help cloudflare configuration

[Unetwork]

Hello,
I have a problem with Cloudlare's DNS, when I test on their site, it tells me that I am not using their DNS :

I can't figure out why. The internet is working perfectly well and when testing thoroughly on another site, Cloudflare's DNS is found without any problem :

Can you tell me if everything is OK ? I don't use DNS filter, no VPN and no scripts.
Thanks for your help.

 

[Zastoff]

Hello,
I have a problem with Cloudlare's DNS, when I test on their site, it tells me that I am not using their DNS :
View attachment 39555

View attachment 39556

I can't figure out why. The internet is working perfectly well and when testing thoroughly on another site, Cloudflare's DNS is found without any problem :
View attachment 39559

Here is the configuration of my router (AX88U ; 386.4)
View attachment 39557

View attachment 39558
Can you tell me if everything is OK ? I don't use DNS filter, no VPN and no scripts.
Thanks for your help.

Try to disable dnssec when you do the cloudflare test.
It's a known bug with their test
Edit:
And re enable dnssec again after the test! It works with dnssec..only the cloudflare test site that do not.

 

[Unetwork]

Thanks for your quick response, I will do the test later today.
Otherwise, are my settings in the router correct for optimal operation ? For example, I don't know if I should activate the option "Automatically connect to DNS server" or not.
In the DHCP settings, should "Default Gateway" and "DNS Server 1 and 2" be left blank ?
Thank you for your help.

 

[eibgrad]

You should consider trying my DNS monitoring utility.

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

It can detect if there are possibly any *rogue* clients bypassing your router's DNS in favor of their own DNS resolvers (at least if they're using Do53 or DoT; DoH would be much more difficult to detect since it uses port 443), something we're seeing more of these days w/ browsers and other apps. IOW, you can't always assume the router is the sole means to DNS resolution on your network.

Even if the Cloudflare results were perfect, it doesn't mean you can't still have rogue clients over time. The Cloudflare site can only detect what's happening w/ that client at that specific moment.

You would also know if you followed the DNS monitoring thread that it's NOT ideal to be specifying the Cloudflare DNS servers as custom servers when using DoT.

Tutorial - How to monitor DNS traffic in real-time

Been following this thread. I recall many questions about leaving DNS Server 1/DNS Server 2 blank was answered moons ago. @RMerlin 's guidance was: "do not leave'm blank or NTP and other time dependent services (VPNs, ...) cannot start properly." What did I miss? We are concerned that the...

www.snbforums.com

As you're currently configured, the router itself is likely NOT using DoT (at least not exclusively), only the WLAN/LAN clients. Some ppl would consider that a DNS leak. Again, this is something the Cloudflare test can't detect because the client in question is the router itself (in effect, your router has become the rogue client!), which is NOT testable from a WLAN/LAN device.

 

[Unetwork]

Thank you for your feedback. I just disabled DNSSEC support and restarted the cloudflare test, it is now OK :

Does this mean that my configuration is correct ? So I have to re-enable DNSSEC, even if the cloudflare test is wrong afterwards ?
After reactivating DNSSEC, I just did a netstat (do not resolve names and tcp sockets) and the requests are encrypted and go through the dns 1.1.1.1:853 and 1.0.0.1:853 so I think it's good ?

 

[bbunge]

If you want a bit more DNS security you can use Cloudflare Secure.

Change 1.1.1.1 and 1.0.0.1 to 1.1.1.2 and 1.0.0.2. In TLS Hostname change cloudflare-dns.com to security.cloudflare-dns.com

Also, in LAN/DNS Filter enable the DNS Filter and global filter mode to router

 

[Zastoff]

Thank you for your feedback. I just disabled DNSSEC support and restarted the cloudflare test, it is now OK :
View attachment 39568
View attachment 39569
View attachment 39570
Does this mean that my configuration is correct ? So I have to re-enable DNSSEC, even if the cloudflare test is wrong afterwards ?
After reactivating DNSSEC, I just did a netstat (do not resolve names and tcp sockets) and the requests are encrypted and go through the dns 1.1.1.1:853 and 1.0.0.1:853 so I think it's good ?
View attachment 39571

Yes re enable DNSSec after the test, Your config looks good
It is Cloudflare`s test site that is buggy with DNSSec.

 

[Unetwork]

Yes re enable DNSSec after the test, Your config looks good
It is Cloudflare`s test site that is buggy with DNSSec.

Thank you for your advice, everything is perfect

 

[Unetwork]

If you want a bit more DNS security you can use Cloudflare Secure.

Change 1.1.1.1 and 1.0.0.1 to 1.1.1.2 and 1.0.0.2. In TLS Hostname change cloudflare-dns.com to security.cloudflare-dns.com

Also, in LAN/DNS Filter enable the DNS Filter and global filter mode to router

Thank you for your help. I don't understand the role of the "DNS-based Filtering" knowing that my Cloudflare TLS DNS are already present in "DNS-over-TLS Server List".
Will the "DNS-based Filtering" do double duty ? Also, what should I put as DNS in the cases below ?

 

[bbunge]

Thank you for your help. I don't understand the role of the "DNS-based Filtering" knowing that my Cloudflare TLS DNS are already present in "DNS-over-TLS Server List".
Will the "DNS-based Filtering" do double duty ? Also, what should I put as DNS in the cases below ?

View attachment 39577

Some devices, especially IOT Clients, have hard coded DNS settings. Enabling DNS Filter to router will intercept those DNS queries and use the router as the DNS forwarder and thus, in your case, the DoT resolvers you have set in WAN.
You can leave the custom blank or at the default.
If needed you can use the custom field to assign a DNS resolver to a specific client by MAC address.

 

[Unetwork]

Some devices, especially IOT Clients, have hard coded DNS settings. Enabling DNS Filter to router will intercept those DNS queries and use the router as the DNS forwarder and thus, in your case, the DoT resolvers you have set in WAN.
You can leave the custom blank or at the default.
If needed you can use the custom field to assign a DNS resolver to a specific client by MAC address.

Thanks for your advice. So if I understand correctly, in this list you have to choose "ROUTE" ? and leave the boxes empty as below, is that correct ?

 

[FernandoF]

Thanks for your advice. So if I understand correctly, in this list you have to choose "ROUTE" ? and leave the boxes empty as below, is that correct ?

View attachment 39583
View attachment 39580

That is correct.