Problems with CloudFlare DoT

netware5

Very Senior Member
Has anyone had problems with CloudFlare DoT recently?

Today I noticed problems working with Facebook. The browser (Mozilla) hung while connecting to static.xx.fbcdn.net. All other sites seem to resolve fine. The problem appeared on all devices connected to the router (Windows and Linux PCs and Android phones). Finally I resolved it by switching to Quad9 DoT. In the beginning I just added Quad9; the problem was partially resolved, but some instability remained. When I totally removed the CloudFlare DoT servers the problem disappeared.

Here is my current (Quad9) configuration. Before it was the same but with CloudFlare servers.
[Screenshot: ASUS Wireless Router RT-AX88U - DHCP Server]
[Screenshot: ASUS Wireless Router RT-AX88U - Internet Connection]
 

Hello, regarding CloudFlare DoT, is it necessary to activate "enable DNS based filtering" or not?

Thank you in advance for your advice.
 
Read the explanation on the DNS Filter page and also in the wiki. Then decide whether it is something you need to use.

I do not know what a "dowry supplement" is.

Thanks for the documentation.

I just wanted to know if, for the proper functioning of DoT, it is necessary to activate "enable DNS based filtering" with global filter mode "router".
 

I do. I want all clients to be forced to use my selected DoT servers.

[Edit] But no, not necessarily required.
 
DoT and DNS Filter are two separate things. You choose how you want to use them.

I suggest you create a separate thread if you want to discuss it further as this is not related to the subject of this thread.
 

Might not be your issue (you don't say if you're using Diversion), but I found DoT Cloudflare + Diversion + Pixelserv don't play well together.

Quad9, Clean Browsing or Google: no problem.

The fix?
Disable pixelserv, and DoT Cloudflare is suddenly happy, all sites reachable.

Why this should be is above my pay grade......
 
I've only noticed an issue when using CloudFlare's DoT in ways unrelated to Applications such as their own and AdGuard for iOS. In other words, using it from the Router's DNS Privacy module causes not only the performance issue, but also doesn't actually use DoT.
 

I don't use Diversion or Pixelserv. Cloudflare DoT had worked fine for the past 2-3 months. The problem appeared for the first time two days ago.
 
I experienced this same issue. Had to switch from Cloudflare to Quad9 to resolve DNS issues which started a few days ago.
 
I don't normally use DoT but did switch it back on about 2 weeks ago to do some testing. Initially 1.1.1.1 was very reliable as it had been previously. However the last few days I've noticed that 3 or 4 times a day 1.1.1.1 would just stop responding to queries and timeout. Switching to NextDNS is better with usually only one timeout a day which lasts just a couple of seconds.

I don't use Diversion or Pixelserv either.
 

Maybe the reason is the increasing number of browser clients worldwide (mainly in the US) configured to use Cloudflare DNS servers via DoH, so their servers became overloaded?
 
My testing has showed that 1.1.1.1 is slow for me. That being said, 1.0.0.1 is very fast and in fact the fastest option of any dns server from my location. I wonder if those having issues might experience the same result if you care to try this.
 

Hello,
I use DNS-over-TLS with DNS 1.1.1.1 and 1.0.0.1 on my Asus AX88U router and have no problem; it's very fast.
 
I'm using Cloudflare 1.1.1.2 and 1.0.0.2 on my Windows 10 laptop with minor issues, such as an occasional timeout when loading Facebook. Except for that, everything is fine. Maybe they are preparing for their new DNS resolvers, 1.1.1.2 (1.0.0.2) and 1.1.1.3 (1.0.0.3).
 
I did a bit of troubleshooting yesterday. Comcast is my ISP, so they're always causing problems such as changing what one can and cannot do with their own network settings without notice of any kind. They provide a "service" they call "Advanced Security/Protection" (I forget the exact name). It's "free" and it was activated on many people's systems without any interaction by the users. I did have a notice for that, thankfully. This was many months ago. It's a terrible "service" and gives mostly false positives.
Having read in this forum that some here have Comcast as their ISP as well, I went ahead and flipped the switch to turn on the "service" and waited ~15 minutes (they recommend 10). I then tried out using CloudFlare's DNS: plain, DoT within my router, and DoT from the iOS app. I then went online and visited various websites. None of them fully loaded. Some not at all.
I then went inside the xFi app to see what they blocked. And unsurprisingly they blocked:
Code:
ipv6b.cloudflare-dns.com
as a security threat.
So, for anyone who uses, knowingly or unknowingly, Comcast's "advanced security/protection service", you will definitely encounter problems using CloudFlare's DNS servers. The above host name is a legitimate CloudFlare host used to serve, you got it, IPv6 DNS:
Code:
host ipv6b.cloudflare-dns.com
ipv6b.cloudflare-dns.com has IPv6 address 2606:4700:4700::1111
 
After a few days using Quad9 (9.9.9.9) I can say they are reliable, but unfortunately they filter "malicious domains" according to their own "understanding". Some domains I believe are not malicious were not resolved. They also offer a so-called "unsecured" server (9.9.9.10), which is claimed to be fully unrestricted, but this server does not support DNSSEC. So now I am in the difficult position of trading off DNSSEC against an unfiltered DNS service....
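The three symptoms reported in this thread (1.1.1.1 intermittently timing out, 1.1.1.1 being slower than 1.0.0.1, and Quad9 returning no answer for names the poster believes are harmless while 9.9.9.10 gives no DNSSEC validation) are easy to confuse when all you see is a browser hanging. The probe below is an added example, written for this thread; it is not Asuswrt, stubby, or any resolver operator's code. It speaks raw DNS-over-TLS (TLS on port 853 with the 2-byte length prefix from RFC 7858) so it needs no external tools, and for each resolver it reports latency, RCODE, the answers, and whether the AD (authenticated data) bit is set, which is how you tell "filtered/NXDOMAIN" from "timed out" from "answered but not DNSSEC-validated". The resolver IPs come from the thread; the TLS names (cloudflare-dns.com, dns.quad9.net), the fixed transaction id, the offline sample reply with the documentation address 192.0.2.1, and the test names are assumptions I have added and are marked as such in the code.

```python
import socket
import ssl
import struct
import time

DOT_PORT = 853  # DNS-over-TLS, RFC 7858

# Assumed DoT endpoints and TLS certificate names (not taken from the thread).
RESOLVERS = {
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "9.9.9.9": "dns.quad9.net",
    "9.9.9.10": "dns.quad9.net",  # Quad9 "unsecured": no filtering, no DNSSEC
}


def build_query(qname, qtype=1, txn_id=0x1234, want_dnssec=True):
    """Wire-format query: RD set, one question, optional OPT RR with the DO bit.
    txn_id is fixed here for reproducibility; a real client would randomize it."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    labels = [lab.encode("ascii") for lab in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, TTL field carries DO=0x8000.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0) if want_dnssec else b""
    return header + question + opt


def _skip_name(msg, off):
    """Offset just past a domain name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Decode the header flags and the A/AAAA answers (other RDATA kept as hex)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        else:
            answers.append(rdata.hex())
    # AD (0x0020) means the resolver itself validated DNSSEC for this answer.
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def classify(result):
    """Map a probe result onto the symptoms described in the thread."""
    if not result.get("ok", True):
        return "timeout/error"
    if result["rcode"] == 3:
        return "NXDOMAIN (possible filtering if another resolver answers)"
    if result["rcode"] != 0:
        return "rcode %d" % result["rcode"]
    if not result["answers"]:
        return "empty answer"
    return "answered, DNSSEC validated (AD)" if result["ad"] else "answered, no AD bit"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before the full DNS message arrived")
        buf += chunk
    return buf


def dot_query(server_ip, tls_name, qname, qtype=1, timeout=3.0):
    """One DoT round trip: returns the parsed reply plus latency, or an error record."""
    ctx = ssl.create_default_context()  # verifies the resolver's chain and TLS name
    query = build_query(qname, qtype)
    start = time.monotonic()
    try:
        with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                reply = _recv_exact(tls, length)
    except OSError as exc:  # covers socket.timeout and ssl.SSLError
        return {"ok": False, "error": type(exc).__name__,
                "ms": round((time.monotonic() - start) * 1000)}
    result = parse_response(reply)
    result.update(ok=True, ms=round((time.monotonic() - start) * 1000))
    return result


# Constructed reply (not captured from any resolver): RCODE 0, AD set, one A record
# 192.0.2.1 for example.com, owner name compressed to a pointer at offset 12.
CONSTRUCTED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print("parser self-check:", classify(parse_response(CONSTRUCTED_REPLY)))
    for name in ("static.xx.fbcdn.net", "example.com"):  # assumed test names
        for ip, tls_name in RESOLVERS.items():
            r = dot_query(ip, tls_name, name)
            print("%-20s %-9s %5d ms  %s" % (name, ip, r["ms"], classify(r)))
```

Run it a few times over the day: a resolver that alternates between "answered" and "timeout/error" matches the intermittent 1.1.1.1 reports, a consistent latency gap between 1.1.1.1 and 1.0.0.1 confirms the routing difference one poster saw, and a name that returns NXDOMAIN from 9.9.9.9 but "answered, no AD bit" from 9.9.9.10 is exactly the filtering-versus-DNSSEC trade-off described above.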
 

I have the same issue as yours. When changing to Quad9, the ipleak.net website failed to load, but was back to normal while using Cloudflare or Google DNS resolver. Thus, I am using Google DNS for DoT, together with Skynet and Diversion for malware and ads protection.
 
https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/lastBuild/consoleFull

I see from the logs the reason
Code:
dns.cmrg.net
- A Canada-based DoT service (a plain text file is served at that address with IP & static pin info (v4/v6)). Supports :443 but also :53053, which is what I chose to initially try out, and it functions as it should, so I've not yet tested :443. I'm about to, though.

Also, as can be seen from the Jenkins logs, most DoT servers have at least 2-3 major issues, or at least what I consider issues. Perhaps others may agree after reviewing the latest logs.

In addition to the above Canadian DoT server, I've also configured a Switzerland-based server: dns1.digitale-gesellschaft.ch & dns2.digitale-gesellschaft.ch, IP info at https://digitale-gesellschaft.ch. Supports :443. No static pins.

I have a server in Luxembourg set up. It's not ideal, but it's a country I'd prefer having the limited info collected from my using their service over the U.S. any day. Switzerland is my number one choice for privacy simply due to a) the extremely strict process necessary if for some reason the servers were seized, which is extremely unlikely (the future is unknown, so always pay attention to changing legal landscapes), and b) Switzerland is not under U.S. legal control or E.U. legal control. If either wants something they have to go through the Swiss courts, and the Swiss courts have strict regulators in place for proof of due cause. It's one reason I use ProtonMail Enterprise.

Lastly, I realize Canada is one of the (n)EYES nations, but just like Luxembourg, I trust my queries going to a Canadian server over any U.S. servers, as it's far too easy for the U.S. to seize anything they feel like at any time they want without reason within U.S. borders. And the Canadian server works for me.
 