I have 188.8.131.52 installed on my Android 9.0 enabled mobile device. When I visit the Encrypted SNI-site of Cloudflare, it confirms that I use 184.108.40.206, but the DNSSEC-check fails. The test at http://en.conn.internet.nl/connection also indicates that DNSSEC validation is not working. At my desktop, everything works well, although my desktop doesn’t use DoT/DoH.
How is this possible? My first assumption is that Android does a fallback to the DHCP acquired DNS-server on a SERVFAIL from 220.127.116.11?