Every website you visit starts with a DNS (domain name system) lookup. It’s a request to a DNS resolver that goes out in plaintext by default, and can be read by your ISP, anyone on your network (with the right software tools), and possibly malicious actors monitoring your traffic. Most of us don’t realize this is happening.
Your ISP can log every domain you look up and sell that to advertisers and you’d be none the wiser. Cloudflare’s free app, available on Windows, Android, macOS, Linux, and iOS, encrypts these lookups with a simple tap (or click). Here’s what it actually does, how to set it up, and what it won’t protect you from.
Your DNS traffic is exposed by default
Here’s why
DNS has existed since 1983 and has been unencrypted since the start. Everything between your device and the DNS resolver, including anyone on your local Wi-Fi, your ISP, and transit providers, can see or even modify your DNS queries and responses. ISPs can log your DNS queries and share them with third parties. You don’t get a say in this and might not even know it’s happening. ISPs can also use DNS hijacking to redirect traffic for advertising and data collection.
Every domain you look up (try to navigate to) is revealed in the DNS query, even if the connection is encrypted via HTTPS. Over time, your browsing patterns can be used to build a profile that’s unique to you.
DNS encryption protects your queries, but your ISP can still see which sites you’re connecting to through other metadata — for full traffic privacy, you need a VPN.
Cloudflare WARP explained
Two modes to know
Cloudflare’s 1.1.1.1 with WARP resembles a VPN in practice, as it acts like a secure tunnel and installs via your OS’s VPN framework. Still, Cloudflare resists this definition, calling the service a free app to improve your privacy.
There are two modes you’ll want to pay attention to. The first is DNS-only mode, or 1.1.1.1: the app can be configured to encrypt just your DNS queries, without encrypting the rest of your traffic. This mode has the lowest overhead, without much of a battery or performance hit. The second is full WARP mode, which Cloudflare says uses MASQUE to encrypt and send traffic from your device directly to Cloudflare’s global network, making sure all the internet traffic between your device and the internet is private.
While that might sound like a VPN, it really isn’t. WARP uses the same OS-level tunnel infrastructure as a VPN and encrypts your traffic, but it won’t hide your identity or mask your location. It’s not built for geo-shifting or anonymity. It’s more of a security tool than a privacy tool, though it does work similarly to a traditional VPN.
Which mode should you use, though? It depends on what you want to do.
| Situation | Recommended mode |
| --- | --- |
| Home network, just want DNS privacy | DNS-only (1.1.1.1) |
| Public Wi-Fi, coffee shop, airport | Full WARP |
| Want geo-shifting or IP masking | Neither: Use a VPN |
How to set up WARP
Android and iOS
First, use Google Play to download 1.1.1.1 + WARP: Safer Internet for free. On iOS, it’s 1.1.1.1: Faster Internet. Launch the app, accept the Terms of Service, and then your phone will ask you to install the VPN profile that lets your phone connect securely to the service. Next, toggle the WARP button to Connected. You can switch between DNS-only 1.1.1.1 mode and WARP mode easily in the hamburger menu in the top right of your screen. There’s also an upgraded version you can grab for $4.99 per month, which Cloudflare says will give you “access to optimized, faster Internet paths.” I didn’t upgrade, so can’t comment on how that works or if it’s worth it to upgrade.
Other OSes (macOS, Windows, Linux, ChromeOS)
Head over to the WARP page and download the client for your specific OS. Install as usual, following the prompts. On my Mac, there’s a menubar widget that lets me toggle the service on or off, and a settings gear icon that allows me to switch between modes. Windows adds a little icon in the system tray to let you toggle the service on or off and choose your preferred mode.
What about speed and performance?
You probably won’t even notice
I haven’t seen any difference in how fast my phones or computers access the web, and independent testing from DNSPerf consistently ranks 1.1.1.1 as one of the fastest DNS services, even outperforming Google Public DNS and OpenDNS as of last year. The advantage is likely due to Cloudflare’s giant Anycast network that has hundreds of servers across the planet.
Full WARP mode could add some overhead compared to DNS-only, according to some reviewers, and real-world impact will vary by where you are and what network you’re on.
Not a VPN, but still good
Using Cloudflare WARP and 1.1.1.1 can help close off a gap in your everyday internet privacy, even if it’s one you didn’t think to manage. DNS encryption like this won’t make you anonymous and it isn’t a VPN replacement, but for most of us, it’s a free, low-effort solution that can keep your queries from being logged and sold. The only caveat is that you’re trading trust in your ISP for trust in Cloudflare. Cloudflare has done more than most to back its privacy promises with evidence, however, and an independent study found the company generally followed its commitments to anonymize source IP addresses and delete logs within 25 hours. It’s likely your ISP doesn’t do that.