
Cloudflare 1.1.1.2 & 1.1.1.3 DoT


brself2

Greetings,

I'm not sure if my below Cloudflare settings for DoT are working properly for 1.1.1.3 (family.cloudflare-dns.com) as they are not part of the dropdown menu options. As you can see, I manually tweaked the entries.

This was recently posted by a Cloudflare team member:

1615246221916.png


Current settings for ipv4 & ipv6:

1615246479698.png


1.1.1.1/help results with "DNSSEC Replies" set to No. I'm assuming "Connected to 1.1.1.1" is hardcoded on their website.

1615246665115.png


It appears to be blocking the appropriate sites. I'm hoping someone can run tcpdump on ports 53 & 853 and confirm that Cloudflare is playing nice with 1.1.1.2 & 1.1.1.3. If yes, then I wonder if Merlin could add these to the dropdown options.
 
I've been using 1.1.1.2 for the last 7 months. I switched from 1.1.1.1 to .2 right after they added DoT to the filtered DNS options. Haven't had any issues since. tcpdump shows all traffic on port 853 (example output below).
Code:
20:21:10.937618 IP XX.XXX.XXX.XXX.35994 > 1.1.1.2.853: Flags [P.], seq 507:659, ack 3769, win 297, length 152
20:21:10.950938 IP 1.1.1.2.853 > XX.XXX.XXX.XXX.35994: Flags [.], ack 659, win 68, length 0
20:21:10.953061 IP 1.1.1.2.853 > XX.XXX.XXX.XXX.35994: Flags [P.], seq 3769:4729, ack 659, win 68, length 960
20:21:10.953105 IP XX.XXX.XXX.XXX.35994 > 1.1.1.2.853: Flags [.], ack 4729, win 320, length 0
20:21:10.953875 IP XX.XXX.XXX.XXX.57794 > 1.0.0.2.853: Flags [P.], seq 507:659, ack 3770, win 297, length 152
20:21:10.993464 IP6 2606:4700:4700::1112.853 > XXXX:XXX:XXXX:XX:XXXX:XXXX:XXXX:XXXX.XXXXX: Flags [.], ack 811, win 69, length 0
20:21:11.052243 IP6 2606:4700:4700::1112.853 > XXXX:XXX:XXXX:XX:XXXX:XXXX:XXXX:XXXX.XXXXX: Flags [P.], seq 4263:4755, ack 811, win 69, length 492
 
TLS Host Name can be the same as 1.1.1.1/1.0.0.1 which is:
cloudflare-dns.com
 
You’re good to go.....

As stated in the Cloudflare blog:
Hi all, the following are the mappings for hostnames to IP addresses for DoT:

security.cloudflare-dns.com -> 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002

family.cloudflare-dns.com -> 1.1.1.3, 1.0.0.3, 2606:4700:4700::1113, 2606:4700:4700::1003

Hope this helps for those clients that need both a hostname and an IP address.
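
The check requested in the thread (run tcpdump on ports 53 and 853 and confirm traffic goes to the filtered resolvers) can be scripted. The following is an added example, not code from any poster or from Cloudflare: it classifies `tcpdump -n` lines against the hostname-to-IP mapping quoted above and flags plaintext port 53 traffic. The function names and the sample capture (documentation client addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Hostname -> resolver IPs, copied from the Cloudflare mapping quoted in the thread.
DOT_RESOLVERS = {
    "security.cloudflare-dns.com": ["1.1.1.2", "1.0.0.2",
                                    "2606:4700:4700::1112", "2606:4700:4700::1002"],
    "family.cloudflare-dns.com": ["1.1.1.3", "1.0.0.3",
                                  "2606:4700:4700::1113", "2606:4700:4700::1003"],
}
IP_TO_HOST = {ip: host for host, ips in DOT_RESOLVERS.items() for ip in ips}

# Assumes `tcpdump -n` output (numeric addresses and ports):
#   <time> IP|IP6 <src>.<sport> > <dst>.<dport>: ...
LINE_RE = re.compile(r"^\S+ IP6? (\S+)\.(\w+) > (\S+)\.(\w+): ")

def classify(line):
    """Return (verdict, detail) for a DNS-related line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    for ip, port in ((src, sport), (dst, dport)):
        if port == "853":   # DNS over TLS
            host = IP_TO_HOST.get(ip)
            return ("dot-filtered", host) if host else ("dot-other", ip)
        if port == "53":    # plaintext DNS: not protected by DoT
            return ("plaintext", ip)
    return None

def summarize(lines):
    """Count verdicts over a capture; a non-zero 'plaintext' count means a leak."""
    return Counter(v[0] for v in map(classify, lines) if v)

# Constructed sample capture (not taken from the thread).
SAMPLE = [
    "20:21:10.937618 IP 192.0.2.10.35994 > 1.1.1.2.853: Flags [P.], seq 507:659, ack 3769, win 297, length 152",
    "20:21:10.993464 IP6 2606:4700:4700::1113.853 > 2001:db8::10.40222: Flags [.], ack 811, win 69, length 0",
    "20:21:11.100000 IP 192.0.2.10.51000 > 1.1.1.1.853: Flags [P.], seq 1:153, ack 1, win 297, length 152",
    "20:21:11.200000 IP 192.0.2.10.44321 > 1.1.1.3.53: 4242+ A? example.com. (29)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:60])
    print(dict(summarize(SAMPLE)))
```

A "dot-other" verdict means the session is encrypted but goes to a resolver outside the security/family mapping, so filtering is not in effect for that traffic.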
 
