384)
* ED25519

---

---
title: Oblivious DNS over HTTPS
description: Learn how Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) to enhance privacy by separating HTTP request contents from requester IP addresses.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Oblivious DNS over HTTPS

As announced on [our blog ↗](https://blog.cloudflare.com/oblivious-dns/), Cloudflare 1.1.1.1 has supported Oblivious DNS over HTTPS (ODoH) since late 2020.

Warning

ODoH is defined in [RFC 9230 ↗](https://www.rfc-editor.org/rfc/rfc9230.html). This RFC is experimental and is not endorsed by the IETF.

## How ODoH works

ODoH improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this, a proxy and a target are introduced between the client and the upstream DNS resolver:

* The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target.
* The target only has access to the encrypted query and the proxy's IP address, while not having visibility over the client's IP address.
* Only the intended target can read the content of the query and produce a response, which is also encrypted.

This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection.

Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption (HPKE). A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC.

## Cloudflare and third-party products

Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`.

To make ODoH queries you can use open source clients such as [dnscrypt-proxy ↗](https://github.com/DNSCrypt/dnscrypt-proxy).

Also, [iCloud Private Relay ↗](https://support.apple.com/102602) is based on ODoH and uses [Cloudflare as one of their partners ↗](https://blog.cloudflare.com/icloud-private-relay/).

## Related resources

* [HPKE: Standardizing public-key encryption ↗](https://blog.cloudflare.com/hybrid-public-key-encryption/) blog post
* [Privacy Gateway](https://developers.cloudflare.com/privacy-gateway/)

---

---
title: Verify connection
description: Verify your device is connected to 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Verify connection

After setting up `1.1.1.1`, you can check if you are correctly connected to Cloudflare's resolver.

1. Open a web browser on a configured device (smartphone or computer) or on a device connected to your configured router.
2. Enter [https://1.1.1.1/help ↗](https://one.one.one.one/help) in the browser address bar.

Wait for the page to load and run its tests. The page will present you with a summary of the type of connection you have to `1.1.1.1`, as well as the Cloudflare data center you are connected to.

---

---
title: Privacy
description: Privacy commitments and audits for the 1.1.1.1 resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Privacy

* [1.1.1.1 Public DNS Resolver](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/): This document provides details on our collection, use, and disclosure of the information processed by the 1.1.1.1 public DNS resolver. The 1.1.1.1 public DNS resolver service is governed by our [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/).
* [Resolver for Firefox](https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox/): This document outlines our collection, use, and disclosure of the information processed by the Cloudflare Resolver for Firefox. Any data Cloudflare processes in connection with the Cloudflare Resolver for Firefox is as a data processor acting pursuant to Mozilla’s data processing instructions. Cloudflare Resolver for Firefox is not covered by our main Privacy Policy and is separate from the 1.1.1.1 public DNS resolver.
* [1.1.1.1 Application ↗](https://www.cloudflare.com/application/privacypolicy/): This policy applies to our collection, use, and disclosure of the information from Cloudflare’s consumer-facing 1.1.1.1 Applications, such as our 1.1.1.1 Application for iOS and Android.

---

---
title: Cloudflare Resolver for Firefox
description: How 1.1.1.1 works as the trusted resolver for Firefox.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Cloudflare Resolver for Firefox

## Frequently asked questions about the Cloudflare resolver for Firefox

### What is the Cloudflare resolver for Firefox?

Every time you type a web address, such as [www.mozilla.org ↗](http://www.mozilla.org) or [www.firefox.com ↗](http://www.firefox.com), into a web browser, the web browser sends a query to a DNS resolver. If DNS is like the card catalog of the Internet, then a DNS resolver is like a helpful librarian that knows how to use the information from that catalog to track down the exact location of a website. Whenever a resolver receives your query, it looks up the IP address associated with the web address that you entered and relays that information to your web browser. “DNS resolution”, as this process is referred to, is a crucial component of your Internet experience because without it your web browser would be unable to communicate with the servers that host your favorite websites, since communication requires knowing the IP addresses of those websites.

For most Internet users, the DNS resolver that they use is either the one that comes with the operating system running on their machines or the one that is set by their network provider. In some cases, these resolvers leave a lot to be desired because of their susceptibility to unwanted spying and other security threats.

To counter such threats, Mozilla has partnered with Cloudflare to provide direct DNS resolution from within the Firefox browser using the Cloudflare Resolver for Firefox. What this means is that whenever you select or type a web address in the Firefox browser, your DNS lookup request will be sent over a secure channel to the Cloudflare Resolver for Firefox rather than to an unknown DNS resolver, significantly decreasing the odds of any unwanted spying or man-in-the-middle attacks.

### What information does the Cloudflare resolver for Firefox collect?

Any data Cloudflare handles as a result of its resolver for Firefox is as a data processor acting pursuant to Firefox’s data processing instructions. Therefore, the data Cloudflare collects and processes pursuant to its agreement with Firefox is not covered by the [Cloudflare Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). As part of its agreement with Firefox, Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser. Cloudflare will collect only the following information from Firefox users:

* date
* dateTime
* srcAsNum
* srcIPVersion
* dstIPVersion
* dstIPv6
* dstIPv4
* dstPort
* protocol
* queryName
* queryType
* queryClass
* queryRd
* queryDo
* querySize
* queryEdns
* ednsVersion
* ednsPayload
* ednsNsid
* responseType
* responseCode
* responseSize
* responseCount
* responseTimeMs
* responseCached
* responseMinTTL
* answerData type
* answerData
* validationState
* coloID (unique Cloudflare data center ID)
* metalId (unique Cloudflare data center ID)

All of the above information will be stored briefly as part of Cloudflare’s temporary logs, and then permanently deleted within 24 hours of Cloudflare’s receipt of such information. In addition to the above information, Cloudflare will also collect and store the following information as part of its permanent logs.

* Total number of requests processed by each Cloudflare co-location facility.
* Aggregate list of all domain names requested.
* Samples of domain names queried along with the times of such queries.

Information stored in Cloudflare’s permanent logs will be anonymized and may be held indefinitely by Cloudflare for its own internal research and development purposes.

### What is the Cloudflare promise?

Cloudflare understands how important your data is to you, which is why we promise to use the information that we collect from the Cloudflare Resolver for Firefox solely to improve the performance of Cloudflare Resolver for Firefox and to assist us in debugging efforts if an issue arises. In addition to limiting our collection and use of your data, Cloudflare also promises:

* Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;
* Cloudflare will not combine the data that it collects from such queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users;
* Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.

### What about government requests for content blocking?

Cloudflare does not block or filter content through the Cloudflare Resolver for Firefox. As part of its agreement with Mozilla, Cloudflare is providing only direct DNS resolution. If Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the Cloudflare resolver for Firefox, Cloudflare would, in consultation with Mozilla, exhaust our legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.

---

---
title: 1.1.1.1 Public DNS Resolver
description: Learn more about Cloudflare's commitment to privacy with the 1.1.1.1 Public DNS Resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# 1.1.1.1 Public DNS Resolver

_Last updated March 27, 2024_

## Cloudflare’s commitment to privacy: 1.1.1.1 Public DNS Resolver

The 1.1.1.1 public DNS resolver is governed by our [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). This document provides additional details on our collection, use, and disclosure of the information collected from the 1.1.1.1 public DNS resolver.

---

Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Select a link, open an app, send an email, and the first thing your phone or computer does is ask its directory: where can I find this?

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

Given the current state of affairs, Cloudflare created a DNS resolver with your privacy and security in mind. Cloudflare, in partnership with APNIC, runs the 1.1.1.1 public resolver, a recursive DNS service that values user privacy and security. DNS requests sent to our public resolver can be sent over a secure channel, significantly decreasing the odds of any unwanted spying or man-in-the-middle attacks.

The 1.1.1.1 public DNS resolver was designed for privacy first, and Cloudflare commits to the following:

1. Cloudflare will not sell or share Public Resolver users’ personal data with third parties or use personal data from the Public Resolver to target any user with advertisements.
2. Cloudflare will only retain or use what is being asked, not information that will identify who is asking it. Except for randomly sampled network packets captured from at most 0.05% of all traffic sent to Cloudflare’s network infrastructure, Cloudflare will not retain the source IP from DNS queries to the Public Resolver in non-volatile storage. These randomly sampled packets are solely used for network troubleshooting and DoS mitigation purposes.
3. A Public Resolver user’s IP address (referred to as the client or source IP address) will not be stored in non-volatile storage. Cloudflare will anonymize source IP addresses via IP truncation methods (last octet for IPv4 and last 80 bits for IPv6). Cloudflare will delete the truncated IP address within 25 hours.
4. Cloudflare will retain only the limited transaction and debug log data (“Public Resolver Logs”) set forth below, for the legitimate operation of our Public Resolver and research purposes, and Cloudflare will delete the Public Resolver Logs within 25 hours.
5. Cloudflare will not share the Public Resolver Logs with any third parties except for APNIC pursuant to a Research Cooperative Agreement. APNIC will only have limited access to query the anonymized data in the Public Resolver Logs and conduct research related to the operation of the DNS system.
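The truncation rule in commitment 3 (last octet for IPv4, last 80 bits for IPv6) can be applied to your own resolver or web logs. The following is an added example, not Cloudflare's implementation; the function names are hypothetical, the sample addresses are constructed, and treating IPv4-mapped IPv6 addresses as IPv4 clients is an assumption.

```javascript
// Added illustration: IP truncation as described in commitment 3.
// Function names are hypothetical; this is not Cloudflare's implementation.

function parseIPv4(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error("invalid IPv4 address: " + ip);
  return parts.map(Number);
}

// Expand an IPv6 literal into its eight 16-bit groups.
function parseIPv6(ip) {
  let text = ip.split("%")[0]; // drop a zone id such as %eth0
  const lastColon = text.lastIndexOf(":");
  if (lastColon === -1) throw new Error("invalid IPv6 address: " + ip);
  const tail = text.slice(lastColon + 1);
  if (tail.includes(".")) {
    // Dotted-quad tail (for example ::ffff:203.0.113.77) becomes two hex groups
    const [a, b, c, d] = parseIPv4(tail);
    text = text.slice(0, lastColon + 1) +
      ((a << 8) | b).toString(16) + ":" + ((c << 8) | d).toString(16);
  }
  const halves = text.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  const groups = head.concat(Array(halves.length === 2 ? gap : 0).fill("0"), rest);
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  return groups.map((g) => parseInt(g, 16));
}

function truncateClientIP(ip) {
  if (!ip.includes(":")) {
    const octets = parseIPv4(ip);
    return octets.slice(0, 3).join(".") + ".0"; // zero the last octet (keeps a /24)
  }
  const groups = parseIPv6(ip);
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (mapped) {
    // Assumption: an IPv4-mapped address is an IPv4 client, so the IPv4 rule applies
    return [groups[6] >> 8, groups[6] & 0xff, groups[7] >> 8, 0].join(".");
  }
  // Zero the last 80 bits: only the first three 16-bit groups (a /48) survive
  const kept = groups.slice(0, 3);
  while (kept.length > 0 && kept[kept.length - 1] === 0) kept.pop();
  return kept.map((g) => g.toString(16)).join(":") + "::";
}

// Constructed sample addresses (documentation ranges)
const SAMPLE_CLIENTS = [
  "198.51.100.37",
  "2001:db8:abcd:12:3456:789a:bcde:f012",
  "::ffff:203.0.113.77",
];
for (const ip of SAMPLE_CLIENTS) {
  console.log(ip.padEnd(40), "->", truncateClientIP(ip));
}
```

Parsing the address before truncating, rather than cutting the string at the last separator, is what keeps compressed (`::`) and IPv4-mapped forms from leaking host bits into the stored value.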

Cloudflare has taken technical steps to ensure that we cannot retain our users' information.

We have also retained one of the top four accounting firms to audit our practices and publish a public report confirming we are doing what we said we would. The report is available in the [Certifications and compliance resources ↗](https://www.cloudflare.com/trust-hub/compliance-resources/) page.

## Limited data sharing with APNIC

Cloudflare has partnered with [APNIC Labs ↗](https://labs.apnic.net/?p=1127), the regional Internet registry for the Asia-Pacific region, to make the 1.1.1.1 IP address the home of the Cloudflare Public DNS Resolver. As part of its mission to ensure a global, open and secure Internet, APNIC conducts research about the functioning and governance of the Internet, which it makes available on its website, located at [www.apnic.net ↗](http://www.apnic.net).

Cloudflare has agreed to provide APNIC with access to some of the anonymized data that Cloudflare collects through the Cloudflare Public DNS Resolver. Specifically, APNIC will be permitted to access query names, query types, resolver location and other metadata via a Cloudflare API that will allow APNIC to study topics like the volume of DDoS attacks launched on the Internet and adoption of IPv6.

APNIC Labs will use such data for non-profit operational research. As part of Cloudflare’s commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address associated with a client.

Aside from APNIC, Cloudflare will not share the Public Resolver Logs with any third party.

## Data in public resolver logs

The Public Resolver Logs we store consist entirely of the following fields:

* answerData type
* answerData
* coloID (unique Cloudflare data center ID)
* date
* dateTime
* dstIPVersion
* dstIPv6
* dstIPv4
* dstPort
* ede
* ednsVersion
* ednsPayload
* ednsNsid
* feature.uid
* feature.value
* metalId (unique Cloudflare data center ID)
* ns ip
* ns name
* protocol
* queryName
* queryType
* queryClass
* queryRd
* queryDo
* querySize
* queryEdns
* queryCd
* responseType
* responseCode
* responseSize
* responseCount
* responseTimeMs
* responseCached
* responseMinTTL
* reused
* srcAsNum
* srcCountry
* srcIPVersion
* validationState

Additionally, recursive resolvers perform outgoing queries to various authoritative nameservers in the DNS hierarchy that are logged in subrequest fields. These logs are used for the operation and debugging of our public DNS resolver service.

The following subrequest data is included in the Public Resolver Logs:

* subrequest.ipv6 (authoritative nameserver)
* subrequest.ipv4 (authoritative nameserver)
* subrequest.protocol
* subrequest.durationMs
* subrequest.queryName
* subrequest.queryType
* subrequest.responseCode
* subrequest.responseCount
* subrequest.recordType
* subrequest.recordData
* subrequest.error

Except for the limited sampled data from the Public Resolver Logs (which do not include truncated IP addresses) used to generate the aggregated data described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information.

Cloudflare may make the following aggregations:

* Total number of queries with different protocol settings (for example, tcp/udp/dnssec) by Cloudflare data centers.
* Response code/time quantiles with different protocol settings by Cloudflare data centers.
* Total Number of Requests Processed by Cloudflare data centers.
* Aggregate List of All Domain Names Requested and aggregate number of requests and timestamp of first time requested by region.
* Number of unique clients, queries over IPv4, queries over IPv6, queries with the RD bit set, queries asking for DNSSEC, number of bogus, valid, and invalid DNSSEC answers, queries by type, number of answers with each response code, response time quantiles (e.g. 50 percentile), response TTL, and number of cached answers per minute, per day, per protocol (HTTPS/UDP/TCP/TLS), per region, per Cloudflare data center, and per Autonomous System Number.
* Number of queries, number of queries with EDNS, number of bytes and time in answers quantiles (e.g. 50 percentile) by day, month, Cloudflare data center, and by IPv4 vs IPv6.
* Number of queries, response codes and response code quantiles (e.g. 50 percentile) by day, region, name and type.

Cloudflare may store the data described above indefinitely in order to power Cloudflare Radar and assist Cloudflare in improving Cloudflare services, such as enhancing the overall performance of the Cloudflare Resolver and identifying security threats.

## What about requests for content blocking?

Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks.

In general, Cloudflare views government or civil requests to block content at the DNS level as ineffective, inefficient, and overbroad. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction. A government request to block content through a globally available public recursive resolver like the 1.1.1.1 Public DNS Resolver and 1.1.1.1 for Families should therefore be evaluated as a request to block content globally.

Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.


---

---
title: Troubleshooting
description: Learn how to diagnose and report issues with Cloudflare's DNS Resolver
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Troubleshooting

This guide will help you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, you can [verify your connection](https://developers.cloudflare.com/1.1.1.1/check/) to automatically gather relevant information.

## Name resolution issues

### Linux/macOS

```sh
# Test DNS resolution
dig example.com @1.1.1.1
dig example.com @1.0.0.1
dig example.com @8.8.8.8

# Check connected nameserver
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

# Optional: Network information
dig @ns3.cloudflare.com whoami.cloudflare.com txt +short
```

### Windows

```
# Test DNS resolution
nslookup example.com 1.1.1.1
nslookup example.com 1.0.0.1
nslookup example.com 8.8.8.8

# Check connected nameserver
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

# Optional: Network information
nslookup -type=txt whoami.cloudflare.com ns3.cloudflare.com
```

**Note:** The network information command reveals your IP address. Only include this in reports to Cloudflare if you are comfortable sharing this information.

For additional analysis, you can generate a [DNSViz ↗](http://dnsviz.net/) report for the domain in question.

## Connectivity and routing issues

Before reporting connectivity issues:

1. Search for existing reports from your country and ISP.
2. Run traceroutes to both Cloudflare DNS resolvers.

### Linux/macOS

```sh
# Basic connectivity tests
traceroute 1.1.1.1
traceroute 1.0.0.1

# If reachable, check nameserver identity
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

# TCP connection tests
dig +tcp @1.1.1.1 id.server CH TXT
dig +tcp @1.0.0.1 id.server CH TXT
```

### Windows

```
# Basic connectivity tests
tracert 1.1.1.1
tracert 1.0.0.1

# If reachable, check nameserver identity
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

# TCP connection tests
nslookup -vc -class=chaos -type=txt id.server 1.1.1.1
nslookup -vc -class=chaos -type=txt id.server 1.0.0.1
```

## DNS-over-TLS (DoT) troubleshooting

### Linux/macOS

```sh
# Test TLS connectivity
openssl s_client -connect 1.1.1.1:853
openssl s_client -connect 1.0.0.1:853

# Test DNS resolution over TLS
kdig +tls @1.1.1.1 id.server CH TXT
kdig +tls @1.0.0.1 id.server CH TXT
```

### Windows

Windows does not include a standalone DoT client. You can test TLS connectivity using OpenSSL after installing it manually.

## DNS-over-HTTPS (DoH) troubleshooting

### Linux/macOS

```sh
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA'
```

### Windows

```powershell
(Invoke-WebRequest -Uri 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA').RawContent
```

## Common issues

### First hop failures

If your traceroute fails at the first hop, the issue is likely hardware-related. Your router may have a hardcoded route for 1.1.1.1. When reporting this issue, include:

* Router make and model
* ISP name
* Any relevant router configuration details

## Additional resources

* [1.1.1.1 DNS Resolver homepage ↗](https://1.1.1.1)
* [DNS over TLS documentation](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/)
* [Diagnostic tool ↗](https://one.one.one.one/help/)


---

---
title: Terms of use
description: Terms of use for the 1.1.1.1 DNS resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Terms of use

By using 1.1.1.1 Public DNS Resolver or 1.1.1.1 for Families, you consent to be bound by the [Cloudflare Website and Online Services Terms of Use ↗](https://www.cloudflare.com/website-terms/).

If you are an [Internet Service Provider (ISP) or network equipment provider](https://developers.cloudflare.com/1.1.1.1/infrastructure/network-operators/), you agree to provide proper attribution to Cloudflare in accordance with our Trademark Guidelines using our Public DNS Resolver. Please reach out to `resolver@cloudflare.com` for such logo requests.


---

---
title: FAQ
description: Find answers to common questions about Cloudflare's 1.1.1.1 DNS resolver, including setup, privacy features, IPv6 support, and troubleshooting tips.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# FAQ

Below you will find answers to our most commonly asked questions. If you cannot find the answer you are looking for, refer to the [community page ↗](https://community.cloudflare.com/) to explore more resources.

## What is 1.1.1.1?

1.1.1.1 is Cloudflare's fast and secure DNS resolver. When you request to visit an application like `cloudflare.com`, your computer needs to know which server to connect you to so that it can load the application. Computers do not know how to do this name-to-address translation, so they ask a specialized server to do it for them.

This specialized server is called a DNS recursive resolver. The resolver's job is to find the address for a given name, like `2400:cb00:2048:1::c629:d7a2` for `cloudflare.com`, and return it to the computer that asked for it.

Computers are configured to talk to specific DNS resolvers, identified by IP address. Usually the configuration is managed by your ISP (like Comcast or AT&T) if you are on your home or wireless Internet, and by your network administrator if you are connected to the office Internet. You can also change the configured DNS resolver your computer talks to yourself.

## How can I check if my computer / smartphone / tablet is connected to 1.1.1.1?

Visit [1.1.1.1/help ↗](https://one.one.one.one/help) to make sure your system is connected to 1.1.1.1 and that it is working.

## What do DNS resolvers do?

DNS resolvers are like address books for the Internet. They translate the name of places to addresses so that your browser can figure out how to get there. DNS resolvers do this by working backwards from the top until they find the website you are looking for.

Every resolver knows how to find the invisible `.` at the end of domain names (for example, `cloudflare.com.`). There are [hundreds of root servers ↗](http://www.root-servers.org/) all over the world that host the `.` file, and resolvers are [hard coded to know the IP addresses ↗](http://www.internic.net/domain/named.root) of those servers. Cloudflare itself hosts [that file ↗](http://www.internic.net/domain/root.zone) on all of its servers around the world through a [partnership with ISC ↗](https://blog.cloudflare.com/f-root/).

The resolver asks one of the root servers where to find the next link in the chain — the top-level domain (abbreviated to TLD) or domain ending. An example of a TLD is `.com` or `.org`. Luckily, the root servers store the locations of all the TLD servers, so they can return which IP address the DNS resolver should go ask next.

The resolver then asks the TLD's servers where it can find the domain it is looking for. For example, a resolver might ask `.com` where to find `cloudflare.com`. TLDs host a file containing the location of every domain using the TLD.

Once the resolver has the final IP address, it returns the answer to the computer that asked.

This whole system is called the [Domain Name System (DNS) ↗](https://www.cloudflare.com/learning/dns/what-is-dns/). This system includes the servers that host the information (called [authoritative DNS ↗](https://www.cloudflare.com/learning/dns/dns-server-types/)) and the servers that seek the information (the DNS resolvers).

## Does 1.1.1.1 support ANY?

Cloudflare [stopped supporting the ANY query ↗](https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/) in 2015, as ANY queries are used more often to perpetrate large volumetric attacks against the DNS system than for valid purposes. 1.1.1.1 returns `NOTIMP` when asked for `qtype==ANY`.

## How does 1.1.1.1 work with DNSSEC?

1.1.1.1 is a DNSSEC validating resolver. 1.1.1.1 sends the `DO` (`DNSSEC OK`) bit on every query to convey to the authoritative server that it wishes to receive signed answers if available. 1.1.1.1 supports the signature algorithms specified in [Supported DNSKEY signature algorithms](https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/).

## Does 1.1.1.1 send the EDNS Client Subnet header?

1.1.1.1 is a privacy-centric resolver, so it does not send any client IP information and does not send the EDNS Client Subnet (ECS) header to authoritative servers. The exception is the single Akamai debug domain `whoami.ds.akahelp.net` to aid in cross-provider debugging. However, Cloudflare does not send ECS to any of Akamai's production domains, such as `akamaihd.net` or similar.
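An authoritative operator can check the two answers above (the `DO` bit on every query, and no ECS option) against queries arriving at their own servers. The following added example, which is not Cloudflare code, parses the EDNS OPT record of a DNS query in wire format; the helper names are hypothetical and the sample queries are constructed by `buildQuery` so the code runs offline.

```javascript
// Added illustration: inspect the EDNS OPT record of a DNS query in wire format.
// Helper names are hypothetical; sample messages are constructed, not captured.

const TYPE_OPT = 41;    // RFC 6891 pseudo-record carrying EDNS data
const OPTION_ECS = 8;   // RFC 7871 EDNS Client Subnet option code
const FLAG_DO = 0x8000; // "DNSSEC OK", top bit of the OPT flags field

// Build a constructed sample query (IPv4 /24 ECS option when ecsSubnet is given).
function buildQuery(name, qtype, { doBit = false, ecsSubnet = null } = {}) {
  const u16 = (n) => [(n >> 8) & 0xff, n & 0xff];
  const qname = name.replace(/\.$/, "").split(".").flatMap((label) =>
    [label.length, ...Array.from(label, (ch) => ch.charCodeAt(0))]);
  const options = [];
  if (ecsSubnet) {
    const prefix = ecsSubnet.split(".").slice(0, 3).map(Number);
    // option code, option length, family 1 (IPv4), source /24, scope 0, prefix bytes
    options.push(...u16(OPTION_ECS), ...u16(4 + prefix.length), ...u16(1), 24, 0, ...prefix);
  }
  return Uint8Array.from([
    ...u16(0x1234), ...u16(0x0000),             // ID, flags
    ...u16(1), ...u16(0), ...u16(0), ...u16(1), // QD=1, AN=0, NS=0, AR=1
    ...qname, 0, ...u16(qtype), ...u16(1),      // question, class IN
    0, ...u16(TYPE_OPT), ...u16(1232),          // OPT: root name, type, UDP payload size
    0, 0, ...u16(doBit ? FLAG_DO : 0),          // extended RCODE, version, flags
    ...u16(options.length), ...options,         // RDLEN, options
  ]);
}

// Return the offset just past a (possibly compressed) domain name.
function skipName(msg, offset) {
  for (;;) {
    if (offset >= msg.length) throw new Error("truncated name");
    const len = msg[offset];
    if (len === 0) return offset + 1;
    if ((len & 0xc0) === 0xc0) return offset + 2; // a compression pointer ends the name
    offset += 1 + len;
  }
}

function inspectEdns(msg) {
  if (msg.length < 12) throw new Error("short DNS header");
  const view = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  const questions = view.getUint16(4);
  const records = view.getUint16(6) + view.getUint16(8) + view.getUint16(10);
  let offset = 12;
  for (let i = 0; i < questions; i++) offset = skipName(msg, offset) + 4;

  const result = { edns: false, doBit: false, ecs: false, udpSize: null };
  for (let i = 0; i < records; i++) {
    offset = skipName(msg, offset);
    if (offset + 10 > msg.length) throw new Error("truncated record");
    const type = view.getUint16(offset);
    const rdlen = view.getUint16(offset + 8);
    const rdata = offset + 10;
    if (rdata + rdlen > msg.length) throw new Error("truncated rdata");
    if (type === TYPE_OPT) {
      result.edns = true;
      result.udpSize = view.getUint16(offset + 2); // CLASS field holds the payload size
      result.doBit = (view.getUint16(offset + 6) & FLAG_DO) !== 0; // low half of TTL
      for (let p = rdata; p + 4 <= rdata + rdlen; p += 4 + view.getUint16(p + 2)) {
        if (view.getUint16(p) === OPTION_ECS) result.ecs = true;
      }
    }
    offset = rdata + rdlen;
  }
  return result;
}

// What a query matching the FAQ looks like, next to one that carries ECS.
console.log(inspectEdns(buildQuery("example.com", 1, { doBit: true })));
console.log(inspectEdns(buildQuery("example.com", 1, { ecsSubnet: "198.51.100.0" })));
```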

## Does 1.1.1.1 support IPv6?

1.1.1.1 has full IPv6 support.

## What is Purge Cache?

1.1.1.1's Purge Cache tool allows you to refresh 1.1.1.1's DNS cache for domain names. To refresh the cache for a domain name, visit the [Purge Cache page ↗](https://one.one.one.one/purge-cache/).

## What is query name minimization?

Cloudflare minimizes privacy leakage by sending only the minimal query name to authoritative DNS servers. For example, if a client is looking for `foo.bar.example.com`, the only part of the query 1.1.1.1 discloses to `.com` is that we want to know who's responsible for `example.com`, and the zone internals stay hidden.
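The difference is easiest to see by listing what each server on the delegation path is asked. The following added example (not Cloudflare code) models the technique standardized in RFC 9156 for the name used above; the function names and the list of zone cuts are assumptions made for the illustration.

```javascript
// Added illustration of query name minimization (RFC 9156).
// Function names and the zone-cut list are assumptions for the example.

function toLabels(name) {
  const trimmed = name.toLowerCase().replace(/\.$/, "");
  return trimmed === "" ? [] : trimmed.split(".");
}

// The rightmost `depth` labels as a fully qualified name ("." for depth 0).
function suffix(labels, depth) {
  return depth === 0 ? "." : labels.slice(labels.length - depth).join(".") + ".";
}

// zoneCuts: apex names of the zones on the delegation path, for example
// [".", "com.", "example.com."]. Returns the queries sent upstream, in order.
function upstreamQueries(qname, zoneCuts, minimize) {
  const labels = toLabels(qname);
  const depths = new Set([0]); // the root is always the starting point
  for (const cut of zoneCuts) {
    const cutLabels = toLabels(cut);
    const isAncestor = cutLabels.length <= labels.length &&
      suffix(labels, cutLabels.length) === suffix(cutLabels, cutLabels.length);
    if (!isAncestor) throw new Error(cut + " is not an ancestor of " + qname);
    depths.add(cutLabels.length);
  }
  const ordered = [...depths].sort((a, b) => a - b);

  const queries = [];
  ordered.forEach((zoneDepth, i) => {
    const server = suffix(labels, zoneDepth);
    if (!minimize) {
      // Classic behaviour: every server on the path sees the full name
      queries.push({ server, qname: suffix(labels, labels.length) });
      return;
    }
    // Minimized: reveal one more label at a time and stop at the next zone cut
    const stop = i + 1 < ordered.length ? ordered[i + 1] : labels.length;
    const start = Math.min(zoneDepth + 1, labels.length);
    for (let depth = start; depth <= stop; depth++) {
      queries.push({ server, qname: suffix(labels, depth) });
    }
  });
  return queries;
}

// Group the names each authoritative server gets to see.
function namesSeenBy(queries) {
  const seen = {};
  for (const q of queries) {
    (seen[q.server] = seen[q.server] || []).push(q.qname);
  }
  return seen;
}

// Constructed delegation path for the name used in the text
const CUTS = [".", "com.", "example.com."];
console.log("minimized:", namesSeenBy(upstreamQueries("foo.bar.example.com", CUTS, true)));
console.log("full name:", namesSeenBy(upstreamQueries("foo.bar.example.com", CUTS, false)));
```

With minimization the root and `com.` servers each learn a single extra label, and only the `example.com.` servers see `bar` and `foo`.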

## What are root hints?

For decreased latency, reduced privacy leakage of queries and lower load on the DNS system, 1.1.1.1 upstreams to [locally hosted root zone files ↗](https://blog.cloudflare.com/f-root/).

## Can IPs used by 1.1.1.1 be allowlisted?

Authoritative DNS providers may want to allowlist the IPs 1.1.1.1 uses to query upstream DNS providers. The comprehensive list of IPs to allowlist is available at [https://www.cloudflare.com/ips/ ↗](https://www.cloudflare.com/ips/).


---

---
title: DNS in Google Sheets
description: Cloudflare 1.1.1.1 works directly inside Google Sheets. To get started, create a Google Function with the following code.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# DNS in Google Sheets

## Create a function

1.1.1.1 works directly inside Google Sheets. To get started, create a [Google Function ↗](https://developers.google.com/apps-script/guides/sheets/functions) with the following code:

```js
function NSLookup(type, domain, useCache = false, minCacheTTL = 30) {
  if (typeof type == "undefined") {
    throw new Error("Missing parameter 1 dns type");
  }

  if (typeof domain == "undefined") {
    throw new Error("Missing parameter 2 domain name");
  }

  if (typeof useCache != "boolean") {
    throw new Error("Only boolean values allowed in 3 use cache");
  }

  if (typeof minCacheTTL != "number") {
    throw new Error("Only numeric values allowed in 4 min cache ttl");
  }

  type = type.toUpperCase();
  domain = domain.toLowerCase();

  // Declared here so the cache key is still in scope when the result is stored below
  let cache = null;
  let cacheBinKey = null;
  if (useCache) {
    // Cache key and hash
    const cacheKey = domain + "@" + type;
    const cacheHash = Utilities.base64Encode(cacheKey);
    cacheBinKey = "nslookup-result-" + cacheHash;

    cache = CacheService.getScriptCache();
    const cachedResult = cache.get(cacheBinKey);
    if (cachedResult != null) {
      return cachedResult;
    }
  }

  // Query the 1.1.1.1 DNS over HTTPS JSON endpoint
  const url =
    "https://cloudflare-dns.com/dns-query?name=" +
    encodeURIComponent(domain) +
    "&type=" +
    encodeURIComponent(type);
  const options = {
    muteHttpExceptions: true,
    headers: {
      accept: "application/dns-json",
    },
  };

  const result = UrlFetchApp.fetch(url, options);
  const rc = result.getResponseCode();
  const resultText = result.getContentText();

  if (rc !== 200) {
    throw new Error(rc);
  }

  // DNS response codes, indexed by RCODE value
  const errors = [
    { name: "NoError", description: "No Error" }, // 0
    { name: "FormErr", description: "Format Error" }, // 1
    { name: "ServFail", description: "Server Failure" }, // 2
    { name: "NXDomain", description: "Non-Existent Domain" }, // 3
    { name: "NotImp", description: "Not Implemented" }, // 4
    { name: "Refused", description: "Query Refused" }, // 5
    { name: "YXDomain", description: "Name Exists when it should not" }, // 6
    { name: "YXRRSet", description: "RR Set Exists when it should not" }, // 7
    { name: "NXRRSet", description: "RR Set that should exist does not" }, // 8
    { name: "NotAuth", description: "Not Authorized" }, // 9
  ];

  const response = JSON.parse(resultText);

  if (response.Status !== 0) {
    // RCODEs above 9 are not in the table; return the number instead of throwing a TypeError
    const error = errors[response.Status];
    return error ? error.name : "RCODE " + response.Status;
  }

  const outputData = [];
  let cacheTTL = 0;

  // Answer is absent when the name exists but has no records of this type
  for (const answer of response.Answer || []) {
    outputData.push(answer.data);
    // Track the lowest TTL across all returned records
    cacheTTL = Math.min(cacheTTL || answer.TTL, answer.TTL);
  }

  const outputString = outputData.join(",");

  if (useCache) {
    // CacheService accepts an expiration of at most 21600 seconds (6 hours)
    const expiration = Math.min(Math.max(cacheTTL, minCacheTTL), 21600);
    cache.put(cacheBinKey, outputString, expiration);
  }

  return outputString;
}
```

## Using 1.1.1.1

When you feed the function `NSLookup` a record type and a domain, you will get a DNS record value in the cell from which you called `NSLookup`.

To limit the number of DNS lookups and speed up the results (especially in larger Google Sheets), you can cache the returned DNS record value. Both the cache usage and the cache TTL can be controlled in arguments 3 and 4, respectively.

Supported DNS record types

* `A`
* `AAAA`
* `CAA`
* `CNAME`
* `DS`
* `DNSKEY`
* `MX`
* `NS`
* `NSEC`
* `NSEC3`
* `RRSIG`
* `SOA`
* `TXT`

For example, typing:

```
NSLookup(B1, B2)
```

Or - depending on your regional settings - you may have to use this formula:

```
NSLookup(B1; B2)
```

![Google sheets function](https://developers.cloudflare.com/_astro/google-sheet-function.B_K9dB4i_1pUnIa.webp)

  
Returns

```
198.41.214.162, 198.41.215.162
```

![Google sheets function](https://developers.cloudflare.com/_astro/google-sheet-result.qjsyQyZU_ZJWiV8.webp)


---

---
title: DNS over Discord
description: 1.1.1.1 works from a Discord server. Invite the bot to your Discord server to start using DNS over Discord. Or, add it to your account to use it anywhere in Discord.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# DNS over Discord

1.1.1.1 works from a Discord server, thanks to the 1.1.1.1 bot. [Invite the bot to your Discord server ↗](https://cfl.re/3nM6VfQ) to start using DNS over Discord. Or, [add the bot to your Discord account ↗](https://dns-over-discord.v4.wtf/invite/user) to use it anywhere in Discord.

## Perform DNS lookups

Once the bot is in your server, type `/dig` to start performing DNS lookups. This will provide a native interface within Discord that allows you to specify the domain to look up, an optional DNS record type and an optional flag for a short result.

If only a domain is given for the command, the bot will default to looking for `A` DNS records, and will return the full format result, not the short form.

Example:

```
/dig domain: cloudflare.com
```

### Supported record types

Discord has a limit of 25 options in slash commands, so DNS over Discord offers the 25 most common DNS record types to choose from.

Supported DNS record types

* `A`
* `AAAA`
* `CAA`
* `CDNSKEY`
* `CDS`
* `CERT`
* `CNAME`
* `DNSKEY`
* `DS`
* `HINFO`
* `HTTPS`
* `LOC`
* `MX`
* `NAPTR`
* `NS`
* `PTR`
* `SMIMEA`
* `SOA`
* `SPF`
* `SRV`
* `SSHFP`
* `SVCB`
* `TLSA`
* `TXT`
* `URI`

To query other DNS record types, or multiple record types at once, use the `/multi-dig` command.

### Short form response

DNS over Discord has an optional flag in the `/dig` command that allows the user to request a response in the short form.

When you request a response in the short form, the name and TTL columns will be excluded. The command only returns the data column without formatting, similar to the equivalent `dig` command-line interface response.

Example:

```
/dig domain: cloudflare.com type: AAAA records short: True
```

### Disable DNSSEC checking

You can disable DNSSEC checking in the `/dig` command by passing `cdflag` as true. This will return the DNS records even if the DNSSEC validation fails.

Example:

```
/dig domain: cloudflare.com type: AAAA records cdflag: True
```

### Refreshing existing results

You can refresh the DNS lookup results by clicking the Refresh button. Clicking it will trigger the bot to re-request the DNS query in the message, and update the results in the message. Any user can click this button.

The refresh button is available on all responses to the `/dig` command, including those that resulted in an error, such as an unknown domain or no records found.

### Changing DNS provider

By default, the DNS over Discord bot uses Cloudflare's 1.1.1.1 DNS service. You can run the DNS lookup with alternate DNS providers by selecting the dropdown below the result. This shows you a list of available providers. Selecting a new provider updates the results in the message. Any user can change the DNS provider.

## `multi-dig` command

If you want to look up multiple DNS record types at once, use the `/multi-dig` command. This allows you to specify any supported DNS record type, and multiple types separated by a space.

Example:

```
/multi-dig domain: cloudflare.com types: A AAAA
```

### Supported record types

When providing DNS record types for the `/multi-dig` command, Discord will not prompt you with options. You have to provide a space-separated list of valid DNS record types to look up, as any invalid options will be silently dropped. `A` records will be used as the default if no valid types are given.

DNS record types supported and considered valid by the bot

Use a `*` (asterisk) in place of a record type to get DNS results for all supported types.

* `A`
* `AAAA`
* `AFSDB`
* `APL`
* `CAA`
* `CDNSKEY`
* `CDS`
* `CERT`
* `CNAME`
* `CSYNC`
* `DHCID`
* `DLV`
* `DNAME`
* `DNSKEY`
* `DS`
* `EUI48`
* `EUI64`
* `HINFO`
* `HIP`
* `HTTPS`
* `IPSECKEY`
* `KEY`
* `KX`
* `LOC`
* `MX`
* `NAPTR`
* `NS`
* `NSEC`
* `NSEC3`
* `NSEC3PARAM`
* `OPENPGPKEY`
* `PTR`
* `RP`
* `SMIMEA`
* `SOA`
* `SPF`
* `SRV`
* `SSHFP`
* `SVCB`
* `TA`
* `TKEY`
* `TLSA`
* `TXT`
* `URI`
* `ZONEMD`

### Short form response

Like the main `/dig` command, the `/multi-dig` command also supports the optional short flag after the types have been specified in the slash command.

Example:

```
/multi-dig domain: cloudflare.com types: CDS CDNSKEY short: True
```

### Disable DNSSEC checking

As with the `/dig` command, you can disable DNSSEC checking by passing `cdflag` as true. This will return the DNS records even if the DNSSEC validation fails.

Example:

```
/multi-dig domain: cloudflare.com types: AAAA cdflag: True
```

### Refreshing existing results

The `/multi-dig` command also provides a refresh button below each set of DNS results requested (or after each block of 10 DNS record types, if you requested more than 10).

As with the `/dig` command, any user can press the refresh button to refresh the displayed DNS results, including for DNS queries that had previously failed.

### Changing DNS provider

Like the `/dig` command, you can change the DNS provider when using the `/multi-dig` command. The menu appears after each set of DNS results (or after each block of results if more than 10 record types are requested).

This menu can be used by any user to change the DNS provider used for the lookup.

## `whois` command

The `/whois` command allows you to perform an RDAP/WHOIS lookup right in Discord for a given domain, IP or ASN.

Examples:

```
/whois query: cloudflare.com
/whois query: 104.16.132.229
/whois query: 2606:4700::6810:84e5
/whois query: 13335
```

## Other commands

The bot also has a set of helper commands available to get more information about the bot and quick links.

### `help` command

The `/help` command provides in-Discord documentation about all the commands available in the 1.1.1.1 DNS over Discord bot.

Example:

```
/help
```

### `privacy` command

The `/privacy` command displays the Privacy Policy notice for using the 1.1.1.1 DNS over Discord bot. You can also [refer to the Privacy Policy page ↗](https://dns-over-discord.v4.wtf/privacy) to access it.

Example:

```
/privacy
```

### `terms` command

The `/terms` command displays the Terms of Service notice for using the 1.1.1.1 DNS over Discord bot. You can also [refer to the Terms of Service page ↗](https://dns-over-discord.v4.wtf/terms) to access it.

Example:

```
/terms
```

### `github` command

The DNS over Discord bot is open-source, and the `/github` command provides a quick link to access the GitHub repository. The GitHub repository can be accessed at [https://github.com/MattIPv4/DNS-over-Discord/ ↗](https://github.com/MattIPv4/DNS-over-Discord/).

Example:

```
/github
```

### `invite` command

The `/invite` command provides the user with a quick link to invite the 1.1.1.1 DNS over Discord bot to another Discord server, or to add it to a Discord account. The bot can be invited at any time with [https://cfl.re/3nM6VfQ ↗](https://cfl.re/3nM6VfQ). The bot can also be added to accounts with [https://dns-over-discord.v4.wtf/invite/user ↗](https://dns-over-discord.v4.wtf/invite/user).

```
/invite
```

---

## Development

The DNS over Discord bot is deployed on [Cloudflare Workers ↗](https://workers.cloudflare.com/).

You can find the source code for the bot on GitHub, as well as information on getting started with contributing to the project, at [https://github.com/MattIPv4/DNS-over-Discord/ ↗](https://github.com/MattIPv4/DNS-over-Discord/).


---

---
title: DNS over Tor
description: If you do not want to disclose your IP address to the resolver, you can use our Tor onion service. Resolving DNS queries through the Tor network guarantees a significantly higher level of anonymity than making the requests directly.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# DNS over Tor

Warning

The hidden resolver is still an experimental service and should not be used in production or for other critical uses.

If you do not want to disclose your IP address to the resolver, you can use our Tor onion service. Resolving DNS queries through the Tor network guarantees a significantly higher level of anonymity than making the requests directly. Not only does doing so prevent the resolver from ever seeing your IP address, but it also prevents your ISP from knowing that you attempted to resolve a domain name.

Read more about this service in [this blog post ↗](https://blog.cloudflare.com/welcome-hidden-resolver/).

## Setting up a Tor client

The important difference between using all other modes of DNS and this one is that packet routing no longer uses IP addresses, and therefore all connections must be routed through a Tor client.

Before you start, head to the [Tor Project website ↗](https://www.torproject.org/download/download.html.en) to download and install a Tor client. If you use the Tor Browser, it will automatically start a [SOCKS proxy ↗](https://en.wikipedia.org/wiki/SOCKS) at `127.0.0.1:9150`.

If you use Tor from the command line, create the following configuration file (saved as `tor.conf`, the name used in the command that follows):

```
SOCKSPort 9150
```

Then you can run tor with:

```
tor -f tor.conf
```

Also, if you use the Tor Browser, you can head to the resolver's address to see the usual 1.1.1.1 page:

```
https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
```

Note

The HTTPS certificate indicator should say "Cloudflare, Inc. (US)."

If you ever forget 1.1.1.1's address, use cURL to retrieve it:

```
curl -sI https://tor.cloudflare-dns.com | grep -i alt-svc
```

```
alt-svc: h2="dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443"; ma=315360000; persist=1
```
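The same `.onion` address is later typed into `socat`, `/etc/hosts` and `cloudflared`, so it is worth checking before use. The following is an added example, not part of the original documentation: it parses the `alt-svc` line shown above and verifies the address against the Tor v3 onion checksum (SHA3-256 over `".onion checksum"`, the public key and the version byte). The function names and the embedded sample header are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample: the alt-svc line from the curl output shown on this page.
SAMPLE_HEADER = (
    'alt-svc: h2="dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443"; '
    "ma=315360000; persist=1"
)

ALT_SVC_RE = re.compile(
    r'^alt-svc:\s*(?P<proto>[\w-]+)="(?P<host>[^":]+):(?P<port>\d+)"(?P<params>.*)$',
    re.IGNORECASE,
)


def parse_alt_svc(line):
    """Split one alt-svc header line into protocol, host, port and parameters."""
    match = ALT_SVC_RE.match(line.strip())
    if not match:
        raise ValueError("not an alt-svc header with a quoted host:port")
    params = {}
    for part in match.group("params").split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = value.strip()
    return {
        "protocol": match.group("proto"),
        "host": match.group("host").lower(),
        "port": int(match.group("port")),
        "params": params,
    }


def onion_v3_is_valid(hostname):
    """True if hostname is a well-formed v3 onion address with a correct checksum."""
    label, _, tld = hostname.strip().lower().rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    # Layout: 32-byte ed25519 public key | 2-byte checksum | 1-byte version.
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return hmac.compare_digest(checksum, expected)


def check_configured_address(header_line, configured_host):
    """Compare the address in local config with the advertised one.

    Returns a list of problems; an empty list means both addresses are
    valid v3 onion names and identical.
    """
    problems = []
    advertised = parse_alt_svc(header_line)["host"]
    if not onion_v3_is_valid(advertised):
        problems.append("advertised address fails the v3 onion checksum")
    if not onion_v3_is_valid(configured_host):
        problems.append("configured address fails the v3 onion checksum")
    if advertised != configured_host.strip().lower():
        problems.append("configured address differs from the advertised one")
    return problems


if __name__ == "__main__":
    svc = parse_alt_svc(SAMPLE_HEADER)
    print(svc["host"], svc["port"], onion_v3_is_valid(svc["host"]))
```

A single mistyped character changes the decoded key or version byte, so the checksum test catches copy errors before the address reaches `socat` or `/etc/hosts`.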

## Setting up a local DNS proxy using socat

Of course, not all DNS clients support connecting to the Tor client, so the easiest way to connect any DNS-speaking software to the hidden resolver is by forwarding ports locally, for instance [using socat ↗](http://www.dest-unreach.org/socat/).

### DNS over TCP, TLS, and HTTPS

The hidden resolver is set up to listen on TCP ports 53 and 853 for DNS over TCP and TLS. After setting up a Tor proxy, run the following `socat` command as a privileged user, replacing the port number appropriately:

```
PORT=853; socat TCP4-LISTEN:${PORT},reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:${PORT},socksport=9150
```

From here, you can follow the regular guide for [setting up 1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/), except you should always use `127.0.0.1` instead of `1.1.1.1`. If you need to access the proxy from another device, simply replace `127.0.0.1` in `socat` commands with your local IP address.

### DNS over HTTPS

[As explained in the blog post ↗](https://blog.cloudflare.com/welcome-hidden-resolver/), our favorite way of using the hidden resolver is using DNS over HTTPS (DoH). To set it up:

1. Download `cloudflared` by following the guide for [connecting to 1.1.1.1 using DNS over HTTPS clients](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/).
2. Start a Tor SOCKS proxy and use `socat` to forward port TCP:443 to localhost:

```
socat TCP4-LISTEN:443,reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443,socksport=9150
```

3. Instruct your machine to treat the `.onion` address as localhost:

```
cat << EOF >> /etc/hosts
127.0.0.1 dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
EOF
```

4. Finally, start a local DNS over UDP daemon:

```
cloudflared proxy-dns --upstream "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
```

```
INFO[0000] Adding DNS upstream                           url="https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"
INFO[0000] Starting metrics server                       addr="127.0.0.1:35659"
```


---

---
title: Extended DNS error codes
description: Extended DNS error codes returned by 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Extended DNS error codes

[Extended DNS Error Codes ↗](https://www.rfc-editor.org/rfc/rfc8914.html) is a method to return additional information about the cause of DNS errors. As there are many reasons why a DNS query might fail, it became necessary to provide additional information on the exact cause of an error.

1.1.1.1 supports Extended DNS Error Codes. Below is a list of error codes 1.1.1.1 returns, what they mean, and steps you may want to take to resolve the issue.

| Code number | Code name                    | Example output                                                                                                                                             | Next steps                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ----------- | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1           | Unsupported DNSKEY Algorithm | EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify example.com. A: unsupported key size, DNSKEY example.com., id = 12345)                            | The domain did not pass DNSSEC validation. Check which [signature key algorithm](https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/) your website uses and confirm it is supported by 1.1.1.1.                                                                                                                                                                                                                                                                                                                                                                              |
| 2           | Unsupported DS Digest Type   | EDE: 2 (Unsupported DS Digest Type): (no supported DS digest type for example.com.)                                                                        | The domain did not pass DNSSEC validation due to an unsupported digest type on the DS record. If none of the provided DS records are supported, the domain will fail to resolve. Make sure to [add a supported DS record](https://developers.cloudflare.com/dns/dnssec/) with your registrar.                                                                                                                                                                                                                                                                                         |
| 3           | Stale Answer                 | EDE: 3 (Stale Answer) | This is a silent error. It indicates that the DNS resolver could only return stale data. If the issue persists, reach out on the 1.1.1.1 [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47). |
| 6           | DNSSEC Bogus                 | EDE: 6 (DNSSEC Bogus): (proof of non-existence of example.com. A)<br>EDE: 6 (DNSSEC Bogus): (found duplicate CNAME records for example.com. (1 duplicate RRs)) | This domain did not pass DNSSEC validation. The signatures for the target record, or the proof of non-existence of the target records, are invalid. Check your [DNS configuration](https://developers.cloudflare.com/dns/). |
| 7           | Signature Expired            | EDE: 7 (Signature Expired): (for DNSKEY example.com., id = 12345: RRSIG example.com., expiration = 123456)                                                 | This domain did not pass DNSSEC validation due to an expired signature. Make sure your zone is signed with valid [DNSSEC signatures](https://developers.cloudflare.com/dns/dnssec/troubleshooting/).                                                                                                                                                                                                                                                                                                                                                                                  |
| 8           | Signature Not Yet Valid      | EDE: 8 (Signature Not Yet Valid): (for DNSKEY example.com., id = 12345: RRSIG example.com., inception = 12345)                                             | This domain did not pass DNSSEC validation. Make sure your zone is signed with valid [DNSSEC signatures](https://developers.cloudflare.com/dns/dnssec/troubleshooting/).                                                                                                                                                                                                                                                                                                                                                                                                              |
| 9           | DNSKEY Missing               | EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for example.com.)                                                                                   | This domain did not pass DNSSEC validation. It does not have a SEP DNSKEY that matches the set of DS records at the registry. Make sure to either sign the zone using keys that match the current DS set, or [add the missing DS records](https://developers.cloudflare.com/dns/dnssec/) with your registrar.                                                                                                                                                                                                                                                                         |
| 10          | RRSIGs Missing               | EDE: 10 (RRSIGs Missing): (for DNSKEY example.com., id = 12345)                                                                                            | 1.1.1.1 was unable to retrieve Resource Record Signatures (RRSigs) to verify the authenticity of the records. Check your [DNS configuration](https://developers.cloudflare.com/dns/) and the response code. If the response code is not SERVFAIL, this error indicates that there is a non-operational key issue somewhere along the path, but the resolver found at least one successful path for validation. Examples of non-operational key issues include but are not limited to key rollover in-progress, stand-by key, and attacker stripping signatures made by a certain key. |
| 11          | No Zone Key Bit Set          | EDE: 11 (No Zone Key Bit Set): (for DNSKEY example.com., id = 12345)                                                                                       | This domain did not pass DNSSEC validation. The zone's SEP DNSKEY must [set a Zone Key flag](https://datatracker.ietf.org/doc/html/rfc4035#section-5.3.1). Check your [DNSSEC configuration](https://developers.cloudflare.com/dns/dnssec/) or DNSSEC's [troubleshooting guide](https://developers.cloudflare.com/dns/dnssec/troubleshooting/).                                                                                                                                                                                                                                       |
| 12          | NSEC Missing                 | EDE: 12 (NSEC Missing): failed to verify an insecure referral proof for example.com                                                                        | This domain did not pass DNSSEC validation. The upstream nameserver did not include a valid proof of non-existence for the target name. Make sure the zone is [signed with DNSSEC](https://developers.cloudflare.com/dns/dnssec/troubleshooting/) and has valid [NSEC/NSEC3 records](https://www.cloudflare.com/dns/dnssec/dnssec-complexities-and-considerations/).                                                                                                                                                                                                                  |
| 13          | Cached Error                 | EDE: 13 (Cached Error)                                                                                                                                     | 1.1.1.1 returned a cached error. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47).                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 22          | No Reachable Authority       | EDE: 22 (No Reachable Authority): (at delegation example.com.)                                                                                             | 1.1.1.1 could not reach some or all of the authoritative nameservers (or they potentially refused to resolve). This can occur if the authoritative nameservers are overloaded or temporarily unavailable. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47).                                                                                                                                                                                                                                                     |
| 23          | Network Error                | EDE: 23 (Network Error): (1.1.1.1:53 rcode=SERVFAIL for example.com. A)                                                                                    | 1.1.1.1 could not determine a network path to the upstream nameservers, or the nameserver did not respond. If this issue persists, reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47).                                                                                                                                                                                                                                                                                                                                                    |
| 30          | Invalid Query Type           | EDE: 30 (Invalid Query Type): Invalid Query Type                                                                                                           | The record type in the request cannot give a valid answer. If this is returned for standard query types, such as A or AAAA records, please reach out to the [community forum](https://community.cloudflare.com/c/reliability/dns-1111/47).                                                                                                                                                                                                                                                                                                                                            |
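
On the wire, these codes arrive as EDNS(0) option 15 inside the OPT pseudo-record of the response (RFC 8914). The following is an added example, not code from Cloudflare: it extracts EDE options from a raw DNS message and labels them with the code names from the table above. The two sample responses are constructed byte strings, and `build_sample` and `extract_ede` are illustrative names.

```python
import struct

OPT_RR_TYPE = 41       # EDNS(0) OPT pseudo-record
EDE_OPTION_CODE = 15   # Extended DNS Error option, RFC 8914

# Code names exactly as listed in the table on this page.
EDE_NAMES = {
    1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    22: "No Reachable Authority", 23: "Network Error", 30: "Invalid Query Type",
}
# Rows whose "Next steps" say the domain did not pass DNSSEC validation.
DNSSEC_FAILURES = {1, 2, 6, 7, 8, 9, 11, 12}


def build_sample(rcode, info_code, extra_text=b"", with_answer=False):
    """Constructed response for 'example.com. A' carrying one EDE option."""
    flags = 0x8180 | rcode  # QR, RD and RA set, plus the response code
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, int(with_answer), 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b""
    if with_answer:
        # Owner name is a compression pointer to offset 12 (the question name).
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes([192, 0, 2, 1])
    ede = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(extra_text), info_code) + extra_text
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(ede)) + ede
    return header + question + answer + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extract_ede(msg):
    """Return (rcode, [(info_code, name, extra_text), ...]) for a DNS response."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        found = []
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if len(rdata) != rdlen:
                raise ValueError("truncated DNS message")
            if rtype != OPT_RR_TYPE:
                continue
            pos = 0
            while pos + 4 <= len(rdata):           # walk the EDNS options
                code, olen = struct.unpack_from("!HH", rdata, pos)
                data = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
                if code == EDE_OPTION_CODE and len(data) >= 2:
                    info = struct.unpack_from("!H", data)[0]
                    text = data[2:].decode("utf-8", "replace")
                    found.append((info, EDE_NAMES.get(info, "not listed on this page"), text))
        return flags & 0x000F, found
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message") from None


if __name__ == "__main__":
    samples = [
        build_sample(2, 6, b"(proof of non-existence of example.com. A)"),
        build_sample(0, 3, with_answer=True),
    ]
    for sample in samples:
        rcode, edes = extract_ede(sample)
        for code, name, text in edes:
            print(f"rcode={rcode} EDE: {code} ({name}) {text} dnssec={code in DNSSEC_FAILURES}")
```

The second sample shows why code 3 is described as silent: the response code is `NOERROR` and an answer is present, so only the EDE option reveals that the data was stale.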


---

---
title: Support for IPv6-only networks
description: Use 1.1.1.1 on IPv6-only networks.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Support for IPv6-only networks

While network infrastructure is shifting towards IPv6-only networks, providers still need to support IPv4 addresses. Dual-stack networks are networks in which all nodes have both IPv4 and IPv6 connectivity capabilities, and can therefore understand both IPv4 and IPv6 packets.

1.1.1.1 supports DNS64, a mechanism that synthesizes AAAA records from A records when no AAAA records exist. DNS64 allows configuring a DNS resolver to synthesize IPv6 addresses from IPv4 answers.

Note

You should only enable DNS64 if you are managing or using an IPv6-only network. While the resolver can synthesize IPv6 addresses, it cannot synthesize their record signatures for domains using DNSSEC, so a DNS client that is able to revalidate signatures would reject these extra records without signatures.

A good tradeoff is to use a secure protocol such as DNS over TLS, or DNS over HTTPS between the client and the resolver to prevent tampering.
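
To make the synthesis step concrete, the following added example (not Cloudflare's implementation) embeds an IPv4 address into an IPv6 prefix using the RFC 6052 address format and models the "only when no AAAA records exist" rule. It assumes the RFC 6052 well-known prefix `64:ff9b::/96`, which this page does not state, and goes beyond that case by also handling the other RFC 6052 prefix lengths; all function names are illustrative.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the page does not name a prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _ipv4_byte_positions(prefix_len):
    """Byte indexes that carry the IPv4 address for a given prefix length.

    RFC 6052 reserves byte 8 (bits 64-71, the "u" octet) as zero, so the
    embedded address skips over it for prefixes shorter than /96.
    """
    if prefix_len not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"RFC 6052 does not define a /{prefix_len} prefix")
    return [i for i in range(prefix_len // 8, 16) if i != 8][:4]


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv6 address a DNS64 resolver would return for an A record."""
    v4_bytes = ipaddress.IPv4Address(ipv4).packed
    raw = bytearray(prefix.network_address.packed)
    for index, value in zip(_ipv4_byte_positions(prefix.prefixlen), v4_bytes):
        raw[index] = value
    return ipaddress.IPv6Address(bytes(raw))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _ipv4_byte_positions(prefix.prefixlen)))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Model the DNS64 decision: native AAAA wins, otherwise synthesize from A.

    Returns (address, synthesized) pairs. Synthesized records have no RRSIG,
    which is why a DNSSEC-validating client would reject them.
    """
    if aaaa_records:
        return [(ipaddress.IPv6Address(a), False) for a in aaaa_records]
    return [(synthesize(a, prefix), True) for a in a_records]


if __name__ == "__main__":
    # Constructed inputs using documentation address ranges.
    print(dns64_answer(["192.0.2.33"], []))
    print(dns64_answer(["192.0.2.33"], ["2001:db8::1"]))
    print(extract("64:ff9b::c000:221"))
```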

## Configure DNS64

DNS64 is specifically for networks that already have NAT64 support. If you are a network operator who has NAT64, you can test our DNS64 support by updating your resolver configuration to the following IP addresses:

```
2606:4700:4700::64
2606:4700:4700::6400
```

Some devices use separate fields for all eight parts of IPv6 addresses and cannot accept the `::` IPv6 abbreviation syntax. For such fields enter:

```
2606:4700:4700:0:0:0:0:64
2606:4700:4700:0:0:0:0:6400
```

## Test DNS64

After completing your configuration, visit an IPv4-only address to check if you can reach it. For example, you can visit [https://ipv4.google.com ↗](https://ipv4.google.com).

Visit [http://test-ipv6.com/ ↗](http://test-ipv6.com/) to test if it can detect your IPv6 address. If you receive a `10/10`, your IPv6 is configured correctly.


---

---
title: Network operators
description: Information for network operators peering with 1.1.1.1.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Network operators

Network operators, including Internet Service Providers (ISPs), device manufacturers, public Wi-Fi networks, municipal broadband providers, and security scanning services can use [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/setup/) in place of operating their own recursive DNS infrastructure.

Cloudflare also partners with ISPs and network equipment providers to make [1.1.1.1 for Families](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) available within their offerings. Refer to our [blog post ↗](https://blog.cloudflare.com/safer-resolver/) for details.

Using 1.1.1.1 can improve performance for end-users due to Cloudflare's extensive [global network ↗](https://www.cloudflare.com/network/), as well as provide higher overall cache hit rates due to our regional caches.

The 1.1.1.1 resolver was designed with a privacy-first approach. Refer to our [data and privacy policies](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) for what is logged and retained by 1.1.1.1.

## Configuring 1.1.1.1

There are multiple ways to use 1.1.1.1 as an operator:

* Including a [DNS over HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) or [DNS over TLS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) proxy on end-user routers or devices (best for privacy).
* Pushing 1.1.1.1 to devices via DHCP/PPP within an operator network (recommended; most practical).
* Having a DNS proxy on an edge router make requests to 1.1.1.1 on behalf of all connected devices.

Where possible, we recommend using encrypted transports (DNS over HTTPS or TLS) for queries, as this provides the highest degree of privacy for users over last-mile networks.

## Available Endpoints

Note

[Cloudflare Zero Trust ↗](https://www.cloudflare.com/products/zero-trust/) supports customizable [DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), analytics, additional built-in filtering categories, and custom rate limiting capabilities.

If you require additional controls over our public 1.1.1.1 resolver, [contact us ↗](https://www.cloudflare.com/products/zero-trust/).

The publicly available endpoints for 1.1.1.1 are detailed in the following table:

| Resolver                           | IPv4 address    | IPv6 address                              | DNS over HTTPS endpoint                       | DNS over TLS endpoint       |
| ---------------------------------- | --------------- | ----------------------------------------- | --------------------------------------------- | --------------------------- |
| 1.1.1.1 (unfiltered)               | 1.1.1.1 1.0.0.1 | 2606:4700:4700::1111 2606:4700:4700::1001 | https://cloudflare-dns.com/dns-query          | one.one.one.one             |
| Families (Malware)                 | 1.1.1.2 1.0.0.2 | 2606:4700:4700::1112 2606:4700:4700::1002 | https://security.cloudflare-dns.com/dns-query | security.cloudflare-dns.com |
| Families (Adult Content + Malware) | 1.1.1.3 1.0.0.3 | 2606:4700:4700::1113 2606:4700:4700::1003 | https://family.cloudflare-dns.com/dns-query   | family.cloudflare-dns.com   |

You may wish to provide end users with options to change from the default 1.1.1.1 resolver to one of the [1.1.1.1 for Families](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families) endpoints.

## Rate Limiting

Operators using 1.1.1.1 for typical Internet-facing applications and/or users should not encounter any rate limiting for their users. In some rare cases, security scanning use-cases or proxied traffic may be rate limited to protect our infrastructure as well as upstream DNS infrastructure from potential abuse.

Best practices include:

* Avoiding tunneling or proxying all queries from a single IP address at high rates. Distributing queries across multiple public IPs will improve this without impacting cache hit rates (caches are regional).
* A high rate of "uncacheable" responses (such as `SERVFAIL`) against the same domain may be rate limited to protect upstream, authoritative nameservers. Many authoritative nameservers enforce their own rate limits, and we strive to avoid overloading third party infrastructure where possible.

## Help

If you are a network operator and still have outstanding questions, contact `resolver@cloudflare.com` with your use case, so it can be discussed further. Make sure to visit [1.1.1.1/help ↗](https://one.one.one.one/help) from within your network and share the resulting report when contacting Cloudflare.


---

---
title: SLA and technical support
description: SLA and support details for the 1.1.1.1 resolver.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# SLA and technical support

As you use 1.1.1.1 in your infrastructure or service, note that dedicated technical support is limited.

You are subject to the [Cloudflare Website and Online Services Terms of Use ↗](https://www.cloudflare.com/website-terms/) and no service level agreements (SLAs) are provided.

If you need SLAs and dedicated support, consider using [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) instead.

Gateway includes other advanced options such as domain categories, customized filtering, and scheduling capabilities. For example, if you are a device manufacturer or network operator, you can use a multi-tenant environment to allow your customers to configure their own individual filters.

