Help with DNS encryption configuration

[GoldenSW]

Hello, I'm trying to set up the DNS encryption on my RT-AX86U using Cloudflare. However, I just can't get 1.1.1.1/help to recognize that I'm connected to 1.1.1.1 or that I'm using either DoT or DoH (DoH when active in Mozilla). I also want my browser to always use Cloudflare's DoH, meaning it needs to overwrite the router.
I've posted the WAN configuration below. LAN section DNS servers are blank. Should I change that as well?

Spoiler: Screenshot of current settings

 

[eibgrad]

"Prevent client auto DoH" should be Yes. Browsers (at least so far) have agreed to check this setting in DNSMasq, and if enabled, NOT use DoH within the browser and bypass your settings in DNSMasq. Not unless you've already disabled DoH in the browser itself.

 

[dave14305]

The Cloudflare help page doesn’t work when DNSSEC is enabled. Test again with DNSSEC disabled.

 

[GoldenSW]

"Prevent client auto DoH" should be Yes. Browsers (at least so far) have agreed to check this setting in DNSMasq, and if enabled, NOT use DoH within the browser and bypass your settings in DNSMasq. Not unless you've already disabled DoH in the browser itself.

I want my browser to take priority though. I want TLS used everywhere else except the browser.

The Cloudflare help page doesn’t work when DNSSEC is enabled. Test again with DNSSEC disabled.

It does seem to change the results. Even so, this page seems very unreliable... If I run the test a few times with no changes on my part, sometimes it says I'm connected to 1.1.1.1, other times it says I'm not lol
So basically there's nothing wrong with my initial config but just the test not working as it should?

 

[dave14305]

So basically there's nothing wrong with my initial config but just the test not working as it should?

Looks good to me. Do you have DNSFilter enabled at all?

 

[GoldenSW]

Looks good to me. Do you have DNSFilter enabled at all?

I don't. I've been doing some reading on this topic and from what I understood letting the router handle all the DNS queries can be beneficial for performance since it can cache relevant information, as opposed to letting Firefox use DoH which I assume has to contact the server for every request?

 

[Wolfclaw]

My AX86U settings

 

[heysoundude]

Hello, I'm trying to set up the DNS encryption on my RT-AX86U using Cloudflare. However, I just can't get 1.1.1.1/help to recognize that I'm connected to 1.1.1.1 or that I'm using either DoT or DoH (DoH when active in Mozilla). I also want my browser to always use Cloudflare's DoH, meaning it needs to overwrite the router.
I've posted the WAN configuration below. LAN section DNS servers are blank. Should I change that as well?

Spoiler: Screenshot of current settings

View attachment 36216

I don't. I've been doing some reading on this topic and from what I understood letting the router handle all the DNS queries can be beneficial for performance since it can cache relevant information, as opposed to letting Firefox use DoH which I assume has to contact the server for every request?

I am unclear on what your end goal is in encrypting DNS - You trust yourself and your users, I'm assuming, and you likely trust that the internet will work. great. set up your own little black book, use the phone book of the internet to fill it with, and let big data and your ISP pound salt:
if you're looking to avoid big data monitoring your DNS lookups, using your own recursive caching DNS server is the way to go.
thankfully, the kind people here have made it VERY simple - they've built/modified a script called unbound.
what that does is builds your network's own DNS server, and for new/unknown/uncached queries, it goes to the internet's Authoritative servers, bypassing google or cloudflare or whomever is evaluating/observing what it is you're looking up. you basically become a peer to google and cloudflare in that regard...but most notably, your DNS pings are notably shorter and faster, because clients on your network only have to look as far as the router for DNS, and if it's not found, the router goes to the same source as google and cloudflare or your ISP (they have their own DNS server, built from tracking all their subscribers actions)
No encryption required. the majority of my network lookups are in the 0-1usec range. I believe non-cached lookups are averaging in the 20ms range...average is likely in the 10-12ms neighbourhood, or faster. what's your ping time to cloudflare?


^ that's raw dog pings to cloudflare, google and my router from my desktop. no encryption.

so, do the math - if caching DNS addys on my local network saves me 7.5ms each (or more!), AND affords me the privacy I've come to appreciate, wouldn't you agree that messing with DoH/DoT is inefficient?

unbound - This Is The Way

 

[bbunge]

Here are some settings for CloudFlare Secure:

 

[GoldenSW]

I am unclear on what your end goal is in encrypting DNS - You trust yourself and your users, I'm assuming, and you likely trust that the internet will work. great. set up your own little black book, use the phone book of the internet to fill it with, and let big data and your ISP pound salt:
if you're looking to avoid big data monitoring your DNS lookups, using your own recursive caching DNS server is the way to go.
thankfully, the kind people here have made it VERY simple - they've built/modified a script called unbound.
what that does is builds your network's own DNS server, and for new/unknown/uncached queries, it goes to the internet's Authoritative servers, bypassing google or cloudflare or whomever is evaluating/observing what it is you're looking up. you basically become a peer to google and cloudflare in that regard...but most notably, your DNS pings are notably shorter and faster, because clients on your network only have to look as far as the router for DNS, and if it's not found, the router goes to the same source as google and cloudflare or your ISP (they have their own DNS server, built from tracking all their subscribers actions)
No encryption required. the majority of my network lookups are in the 0-1usec range. I believe non-cached lookups are averaging in the 20ms range...average is likely in the 10-12ms neighbourhood, or faster. what's your ping time to cloudflare?

View attachment 36234
^ that's raw dog pings to cloudflare, google and my router from my desktop. no encryption.

so, do the math - if caching DNS addys on my local network saves me 7.5ms each (or more!), AND affords me the privacy I've come to appreciate, wouldn't you agree that messing with DoH/DoT is inefficient?

unbound - This Is The Way

This is interesting and I see your point, privacy wise it's probably the best way to go then. I'll have to test it and see if it's really worth the hassle over a simple on/off GUI interface.