Let’s be real for a second: your ISP knows way too much about you. Even if you use HTTPS for everything (which you should), your DNS queries (the phonebook lookup that connects google.com to an IP address) are usually sent in plain text.
That means your internet provider can see exactly what domains you’re visiting. And depending on where you live, they might be legally allowed to sell that data.
I don’t know about you, but I’d rather keep my browsing history between me and my browser history deletion habits.
Today, we’re setting up Cloudflare Warp on Ubuntu. But here’s the trick: we aren’t using the full VPN mode (which can mess with your local network or slow down your connection). We are going to configure it to run in DoH (DNS over HTTPS) mode.
It’s free, it’s faster than your ISP’s DNS, and it encrypts your requests. Let’s do this.
Step 1: The Setup (GPG Keys & Repos)
First, we need to tell Ubuntu that Cloudflare is a friend. Open your terminal and grab curl if you don’t have it already.
sudo apt install curl
Next, add Cloudflare’s GPG key so apt trusts the packages:
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \
| sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
Now, let’s add the repository.
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] \
https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/cloudflare-client.list
The “Gotcha” Moment: Check Your Distro Name
Stop here for a second. Depending on your version of Ubuntu (or if you are on a derivative like Mint or Pop!_OS), the command above might insert a codename that Cloudflare doesn’t have a repo for (like “questing” or another bleeding-edge name).
We need to make sure it’s pointing to a stable release, like jammy.
Run this to check the file:
sudo nano /etc/apt/sources.list.d/cloudflare-client.list
Look at the text. If you see your distro’s codename and apt update throws an error later, come back here and change the codename to jammy.
Save and exit (Ctrl+O, Enter, Ctrl+X).
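If you would rather script this check than edit the file by hand, here is one way to do it. This is an added example, not part of the original post or of Cloudflare's tooling: it assumes the repo follows the standard apt layout (dists/<codename>/InRelease or Release), and the function names list_suite, suite_exists and pin_suite are made up for illustration.

```shell
#!/bin/sh
# Added example: pin the Cloudflare apt source to a suite the repo actually serves.
LIST=/etc/apt/sources.list.d/cloudflare-client.list
REPO=https://pkg.cloudflareclient.com/
FALLBACK=jammy   # the stable release the article falls back to

# Print the suite (codename) of the first "deb" line. The optional
# [signed-by=...] options block is skipped so it is not mistaken for the URL.
list_suite() {
    awk '$1 == "deb" {
             i = 2
             if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }
             print $(i + 1); exit
         }' "$1"
}

# True when the repo publishes release metadata for the suite.
# Assumption: standard apt repository layout under dists/<suite>/.
suite_exists() {
    curl -fsSI -o /dev/null "${REPO}dists/$1/InRelease" 2>/dev/null ||
    curl -fsSI -o /dev/null "${REPO}dists/$1/Release" 2>/dev/null
}

# Rewrite the suite to $FALLBACK when the current one is not published.
# Prints the suite left in the file. Arg 1: list file (defaults to $LIST).
pin_suite() {
    local file suite
    file=${1:-$LIST}
    suite=$(list_suite "$file")
    [ -n "$suite" ] || { echo "no deb line found in $file" >&2; return 1; }
    if ! suite_exists "$suite"; then
        # Touch only the suite that directly follows the repo URL, so the
        # signed-by path and the component ("main") stay as they were.
        sed -i "s|\(${REPO}\) *${suite} |\1 ${FALLBACK} |" "$file"
        suite=$(list_suite "$file")
    fi
    printf '%s\n' "$suite"
}

# Usage (as root, because the list file is root-owned):
#   pin_suite && apt update
```

The script only rewrites the codename when the repo has no metadata for it, so a supported release keeps its own suite.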
Step 2: Install Warp
Now that the plumbing is done, let’s install the actual client.
sudo apt update
sudo apt install cloudflare-warp
Step 3: Configure for DNS-Only Mode
By default, Warp wants to act like a full VPN. We don’t want that right now; we just want the encrypted DNS magic.
First, register the client (it’s free, you don’t need an account):
warp-cli register
Now, force it into DoH mode:
warp-cli mode doh
Check the status to make sure it’s alive:
warp-cli status
You should see something like Status: Connected and Mode: DoH. If you see that, congratulations, your DNS is now encrypted.
Step 4: Make it stick (Autostart)
Warp usually behaves well, but I like to make sure it connects automatically when the server (or desktop) reboots. We’ll use a simple cron job for this.
Edit your crontab:
sudo crontab -e
Scroll to the very bottom and add this line:
@reboot /usr/bin/warp-cli connect
Save and exit.
Why did we do this?
You now have enterprise-grade DNS encryption running on your Linux machine.
- Privacy: Your ISP sees you connecting to Cloudflare, but they can’t read the DNS lookups for the specific websites you are asking for. The IP addresses you connect to afterwards are still visible to them.
- Speed: Cloudflare’s 1.1.1.1 is ridiculously fast compared to most default ISP resolvers.
That’s it. Enjoy!





