Cloudflare 1.1.1.2 & 1.1.1.3 DoT


brself2

New Around Here
Greetings,

I'm not sure if my below Cloudflare settings for DoT are working properly for 1.1.1.3 (family.cloudflare-dns.com) as they are not part of the dropdown menu options. As you can see, I manually tweaked the entries.

This was recently posted by a Cloudflare team member:

[attached screenshot]


Current settings for IPv4 & IPv6:

[attached screenshot]


1.1.1.1/help results with "DNSSEC Replies" set to No. I'm assuming "Connected to 1.1.1.1" is hardcoded on their website.

[attached screenshot]


It appears to be blocking the appropriate sites. I'm hoping someone can run tcpdump on ports 53 & 853 and confirm that Cloudflare is playing nice with 1.1.1.2 & 1.1.1.3. If yes, then I wonder if Merlin could add these to the dropdown options.
 

Mutzli

Very Senior Member
I've been using 1.1.1.2 for the last 7 months. I switched from 1.1.1.1 to 1.1.1.2 right after they added DoT to the filtered DNS options. Haven't had any issues since. tcpdump shows all traffic on port 853 (example output below):
Code:
20:21:10.937618 IP XX.XXX.XXX.XXX.35994 > 1.1.1.2.853: Flags [P.], seq 507:659, ack 3769, win 297, length 152
20:21:10.950938 IP 1.1.1.2.853 > XX.XXX.XXX.XXX.35994: Flags [.], ack 659, win 68, length 0
20:21:10.953061 IP 1.1.1.2.853 > XX.XXX.XXX.XXX.35994: Flags [P.], seq 3769:4729, ack 659, win 68, length 960
20:21:10.953105 IP XX.XXX.XXX.XXX.35994 > 1.1.1.2.853: Flags [.], ack 4729, win 320, length 0
20:21:10.953875 IP XX.XXX.XXX.XXX.57794 > 1.0.0.2.853: Flags [P.], seq 507:659, ack 3770, win 297, length 152
20:21:10.993464 IP6 2606:4700:4700::1112.853 > XXXX:XXX:XXXX:XX:XXXX:XXXX:XXXX:XXXX.XXXXX: Flags [.], ack 811, win 69, length 0
20:21:11.052243 IP6 2606:4700:4700::1112.853 > XXXX:XXX:XXXX:XX:XXXX:XXXX:XXXX:XXXX.XXXXX: Flags [P.], seq 4263:4755, ack 811, win 69, length 492
 

bbunge

Very Senior Member
TLS Host Name can be the same as 1.1.1.1/1.0.0.1 which is:
cloudflare-dns.com
 

Treadler

Very Senior Member
Greetings,

I'm not sure if my below Cloudflare settings for DoT are working properly for 1.1.1.3 (family.cloudflare-dns.com) as they are not part of the dropdown menu options. As you can see, I manually tweaked the entries.

This was recently posted by a Cloudflare team member:

[attached screenshot]

Current settings for IPv4 & IPv6:

[attached screenshot]

1.1.1.1/help results with "DNSSEC Replies" set to No. I'm assuming "Connected to 1.1.1.1" is hardcoded on their website.

[attached screenshot]

It appears to be blocking the appropriate sites. I'm hoping someone can run tcpdump on ports 53 & 853 and confirm that Cloudflare is playing nice with 1.1.1.2 & 1.1.1.3. If yes, then I wonder if Merlin could add these to the dropdown options.

You're good to go.

As stated in the Cloudflare blog:
Hi all, the following are the mappings for hostnames to IP addresses for DoT:

security.cloudflare-dns.com -> 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112, 2606:4700:4700::1002

family.cloudflare-dns.com -> 1.1.1.3, 1.0.0.3, 2606:4700:4700::1113, 2606:4700:4700::1003

Hope this helps for those clients that need both a hostname and an IP address.
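The question in this thread is whether upstream DNS is actually leaving the router over TLS on port 853 to the address that matches the configured TLS Host Name. The following is an added example (not code from the thread, Cloudflare, or Asuswrt-Merlin) that answers that from a saved tcpdump capture: it tabulates the Cloudflare hostname-to-IP mappings quoted above (plus the cloudflare-dns.com pair from bbunge's reply; the IPv6 addresses for that one are not listed in the thread, so they are omitted), parses tcpdump's "src.port > dst.port:" lines, and flags any plaintext port-53 queries to upstream resolvers or port-853 sessions to an address outside the table. The capture lines are constructed sample data, not the thread's output; 9.9.9.9 is used only as an example of an unlisted resolver.

```python
import ipaddress
import re
from collections import Counter

# Hostname -> resolver address mapping as quoted from Cloudflare in the thread.
# cloudflare-dns.com entries come from bbunge's reply (IPv4 only; IPv6 not on the page).
CLOUDFLARE_DOT = {
    "cloudflare-dns.com": {"1.1.1.1", "1.0.0.1"},
    "security.cloudflare-dns.com": {"1.1.1.2", "1.0.0.2",
                                    "2606:4700:4700::1112", "2606:4700:4700::1002"},
    "family.cloudflare-dns.com": {"1.1.1.3", "1.0.0.3",
                                  "2606:4700:4700::1113", "2606:4700:4700::1003"},
}
IP_TO_HOSTNAME = {ip: host for host, ips in CLOUDFLARE_DOT.items() for ip in ips}

DOT_PORT = 853
DNS_PORT = 53

# Start of a tcpdump line: timestamp, "IP" or "IP6", then "src.port > dst.port:".
LINE_RE = re.compile(r"^\S+\s+IP6?\s+(\S+)\s+>\s+(\S+):")

# Constructed sample capture (not the thread's output): a family.cloudflare-dns.com
# DoT session, one stray plaintext query to 1.1.1.3:53, one port-853 session to an
# unlisted resolver, and a LAN client asking the router's own resolver.
SAMPLE_CAPTURE = """\
20:21:10.937618 IP 192.168.1.1.35994 > 1.1.1.3.853: Flags [P.], seq 507:659, ack 3769, win 297, length 152
20:21:10.950938 IP 1.1.1.3.853 > 192.168.1.1.35994: Flags [.], ack 659, win 68, length 0
20:21:10.953875 IP 192.168.1.1.57794 > 1.0.0.3.853: Flags [P.], seq 507:659, ack 3770, win 297, length 152
20:21:10.993464 IP6 2606:4700:4700::1113.853 > 2001:db8::10.41234: Flags [.], ack 811, win 69, length 0
20:21:12.100000 IP 192.168.1.1.51234 > 1.1.1.3.53: 12345+ A? example.com. (29)
20:21:12.200000 IP 192.168.1.1.51235 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
20:21:12.300000 IP 192.168.1.10.51236 > 192.168.1.1.53: 555+ A? intranet.local. (32)
"""


def split_endpoint(ep):
    """'1.1.1.2.853' -> ('1.1.1.2', 853); the last dot-separated field is the port,
    which also works for IPv6 endpoints like '2606:4700:4700::1112.853'."""
    addr, port = ep.rsplit(".", 1)
    return addr, (int(port) if port.isdigit() else -1)


def is_local(addr):
    """Private, loopback and link-local addresses are the router/LAN side of a flow.
    Masked addresses (XX.XXX.XXX.XXX, as in the thread's output) are treated as local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_private or ip.is_loopback or ip.is_link_local


def tls_hostname_for(ip):
    """TLS Host Name to pair with a given Cloudflare resolver IP, or None if unlisted."""
    return IP_TO_HOSTNAME.get(ip)


def audit_capture(text):
    """Classify each packet by the remote endpoint's port and address."""
    counts = Counter()
    hostnames = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = (split_endpoint(e) for e in m.groups())
        if is_local(src[0]) and is_local(dst[0]):
            counts["lan_internal"] += 1      # e.g. clients -> router's dnsmasq; not upstream
            continue
        remote_addr, remote_port = dst if is_local(src[0]) else src
        if remote_port == DOT_PORT:
            host = tls_hostname_for(remote_addr)
            if host:
                counts["cloudflare_dot"] += 1
                hostnames.add(host)
            else:
                counts["unknown_dot"] += 1   # TLS on 853, but not to a listed Cloudflare address
        elif remote_port == DNS_PORT:
            counts["plaintext_dns"] += 1     # upstream query without TLS: DoT not in effect
        else:
            counts["other"] += 1
    return counts, hostnames


def dot_in_effect(counts):
    """True only if upstream DNS went over 853 to Cloudflare and nothing left on plain 53."""
    return counts["cloudflare_dot"] > 0 and counts["plaintext_dns"] == 0


if __name__ == "__main__":
    counts, hosts = audit_capture(SAMPLE_CAPTURE)
    print(dict(counts), sorted(hosts), "DoT in effect:", dot_in_effect(counts))
```

To use it on a real router, save a capture with something like `tcpdump -ni eth0 'port 53 or port 853' > dns.txt` and pass the file's contents to audit_capture; a clean result has only cloudflare_dot (and lan_internal) counts, and the hostname set tells you which TLS Host Name the router's configured addresses correspond to.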
 
