"Prevent client auto DoH" should be Yes. Browsers (at least so far) have agreed to check this setting in DNSMasq, and if enabled, NOT use DoH within the browser and bypass your settings in DNSMasq. Not unless you've already disabled DoH in the browser itself.
Hello, I'm trying to set up the DNS encryption on my RT-AX86U using Cloudflare. However, I just can't get 1.1.1.1/help to recognize that I'm connected to 1.1.1.1 or that I'm using either DoT or DoH (DoH when active in Mozilla). I also want my browser to always use Cloudflare's DoH, meaning it needs to overwrite the router.
I've posted the WAN configuration below. LAN section DNS servers are blank. Should I change that as well?
I don't. I've been doing some reading on this topic, and from what I understood, letting the router handle all the DNS queries can be beneficial for performance since it can cache relevant information, as opposed to letting Firefox use DoH, which I assume has to contact the server for every request?
I am unclear on what your end goal is in encrypting DNS. You trust yourself and your users, I'm assuming, and you likely trust that the internet will work. Great. Set up your own little black book, use the phone book of the internet to fill it with, and let big data and your ISP pound salt:
If you're looking to avoid big data monitoring your DNS lookups, using your own recursive caching DNS server is the way to go.
Thankfully, the kind people here have made it VERY simple: they've built/modified a script called unbound.
What that does is build your network's own DNS server, and for new/unknown/uncached queries, it goes to the internet's authoritative servers, bypassing Google or Cloudflare or whomever is evaluating/observing what it is you're looking up. You basically become a peer to Google and Cloudflare in that regard... but most notably, your DNS pings are notably shorter and faster, because clients on your network only have to look as far as the router for DNS, and if it's not found, the router goes to the same source as Google and Cloudflare or your ISP (they have their own DNS server, built from tracking all their subscribers' actions).
No encryption required. The majority of my network lookups are in the 0-1 usec range. I believe non-cached lookups are averaging in the 20 ms range... the average is likely in the 10-12 ms neighbourhood, or faster. What's your ping time to Cloudflare?
^ Those are raw dog pings to Cloudflare, Google and my router from my desktop. No encryption.
So, do the math: if caching DNS addys on my local network saves me 7.5 ms each (or more!), AND affords me the privacy I've come to appreciate, wouldn't you agree that messing with DoH/DoT is inefficient?
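To make the "do the math" argument concrete, here is an added example (not code from the thread, and not unbound) of the data structure the post describes: a TTL-respecting cache sitting between LAN clients and a simulated upstream. The upstream zone data, the query log and the two latencies (12 ms for an upstream round trip, 0.5 ms for a cache hit) are all constructed values standing in for the poster's measured numbers, and the point the paragraph alone does not show is how record TTLs, not just repetition, decide the hit rate.

```python
from collections import namedtuple

Record = namedtuple("Record", "answer expires_at")


class CachingResolver:
    """Minimal caching resolver: answers from cache until the record's TTL expires,
    otherwise asks the (simulated) upstream and stores the answer."""

    def __init__(self, zone: dict, upstream_ms: float, local_ms: float):
        self.zone = zone              # name -> (answer, ttl_seconds); stands in for authoritative servers
        self.upstream_ms = upstream_ms
        self.local_ms = local_ms
        self.cache = {}
        self.hits = 0
        self.misses = 0

    def resolve(self, name: str, now: float):
        rec = self.cache.get(name)
        if rec is not None and rec.expires_at > now:
            self.hits += 1
            return rec.answer, self.local_ms
        self.misses += 1
        answer, ttl = self.zone[name]           # KeyError for unknown names is fine for the demo
        self.cache[name] = Record(answer, now + ttl)
        return answer, self.upstream_ms


# Constructed zone: one long-TTL name, one short-TTL name (placeholder TEST-NET addresses).
ZONE = {"example.com": ("192.0.2.1", 300), "example.net": ("192.0.2.2", 30)}

# Constructed query log as (seconds since start, name).
QUERY_LOG = [
    (0, "example.com"), (1, "example.net"), (2, "example.com"),
    (40, "example.net"), (50, "example.com"), (400, "example.com"),
]


def simulate(log, zone=ZONE, upstream_ms=12.0, local_ms=0.5) -> dict:
    """Run the log through a caching resolver and compare with always-upstream lookups."""
    r = CachingResolver(zone, upstream_ms, local_ms)
    total = sum(r.resolve(name, t)[1] for t, name in log)
    return {
        "hits": r.hits,
        "misses": r.misses,
        "hit_rate": r.hits / len(log),
        "avg_ms_cached": total / len(log),
        "avg_ms_uncached": upstream_ms,       # every query goes to the upstream
    }


if __name__ == "__main__":
    stats = simulate(QUERY_LOG)
    for k, v in stats.items():
        print(f"{k:16s} {v}")
```

In this log the short-TTL name expires between its two lookups and the long-TTL name expires before the last query, so only two of six lookups are hits; longer TTLs or a busier LAN push the hit rate, and the saving per query, up.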