Cloudflare’s 1.1.1.1 DNS Resolver Just Passed Its Toughest Privacy Test Yet — And the Results Matter More Than You Think

Cloudflare's 1.1.1.1 DNS resolver passed its fourth consecutive KPMG privacy audit with no exceptions found. The examination confirms the company isn't logging personal data, selling queries, or targeting ads — a rare case of a tech firm delivering exactly on its privacy promises.
Cloudflare’s 1.1.1.1 DNS Resolver Just Passed Its Toughest Privacy Test Yet — And the Results Matter More Than You Think
Written by John Marshall

When Cloudflare launched its 1.1.1.1 public DNS resolver in April 2018, the company made a promise that sounded almost too good to be true: it would never sell user data, never use DNS queries for ad targeting, and purge all transaction logs within 24 hours. Seven years later, that promise has survived another independent audit — its fourth — and the findings reveal something rare in the technology industry: a company doing exactly what it said it would do.

The results, published in a blog post by Cloudflare on July 10, 2025, detail the conclusions of an examination conducted by KPMG, one of the Big Four accounting firms. KPMG’s assessment covered the period from February 1, 2024, through January 31, 2025, and evaluated Cloudflare’s 1.1.1.1 resolver against the company’s own published privacy commitments. The verdict: no exceptions found. Cloudflare is not logging user IP addresses to disk, not selling query data, and not using DNS information to build advertising profiles.

That might sound like table stakes. It isn’t.

DNS — the Domain Name System — is the internet’s phone book. Every time a user types a website address into a browser, a DNS query translates that human-readable domain into a numerical IP address. Whoever operates the DNS resolver you use can, in theory, see every website you visit. Your internet service provider typically handles this by default, and ISPs in the United States have faced repeated scrutiny over how they monetize that data. The Federal Trade Commission published a 2021 report documenting how six major ISPs collected and shared browsing data in ways consumers didn’t fully understand.

Cloudflare positioned 1.1.1.1 as the alternative. Faster than most ISP resolvers, and built with privacy as its foundational design constraint. But promises from technology companies age poorly without verification. Which is why the recurring KPMG examinations matter — and why the specific methodology deserves closer scrutiny than most coverage gives it.

What KPMG Actually Tested — and What It Didn’t

The examination follows the SOC 2 Type II framework, adapted to Cloudflare’s specific privacy commitments. Those commitments, which Cloudflare publishes publicly, include five core pledges: the company will not retain any personal data in its 1.1.1.1 logs; it will not sell, license, sublicense, or otherwise share query data with third parties; it will not use query data to target users with advertising; it will retain only limited transaction logs (purged within 24 hours) and anonymized logs for long-term research; and it will engage an independent auditor to verify compliance annually.

KPMG’s role was to test whether Cloudflare’s internal controls actually enforced those commitments during the audit period. The firm examined system configurations, data retention policies, access controls, and log management practices. According to Cloudflare’s blog post, KPMG found no exceptions — meaning every control tested operated as described.

But there are limits to what this kind of examination covers. SOC 2 audits evaluate whether controls exist and function as designed. They don’t involve adversarial penetration testing of the resolver infrastructure. They don’t assess whether a sophisticated state actor could intercept queries in transit. And they don’t evaluate the privacy implications of Cloudflare’s broader product line — only the 1.1.1.1 resolver specifically.

Still, the consistency matters. This is the fourth consecutive year Cloudflare has passed. The company first engaged KPMG for this purpose in 2020, and the auditor has returned the same clean finding each time. In an industry where privacy policies frequently contain carve-outs wide enough to drive a truck through, a multi-year track record of independent verification carries weight.

Cloudflare also makes the full KPMG report available to anyone who requests it, though it requires filling out a form on the company’s website. That’s a friction point — competitors like Quad9 publish their audit results more directly — but it’s still more transparency than most DNS providers offer. Google’s 8.8.8.8 resolver, for instance, operates under Google’s general privacy policy, which permits the retention of anonymized data and doesn’t involve a comparable independent audit regime specific to its DNS service.

