Cloudflare DNS (1.1.1.1) in "DUS" region not reliable on Android and Ubuntu

Hello,

I’ve been using Cloudflare’s wonderful free DNS service via the following IPs and hostnames:

IPv4: 1.1.1.1, 1.0.0.1
IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001
Hostnames: 1dot1dot1dot1.cloudflare-dns.com, one.one.one.one

I have set these up in my router, a FRITZ!Box (version 7.28), which is also listed in Cloudflare’s official documentation. There, all IP addresses and hostnames are used. Then, in a second layer, I have set up the first hostname in Android 11 for “Private DNS”. And on Ubuntu 20.04, I have set up the four IP addresses for DNS lookups.

Still, the results as per Cloudflare’s official diagnostic site https://1.1.1.1/help are extremely flaky. The two values for “Using 1.1.1.1” and “Using DoT” are constantly varying between “Yes” and “No”, mostly at “No”.

In addition, I have regular but inconsistent problems loading images in the Twitter app for Android. As soon as I use a network and device without Cloudflare DNS, it works again.

The diagnostics results:

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiWWVzIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiRFVTIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

The same happens when I set up Cloudflare DNS in my router only, or in my devices only.

Any ideas why? Thank you!

Ticket number 2236740 @MoreHelp

Have problems with 1.1.1.1? Read Me First - DNS & Network / 1.1.1.1 - Cloudflare Community

1 Like

Thank you!

The problems are much worse on my Android 11 device, where various hosts intermittently cannot be reached, but I cannot run all those commands there.

So I’m sharing the output from my desktop machine here, where your diagnostic page also regularly shows that the connection to Cloudflare DNS is not active:

Country: Germany
ISP: NetAachen (NetCologne)
Router model: AVM FRITZ!Box 7530
OS: Ubuntu 20.04

##################################################
$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.178.1)  3.766 ms  4.664 ms  4.641 ms
 2  cgn-sto2-ve41.netcologne.de (87.79.16.178)  5.666 ms  6.729 ms  6.722 ms
 3  ip-core-sto1-ae44-41.netcologne.de (87.79.16.177)  7.903 ms  7.814 ms  7.805 ms
 4  ip-core-net2-et2-2-1.netcologne.de (89.1.86.9)  8.993 ms ip-core-net1-et2-2-1.netcologne.de (89.1.86.1)  7.769 ms ip-core-net2-et2-2-1.netcologne.de (89.1.86.9)  8.940 ms
 5  bdr-net1-ae1.netcologne.de (81.173.192.2)  8.940 ms bdr-net1-ae2.netcologne.de (81.173.192.6)  8.916 ms  8.887 ms
 6  as13335.dusseldorf.megaport.com (194.146.118.139)  10.206 ms  74.549 ms *
 7  one.one.one.one (1.1.1.1)  35.912 ms  35.926 ms  35.916 ms
##################################################
$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.178.1)  2.702 ms  2.673 ms  2.659 ms
 2  cgn-sto2-ve42.netcologne.de (87.79.16.182)  5.666 ms  5.641 ms  5.635 ms
 3  ip-core-sto2-ae44-42.netcologne.de (87.79.16.181)  7.893 ms  5.606 ms  7.852 ms
 4  ip-core-net2-et9-2-1.netcologne.de (89.1.86.13)  7.816 ms ip-core-net1-et9-2-1.netcologne.de (89.1.86.5)  6.725 ms  6.692 ms
 5  bdr-net1-ae1.netcologne.de (81.173.192.2)  7.786 ms bdr-net1-ae2.netcologne.de (81.173.192.6)  9.126 ms  9.090 ms
 6  as13335.dusseldorf.megaport.com (194.146.118.139)  9.093 ms  6.592 ms  6.555 ms
 7  one.one.one.one (1.0.0.1)  5.757 ms  5.790 ms  7.998 ms
##################################################
$ dig +short CHAOS TXT id.server @1.1.1.1
"DUS"
##################################################
$ dig +short CHAOS TXT id.server @1.0.0.1
"DUS"
##################################################
$ dig +tcp @1.1.1.1 id.server CH TXT
; <<>> DiG 9.16.1-Ubuntu <<>> +tcp @1.1.1.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"DUS"

