1.1.1.3 does not filter content if queries are made via DoT (DNS over TLS)

Zero Trust 1.1.1.1
1

Hi,
based on my test the Cloudflare DNS 1.1.1.3 (No Malware or Adult Content) does not make Adult Content filter if the DNS query is made in DoT (DNS-over-TLS).
So, if I query 1.1.1.3 via UDP port 53 (normal DNS) the Adult Content filter works (I tried www.youporn.com and the answer was 0.0.0.0).
But if I query 1.1.1.3 via TCP port 853 using DoT (DNS-over-TLS) and I lookup for www.youporn.com I have the correct IP of www.youporn.com.

Is it normal?
If yes, when 1.1.1.3 will works with No Malware or Adult Content also for DoT (DNS-over-TLS)?
Thank you.

2

DoT is not currently supported for Cloudflare for Families.

1 Like
3

Thank you.
Any plan for implementation?
I hope also 1.1.1.2 and 1.1.1.3 will soon supports DoT and DoH also to benefit of “Android Private DNS” feature.

Thanks.

1 Like
4

If you’re looking to block adult content while adding security, such as 1.1.1.3 & secure DNS, take a look at Clouldflare for Teams. I’m using a similar setup as listed in the blog post below.

It’s been good so far though it’s still pretty new.

1 Like
5

Thank you for your suggestion but for now I prefer to wait that Cloudflare will implement DoT also for 1.1.1.2 and 1.1.1.3.

6

1.1.1.3 needs to stop answering dot queries until this is implemented so Android automatic private DNS stops automatically disabling filtering.

7

+1 Is this going to be impemented? Like, ever?

1 Like
8

1.1.1.3 filtering over DoT would be awesome +1

1 Like
9

Any news to support DNS over TLS (DoT) for Cloudflare DNS for Families (1.1.1.2 and 1.0.0.2, and 1.1.1.3 and 1.0.0.3) ?

10

Hi, we’re actively working on implementing this over the next month or so. Expect this to ship in Q4.

6 Likes
11

That’s good news. Are CloudFlare planning on changing the DNS-over-TLS URLs to something more sensible at the same time?

“1dot1dot1dot1.cloudflare-dns.com” is pretty horrendous. It’s terrible to read, too long and prone to typing errors when manually typing it in to a phone.

“one.one.one.one” also isn’t particularly great; it isn’t going to scale well with “1.1.1.1 for Families”, as .two and .three aren’t TLDs.

I think it’s something that CloudFlare need to sit down and think hard about now – before DNS-over-TLS and DNS-over-HTTPS become more mainstream and changing it later will be a PITA. Even the following is more readable than what’s currently being used:

1111.cloudflare-dns.com
1112.cloudflare-dns.com
1113.cloudflare-dns.com

Or are you possibly planning on using the same format for DNS-over-TLS that you use for DNS-over-HTTPS? I.E.

cloudflare-dns.com
security.cloudflare-dns.com
family.cloudflare-dns.com
12

Bingo–same format for DoT that we use for DoH. Looking forward to getting this supported this quarter.

2 Likes
13

This is great news. Can’t wait for this!

14

+1
I’m very interested in this feature too!

15

Please keep us posted! :pray:

16

Hello @pzimmerman
Any news? Q4 is going to terminate soon :smile:
Thanks.

17

DoT was released

18

Hmm, 1dot1dot1dot3.cloudflare-dns.com refuses to connect on my Android?

19

The updated page DNS over TLS · Cloudflare 1.1.1.1 docs doesn’t mention 1.1.1.2 or 1.1.1.3

Or you could create a new page for DoT/families similar to Set up Cloudflare 1.1.1.1 resolver · Cloudflare 1.1.1.1 docs (DoH/families).

Also, Set up 1.1.1.1 on Android · Cloudflare 1.1.1.1 docs should be updated.

20

Yes, I confirm, DNS for Families works also with DoT.
Tested queries to 1.1.1.3 (on port 853) with unbound DNS Server.
Thanks Cloudflare!!