What's new

DNS over TLS can't seem to verify

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Ojee

Occasional Visitor
I can't seem to get verification that DNS-over-TLS works. I've followed the wiki, and these are my settings:
settings.png


However, both tenta.com and 1.1.1.1/help report that DNS-over-TLS is not working:
cloudflare help.png

What am I doing wrong?
 
Maybe because they're different?

1.1.1.1 vs. 1.1.1.2

and

1.0.0.1 vs. 1.0.0.2
 
Temporarily disable DNSSEC, run the test, then enable DNSSEC again.
 
I can't seem to get verification that DNS-over-TLS works. I've followed the wiki, and these are my settings:
View attachment 34916

However, both tenta.com and 1.1.1.1/help report that DNS-over-TLS is not working:
View attachment 34917
What am I doing wrong?
Just to confirm, your settings for Cloudflare Secure are correct. As dave14305 noted disable DNSSEC then run the Cloudflare help page again. It will tell you that you are connected to 1.1.1.1 and 1.0.0.1 but that is normal.

Several other DoT "secure" malware blocking sites have test domains to verify that your DNS settings are correct and the upstream resolver is blocking malware. Cloudflare does not seem to have a verification method for their Security and Family service. I do feel confident that the security service does work as my AiProtect almost never records a block from any of the clients in my LAN.
 
Last edited:
Thank you guys for confirming that my settings are correct. I'll try it without DNSSEC and report back.
Another question I have: should I put the "DNS-to-TLS profile" to opportunistic or strict?
 
I ran the test again with DNSSEC disabled, and I am happy to report it worked:
Inkeddnsovertlsmindnssec_LI.jpg


I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?
 
I ran the test again with DNSSEC disabled, and I am happy to report it worked:
View attachment 35033

I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?
It's a flaw/bug/limitation with the test site.
Dnssec should only be disabled when testing on that site, Otherwise enabled.
 
Last edited:
I am interested to know why DNSSEC invalidates the test when it is enabled? Does that mean DNSSEC and DNS over TLS can't be on at the same time?
The cloudflare.com domain is DNSSEC signed, but the temporary hosts it creates on-the-fly for the test aren't properly signed, causing DNSSEC signature failure.

Cloudflare were advised years ago of this issue, they acknowledged it on their support forums, but never addressed it. Solution would be fairly simple - just dedicate a non-signed domain for these temporary DNS allocations, so they won't require DNSSEC validation.
 
The cloudflare.com domain is DNSSEC signed, but the temporary hosts it creates on-the-fly for the test aren't properly signed, causing DNSSEC signature failure.

Cloudflare were advised years ago of this issue, they acknowledged it on their support forums, but never addressed it. Solution would be fairly simple - just dedicate a non-signed domain for these temporary DNS allocations, so they won't require DNSSEC validation.

Is there a better test site?
 
Is there a better test site?
Doubt it. To accurately test DoT, you need to be the provider of that server itself.

The most accurate test for DoT is to run tcpdump and check for outbound traffic on ports 53 and 853.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top