CLOUDFLARE WARP Β· FIELD GUIDE
What can
your ISP see?
Everything you do online passes through your internet provider β so with nothing protecting it, they can see where you go, and by default it's logged. The real questions aren't whether that happens, but how long they keep the record and what they do with it. These WARP settings change the one part you control: how much they can read in the first place. Here's an overview.
What your browsing data can be used for
π°
Sold for profit
Your browsing history can be packaged and sold to data brokers and others willing to pay for it.
π§©
Profiling
Patterns in where you go can infer things you never stated β political leanings, group affiliations, gender, relationship status, opinions, even health.
π£
Advertising
Your activity feeds ad targeting β shaping which ads you're shown and letting advertisers pay to reach you specifically.
π’
Throttling
Seeing that you're streaming, gaming, or downloading, a provider can deliberately slow it.
π«
Blocked or restricted
Where you're connecting can be used to deny the request β sites blocked by a network or government, or content withheld because of your region.
π
Handed over
Logs can be handed to authorities β or compelled by a legal request, even from a private party such as a copyright holder.
π
Leaked in a breach
Whatever the provider stores can spill out if they're hacked β exposure you can't control.
Exactly what's permitted varies by provider and country β but the less they can read, the less any of this is possible.
01
Who's on the wire
π±
You
Your device
Your phone or laptop. Every site you open starts here as a request.
β WARP can't protect this
Your OS (Android, iOS) and installed apps β social media, say β can read your data right here, before any request leaves. How much depends on each app's privacy policy. A tunnel only guards data once it's on the wire.
ποΈ
The watcher
Your ISP
The company you pay for internet. Every request passes through them, so unless it's hidden, they can see and record it.
β Lawful access
In many countries, ISPs are legally required to give authorities direct β sometimes realβtime β access to the traffic on their network, beyond caseβbyβcase requests.
π΅οΈ
Uninvited
Eavesdroppers
On public WiβFi β a cafΓ©, airport, or hotel β someone on the same network can quietly intercept unprotected traffic. That's the everyday risk; at the far end, network operators and even state actors can tap the cables your data crosses.
π‘οΈ
The tunnel
Cloudflare WARP
A free app that wraps your traffic in a sealed tunnel and carries it for you β past everyone watching the wire.
One word you'll see: DNS. Opening a website starts with a lookup β like asking a phone book, "what's the number for wikipedia.org?" That question is a DNS lookup. By itself it travels in plain text, so the watcher can read it.
02
The same line, redacted three ways
Here's a single page of your ISP's logbook for one website visit. As you turn on more protection, more of the line gets blacked out β until there's almost nothing left to read.
β WARP off β plain DNS
No tunnel Β· DNS over UDP
14:09 lookup: wikipedia.org β visit: 208.80.153.224 (wikipedia.org)
β ISP reads your lookup
β ISP reads where you go
β‘ Encrypted DNS only
No tunnel Β· DNS over HTTPS / TLS
14:09 lookup: wikipedia.org β visit: 208.80.153.224 (wikipedia.org)
β Lookup hidden
β ISP still sees where you connect
β’ Full WARP β Traffic and DNS
Tunnel on Β· any DNS protocol
14:09 lookup: wikipedia.org β visit: 208.80.153.224 sealed tunnel β Cloudflare
β Lookup hidden
β Destination hidden
β ISP only sees "talking to Cloudflare"
Tip: hover or tap a black bar to peek at what would have leaked without protection.
03
The three switches
Everything in the app comes down to three independent choices. The first two change what your ISP sees. The third only changes what you can reach.
Switch 1 Β· Mode
What travels in the tunnel
- Traffic and DNSEverything goes through the tunnel. Strongest hiding from your ISP.
- DNS onlyOnly your lookups are protected. Your actual visits stay on the ISP's wire.
Switch 2 Β· DNS protocol
How your lookups travel
- DNS over UDPPlain text. Only safe inside the full tunnel β fastest, no extra wrapping.
- over HTTPS (DoH)Locked on its own. Blends in with normal web traffic; safe anywhere.
- over TLS (DoT)Also locked on its own, but on a dedicated lane that's easier to spot or block.
Switch 3 Β· 1.1.1.1 for Families
What gets filtered out
- NoneNo filtering. Fastest, nothing blocked.
- Block malwareRefuses to look up known dangerous sites. Near-invisible day to day.
- + adult contentAlso blocks adult sites. Good for kids' devices; a net, not a wall.
Filtering works by giving you a "no answer" for bad sites, so your device never connects. It doesn't change what your ISP sees β it's about your safety, not your privacy.
04
Choose your tunnel
Find your goal on the left. The meter on the right shows how much your ISP can still see β fuller bars mean more exposed.
If you wantMaximum privacy from your ISP
Choose this mode
Traffic and DNS (HTTPS)βΎ
+ filter: Block malware
What your ISP sees
ALMOST NOTHING
Just an encrypted tunnel to Cloudflare.
If you wantFastest setup that still hides you
Choose this mode
Traffic and DNS (UDP)βΎ
+ filter: Block malware
What your ISP sees
ALMOST NOTHING
Tunnel does the work; no double-wrapping, less overhead.
If you wantA safe device for kids
Choose this mode
Traffic and DNS (HTTPS)βΎ
+ filter: Block malware & adult content
What your ISP sees
ALMOST NOTHING
Same ISP blindness, plus content filtering.
If you wantJust hide my lookups, keep it light
Choose this mode
DNS only (HTTPS)βΎ
+ filter: Block malware
What your ISP sees
SOME
Lookups hidden, but ISP still sees the sites you connect to.
If you wantTo not route everything through one company
Choose this mode
DNS only (HTTPS)βΎ
+ filter: optional Β· traffic stays on your ISP
What your ISP sees
SOME
You keep trust with your ISP for traffic; only DNS goes to Cloudflare.
If you doNothing (WARP turned off)
Choose this mode
WARP turned offβΎ
no filter Β· default DNS over UDP
What your ISP sees
EVERYTHING
Your lookups and your destinations are both readable.
05
The catch
READ THIS
You're not invisible β you're changing who holds the logbook.
Turning on full WARP hides you from your ISP. But the tunnel has to end somewhere: now Cloudflare carries your traffic instead. They commit to not logging or selling it, and they're independently audited β but the trust simply moves to them. WARP secures the path; it isn't an anonymity cloak or a way to fake your location.
Trust your ISP
β
Trust Cloudflare
And there's a bigger twist: the very same app has a second life. Everything in this guide describes the free consumer version of WARP. But when a workplace or school enrolls your device into their Cloudflare Zero Trust account, the app is built to do the opposite β let the organisation see and control your traffic instead of hiding it.
This guide Β· Consumer WARP
Your tool, to hide you
- You install it for yourself.
- Cloudflare carries your traffic and pledges not to log or sell it.
- The goal is to hide your activity from your ISP.
Zero Trust Β· Work / school device
Their tool, to watch you
- An organisation enrols your device into their account.
- Every DNS lookup and web request is logged with your identity and device attached.
- They filter what you can reach and check your device's health (OS, disk encryption, installed apps).
- They can even read your encrypted (HTTPS) traffic β if their security certificate is installed on the device.
"Zero Trust" means "never trust, always verify" β every request is checked against the organisation's rules rather than waved through. So if your device is managed by an employer or school, the privacy in this guide may not apply: the watcher simply becomes your organisation, by design. (You can usually tell: a Zero Trust device shows your organisation's name and a login in the app.)
06
Go deeper
Straight from the source β download the app and read Cloudflare's own documentation on every setting in this guide.