Cloudflare launches 1.1.1.1 For Families with filter support
Cloudflare launched its DNS service back in 2018 (on April 1) to the public promising a fast, private, and secure service. The company promised that 1.1.1.1 would be privacy-friendly, that it would not sell user data or use it for targeted advertising, and revealed that the service would never log full user IP addresses and erase logs every 24 hours. A recently published audit by independent auditing companyKPMG uncovered some minor issues but backed up Cloudflare's claims.
Yesterday, on April 1, Cloudflare announced an expansion of its DNS service called 1.1.1.1 for Families which adds new DNS Server IP addresses and filters to the service to block certain requests automatically. Users who used OpenDNS and some other DNS providers in the past may recall that these providers offered something very similar for quite some time already.
Filtering functionality was the number one request from home users according to Cloudflare and the main reason why 1.1.1.1 for Families was created.
1.1.1.1 For Families
1.1.1.1 for Families comes in two different versions: the first blocks known malware requests, the second malware and adult requests. Here is the information required to use the new DNS servers on your devices:
Malware Blocking Only
- Primary DNS: 1.1.1.2
- Secondary DNS: 1.0.0.2
- IPv6: 2606:4700:4700::1112
- IPv6: 2606:4700:4700::1002
Malware and Adult Content Blocking
- Primary DNS: 1.1.1.3
- Secondary DNS: 1.0.0.3
- IPv6: 2606:4700:4700::1113
- IPv6: 2606:4700:4700::1003
Cloudflare DNS without Filtering
- Primary DNS: 1.1.1.1
- Secondary DNS: 1.0.0.1
- IPv6: 2606:4700:4700::1111
- IPv6: 2606:4700:4700::1001
The filtering is automated at this point in time; Cloudflare plans to introduce management options in the coming months to whitelist or blacklist sites, schedule filters for certain times of the day, and more.
For now, the only option that you have to bypass filters, e,g. when a non-malware or non-adult site is blocked, is to switch the DNS service.
How to set up 1.1.1.1 for Families
Windows users may do the following to replace the current DNS provider with Cloudflare's:
- Use the keyboard shortcut Windows-R to open the run box.
- Type netcpl.cpl to open the Network and Sharing Center (note that this may not be available in the newest builds of Windows 10)
- If it is not available, right-click on the network icon in the System Tray and select Open Network and Internet settings.
- On the page that opens, click on "change adapter options".
- Right-click on the active connection and select properties from the menu.
- Double-click on "Internet Protocol Version 4 (TCP/IPv4)
- Switch to "Use the following DNS server addresses".
- Enter the primary and secondary DNS server in the respective fields.
- Close the configuration window.
Pro Tip: You may also change DNS servers using PowerShell.
Here is how that is done:
- Use Windows-X to display the "secret" menu.
- Select Windows PowerShell (Admin) from the menu to open an elevated PowerShell console.
- Confirm the UAC prompt.
- Run the command Get-NetIPConfiguration and note the value of InterfaceIndex of the Network Adapter that you are using (use other information, e.g. the InterfaceAlias value to identify the right interface if multiple are available).
- Modify the command Set-DnsClientServerAddress -InterfaceIndex 10 -ServerAddresses 1.1.1.2, 1.0.0.2 and run it afterward. Change the value after -InterfaceIndex to the right one on your device, and the IP addresses behind ServerAddresses to the desired DNS servers (first primary then secondary)
Installation guides are available here for routers, Linux, Windows, and Mac. Cloudflare has created applications for Android and iOS that users may download to use the DNS service on their devices.
You may use a program like Gibson's DNS Bechmark to test the performance of the servers.
Now You: Which DNS service do you use, and why?
Yandex DNS 4 Life, USA dns go to Hell !!
Yandex sucks. Cloudflare is an independent company, allowing them to not store users’ records, and they remove all logs every 24 hours. If you trust Yandex does that better than Cloudflare, fine. Personally, I don’t trust trust anything connected to mother Russia.
Good morning Martin,
I tested yesterday the 1 1 1 3 and 1 0 0 3 and they worked fine.
Except that today, problem, it doesn’t work anymore, pornographic sites are not filtered anymore (I wanted to protect my children).
I wanted to contact them to ask them if there was a technical problem, they deleted all my messages from the comments area, someone tested them today?
Could anyone tell me if DNS over HTTPS works on all sites even if they are HTTP or does it only work on sites that are HTTPS?
DNS lookups are independent and work regardless of the protocol a site uses.
Thank you.
Having a lot of issues with the 1.1.1.3 variant with YouTube videos blocked or prompting to log in.
Had to stop using Cloudflare DNS a while ago because many sites simply wouldn’t load or load correctly with Cloudflare.
