DNS over TLS can't seem to verify

[Ojee]

I can't seem to get verification that DNS-over-TLS works. I've followed the wiki, and these are my settings:

However, both tenta.com and 1.1.1.1/help report that DNS-over-TLS is not working:

What am I doing wrong?

 

[L&LD]

Maybe because they're different?

1.1.1.1 vs. 1.1.1.2

and

1.0.0.1 vs. 1.0.0.2

 

[dave14305]

Temporarily disable DNSSEC, run the test, then enable DNSSEC again.

 

[bbunge]

I can't seem to get verification that DNS-over-TLS works. I've followed the wiki, and these are my settings:
View attachment 34916

However, both tenta.com and 1.1.1.1/help report that DNS-over-TLS is not working:
View attachment 34917
What am I doing wrong?

Just to confirm, your settings for Cloudflare Secure are correct. As dave14305 noted disable DNSSEC then run the Cloudflare help page again. It will tell you that you are connected to 1.1.1.1 and 1.0.0.1 but that is normal.

Several other DoT "secure" malware blocking sites have test domains to verify that your DNS settings are correct and the upstream resolver is blocking malware. Cloudflare does not seem to have a verification method for their Security and Family service. I do feel confident that the security service does work as my AiProtect almost never records a block from any of the clients in my LAN.

 

[Ojee]

Thank you guys for confirming that my settings are correct. I'll try it without DNSSEC and report back.
Another question I have: should I put the "DNS-to-TLS profile" to opportunistic or strict?

 

[Ojee]

I ran the test again with DNSSEC disabled, and I am happy to report it worked:

I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?

 

[Zastoff]

I ran the test again with DNSSEC disabled, and I am happy to report it worked:
View attachment 35033

I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?

It's a flaw/bug/limitation with the test site.
Dnssec should only be disabled when testing on that site, Otherwise enabled.

 

[RMerlin]

I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?

The cloudflare.com domain is DNSSEC signed, but the temporary hosts it creates on-the-fly for the test aren't properly signed, causing DNSSEC signature failure.

Cloudflare were advised years ago of this issue, they acknowledged it on their support forums, but never addressed it. Solution would be fairly simple - just dedicate a non-signed domain for these temporary DNS allocations, so they won't require DNSSEC validation.

 

[Ojee]

Thanks for the explanation guys!

 

[JohnD5000]

The cloudflare.com domain is DNSSEC signed, but the temporary hosts it creates on-the-fly for the test aren't properly signed, causing DNSSEC signature failure.

Cloudflare were advised years ago of this issue, they acknowledged it on their support forums, but never addressed it. Solution would be fairly simple - just dedicate a non-signed domain for these temporary DNS allocations, so they won't require DNSSEC validation.

Is there a better test site?

 

[RMerlin]

Is there a better test site?

Doubt it. To accurately test DoT, you need to be the provider of that server itself.

The most accurate test for DoT is to run tcpdump and check for outbound traffic on ports 53 and 853.