VPN vs Cloudflare DNS: Which is best for privacy?

[Image: Digital clouds against a blue background. Image credit: Shutterstock / Blackboard]

Cloudflare originally launched its new DNS resolver service, 1.1.1.1, way back in 2018. At the time, the company proudly claimed it to be the internet’s fastest, privacy-first consumer DNS service.

This was very welcome news at the time and couldn’t have come any sooner. Back then, there was news of Facebook misusing user data and there was the looming repeal of net neutrality. Cloudflare argued that 1.1.1.1 would give users a faster and safer connection to the internet simply by changing the resolver on their device.

The years have rolled on, but 1.1.1.1 is still available and, in fact, has become even more widely available. As of now, the 1.1.1.1 app is available for mobile devices via Apple’s App Store and for Android from Google Play. Better still, it is also available for macOS, Windows and Linux, which has opened it up to all sorts of new users on all the main platforms.

Cloudflare WARP

Things have been improved even more too, thanks to the addition last year of Cloudflare WARP. This has allowed the service to become even more potent, with one-touch simplicity that allows mobile devices to be connected to the internet using the combination of a WireGuard tunnel and a nearby Cloudflare data center. 

Since then, Cloudflare WARP has also been rolled out for desktop users, which means it’s not only favored by individual users, but the scope for business needs has exploded too. Anyone can now use the Cloudflare WARP application to get corporate desktops connected using the Cloudflare Gateway.

Cloudflare reckons this has provided business users with a great way of offering connectivity, while also delivering enhanced privacy, security and speed to boot. Cloudflare Gateway is proving to be extremely useful for organisations and their teams because it includes the likes of secure DNS filtering and the ability to block unsafe DNS queries. Ultimately, that can help employees steer clear of harmful destinations, which might open them up to the likes of malware, phishing or ransomware threats. 

As Cloudflare and, indeed, everyone else is aware, security threats on the internet have evolved over time and there’s never been a greater need for individuals and business users alike to remain diligent. Lots of folks are still very happy to use the services of a solid VPN though, with plenty of choice out there for those who choose to do so.

So, just how good is the evolving 1.1.1.1 option really? And how does it compare to a VPN? We dig through the details to find out which one is better for your privacy, and why.

What is DNS?

The Domain Name System (DNS) is often likened to a phonebook for the internet. Computers recognize each other by their IP addresses, not by the site names associated with them, so whenever you type in a website like Google.com, the DNS service locates the IP address linked to Google and connects you to it.

The DNS service that connects you to the internet is provided by your ISP, which logs all the websites you visit. If your ISP can do this, your government certainly can, and this can land you in hot water if you’re living in a country that isn’t so open to opposing social and political views.

Add in snoopers, hackers, and Man-in-the-Middle attacks, and your DNS could expose you to a host of online vulnerabilities and attacks that can extract your personal information.

Cloudflare’s 1.1.1.1 promise is to fix these DNS-related problems, while also providing super-fast connection speeds.

What is 1.1.1.1?

Cloudflare’s 1.1.1.1 is a DNS resolver. When configured properly on your device, all your connection requests will route through it. Released on April 1 (playing on the pun of ‘four ones’), 1.1.1.1 takes your requests and resolves them at crazy fast speeds (up to 28% faster, according to the official website), while also pledging to delete all DNS logs after 24 hours. The system doesn’t save your IP address queries either.

By channeling all your queries to 1.1.1.1 instead of your ISP’s DNS service, you’re entrusting your IP address queries to Cloudflare and APNIC, the regional internet registry the company partnered with to obtain the resolver’s address.

Cloudflare DNS also minimizes the query names sent to authoritative DNS servers – instead of sending “www.one.example.com”, it just discloses the “example.com” part of your request to authoritative DNS servers, reducing any privacy leakages that could occur when making a request.
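The query name minimization described above is the behaviour specified in RFC 7816: a resolver walking down from the root asks each authoritative server only for the next label it needs, so the root and .com servers never see the full hostname. The following is an added example (not Cloudflare’s code, and not from the original article) that simulates that walk over a constructed delegation tree, where `ZONE_CUTS` marks the points at which a server hands the resolver a referral, and the `one.example.com` subdomain is made up for illustration. It goes slightly beyond the article by showing the full sequence of names each server receives, with and without minimization.

```python
from typing import List, Tuple

# Constructed delegation tree: the zone cuts a resolver discovers on the way
# from the root to www.one.example.com. "." is the implicit root zone.
# (.com and example.com are real delegations; the "one" subdomain is invented.)
ZONE_CUTS = {"com.", "example.com."}

Query = Tuple[str, str]  # (server zone asked, query name sent to it)


def normalise(qname: str) -> str:
    """Lower-case and ensure a trailing dot (fully qualified form)."""
    return qname.lower().rstrip(".") + "."


def ancestors(qname: str) -> List[str]:
    """All names from the TLD down to qname itself:
    'www.one.example.com.' -> ['com.', 'example.com.', 'one.example.com.',
                               'www.one.example.com.']"""
    labels = normalise(qname).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve_minimised(qname: str) -> List[Query]:
    """RFC 7816 style: add one label per query; on a zone cut the server
    returns a referral and the resolver moves to that zone's servers."""
    sent: List[Query] = []
    zone = "."
    for name in ancestors(qname):
        sent.append((zone, name))
        if name in ZONE_CUTS:
            zone = name  # referral: the next question goes to the child zone
    return sent


def resolve_full(qname: str) -> List[Query]:
    """Classic iterative resolution: every server on the path is asked for
    the complete query name."""
    full = normalise(qname)
    zones = ["."] + [name for name in ancestors(full) if name in ZONE_CUTS]
    return [(zone, full) for zone in zones]


def longest_name_seen(sent: List[Query], zone: str) -> str:
    """The most specific name a given zone's servers were shown,
    i.e. how much of the user's request leaked to that operator."""
    names = [name for z, name in sent if z == zone]
    return max(names, key=lambda n: n.count(".")) if names else ""


if __name__ == "__main__":
    target = "www.one.example.com"
    for label, trace in (("minimised", resolve_minimised(target)),
                         ("full name", resolve_full(target))):
        print(f"--- {label} ---")
        for zone, name in trace:
            print(f"  ask {zone:<14} for {name}")
        print(f"  .com servers saw: {longest_name_seen(trace, 'com.')}")
```

Running it shows the .com servers learning only `example.com.` under minimization, versus the whole `www.one.example.com.` without it; only the example.com servers, which have to see the full name to answer, receive it in both cases.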

More importantly, 1.1.1.1 provides an alternative to Google, currently the biggest provider of DNS-over-HTTPS support through Google Public DNS and the Android operating system. With Cloudflare throwing its hat into the ring and providing its own DNS-over-HTTPS support, there’s a hope that more providers will take a step towards creating privacy-oriented DNS protocols like 1.1.1.1.
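DNS-over-HTTPS (RFC 8484) does not change the DNS message itself; it carries the ordinary wire-format query inside an HTTPS request, so an ISP on the path sees only a TLS connection to the resolver. The example below is added here and is not Cloudflare’s or the article’s code: it builds the RFC 1035 query bytes for a name, then wraps them in both request forms RFC 8484 defines, the GET form with the message base64url-encoded in the `dns` parameter and the POST form with the message as the body. The resolver URL used is Cloudflare’s published DoH endpoint; nothing is sent over the network.

```python
import base64
import struct
from typing import Dict, Tuple

# Cloudflare's public DoH endpoint; the code below only constructs requests
# for it and never performs network I/O.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"
QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Minimal DNS query message. RFC 8484 section 4.1 recommends message
    ID 0 so identical questions produce identical bytes that HTTP caches
    can match; the transaction is already bound to its HTTPS exchange."""
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form (RFC 8484 section 6): base64url with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(query: bytes,
                     endpoint: str = DOH_ENDPOINT) -> Tuple[str, Dict[str, str], bytes]:
    """POST form: the raw message is the body, typed as application/dns-message."""
    headers = {"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE}
    return endpoint, headers, query


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Read the first question section back out of a message. The question
    is uncompressed by construction, so no pointer handling is needed."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(labels) + ".", qtype


if __name__ == "__main__":
    q = build_query("www.example.com", "A")
    print(f"{len(q)} bytes:", q.hex())
    print("GET :", doh_get_url(q))
    url, hdrs, body = doh_post_request(q)
    print("POST:", url, hdrs, f"{len(body)}-byte body")
    print("round-trip:", parse_question(q))
```

For `www.example.com` the GET URL ends in `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the same string RFC 8484 uses in its own example, which is a handy way to confirm the encoder against the specification.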

How private is 1.1.1.1?

By changing your DNS server to 1.1.1.1, you’re channeling your traffic to 1.1.1.1, and not your ISP. Cloudflare says it won’t log your IP address with 1.1.1.1, and the firm seems committed to that promise.

While it doesn’t log your IP address, the outfit does log anonymized DNS query data. According to its Commitment to Privacy, Cloudflare states that the only information it will collect is “anonymized DNS query data sent to the Cloudflare Resolver”. Some of that information is logged permanently, including the number of queries, unique users, and an aggregated list of all domain names requested.

While the firm won’t give this information to third-party advertisers, Cloudflare’s partner, APNIC, will be using the information for non-profit operational research, including being able to better understand DNS and to reduce DDoS attacks.

One thing to keep in mind when using 1.1.1.1 is that, while your ISP can’t see your DNS traffic when you visit sites that use HTTPS, it can still view the contents of any unencrypted website, i.e. sites served over HTTP rather than HTTPS. There’s also the obvious issue of having to trust Cloudflare and APNIC not to record your information.

How is 1.1.1.1 different to a VPN?

When it comes to speed, the additional encryption and the longer distance to a remote VPN server can make VPN connections slower than Cloudflare’s 1.1.1.1. With a good VPN that offers fast speeds, however, the difference narrows.

Both 1.1.1.1 and Virtual Private Networks (VPNs) route your DNS traffic through their servers, bypassing your ISP and preventing anyone from seeing your traffic. Good VPNs also don’t log your personal and identifiable data.

A VPN is different in a couple of ways, however. A VPN is a network that encrypts all the traffic that flows through it, including both HTTP and HTTPS. The VPN server you connect to acts as an intermediary server in a location of your choosing, which not only encrypts your traffic through its server, but also masks your real location so you can browse the internet as if you were in a different country. 1.1.1.1 doesn’t do this.

Which one is better at protecting your privacy?

1.1.1.1 may give you faster connection speeds and protect you from most snoops, but if you want to hide all your traffic, and are willing to pay for it, then go for a good VPN that doesn’t keep logs that can identify you. As with Cloudflare and APNIC’s 1.1.1.1, trust plays a part in selecting a VPN you want to use.

There are also other benefits to having a VPN such as being able to mask your real location with another location. This especially helps if a site you want to access is geo-blocked, like Netflix or Google, and you’re in a country where those sites are blocked.

Remember too that you have a lot of options when it comes to choosing a VPN provider, with literally hundreds to choose from. Equally though, if you’re using a VPN primarily to help with connectivity and also want speed and security, it’s always going to be worth heading in the direction of paid-for VPN providers.

While there are cheap VPNs and, in some cases, free VPNs to consider, there can be disadvantages to using a less high-profile VPN name. This is the reason why the likes of ExpressVPN, NordVPN, Surfshark and other premium brands have become so popular in the last few years. They also come with the added benefit of 24/7 customer support in most cases. That can be worth a lot if you start having technical issues.

The best VPNs don’t keep logs, and offer server locations from all over the world too. ExpressVPN does a good job with this as a prime example. It offers apps for a variety of systems and devices, so no matter what device you’re using, you are protected.


Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.
