Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

FAQ

Below you will find answers to our most commonly asked questions. If you cannot find the answer you are looking for, refer to the community page to explore more resources.

What is 1.1.1.1?

1.1.1.1 is Cloudflare's fast and secure DNS resolver. When you visit a website like cloudflare.com, your computer needs to find the IP address of the server that hosts it. Your computer cannot perform this translation on its own, so it sends the request to a DNS resolver.

A DNS resolver looks up the IP address for a given domain name (for example, 2400:cb00:2048:1::c629:d7a2 for cloudflare.com) and returns it to the requesting device.

Your device is usually configured to use a DNS resolver chosen by your ISP (such as Comcast or AT&T) for home or wireless Internet, or by your network administrator for office networks. You can change which DNS resolver your device uses at any time. Refer to Set up 1.1.1.1 for instructions.

How can I check if my computer / smartphone / tablet is connected to 1.1.1.1?

Visit 1.1.1.1/help to make sure your system is connected to 1.1.1.1 and that it is working.

What do DNS resolvers do?

DNS resolvers are like address books for the Internet. They translate domain names into IP addresses so that your browser knows which server to contact. A resolver does this by working backwards from the top of the domain name hierarchy.

Every resolver knows how to find the invisible . at the end of domain names (for example, cloudflare.com.). There are hundreds of root servers all over the world that host the . file. Resolvers come preconfigured with the IP addresses of those root servers. Cloudflare itself hosts that file on all of its servers around the world through a partnership with ISC.

The resolver asks one of the root servers where to find the next link in the chain — the top-level domain (TLD), which is the domain ending like .com or .org. The root servers return the address of the TLD server responsible for that ending.

The resolver then asks the TLD server where to find the specific domain. For example, a resolver might ask .com where to find cloudflare.com. The TLD server responds with the address of the authoritative nameserver that holds the records for that domain.

Once the resolver has the final IP address, it returns the answer to the device that asked.

This whole system is called the Domain Name System (DNS). It includes the servers that host domain records (called authoritative DNS servers) and the servers that look up those records on behalf of users (DNS resolvers).

Does 1.1.1.1 support ANY?

No. Cloudflare stopped supporting the ANY query type in 2015. The ANY query asks a DNS server to return all record types for a domain at once. In practice, ANY is more often used to amplify denial-of-service attacks than for legitimate purposes. When 1.1.1.1 receives an ANY query, it responds with NOTIMPL (not implemented).

How does 1.1.1.1 work with DNSSEC?

DNSSEC (Domain Name System Security Extensions) lets domain owners cryptographically sign their DNS records. A DNSSEC-validating resolver checks these signatures to confirm that a DNS response is authentic and has not been modified.

1.1.1.1 is a DNSSEC-validating resolver. On every query, it sends the DO (DNSSEC OK) flag to signal that it can accept signed responses. If the authoritative server provides signed records, 1.1.1.1 validates the signatures before returning the answer. 1.1.1.1 supports the signature algorithms listed in Supported DNSKEY signature algorithms.

Does 1.1.1.1 send EDNS Client Subnet header?

No. 1.1.1.1 is a privacy-focused resolver and does not include client IP information in its queries to authoritative servers. It does not send the EDNS Client Subnet (ECS) header. The only exception is the Akamai debug domain whoami.ds.akahelp.net, which is used for cross-provider debugging. Cloudflare does not send ECS to any of Akamai's production domains, such as akamaihd.net.

Does 1.1.1.1 support IPv6?

Yes. 1.1.1.1 has full IPv6 support. Refer to IP addresses for the IPv6 addresses you can use.

What is Purge Cache?

1.1.1.1's Purge Cache tool allows you to refresh 1.1.1.1's DNS cache for domain names. To refresh the cache for a domain name, visit the Purge Cache page.

Can IPs used by 1.1.1.1 be allowlisted?

Authoritative DNS providers may want to allowlist the IP addresses that 1.1.1.1 uses when querying upstream nameservers. The full list of Cloudflare IP addresses is available at https://www.cloudflare.com/ips/.