What's more secure, 1.1.1.1 encrypted or 1.1.1.2?

Hi, I’ve noticed that Windows 11 doesn’t allow me to set “encrypted” for Cloudflare DNS family server settings (1.1.1.2 / 1.0.0.2 and the IPv6 equivalents). So what’s more secure? Use 1.1.1.1 with Encrypted only (DNS over HTTPS) or 1.1.1.2 with malware blocking?

Also, should I disable Avast Premium Security’s “Real Site” feature that prevents DNS hacking by apparently forcing the use of Avast DNS servers? Which Cloudflare server settings would be most comparable to that, 1.1.1.1 encrypted or 1.1.1.2? Any thoughts on which is more secure between Avast and Cloudflare? Can they co-exist?

Thank you,
Parker

You can use DoH with 1.1.1.1 for Families too. Have a look at Set up Cloudflare 1.1.1.1 resolver · Cloudflare 1.1.1.1 docs.

Adult Content and Malware Blocking:

https://family.cloudflare-dns.com/dns-query

Malware Blocking:

https://security.cloudflare-dns.com/dns-query

Pick one, Avast or Cloudflare, and use that. I’ve not used Avast DNS, but I have used Cloudflare’s Malware (i.e. security) one. Nowadays I still use Cloudflare for DNS resolution, but do it through their Zero Trust Gateway.
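As an added example (not part of this thread, and not Cloudflare's or Microsoft's code): the reason Windows 11 greys out “Encrypted only” for 1.1.1.2 is that the address is not in its list of known DoH servers, and the templates above can be registered with the built-in DnsClient cmdlets. The function names are mine. The Security addresses match the nslookup later in this thread; the Family addresses (1.1.1.3 / 1.0.0.3 and the IPv6 pair) are Cloudflare's published ones but are not listed in the thread. The test name malware.testcategory.com is assumed to be Cloudflare's test domain for the malware category, with 0.0.0.0 as the blocked answer; substitute any domain you already know is blocked. Run from an elevated prompt.

```powershell
# Added example, not from the thread: register Cloudflare's 1.1.1.1 for Families
# resolvers as known DoH servers so Windows 11 stops greying out "Encrypted only".
# Requires an elevated PowerShell prompt on Windows 11 (DnsClient module).
$Profiles = @{
    # Malware blocking (addresses confirmed by the nslookup in this thread)
    Security = @{ Template = 'https://security.cloudflare-dns.com/dns-query'
                  Servers  = '1.1.1.2', '1.0.0.2', '2606:4700:4700::1112', '2606:4700:4700::1002' }
    # Malware + adult content (Cloudflare's published addresses, not listed in the thread)
    Family   = @{ Template = 'https://family.cloudflare-dns.com/dns-query'
                  Servers  = '1.1.1.3', '1.0.0.3', '2606:4700:4700::1113', '2606:4700:4700::1003' }
}

function Register-CloudflareFamiliesDoh {
    param([ValidateSet('Security', 'Family')][string]$Profile = 'Security')
    $p = $Profiles[$Profile]
    foreach ($ip in $p.Servers) {
        # Add- fails on duplicates, so only register addresses Windows does not know yet.
        if (-not (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue)) {
            Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $p.Template `
                -AllowFallbackToUdp $false -AutoUpgrade $true   # never silently drop to plain port 53
        }
    }
    # Return the registrations so the template and flags can be confirmed.
    Get-DnsClientDohServerAddress | Where-Object { $_.ServerAddress -in $p.Servers }
}

function Set-FilteredResolvers {
    param([ValidateSet('Security', 'Family')][string]$Profile = 'Security')
    # Adapter that carries the default route; adjust if you have several.
    $ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
                Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1).InterfaceIndex
    # Only the filtered addresses: a leftover 1.1.1.1 entry would send some queries unfiltered.
    Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $Profiles[$Profile].Servers
    Get-DnsClientServerAddress -InterfaceIndex $ifIndex
}

function Test-FilteredResolver {
    # Assumption: malware.testcategory.com is Cloudflare's test name for the malware
    # category and a blocked A record comes back as 0.0.0.0. Use any known-blocked name.
    param([string]$Server = '1.1.1.2', [string]$Name = 'malware.testcategory.com')
    $a = Resolve-DnsName -Name $Name -Server $Server -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{ Server = $Server; Name = $Name; Answer = $a; Blocked = ($a -contains '0.0.0.0') }
}

Register-CloudflareFamiliesDoh -Profile Security
Set-FilteredResolvers -Profile Security
Test-FilteredResolver
```

After this the Settings app offers “Encrypted only (DNS over HTTPS)” for 1.1.1.2 like it already does for 1.1.1.1. AllowFallbackToUdp is set to false on purpose: with fallback allowed, a failed DoH handshake would quietly revert to unencrypted port 53, which defeats the point of choosing the encrypted option.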

Thanks for the reply, but I still have some questions. First, I don’t have a DoH-compliant router (it’s an Asus RT-AC88U), but it has a DoT feature. I’ve set my DNS servers to 1.1.1.2 / 1.0.0.2 (no IPv6 settings available) and enabled DoT in the router. I’ve been able to add 4 Cloudflare servers (2 IPv4 and 2 IPv6) with TLS Hostname “security.cloudflare-dns.com” to my “DNS-over-TLS” list with IP addresses 1.1.1.2, 1.0.0.2 and their IPv6 counterparts.

When I go to test on https://1.1.1.1/help it appears the TLS is working, but the Connectivity to Resolver IP Addresses lists 1.1.1.1, 1.0.0.1, etc. (not 1.1.1.2, i.e. 1.1.1.1 for Families). See: https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJZZXMiLCJkYXRhY2VudGVyTG9jYXRpb24iOiJCT1MiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

A FAQ at Community Tip - Best Practices for 1.1.1.1 for Families from 4/1/20 says “We support DoH, we’re working DoT.” Is DoT working for 1.1.1.2 (i.e. 1.1.1.1 for Families) now? I’ve tested a site that should be blocked and it is.

Have I set this up correctly, is it really working and secure? I need to know before turning off Avast “Real Site” which supposedly forces use of their secure DNS resolvers in the background…

Btw, I’ve set my DNS settings to Auto in Windows 11 so they pull from the router, because when I manually enter 1.1.1.2, 1.0.0.2 or their IPv6 equivalents the pull-downs to select encrypted are greyed out to “unencrypted”. So it appears Windows 11 doesn’t think encrypted DoH is available for those DNS servers…

These are the various DoT hostnames for 1.1.1.1…

1.1.1.1:

1dot1dot1dot1.cloudflare-dns.com
one.one.one.one

Set up Cloudflare 1.1.1.1 resolver · Cloudflare 1.1.1.1 docs

1.1.1.1 for Families — Adult Content and Malware Blocking:

family.cloudflare-dns.com

1.1.1.1 for Families — Malware Blocking:

security.cloudflare-dns.com

The 1.1.1.1 debug information you provided shows that you’re connected using DoT.

Previously I had set 1.1.1.1/1.0.0.2 as my DNS servers in my router and had set the DoT hostname to just “cloudflare-dns.com” at IP 1.1.1.1, etc., per the Asus preset servers. When I changed to the family DNS servers in the router (1.1.1.2, etc.) I changed the DoT hostname to security.cloudflare-dns.com (as you listed above) but set the associated IP for those hostnames to 1.1.1.2, etc. My remaining question is, are those DoT servers set up correctly using those 1.1.1.1 for Families IP addresses (e.g. 1.1.1.2, etc.)?

The security hostnames look all right, but you should remove the first 1.1.1.1 entry in your server list. I assume you don’t inadvertently want some of your DNS queries going to the regular 1.1.1.1 resolver and want them all to go to the security one.

>nslookup security.cloudflare-dns.com

Non-authoritative answer:
Name:    security.cloudflare-dns.com
Addresses:  2606:4700:4700::1112
          2606:4700:4700::1002
          1.0.0.2
          1.1.1.2
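As an added example (not part of this thread, and not Cloudflare's or Asus's code): the router's DoT entry pairs an IP with a TLS hostname, and the two play different roles. The IP is only where the TCP connection on port 853 goes; the hostname is what the resolver's certificate is validated against, so a mistyped hostname fails the handshake even when the IP is right. The script below reproduces one such DoT exchange from a PC using .NET's SslStream: it authenticates against the configured hostname, sends a single query with RFC 7858 length framing, and decodes the A/AAAA answers. Function names and defaults are mine; it queries security.cloudflare-dns.com by default so the answers can be compared with the nslookup output above.

```powershell
# Added example, not from the thread: reproduce what a router's DoT entry does.
# Connect to the resolver IP on 853, authenticate the TLS session against the
# configured hostname, send one query (RFC 7858 framing), and decode the answers.
function Read-Exactly([System.IO.Stream]$Stream, [byte[]]$Buffer) {
    $got = 0
    while ($got -lt $Buffer.Length) {
        $n = $Stream.Read($Buffer, $got, $Buffer.Length - $got)
        if ($n -le 0) { throw 'resolver closed the connection early' }
        $got += $n
    }
}

function Skip-DnsName([byte[]]$Msg, [int]$Pos) {
    # Advance past a wire-format name; a 0xC0 compression pointer ends it in two bytes.
    while ($true) {
        $len = $Msg[$Pos]
        if ($len -eq 0) { return $Pos + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Pos + 2 }
        $Pos += 1 + $len
    }
}

function Invoke-DotQuery {
    param(
        [Parameter(Mandatory)][string]$ResolverIp,    # where the TCP connection goes
        [Parameter(Mandatory)][string]$TlsHostName,   # what the certificate must be valid for
        [string]$Name = 'security.cloudflare-dns.com',
        [ValidateSet('A', 'AAAA')][string]$Type = 'A'
    )
    # Build the query: header (RD=1, QDCOUNT=1), QNAME labels, root label, QTYPE, QCLASS=IN.
    $id  = Get-Random -Maximum 65536
    $buf = [System.Collections.Generic.List[byte]]::new()
    $buf.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $buf.Add([byte]$label.Length)
        $buf.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $qtype = if ($Type -eq 'A') { 1 } else { 28 }
    $buf.AddRange([byte[]]@(0, 0, $qtype, 0, 1))
    $msg = $buf.ToArray()

    $tcp = [System.Net.Sockets.TcpClient]::new($ResolverIp, 853)
    $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        # Sends $TlsHostName as SNI and throws AuthenticationException if the chain
        # is untrusted or the certificate is not valid for that name.
        $tls.AuthenticateAsClient($TlsHostName)
        $tls.Write([byte[]]@(($msg.Length -shr 8), ($msg.Length -band 0xFF)), 0, 2)
        $tls.Write($msg, 0, $msg.Length)
        $tls.Flush()

        $lenBuf = [byte[]]::new(2)
        Read-Exactly $tls $lenBuf
        $resp = [byte[]]::new((($lenBuf[0] -shl 8) -bor $lenBuf[1]))
        Read-Exactly $tls $resp
        $cert = $tls.RemoteCertificate.Subject
    } finally {
        $tls.Dispose(); $tcp.Dispose()
    }

    if ((($resp[0] -shl 8) -bor $resp[1]) -ne $id) { throw 'transaction ID mismatch' }
    $ancount = ($resp[6] -shl 8) -bor $resp[7]
    $pos = (Skip-DnsName $resp 12) + 4                  # past the echoed question section
    $answers = for ($i = 0; $i -lt $ancount; $i++) {
        $pos   = Skip-DnsName $resp $pos
        $rtype = ($resp[$pos] -shl 8) -bor $resp[$pos + 1]
        $rdlen = ($resp[$pos + 8] -shl 8) -bor $resp[$pos + 9]
        $pos  += 10                                      # TYPE, CLASS, TTL, RDLENGTH
        if ($rtype -in 1, 28) {
            [System.Net.IPAddress]::new([byte[]]$resp[$pos..($pos + $rdlen - 1)]).ToString()
        }
        $pos += $rdlen
    }
    [pscustomobject]@{
        ResolverIp      = $ResolverIp
        VerifiedAgainst = $TlsHostName
        CertSubject     = $cert
        Rcode           = $resp[3] -band 0x0F            # 0 = NOERROR
        Answers         = @($answers)
    }
}

# The router's entries, checked from a PC. Swap in the name you already confirmed
# is blocked to see the filtered answer come back over the same authenticated session.
Invoke-DotQuery -ResolverIp 1.1.1.2 -TlsHostName security.cloudflare-dns.com
Invoke-DotQuery -ResolverIp 1.0.0.2 -TlsHostName security.cloudflare-dns.com -Type AAAA
```

Running the first call against 1.1.1.2 with a deliberately wrong hostname (for example, a name that is not on the resolver's certificate) fails inside AuthenticateAsClient rather than returning answers, which is the behaviour you want from the router too: the entry is only as trustworthy as the hostname check, not the address typed next to it.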