I’ve been using Cloudflare’s free and fantastic 22.214.171.124 DNS service since it’s inception in 2018. The idea is that you configure your home network to query their DNS (at 126.96.36.199), and they promise a no-hassle, free and fast DNS query service in return. If you wish to configure your network to use 188.8.131.52, see the guidance here.
Another aspect is performance. This is evident especially if you’re used to cloud-based SaaS services, such as Microsoft Teams, part of Office 365. Microsoft has a nicely documented set of principles for network connectivity, and to paraphrase that, DNS latency is crucial here. Microsoft has documented their peering policy, and they also offer a program called Microsoft Edge Caching Program. Thankfully, Cloudflare is peering with several access providers, including Equinix – which in return is a platform partner with Microsoft.
On a high level, using Cloudflare’s 184.108.40.206 DNS services seems like it ticks the boxes for privacy, security and latency – especially if you consider swift access to Microsoft cloud services.
Cloudflare recently announced an expansion to their 220.127.116.11 services, called 18.104.22.168 for Families and it includes two new services:
- 22.214.171.124 and 126.96.36.199 for malware blocking
- 188.8.131.52 and 184.108.40.206 for malware and adult content blocking
IPv6 is also supported, you can view the addresses here.
Again, on paper this looks very promising – a DNS service that filters out malware? Great! And filtering out adult content – especially for devices my kids use? Even better! But how, specifically is it filtered out? Who decided what gets filtered?
I couldn’t find a straight answer to this. The announcement points to Cloudflare Gateway, which I’m not familiar with. I logged in to the Cloudflare for Teams console to figure out what sort of filtering might be happening with the 220.127.116.11/18.104.22.168 DNS services.
They list SafeSearch and YouTube Restricted mode, which are both technologies from Google. In addition, one can configure security threats to block:
And also content categories to filter out:
(Child abuse was selected by default, and it’s hard to disagree with.)
These controls are thus available through Cloudflare for Teams, and if the new DNS services are based on this, I’d imagine there is enough data to define what malware and adult content to block.
I’ve configured my kids’ devices to weed out certain content on Youtube and similar, but now that I have the capability to do it on infrastructure level, it’s even better. Cloudflare is promising further controls for the service at a later date, also.
I’ve now enabled the 22.214.171.124 service within my Unifi equipment, and should that prove work well, I’ll move on to 126.96.36.199 next.
I’m still using Google’s 188.8.131.52 as a tertiary option, should Cloudflare have technical issues at any time.
I work with Azure and frequently write about my experiences. I’m a Microsoft Most Valuable Professional, ex-MSFT. Based in Helsinki, Finland.