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; MSG SIZE  rcvd: 43
##################################################
$ dig +tcp @1.0.0.1 id.server CH TXT
; <<>> DiG 9.16.1-Ubuntu <<>> +tcp @1.0.0.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8909
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"DUS"

;; Query time: 4 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; MSG SIZE  rcvd: 43
##################################################
$ openssl s_client -connect 1.1.1.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhjCCBQ2gAwIBAgIQBQdvZtEbaSJWzKzVRv/sUzAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjEwMTExMDAw
MDAwWhcNMjIwMTE4MjM1OTU5WjByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRm
bGFyZSwgSW5jLjEbMBkGA1UEAxMSY2xvdWRmbGFyZS1kbnMuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEF60f6DWvcNONnJ5k/UceW5cMCtEQqCYyETZmTRKZ
w+Exu/UhY3PdpcHBoPBtpMRe4cLb2vkNNIAa97ngOvLVdKOCA58wggObMB8GA1Ud
IwQYMBaAFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBThtvwG+bmLBfTB
4kibArkLwbU9eTCBpgYDVR0RBIGeMIGbghJjbG91ZGZsYXJlLWRucy5jb22CFCou
Y2xvdWRmbGFyZS1kbnMuY29tgg9vbmUub25lLm9uZS5vbmWHBAEBAQGHBAEAAAGH
BKKfJAGHBKKfLgGHECYGRwBHAAAAAAAAAAAAERGHECYGRwBHAAAAAAAAAAAAEAGH
ECYGRwBHAAAAAAAAAAAAAGSHECYGRwBHAAAAAAAAAAAAZAAwDgYDVR0PAQH/BAQD
AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBlwYDVR0fBIGPMIGM
MESgQqBAhj5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJy
aWRFQ0NTSEEzODQyMDIwQ0ExLmNybDBEoEKgQIY+aHR0cDovL2NybDQuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAyMENBMS5jcmwwSwYD
VR0gBEQwQjA2BglghkgBhv1sAQEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0
dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NI
QTM4NDIwMjBDQTEuY3J0MAwGA1UdEwEB/wQCMAAwggEEBgorBgEEAdZ5AgQCBIH1
BIHyAPAAdgApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAXby6BKo
AAAEAwBHMEUCIQDRsvaM+FOVneTUUwY0ggKKCuqKp7wnHvtWHtEUZB+uZwIgJbGG
3Rsq548BxED2wxZ4q2G/9jo0/EeIEwdl9GC7NEIAdgAiRUUHWVUkVpY/oS/x922G
4CMmY63AS39dxoNcbuIPAgAAAXby6BMPAAAEAwBHMEUCIQCV3RpnSizsrJ1vi/48
/qT1PoclZYI3N51mveRdD2gkWQIgdWX+MLuAa8ziuKGIlqjoAiaOvs/4IfqthaAN
h6HW8TQwCgYIKoZIzj0EAwMDZwAwZAIwJMLPbL32rtHJ1R9KdC48PdHAPtzXG9OU
cVv+pYYWJoIBItMKbvyYtdLiueUHaXeWAjBFe2+Cpn22YsMxhdW1NV1PTISIrBoA
PQyEQNywp8ocEycVHjf5RsOu2f35uSOLfyo=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2824 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6EE23861B633F9D041ADEA478339247BE83B65693D9E1D15D6AD9AEB6BBA993F
    Session-ID-ctx: 
    Resumption PSK: 56E5F8122C6C4D38A722BB8D9FC175AE56FE639975979306F700D52580DB65B51680E1C4F51A873FF593ACC946DBEB61
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 84 a6 34 78 a4 0c ee ce-87 74 32 28 4e 99 ba b9   ..4x.....t2(N...
    0010 - b1 78 a5 07 6e 16 24 f8-b7 f0 b2 15 ea 2e 5b 44   .x..n.$.......[D
    0020 - 6c 30 82 29 a3 00 0c ef-d5 09 4b 78 03 9d 78 03   l0.)......Kx..x.
    0030 - 50 dd ab cf 43 12 f3 d5-33 81 15 67 b9 36 5a e8   P...C...3..g.6Z.
    0040 - 02 7e 68 9d 21 c4 a2 e8-67 b2 a8 21 fa a0 d3 f3   .~h.!...g..!....
    0050 - f1 ab ea 2d cb 9b cb 24-c4 a7 8a 39 ce 10 26 65   ...-...$...9..&e
    0060 - ac 53 d3 84 d4 cd d1 02-67 86 49 0d 8c 39 f5 2c   .S......g.I..9.,
    0070 - 73 4b 24 7f c4 fb 6f 23-c2 60 0f 52 db 97 81 77   sK$...o#.`.R...w
    0080 - 05 ec 32 66 c2 23 af fc-9c e6 63 2c 1d cc 7d f1   ..2f.#....c,..}.
    0090 - fb d6 e7 5b 86 81 33 23-68 e6 5d 79 fc 79 d9 1d   ...[..3#h.]y.y..
    00a0 - 37 fa c5 2f fa 3c 04 85-66 7e 9f 40 1e 93 95 99   7../.<[email protected]
    00b0 - 03 6d 88 64 e0 bb 8f 27-60 8a d1 df 2b 12 78 07   .m.d...'`...+.x.

