How to test if DoT is working?

So I configured my router (R7800) to use DNS over TLS (Cloudflare) according to this guide (https://openwrt.org/docs/guide-user/services/dns/dot_unbound). I also decided to eliminate DNSmasq in favor of odhcp.
My router seems to work, like it's handing out IP addresses and I can surf the internet. But I'm not too sure if DoT is working.
In the guide 2 sites are presented (https://dnsleaktest.com/ and https://dnssec.vs.uni-due.de/) to perform a DNS leak test and to check if DNSSEC is working. Both seem to work OK.
Other testing sites I visited (https://cmdns.dev.dns-oarc.net/ and https://www.grc.com/dns/dns.htm) also seem to test OK.
So far so good.

But if I'm testing against https://1.1.1.1/help I get doubts. According to the results DoT is not active/working.

What should I believe? How can I test if DoT is working correctly?

I am unsure how exactly Cloudflare reconciles your DNS query with an HTTP connection, so I can only guess at the failure modes. A few things can be happening:

(1) Cloudflare DoT response is being manipulated, stripped, or sanitized by Unbound. Your browser would not echo a non-standard RR Cloudflare intended for breadcrumbs.
(2) Your router permits port 53/853 requests to go past it to global addresses. You need to add a firewall rule to block or redirect these two ports TCP/UDP IP4/IP6.
(3) Your browser is only connecting with IP4 but Unbound TLS connection is IP6. Cloudflare is unable to reconcile IP addresses from the same computer or residence.
(4) Cloudflare's helper tool is dumb and uses your browser internal data only, so your unencrypted connection to your local DNS which performs DoT upstream but not downstream fails.

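One way to check this on the router itself, independent of any test website (an added example, not part of the thread): capture DNS traffic on the WAN interface and count plaintext port 53 packets against DoT port 853 packets, which also shows whether clients are getting past the router as in point (2). The function names, the sample capture lines and every address other than 1.1.1.1 are constructed; the tcpdump call in the comment assumes tcpdump is installed and that `WAN_IF` is set to your own WAN interface name.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -nn` output by DNS transport.
# Live use on the router (WAN_IF is an assumption, set it to your WAN interface):
#   tcpdump -nn -l -c 200 -i "$WAN_IF" 'port 53 or port 853' | dns_port_summary

# Reads tcpdump text lines on stdin, prints one summary line.
dns_port_summary() {
    awk '
    # Endpoints look like "1.1.1.1.853:" or "2001:db8::5.50000";
    # the port is whatever follows the last dot.
    function port(ep,   n, parts) {
        sub(/:$/, "", ep)
        n = split(ep, parts, ".")
        return parts[n]
    }
    {
        for (i = 2; i < NF; i++) if ($i == ">") {
            sp = port($(i - 1)); dp = port($(i + 1))
            if (sp == "53" || dp == "53") plain++        # unencrypted DNS
            else if (sp == "853" || dp == "853") dot++   # DNS over TLS
            break
        }
    }
    END {
        if (plain > 0) v = "PLAINTEXT_DNS_SEEN"
        else if (dot > 0) v = "DOT_ONLY"
        else v = "NO_DNS_SEEN"
        printf "plain53=%d dot853=%d verdict=%s\n", plain, dot, v
    }'
}

# Constructed sample capture: three DoT packets and one plaintext query
# that reached a global resolver directly.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.5.41234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.020001 IP 1.1.1.1.853 > 203.0.113.5.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP6 2001:db8::5.50000 > 2001:db8:ffff::1.853: Flags [P.], length 120
12:00:03.000001 IP 203.0.113.5.53123 > 198.51.100.53.53: 4660+ A? example.com. (29)
EOF
}

sample_capture | dns_port_summary
```

A `DOT_ONLY` verdict while clients are actively resolving names means upstream queries leave the router encrypted; any port 53 traffic on the WAN side means something is bypassing Unbound or Unbound is not forwarding over TLS.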