For example, if you’re using Cloudflare right now, try loading archive.is and I bet you it still doesn’t work…
Anonee, — https://twitter.com/archiveis/status/1018691421182791680
Next time do some research before you run your ignorant mouth on the Internet.
@Anonee2, uhh yeah, exactly.
Thanks for posting that tweet showing that archive.is doesn’t work with Cloudflare dns. There are many other sites I had problems with as well until I got fed up and finally just dumped cloudflare.
@Notanon. Yes. Sick world.
Your have forgotten the DOH addresses in the article
Q: Does 1.1.1.1 for Families support DNS over HTTPS?
R: Yes, to block malware, use https://security.cloudflare-dns.com/dns-query
to block malware & adult content, usehttps://family.cloudflare-dns.com/dns-query.
Q: Does 1.1.1.1 for Families support DNS over TLS ?
R: No. But our team is working on it.
Seems stupid & pointless by Cloudflare, if they allow LGBTQXYZ sites on the “Adult filter” 1.1.1.3.
“The Mistake that Caused 1.1.1.3 to Block LGBTQIA+ Sites Today”
https://blog.cloudflare.com/the-mistake-that-caused-1-1-1-3-to-block-lgbtqia-sites-today/
So you’re telling parents their children are safe on 1.1.1.3, but Cloudflare allows sites will show underaged an underaged dancing in drag to stripper music, while LGBTQXYZ people throw money at him & tell children how “stunning & brave” the child is.
So tranny dick porn is okay (because it’s LGBTQXYZ), but regular porn is forbidden.
Clown world.
That’s the pseudo liberals for you. It’s a messed up world.
Martin, you’ve missed out the IPs for malware and adult content blocking.
A nice thing about the 1.1.1.1 service is that cloudflare has a “tester” page at
1.1.1.1./help
where you can verify that 1.1.1.1 is actually being used. They do not seem to have an equivalent thing for the two new services.
If you set manual DNS in your router then you might see a third DNS resolver field. I suggest filling this in as leaving it blank lets devices use default resolvers if the first two don’t work.
For the third entry either put in OpenDNS normal DNS of 1.1.1.1 or any one of the following filtering DNS servers (I’m sure other folks will list others too). Some of these have varying degrees logging of DNS requests so do your research for what you need.
Quad9: 9.9.9.9
OpenDNS: 208.67.222.123 (their free version)
CleanBrowsing: 185.228.168.9
Norton ConnectSafe (Malware, Phishing and Scam sites): 199.85.126.10
Comodo Secure: 8.26.56.26
It blocks a lot of Youtube videos: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
I don’t believe it has much to do with safe search. Innocent stuff like organ music is blocked.
Is it just me? When I used the adware and adult DNS it caused all of the YouTube comment and playlist etc. stuff to disappear. All I was left with was just the video.
malware blocking seems nice (not really interested in adult content censorship).
but even with 1.1.1.2, i’m curious, who gets to decide what is malware?
meaning, there is nothing to stop cloudflare from flagging some website as malware for example on grounds of some business interests conflict between them..
so i will continue using 1.1.1.1 for now
I use Adguard DNS with ad blocking …it does very good job.
1.1.1.2 and 1.0.0.2. Check. Just added to my router at the top of the list.
Every little bit helps.
This was added to my pfSense / pfBlockerNG blocking of a large number of sites. Pihole also works well for those with retail routers and a spare device for pihole.
Yandex on PC, Adguard on phone.
I have been using the Cloudflare DNS for a long time. I only had a problem with it once. I was trying to connect to the internet in a hotel. I set the DNS back to automatic, and I got a connection. When I showed it to the hotel IT support guy, he told me that he would make sure it works the next time I stay with them.
more censorship! great!
Fortunately, you don’t have to use the one with filtering. So no censorship!
I’ve been using OpenDNS since DNS over HTTPS became a thing, with no issues thus far.
For websites I’ve been using Cloudflare for almost a decade now, also without any issues whatsoever. These days I’m somewhat trying to avoid them just out of principle.
What about for IPv6?
Added, thanks!
I hope they expand the filtering options, as with nextdns’ many options. I still use 1.1.1.1 generally, as it is fastest and nearby with good feedback options for testing.
It all reminds me of when the 14 year old nephew was around, I had to use opendns pr0n and gambling filtering, as he was becoming an “enthusiast”.
NextDNS.io is better, even providing analytics, selectable block lists, and white/black listing as well as logs and device detail.
Supports direct, DoH and DNS over TLS (Stubby), and they have apps to create vpn type filters for devices.
Cloudflare isn’t blocking trackers, facebook libraries in apps trying to grab your phone logs and contacts, and the rest.