    Start Time: 1631315027
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B09B326D3518B415D71BDF74FEFADFAF1CAACCE7709A2D73A41C28B36837E999
    Session-ID-ctx: 
    Resumption PSK: 4F7B78CD883188B9A4AA556D268EECB1A3651E220D8042D4FDCB0F2F3D1382177B518A11B7536A03697DE5329FD20F1F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 84 a6 34 78 a4 0c ee ce-87 74 32 28 4e 99 ba b9   ..4x.....t2(N...
    0010 - f2 5d e8 da e4 73 6d 23-b5 75 5a c1 d4 50 e4 e3   .]...sm#.uZ..P..
    0020 - 24 4a 87 32 f6 f4 da d5-1e ad 39 21 01 9c e8 e3   $J.2......9!....
    0030 - 76 66 82 97 e8 17 68 c8-06 17 3c 57 89 48 2d 15   vf....h...<W.H-.
    0040 - 07 c7 75 27 6e 10 bb 24-1d 3c ed d1 9f cf de c6   ..u'n..$.<......
    0050 - a7 75 4c 57 72 90 23 9f-02 de ce 78 8e 0b 05 ad   .uLWr.#....x....
    0060 - 1d 96 a6 99 76 6d 72 ae-90 8c ac 65 e5 29 66 5a   ....vmr....e.)fZ
    0070 - ad 62 a6 72 41 b1 4d 9f-9b 1f 00 ee 9f aa 5f 1e   .b.rA.M......._.
    0080 - bc 06 67 92 02 29 04 62-07 01 85 8d 7f 5f 40 5a   ..g..)[email protected]
    0090 - ff a9 56 fd a0 55 3a d9-3a de de 27 c9 79 de f1   ..V..U:.:..'.y..
    00a0 - 04 81 b1 45 1f 4f e3 fd-19 4d ea 19 94 6c 3b 1a   ...E.O...M...l;.
    00b0 - b6 ce 7b 60 50 24 f2 25-a3 2f ba 44 ae 4e a7 1c   ..{`P$.%./.D.N..

