help cloudflare configuration

Unetwork

Regular Contributor
Hello,
I have a problem with Cloudflare's DNS. When I test on their site, it tells me that I am not using their DNS:


I can't figure out why. The internet is working perfectly well, and when testing thoroughly on another site, Cloudflare's DNS is found without any problem:

Can you tell me if everything is OK? I don't use DNS Filter, no VPN and no scripts.
Thanks for your help.
 

Zastoff

Very Senior Member
Unetwork said:
Hello,
I have a problem with Cloudflare's DNS. When I test on their site, it tells me that I am not using their DNS:

I can't figure out why. The internet is working perfectly well, and when testing thoroughly on another site, Cloudflare's DNS is found without any problem:

Here is the configuration of my router (AX88U; 386.4)

Can you tell me if everything is OK? I don't use DNS Filter, no VPN and no scripts.
Thanks for your help.
Try disabling DNSSEC when you do the Cloudflare test.
It's a known bug with their test.
Edit:
And re-enable DNSSEC again after the test! It works with DNSSEC; only the Cloudflare test site does not.
 

Unetwork

Regular Contributor
Thanks for your quick response, I will do the test later today.
Otherwise, are my settings in the router correct for optimal operation? For example, I don't know whether I should activate the option "Automatically connect to DNS server" or not.
In the DHCP settings, should "Default Gateway" and "DNS Server 1 and 2" be left blank?
Thank you for your help.
 

eibgrad

Part of the Furniture
You should consider trying my DNS monitoring utility.


It can detect if there are possibly any *rogue* clients bypassing your router's DNS in favor of their own DNS resolvers (at least if they're using Do53 or DoT; DoH would be much more difficult to detect since it uses port 443), something we're seeing more of these days w/ browsers and other apps. IOW, you can't always assume the router is the sole means to DNS resolution on your network.

Even if the Cloudflare results were perfect, it doesn't mean you can't still have rogue clients over time. The Cloudflare site can only detect what's happening w/ that client at that specific moment.

You would also know if you followed the DNS monitoring thread that it's NOT ideal to be specifying the Cloudflare DNS servers as custom servers when using DoT.


As you're currently configured, the router itself is likely NOT using DoT (at least not exclusively), only the WLAN/LAN clients. Some ppl would consider that a DNS leak. Again, this is something the Cloudflare test can't detect because the client in question is the router itself (in effect, your router has become the rogue client!), which is NOT testable from a WLAN/LAN device.
 

Unetwork

Regular Contributor
Thank you for your feedback. I just disabled DNSSEC support and restarted the Cloudflare test; it is now OK:


Does this mean that my configuration is correct? So I have to re-enable DNSSEC, even if the Cloudflare test is wrong afterwards?
After reactivating DNSSEC, I just did a netstat (do not resolve names, TCP sockets only) and the requests are encrypted and go through the DNS servers 1.1.1.1:853 and 1.0.0.1:853, so I think it's good?
 

bbunge

Part of the Furniture
If you want a bit more DNS security you can use Cloudflare Secure.

Change 1.1.1.1 and 1.0.0.1 to 1.1.1.2 and 1.0.0.2. In TLS Hostname, change cloudflare-dns.com to security.cloudflare-dns.com.

Also, in LAN/DNS Filter, enable the DNS Filter and set the global filter mode to Router.
 

Zastoff

Very Senior Member
Unetwork said:
Thank you for your feedback. I just disabled DNSSEC support and restarted the Cloudflare test; it is now OK:

Does this mean that my configuration is correct? So I have to re-enable DNSSEC, even if the Cloudflare test is wrong afterwards?
After reactivating DNSSEC, I just did a netstat (do not resolve names, TCP sockets only) and the requests are encrypted and go through the DNS servers 1.1.1.1:853 and 1.0.0.1:853, so I think it's good?
Yes, re-enable DNSSEC after the test. Your config looks good ;)
It is Cloudflare's test site that is buggy with DNSSEC.
 

Unetwork

Regular Contributor
bbunge said:
If you want a bit more DNS security you can use Cloudflare Secure.

Change 1.1.1.1 and 1.0.0.1 to 1.1.1.2 and 1.0.0.2. In TLS Hostname, change cloudflare-dns.com to security.cloudflare-dns.com.
Also, in LAN/DNS Filter, enable the DNS Filter and set the global filter mode to Router.
Thank you for your help. I don't understand the role of the "DNS-based Filtering", given that my Cloudflare TLS DNS servers are already present in the "DNS-over-TLS Server List".
Will the "DNS-based Filtering" do double duty? Also, what should I put as DNS in the fields below?

 

bbunge

Part of the Furniture
Unetwork said:
Thank you for your help. I don't understand the role of the "DNS-based Filtering", given that my Cloudflare TLS DNS servers are already present in the "DNS-over-TLS Server List".
Will the "DNS-based Filtering" do double duty? Also, what should I put as DNS in the fields below?
Some devices, especially IoT clients, have hard-coded DNS settings. Enabling DNS Filter in Router mode will intercept those DNS queries and use the router as the DNS forwarder and thus, in your case, the DoT resolvers you have set in WAN.
You can leave the custom fields blank or at the default.
If needed, you can use the custom fields to assign a DNS resolver to a specific client by MAC address.
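Two points in this thread can be checked from the router's own connection table rather than from a browser test: eibgrad's warning that a LAN client (or the router itself) may be talking to a resolver other than the intended one, and bbunge's note that DNS Filter in Router mode only catches classic port-53 queries that the router can redirect. The following is an added example written for this page; it is not eibgrad's monitoring utility and not part of the Asuswrt-Merlin firmware. It parses lines in the format of `/proc/net/nf_conntrack` on a Linux router and flags, per flow, plaintext Do53 leaving the LAN, DoT (port 853) from clients that are not the router, and the router itself still sending plaintext DNS upstream. The sample lines, the LAN address 192.168.1.1 and the "allowed" DoT upstreams 1.1.1.1/1.0.0.1 are constructed assumptions for the example. Port-443 flows are deliberately not classified: DoH cannot be told apart from ordinary HTTPS by port alone, which is exactly the limitation eibgrad describes.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of /proc/net/nf_conntrack on a Linux router.
# These lines are made up for this example; they were not captured from the
# AX88U in the thread. Assumed topology: router LAN address 192.168.1.1, and the
# router's own DoT upstreams are 1.1.1.1 and 1.0.0.1 on port 853.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 25 src=192.168.1.20 dst=192.168.1.1 sport=51001 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=51001 packets=1 bytes=134 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.35 dst=198.51.100.53 sport=53412 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=192.168.1.35 sport=53 dport=53412 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.40 dst=203.0.113.9 sport=44112 dport=853 src=203.0.113.9 dst=192.168.1.40 sport=853 dport=44112 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=1.1.1.1 sport=40000 dport=853 src=1.1.1.1 dst=192.168.1.1 sport=853 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=192.168.1.1 dst=198.51.100.2 sport=39000 dport=53 packets=1 bytes=66 src=198.51.100.2 dst=192.168.1.1 sport=53 dport=39000 packets=1 bytes=110 mark=0 zone=0 use=2
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.1.35 dst=203.0.113.80 sport=50222 dport=443 src=203.0.113.80 dst=192.168.1.35 sport=443 dport=50222 [ASSURED] mark=0 zone=0 use=2
"""

# The first src/dst/sport/dport group on a conntrack line is the original
# (client-to-server) direction; the second group is the reply direction.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_flows(text):
    """Return (proto, src, dst, dport) for the original direction of each entry."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[2]             # third column is the L4 protocol name
        m = FLOW_RE.search(line)      # first match = original direction
        if m:
            flows.append((proto, m.group(1), m.group(2), int(m.group(4))))
    return flows


def classify(flow, router_ip, allowed_dot):
    """Label a flow by what it means for DNS on this network, or None if not DNS."""
    proto, src, dst, dport = flow
    if dport == 53:
        if dst == router_ip:
            return "ok-client-do53-to-router"       # the intended path: dnsmasq on the router
        if src == router_ip:
            return "router-plaintext-upstream"       # router not using DoT exclusively (eibgrad's point)
        return "rogue-client-do53"                   # client bypassing the router with plain DNS
    if dport == 853:
        if src == router_ip and dst in allowed_dot:
            return "ok-router-dot"                   # what the OP saw in netstat: 1.1.1.1:853
        if src == router_ip:
            return "router-dot-unexpected-upstream"  # DoT, but not to the configured servers
        return "rogue-client-dot"                    # client doing its own DoT
    # Port 443 and everything else: DoH is indistinguishable from HTTPS by port,
    # so we do not guess here.
    return None


def dnsfilter_would_catch(flow, router_ip="192.168.1.1"):
    """Assumption for this example: DNS Filter in Router mode redirects LAN clients'
    port-53 queries to the router; it does not intercept DoT (853) or DoH (443)."""
    proto, src, dst, dport = flow
    return dport == 53 and src != router_ip and dst != router_ip


def audit(text, router_ip="192.168.1.1", allowed_dot=("1.1.1.1", "1.0.0.1")):
    """Group parsed flows by verdict. Non-DNS flows are dropped."""
    report = defaultdict(list)
    for flow in parse_flows(text):
        verdict = classify(flow, router_ip, allowed_dot)
        if verdict is not None:
            report[verdict].append(flow)
    return dict(report)


if __name__ == "__main__":
    # On a real router: audit(open("/proc/net/nf_conntrack").read())
    for verdict, flows in sorted(audit(SAMPLE_CONNTRACK).items()):
        for proto, src, dst, dport in flows:
            caught = "would be redirected by DNS Filter" if dnsfilter_would_catch((proto, src, dst, dport)) else "not covered by DNS Filter"
            print(f"{verdict:32} {proto} {src} -> {dst}:{dport}  ({caught})")
```

Run it on the router over SSH with the real conntrack file, or feed it `conntrack -L` output if the tool is installed; the regex only depends on the `src= dst= sport= dport=` fields. A client that only ever shows up under `rogue-client-dot` or not at all (because it uses DoH on 443) is the case a LAN-side browser test like Cloudflare's will never reveal, and the `router-plaintext-upstream` verdict is the "router as rogue client" situation eibgrad describes, which is also invisible from a LAN device.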
 

Unetwork

Regular Contributor
bbunge said:
Some devices, especially IoT clients, have hard-coded DNS settings. Enabling DNS Filter in Router mode will intercept those DNS queries and use the router as the DNS forwarder and thus, in your case, the DoT resolvers you have set in WAN.
You can leave the custom fields blank or at the default.
If needed, you can use the custom fields to assign a DNS resolver to a specific client by MAC address.
Thanks for your advice. So if I understand correctly, in this list you have to choose "ROUTE"? And leave the boxes empty as below, is that correct?


