Why Cloudflare’s New DNS Service Won’t Improve Your Privacy

It’s no privacy panacea. In fact, it won’t make a difference to your privacy at all.


Cloudflare, a major internet company dedicated to speeding up websites and making the internet more secure, recently announced a free DNS service that’s intended to be faster and more private than other DNS options currently available.

If you’re not sure what DNS is, think of it as a kind of “phonebook” that helps you find websites. Just like looking up a name in a phonebook gives you that person’s phone number, looking up the name of a website, such as “google.com”, in DNS returns that website’s unique “number”, its IP address.

DNS, which stands for Domain Name System, is a major component of the internet. Without it, it would be impossible to find a website by typing in a domain name (such as “google.com” or “BestSafeVPN.com”) in your browser’s address bar. Your computer must know the IP address associated with that domain name before it can find the website—and DNS is the global “phonebook” that allows it to locate those IP addresses.

Most of the time, your computer’s DNS queries go straight to your ISP. Your ISP looks up the domain that you’re interested in, and if they have the corresponding IP address stored in their DNS servers, they send it back to your computer. If they don’t have the right IP address, they send off your request to a more authoritative server that will know where to find it.

If you’re at all concerned about privacy, you can see where this system fails. By receiving all of your DNS queries, your ISP gets a record of every single website that you visit. They can then sell this information, use it to monitor your traffic, or hand it over to government-sponsored internet snoopers.

The good news is that your computer stores many DNS records in a local cache. That means that if you’ve visited a website before, your computer won’t need to send a DNS query to your ISP. But if you haven’t visited a website yet, or if you clear your computer’s DNS cache, your ISP will still receive your DNS queries.

Hiding From Your ISP

The solution to this problem is obvious: use a private DNS service that won’t log or monitor your queries.

That’s where Cloudflare’s service is intended to come in. They claim that if you use their DNS service, they won’t keep records of your DNS queries or sell them to third parties. Unlike Google, which also offers its own DNS service, Cloudflare has even retained external auditors to help back up their claims.

Cloudflare’s intentions may be genuine, but there’s one small problem: your ISP is able to keep a log of which websites you visit, no matter which DNS service you use. That’s because all website traffic (both HTTP and HTTPS) carries the domain it’s being sent to in plain, unencrypted text: for HTTP it is the Host header of the request, and for HTTPS it is the Server Name Indication (SNI) field in the TLS handshake that opens the connection.

Your ISP needs to know where your traffic is going in order to route it properly, so it makes sense that they always know which websites you’re visiting, even if they can’t see the actual content of your traffic (as with HTTPS). I’m always flummoxed whenever I hear that your ISP can’t see which websites you’re visiting if you’re browsing HTTPS-enabled websites (which use a special protocol called TLS to encrypt your connection). Your ISP always knows which websites you’re visiting—they just can’t see or tamper with the content of the website itself if you’re using HTTPS.

Moreover, your DNS requests themselves are generally not encrypted (unless you have specific software and settings enabled on your computer), so your ISP can still record your queries as they pass through its network, no matter which DNS service you’re using.

How to Actually Become Private

So changing your DNS service provider in hopes that your browsing data will be more private is akin to trying to dam a river with chicken wire. It’s simply beside the point.

If you are looking to keep your traffic completely private from your ISP, the only correct solution is to use a VPN (or use the Tor browser). You might think we’re biased here because we run a site dedicated to VPNs, but I’d be hard-pressed to find an alternative solution that doesn’t involve taking yourself off the internet altogether.

Most reputable VPN services run their own DNS servers, so your DNS queries are never sent to your ISP if you use a VPN. Your traffic is also fully routed through the VPN, so your ISP can’t see which websites you’re visiting at all. The same is true if you use the free Tor browser: your ISP has no idea which websites you’re visiting, and all of your DNS queries are routed through remote servers that never pass through your ISP.

In short, if you’re at all concerned with privacy, changing your DNS settings won’t make any difference. Even if Cloudflare promises not to sell your data, your ISP can still keep a record of every website you visit without needing to see your DNS requests. While Cloudflare’s service has a catchy address, it’s certainly no privacy tool (as some outlets have characterized it), and you should not rely on it to keep your data private.

Need safe VPN recommendations? Check out our curated list.

Justin Uther

Writer, BestSafeVPN.com (justin@bestsafevpn.com)
