DNS-over-TLS Not Showing On Win11 PC

dsneed

Occasional Visitor
I set up DNS-over-TLS, but they don't show on my Win 11 PC. The router's IP shows instead. Is this expected?
01 - WAN DNS.png


02 - LAN DNS.png


03 - PC DNS.png
 
I setup DNS-over-TLS,

I find Cloudflare's documentation to be a bit confusing... I don't think 1.1.1.1 filters anything(?)

You may want to consider Cloudflare's DNS filtering options... block malware or block malware+adult content:

I use the following router WAN DNS configuration to block malware, i.e., block access to known malicious websites (no kids here):
1739561018459.png


This tool will give you feedback on your DNS configuration:

OE
 
I find Cloudflare's documentation to be a bit confusing... I don't think 1.1.1.1 filters anything(?)

You may want to consider Cloudflare's DNS filtering options... block malware or block malware+adult content:

I use the following router WAN DNS configuration to block malware, i.e., block access to known malicious websites (no kids here):
View attachment 63959

This tool will give you feedback on your DNS configuration:

OE
Thanks for the tip. It's just me in the house, and I have Malwarebytes and Kaspersky on my PC. I don't think I need more malware protection. Plus, most of my activities are on my iPhone and iPad, which I have Malwarebytes and Apple's Safari anti-malware settings.
 
Thanks for the tip. It's just me in the house, and I have Malwarebytes and Kaspersky on my PC. I don't think I need more malware protection. Plus, most of my activities are on my iPhone and iPad, which I have Malwarebytes and Apple's Safari anti-malware settings.

DNS filtering blocks your entire network of users from reaching known malicious websites... since you are already using Cloudflare DNS-over-TLS, you might as well use their Security option settings as shown configured in the pic I posted above. Security comes in layers.

OE
 
For this type of protection the reaction time is most important. I don't know where Cloudflare gets the blocklists, but seems like they regularly score lower than other popular filtering DNS services.


AiProtection with once a month signature updates is mostly useless.
 
For this type of protection the reaction time is most important. I don't know where Cloudflare gets the blocklists, but seems like they regularly score lower than other popular filtering DNS services.


AiProtection with once a month signature updates is mostly useless.

Anyone reading the test article should click through to view the 9/2024 test results.

I've been going back and forth between Cloudflare Security and Quad9. It may be time to settle on Quad9.
1739570075474.png


AiProtection on my AX88U Pro has done nothing since I got the router, but my safe computing habits do not challenge it much.

OE
 
Lately I use unfiltered DNS upstream and local filtering. Makes it easier to diagnose when something isn't working.
 
@OzarkEdge Do you have random/intermittent but very short-lived outages with Quad9?

In the distant past, I have had random/intermittent delays (Q9 growing pains?)... I can't recall full outages, but possible. I have not used Quad9 yet with my current router. I'll report back if I experience anything unusual.

I did try Quad9 briefly a little while ago and noticed a laggy speedtest, so backed out. But that turned out to be Spectrum cable service 'time of day' behavior, imo.

For my location, DNS Check shows more routing and finishes a bit slower than when using Cloudflare Security.

OE
 
I set up DNS-over-TLS, but they don't show on my Win 11 PC. The router's IP shows instead. Is this expected?
View attachment 63956

View attachment 63957

View attachment 63958
Hi there! It's correct behavior because the router cannot propagate DoT settings, as they are managed by the client. Technically your device is the client of the router, while the router is a client of DoT. You can feel safe.
I have used the NextDNS service for a couple of years. It works awesome and has a checker page that allows you to ensure you are behind DoT.
Here it is https://test.nextdns.io/
It also supports profiling so that all my devices that go outside the router are also behind NextDNS.
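
The two hops described in the post above, as an added example that is not part of the original post: the PC sends a cleartext query to the router on UDP 53, while the router's upstream leg wraps the same query in TLS on port 853 with the 2-byte length prefix DoT requires (RFC 7858). The function names and the command-line arguments (router IP, upstream resolver IP, upstream TLS hostname) are assumptions made for illustration.

```python
import socket, ssl, struct, sys

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035): 12-byte header plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_for_dot(msg):
    """DoT runs over a TLS stream, so each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream):
    """Return the first length-prefixed DNS message found in a byte stream."""
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]

def rcode(resp):
    """Response code is the low 4 bits of header byte 3 (0 = NOERROR, 3 = NXDOMAIN)."""
    return resp[3] & 0x0F

def ask_plain(server, name, timeout=3):
    """LAN hop: what the PC does, unencrypted UDP/53 to the router's address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def ask_dot(server_ip, tls_hostname, name, timeout=3):
    """WAN hop: what the router does, TLS on port 853 with certificate validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection early")
                buf += chunk
            return unframe(buf)

if __name__ == "__main__":
    # Usage (all three values are supplied by you): router_ip upstream_ip upstream_tls_name
    router_ip, upstream_ip, upstream_name = sys.argv[1:4]
    print("PC -> router, cleartext UDP/53, rcode:", rcode(ask_plain(router_ip, "example.com")))
    print("direct DoT, TLS/853, rcode:", rcode(ask_dot(upstream_ip, upstream_name, "example.com")))
```

A packet capture on the PC during the first call shows readable DNS on port 53 to the router, which is why Windows lists only the router's IP as its DNS server; the encryption applies on the router's WAN side.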
 
Hi there! It's correct behavior because the router is not able to propagate DoT settings, as they are managed by the client. Technically your device is the client of the router, while the router is a client of DoT. You can feel safe.
I have used the NextDNS service for a couple of years. It works awesome and has a checker page that allows you to ensure you are behind DoT.
Here it is https://test.nextdns.io/
It also supports profiling so that all my devices that go outside the router are also behind NextDNS.
NextDNS. I have been using it for a while on several devices and it's great. It blocks about 32% of the traffic on my network.
 
Thanks for the tip. It's just me in the house, and I have Malwarebytes and Kaspersky on my PC. I don't think I need more malware protection. Plus, most of my activities are on my iPhone and iPad, which I have Malwarebytes and Apple's Safari anti-malware settings.
On another note, be advised, Kaspersky is Russian. I'd consider an alternative.
 
So I just went to my laptop and configured it with NextDNS in the wireless adapter *and the browser* and got these results.

DNSSec with TLS 1.3 + Encrypted Client Hello.

Edited: I was using Brave Browser. Edge can do it if you launch it with specific command switches from what I've read
 
