Securing DNS Traffic on Windows 11 with Cloudflare for Families

Cloudflare’s DNS service, known as 1.1.1.1, has transformed the internet for the better and continues to make a significant impact every day.

From setting DNS on your device to installing the dedicated app for using WARP technology, you can make your connections faster by choosing optimised routes for traffic.

If you are an advanced user, you can secure your entire network at home or in the workplace by implementing Cloudflare technology at your router.

For some users, this may feel too overwhelming.

Windows 11 introduced built-in integration for Secured DNS (Encrypted) that can be implemented at the interface level (your network card, whether wired or wireless). Thanks to this, all the DNS requests going through it will be encrypted.

Cloudflare offers the so-called 1.1.1.1 for Families, which, with additional DNS addresses, allows you to implement unmanaged protection against malware or even add adult content blocking alongside malware protection.

In addition to providing specific addresses for malware and adult content blocking, they also provide instructions on how to implement this on a Windows 11 device. Still, there is one crucial addition that I would like to highlight — encryption.

Even the shortest and simplest instruction may not help without visual input, so let’s go through adding this setting with some images.

Set up in Windows 11

Based on Windows 11 (24H2)

1. Click on the Start menu and select Settings.

2. Go to Network & internet.

3. Click the Edit button near the DNS server assignment section.

4. Change the Automatic (DHCP) option to Manual.

5. Switch the toggle On for IPv4 and type the desired DNS server in Preferred DNS as well as Alternative DNS.

1.1.1.1
1.0.0.1

1.1.1.2
1.0.0.2

1.1.1.3
1.0.0.3

6. Change the setting of DNS over HTTPS from Off to On (automatic template).

As you will see, the template below will be filled with the relevant data for the Cloudflare service.

https://cloudflare-dns.com/dns-query

https://one.one.one.one/dns-query

https://security.cloudflare-dns.com/dns-query

https://family.cloudflare-dns.com/dns-query

If your network uses IPv6, follow the same steps for that protocol.

7. Switch the toggle On for IPv6 and type the desired DNS server in Preferred DNS as well as Alternative DNS.

2606:4700:4700::1111
2606:4700:4700::1001

2606:4700:4700::1112
2606:4700:4700::1002

2606:4700:4700::1113
2606:4700:4700::1003

If you select On (automatic template) for the IPv6 connection and the template is not automatically populated, it means your network connection may lack proper communication over IPv6, and you may not be able to set this. In that case, keep the IPv6 toggle turned Off.

Click Save to apply the changes.

If everything is done correctly, you will see that your DNS is set to use Cloudflare’s service and, additionally, it’s encrypted, as shown below:

If you selected just the 1.1.1.1 DNS servers, your requests will be encrypted and optimised.

If you choose the Security option with the 1.1.1.2 servers, your traffic will also be filtered for potential malware.

For the Family option 1.1.1.3, in addition to filtering malware, you will implement a block for adult content.

And just like that, without installing any extra software, we’ve made changes to the entire system to make our traffic more secure.

In the above example, we implemented the change for our Ethernet network card (wired). For most users, this will be applied to Wireless, but it’s worth applying this to all interfaces available.

To verify that encrypted DNS is working, simply head to 1.1.1.1/help, where after a short analysis, you should see a response of Yes under Using DNS over HTTPS (DoH).