1.1.1.1 doesn't pass DNSSEC check on Android 9

joost1 · October 21, 2018, 7:22pm

I have 1.1.1.1 installed on my Android 9.0 enabled mobile device. When I visit the Encrypted SNI-site of Cloudflare, it confirms that I use 1.1.1.1, but the DNSSEC-check fails. The test at Connection test also indicates that DNSSEC validation is not working. At my desktop, everything works well, although my desktop doesn’t use DoT/DoH.

How is this possible? My first assumption is that Android does a fallback to the DHCP acquired DNS-server on a SERVFAIL from 1.1.1.1?

Diagnostics: https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJZZXMiLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBTVMiLCJpc3BOYW1lIjoiWmlnZ28iLCJpc3BBc24iOiI5MTQzIn0=

joost1 · November 13, 2018, 7:03am

In the meantime something has been changed. The check passes now.

Withheld · November 13, 2018, 8:03am

Not sure if the app does this by default but resetting the WiFi on an Android device should flush your DNS cache.

menzo2003 · November 14, 2018, 9:52am

I get the same message on firefox using 1.1.1.1 with DoH and ESNI

Topic		Replies	Views
DNS hostname not working on android DNS & Network	16	6223	May 13, 2023
Does 1.1.1.1 really run DNSSEC? 1.1.1.1 dns	13	20743	June 18, 2021
DNSSEC Validation 1.1.1.1	3	2483	June 18, 2021
ECH not working over DoH3 on Android? 1.1.1.1	2	1000	October 20, 2023
HTTPS (DoH) TLS (DoT) 1.1.1.1 dns , dns-resolver , dash-getting-started	1	3641	June 18, 2021

1.1.1.1 doesn't pass DNSSEC check on Android 9

Related topics