    Start Time: 1631315027
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
##################################################
$ openssl s_client -connect 1.0.0.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhjCCBQ2gAwIBAgIQBQdvZtEbaSJWzKzVRv/sUzAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjEwMTExMDAw
MDAwWhcNMjIwMTE4MjM1OTU5WjByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRm
bGFyZSwgSW5jLjEbMBkGA1UEAxMSY2xvdWRmbGFyZS1kbnMuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEF60f6DWvcNONnJ5k/UceW5cMCtEQqCYyETZmTRKZ
w+Exu/UhY3PdpcHBoPBtpMRe4cLb2vkNNIAa97ngOvLVdKOCA58wggObMB8GA1Ud
IwQYMBaAFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBThtvwG+bmLBfTB
4kibArkLwbU9eTCBpgYDVR0RBIGeMIGbghJjbG91ZGZsYXJlLWRucy5jb22CFCou
Y2xvdWRmbGFyZS1kbnMuY29tgg9vbmUub25lLm9uZS5vbmWHBAEBAQGHBAEAAAGH
BKKfJAGHBKKfLgGHECYGRwBHAAAAAAAAAAAAERGHECYGRwBHAAAAAAAAAAAAEAGH
ECYGRwBHAAAAAAAAAAAAAGSHECYGRwBHAAAAAAAAAAAAZAAwDgYDVR0PAQH/BAQD
AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBlwYDVR0fBIGPMIGM
MESgQqBAhj5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJy
aWRFQ0NTSEEzODQyMDIwQ0ExLmNybDBEoEKgQIY+aHR0cDovL2NybDQuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0VExTSHlicmlkRUNDU0hBMzg0MjAyMENBMS5jcmwwSwYD
VR0gBEQwQjA2BglghkgBhv1sAQEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0
dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NI
QTM4NDIwMjBDQTEuY3J0MAwGA1UdEwEB/wQCMAAwggEEBgorBgEEAdZ5AgQCBIH1
BIHyAPAAdgApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAXby6BKo
AAAEAwBHMEUCIQDRsvaM+FOVneTUUwY0ggKKCuqKp7wnHvtWHtEUZB+uZwIgJbGG
3Rsq548BxED2wxZ4q2G/9jo0/EeIEwdl9GC7NEIAdgAiRUUHWVUkVpY/oS/x922G
4CMmY63AS39dxoNcbuIPAgAAAXby6BMPAAAEAwBHMEUCIQCV3RpnSizsrJ1vi/48
/qT1PoclZYI3N51mveRdD2gkWQIgdWX+MLuAa8ziuKGIlqjoAiaOvs/4IfqthaAN
h6HW8TQwCgYIKoZIzj0EAwMDZwAwZAIwJMLPbL32rtHJ1R9KdC48PdHAPtzXG9OU
cVv+pYYWJoIBItMKbvyYtdLiueUHaXeWAjBFe2+Cpn22YsMxhdW1NV1PTISIrBoA
PQyEQNywp8ocEycVHjf5RsOu2f35uSOLfyo=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2823 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4FB61A685BC302ABBBE4656CF06BB627C5C6F83B664E1BE6A0FED6C576B14F5D
    Session-ID-ctx: 
    Resumption PSK: 6CFF03F2BE607730F90663EF243EA68251BC21D63D7FDC68C9F74873D3F2E9546D9A6386B8993E753E88DD5B785F2695
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 84 a6 34 78 a4 0c ee ce-87 74 32 28 4e 99 ba b9   ..4x.....t2(N...
    0010 - 79 3f ce 4e 6a 68 c7 59-80 9c c1 4c 5c 59 b3 4f   y?.Njh.Y...L\Y.O
    0020 - 81 73 ca 3d 88 d7 24 24-26 9c 74 fd 71 11 15 6c   .s.=..$$&.t.q..l
    0030 - a1 3e c3 ce 3f 53 60 33-61 81 c0 58 8f 8e 60 c3   .>..?S`3a..X..`.
    0040 - b2 d9 0d 33 43 17 67 d2-f5 76 7e be 11 4e 73 d6   ...3C.g..v~..Ns.
    0050 - 88 23 96 31 70 72 d3 aa-3b 65 7e 15 c8 c4 ba b7   .#.1pr..;e~.....
    0060 - 05 2e 58 7e 91 0c e2 13-96 91 19 c0 e5 8c 58 c3   ..X~..........X.
    0070 - df 23 fc 48 59 46 d6 8d-a5 e1 06 bb 81 61 03 10   .#.HYF.......a..
    0080 - 1c 1c 25 62 52 2a f3 4b-bd 2d 2e 91 fa 5f a7 05   ..%bR*.K.-..._..
    0090 - 48 a5 9d 30 88 87 bd b0-c0 02 59 87 61 d2 ea fa   H..0......Y.a...
    00a0 - 4e 43 1d cc 36 06 58 89-cb a9 41 76 d7 04 ad 00   NC..6.X...Av....
    00b0 - cb 36 91 f7 8e 90 42 02-5b b9 6e de 4d 0b 44 e5   .6....B.[.n.M.D.