The technical architecture behind 1.1.1.1’s privacy claims has evolved since launch. Cloudflare now supports DNS over HTTPS (DoH) and DNS over TLS (DoT), both of which encrypt queries in transit. The company also supports Oblivious DNS over HTTPS (ODoH), a protocol developed in collaboration with Apple and Fastly that separates the identity of the user from the content of the query. With ODoH, a proxy server knows who you are but not what you asked; Cloudflare’s resolver knows what you asked but not who you are. Neither party has the full picture.

That protocol hasn’t seen mass adoption yet. Apple’s iCloud Private Relay uses a conceptually similar two-hop architecture for Safari browsing traffic, but ODoH for general DNS resolution remains niche. Its existence, though, signals something about where Cloudflare wants to position itself: not just as a privacy-respecting resolver, but as a company pushing the technical boundaries of what DNS privacy can look like.

The timing of this latest audit publication isn’t accidental. Privacy regulation continues to tighten globally. The European Union’s enforcement of the General Data Protection Regulation has intensified, with the Irish Data Protection Commission levying a €1.2 billion fine against Meta in 2023 for transatlantic data transfers. In the United States, state-level privacy laws continue to proliferate — Texas, Oregon, Montana, and others have enacted comprehensive privacy statutes in the past two years. DNS data, which can reveal sensitive information about health concerns, political interests, and personal habits, sits squarely in the crosshairs of these regulatory trends.

For enterprise customers, Cloudflare’s audit results serve a dual purpose. They provide assurance about the company’s consumer DNS product, but they also function as a signal about Cloudflare’s broader organizational posture toward data handling. Companies evaluating Cloudflare’s paid services — its content delivery network, DDoS protection, Zero Trust platform, and Workers compute product — can point to the 1.1.1.1 audit as evidence of institutional discipline around privacy commitments. It’s a trust-building exercise with commercial implications.

Cloudflare’s competitors aren’t standing still. Quad9, a nonprofit DNS resolver operated out of Switzerland, publishes its own audit results and benefits from Swiss privacy law, which is among the strictest in the world. NextDNS offers granular user controls and transparent logging policies. And Apple’s Private Relay, while not a traditional DNS resolver, has raised the baseline consumer expectation for network-level privacy on Apple devices.

But Cloudflare’s scale gives it a different kind of advantage. The company operates data centers in over 330 cities across more than 120 countries, which means 1.1.1.1 queries are typically resolved at a server geographically close to the user. That proximity translates to speed — Cloudflare consistently ranks among the fastest public DNS resolvers in independent benchmarks — and speed drives adoption. According to data from Cloudflare’s own S-1 filing and subsequent earnings reports, 1.1.1.1 handles tens of millions of DNS queries per second.

So what’s the catch? There are a few. First, Cloudflare is a publicly traded company with a fiduciary obligation to shareholders. Its privacy commitments around 1.1.1.1 are voluntary and could, in theory, be revised. The company has shown no indication of doing so, but the structural incentive exists. Second, while the KPMG audit covers the resolver itself, Cloudflare’s broader business involves processing enormous volumes of internet traffic through its network. The company’s transparency reports show it receives and responds to law enforcement requests, as all major internet infrastructure companies do. Third, centralization of DNS resolution in a handful of providers — Cloudflare, Google, Quad9 — creates concentration risk. If a single provider’s privacy practices change, the impact affects millions of users simultaneously.

None of these concerns negate the value of what Cloudflare has built. They simply frame it accurately. A DNS resolver that keeps its privacy promises, proves it annually through independent examination, and pushes the technical state of the art on encrypted and anonymized query resolution is genuinely uncommon. The 2025 KPMG audit confirms that 1.1.1.1 continues to operate as advertised.

And in an industry where the gap between marketing claims and operational reality often resembles a canyon, that confirmation is worth paying attention to.

Subscribe for Updates

NetworkNews Newsletter

News for network engineers/admins and managers, CTO’s, & IT pros.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us