In the modern digital landscape, privacy is not just a feature: it is a necessity. Every time you visit a website, your device performs a DNS lookup. Traditionally, these lookups are sent in plain text, allowing Internet Service Providers (ISPs) and on-path attackers to monitor your browsing habits. In this guide, we will explore how to leverage DNS over HTTPS (DoH) and Cloudflare 1.1.1.1 for Families to create a secure, private, and filtered environment within the UniFi ecosystem.

The Power of Encrypted DNS (DoH)

DNS over HTTPS (DoH) wraps your DNS queries in an encrypted HTTPS layer, making them indistinguishable from normal HTTPS web traffic. This prevents eavesdropping on and tampering with your queries ("man-in-the-middle" attacks) and ensures that your ISP cannot log the domains you look up. By combining DoH with Cloudflare's filtering resolvers, you add a layer of automated protection against malicious sites.

Choosing the Right Cloudflare Resolver

Cloudflare provides different tiers of protection depending on your needs. For a balanced home or office setup, the "Security" tier is recommended to block malware and phishing attempts.

Protection Tier      Primary / Secondary IPv4   Features
Cloudflare Security  1.1.1.2 / 1.0.0.2          Blocks Malware & Phishing
Cloudflare Family    1.1.1.3 / 1.0.0.3          Blocks Malware & Adult Content

Global Configuration via UniFi CyberSecure

With the latest UniFi Network Application updates, implementing DoH no longer requires complex CLI scripts. The CyberSecure dashboard allows for a seamless global implementation using predefined profiles.

  1. Navigate to the Settings > CyberSecure section in your UniFi dashboard.
  2. Locate the Encrypted DNS option.
  3. Switch the setting to Predefined.
  4. From the list, select Cloudflare-security and Cloudflare-security-ipv6. This ensures that both IPv4 and IPv6 DNS traffic across your entire network is encrypted and filtered.
  5. Click Apply Changes.

Verification: Ensuring Everything is Encrypted

To confirm that your queries are truly encrypted, use the official Cloudflare diagnostic tool at 1.1.1.1/help. Your status should ideally show:

  • Using DNS over HTTPS (DoH): Yes
  • Data Center Location: AMS (or your nearest local exchange for low latency)
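For readers who want to see what the encrypted lookup described above actually carries on the wire, and who want a second verification method beside the 1.1.1.1/help page, the following is an added example, not code from this article, from Ubiquiti, or from Cloudflare. It builds a DNS wire-format query, sends it as an RFC 8484 GET request, and classifies the answer. It assumes the DoH endpoints security.cloudflare-dns.com and family.cloudflare-dns.com for the two filtering tiers in the table, and it treats an answer of 0.0.0.0 (or :: for IPv6) as "blocked", which is the behaviour this example assumes from Cloudflare's documentation for its filtering resolvers. The sample reply used for the offline demonstration is constructed here and stands in for a live resolver.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client for checking a filtering resolver."""
import base64
import socket
import struct
import sys
import urllib.request

# Assumed DoH endpoints for the two Cloudflare filtering tiers (1.1.1.2 and 1.1.1.3).
DOH_ENDPOINTS = {
    "security": "https://security.cloudflare-dns.com/dns-query",
    "family": "https://family.cloudflare-dns.com/dns-query",
}
BLOCK_SINKHOLES = {"0.0.0.0", "::"}  # assumed "blocked" answers of the filtering tiers


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS wire-format query (RFC 1035). RFC 8484 suggests ID 0 so replies cache well."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS=IN


def _read_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name; return (name, offset just past it in the original position)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the response code and every A/AAAA address in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x0F, "answers": answers}


def classify(parsed: dict) -> str:
    """'blocked' when every address is a sinkhole, 'resolved' otherwise, 'error' on a non-zero RCODE."""
    if parsed["rcode"] != 0:
        return "error"
    if not parsed["answers"]:
        return "no-data"
    if all(a in BLOCK_SINKHOLES for a in parsed["answers"]):
        return "blocked"
    return "resolved"


def doh_lookup(name: str, tier: str = "security", qtype: int = 1) -> dict:
    """Live lookup: RFC 8484 GET with the query base64url-encoded and unpadded. Needs network access."""
    dns_param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    req = urllib.request.Request(f"{DOH_ENDPOINTS[tier]}?dns={dns_param}",
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


def make_sample_response(query: bytes, addresses: list, rcode: int = 0) -> bytes:
    """Constructed stand-in for a resolver reply: echoes the question and answers with a
    compression pointer (0xC00C) to the question name, as real resolvers do."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        family, rtype = (socket.AF_INET6, 28) if ":" in addr else (socket.AF_INET, 1)
        rdata = socket.inet_pton(family, addr)
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query("example.test")
    # Offline demonstration against the constructed reply of a filtering resolver.
    print("constructed reply:", classify(parse_response(make_sample_response(q, ["0.0.0.0"]))))
    # Live check when a domain is given on the command line, e.g. `python doh_check.py example.com`.
    if len(sys.argv) > 1:
        for tier in DOH_ENDPOINTS:
            print(tier, classify(doh_lookup(sys.argv[1], tier)))
```

Running the live check for the same domain against both tiers shows the difference between the Security and Family profiles selected in the CyberSecure step, and a domain that the Security tier sinkholes confirms that the filtering, not just the encryption, is in effect.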