    Start Time: 1631315133
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 268D93EE46D2D60BC3063FE8FCA128EBB1D3D2813084167EBF5D9CB3B5109DC9
    Session-ID-ctx: 
    Resumption PSK: 4A702BB2DDE5D646158021DCF42B403CBD57F42C3EB0B642C60B8E71DAC422925264C621878CB6A8AE32A2D17ED8596D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 84 a6 34 78 a4 0c ee ce-87 74 32 28 4e 99 ba b9   ..4x.....t2(N...
    0010 - d0 1a 6f 14 f5 cc fe f7-64 a8 95 d1 3e 99 10 9b   ..o.....d...>...
    0020 - d5 32 0d 73 c7 60 65 64-ef ee 5f 0b 85 cc 2b 19   .2.s.`ed.._...+.
    0030 - 8f 99 c9 df 08 80 83 a2-1a 7d 94 df 5f 08 0b 05   .........}.._...
    0040 - 50 4b b6 c6 30 a3 b6 03-11 e5 22 74 f8 d3 e2 68   PK..0....."t...h
    0050 - 91 80 e4 4b 8f 57 f8 1b-cc 9f 32 48 74 b7 83 70   ...K.W....2Ht..p
    0060 - 0f 57 e0 d3 56 4b 29 ae-b7 f2 4d 2c ef c6 19 b9   .W..VK)...M,....
    0070 - f2 d0 66 04 fb 1d 7a a0-2e 0c 5c 36 e8 f8 18 e2   ..f...z...\6....
    0080 - 05 d8 26 b4 c1 a1 55 00-a6 a5 b3 1a f6 1a 30 20   ..&...U.......0 
    0090 - 24 72 c8 4b 97 51 c1 e9-6c f0 b6 5f df 22 61 ab   $r.K.Q..l.._."a.
    00a0 - 48 ca 73 aa 5b 2c 7d 56-94 90 cf 47 83 70 79 8b   H.s.[,}V...G.py.
    00b0 - 19 b9 2d 90 e5 74 9b 53-0b ac 37 01 88 d4 65 9e   ..-..t.S..7...e.

    Start Time: 1631315133
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
##################################################
$ kdig +tls @1.1.1.1 id.server CH TXT
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61692
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; id.server.          		CH	TXT

;; ANSWER SECTION:
id.server.          	0	CH	TXT	"DUS"

;; Received 43 B
;; From [email protected](TCP) in 11.7 ms
##################################################
$ kdig +tls @1.0.0.1 id.server CH TXT
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16479
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; id.server.          		CH	TXT

;; ANSWER SECTION:
id.server.          	0	CH	TXT	"DUS"

;; Received 43 B
;; From [email protected](TCP) in 38.0 ms
##################################################
$ curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"cloudflare.com","type":28}],"Answer":[{"name":"cloudflare.com","type":28,"TTL":235,"data":"2606:4700::6810:84e5"},{"name":"cloudflare.com","type":28,"TTL":235,"data":"2606:4700::6810:85e5"}]}
##################################################
$ dig example.com 1.4k @1.1.1.1
; <<>> DiG 9.16.1-Ubuntu <<>> example.com 1.4k @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62279
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		78254	IN	A	93.184.216.34

;; Query time: 12 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16293
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.4k.				IN	A

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021091001 1800 900 604800 86400

;; Query time: 72 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; MSG SIZE  rcvd: 108
##################################################
$ dig example.com 1.4k @1.0.0.1
; <<>> DiG 9.16.1-Ubuntu <<>> example.com 1.4k @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		7179	IN	A	93.184.216.34

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.4k.				IN	A

;; AUTHORITY SECTION:
.			86380	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021091001 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; MSG SIZE  rcvd: 108
##################################################
$ dig example.com 1.4k @8.8.8.8
; <<>> DiG 9.16.1-Ubuntu <<>> example.com 1.4k @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64751
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		7163	IN	A	93.184.216.34

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22604
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.4k.				IN	A

;; AUTHORITY SECTION:
.			86334	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021091001 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE  rcvd: 108
##################################################

Ticket number 2236740 @MoreHelp