Cloudflare family protection for Android Private DNS

Hi all! :slight_smile:

Spoiler: I replaced dots in URLs with (dot) intentionally here, as I am a new user and there is a forum limit.

Recently I opened a ticket with Cloudflare support about 1dot1dot1dot3(dot)cloudflare-dns(dot)com not resolving to 1.1.1.3. This in my opinion is needed for Android 9 Pie to be able to connect via DNS over TLS to 1.1.1.3. In the screenshot below, if I enter 1.1.1.3 it is not accepted. It accepts only domain names, without any paths after the top level domain (e.g. .com). It does not accept 1.1.1.3 or even 1.1.1.1. Only 1dot1dot1dot1(dot)cloudflare-dns(dot)com is accepted.

With the above in mind, what I really wanted to do is to contact Cloudflare and tell them that on 1st April this year, when they added Family protection via 1.1.1.3 in addition to 1.1.1.1, they have forgotten to add 1dot1dot1dot3(dot)cloudflare-dns(dot)com to resolve to 1.1.1.3 in their DNS zone file. Just like 1dot1dot1dot1(dot)cloudflare-dns(dot)com currently resolves to 1.1.1.1.

My Android 9 Pie accepts NEITHER domains followed by paths NOR plain IP addresses.

After 3 replies back and forth, I finally managed to explain that my issue needs escalation to the engineering team. Their reply stunned me (cite):

"You can’t troubleshoot 1.1.1.3 same as you do for .1
Remember one dot for families is primarily meant for home networks so we can’t have public docs for every single mobile device out there.

If the customer wants to use this for Android, there are helpful guides on the Internet on how to change your DNS resolver.
e.g.
devilbox(dot)readthedocs(dot)io/en/latest/howto/dns/add-custom-dns-server-on-android.html
www(dot)howtogeek(dot)com/167533/the-ultimate-guide-to-changing-your-dns-server/"

Mind-blowingly disturbing incompetence. Not from support, from programmers!!

1st of all, I did not want to troubleshoot 1.1.1.3, I know that it works if it can be resolved to!
2nd, why did they send me completely irrelevant links about the Android Private DNS feature? In every single Android 9 Pie device on this planet, the place to set Private DNS is only in one place, and it is definitely not in the settings of each single Wi-Fi connection. (Bonus tip for you Cloudflare folks - this was the OLD way, before Android 9 came out, to set non-private unencrypted DNS for just a single connection).
3rd, if I had found the info I need in the docs, I would not have contacted support.
4th, even after the unbelievable response from engineering, I reopened the ticket to ask one single question:
"Okay, so then only one question is left for me:

Please tell me if you support Cloudflare Family Protection, then what URL should I enter into the input field from the attached screenshot? Sorry to interrupt you, but I cannot find it in the documentation. Please note that what I am searching for is not the regular Cloudflare, but the one that blocks access to adult sites (a.k.a. 1.1.1.1 for families). Thank you very much again for the support."

Straight to the point. Response is copy-pasted:
"You can try info here:
https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/router/
If it does not work, we cannot find any other doc unfortunately

Search the Cloudflare Community for advice and insight."
I tried my best.
So here I am to search the community for insight:

  1. Where exactly is the management in Cloudflare (Program Manager/Tech Lead of support)?
  2. Does he know of a Motorola One device with Android 9 that runs as a router?
  3. If the answer to 2. is no, why am I sent a link to router documentation?
  4. Could you please just add a simple hostname to resolve to 1.1.1.3 so we can use Private DNS for family protection on Android?
  5. Don’t fire the people/personnel, EDUCATE them.
  6. Make this a pinned topic, so everyone can learn from it.

Actually, I also have the same question, but from what I have found so far they are still working on DNS over TLS for 1.1.1.2 & 1.1.1.3, and the only thing ready to use is DNS over HTTPS. So I will keep waiting until they have completely solved DNS over TLS; plus, the COVID-19 situation around the globe may be slowing down the progress. But you can try installing the 1.1.1.1 app for Android, which already has an option to choose DNS for 1.1.1.2 & 1.1.1.3 inside the app's DNS settings.

If you try nslookup in Command Prompt, you will find that 1.1.1.2 & 1.1.1.3 don’t have a hostname yet, compared with 1.1.1.1 (hostname one.one.one.one), which already has its own hostname. That means they will not provide a new hostname for 1.1.1.2 & 1.1.1.3 until they finish DNS over TLS and fully test 1.1.1.1 for Families.

For Private DNS mode in Android, they already provide names for 1.1.1.2 & 1.1.1.3, but I tried this and it is not working on Android 9 or above, because they have not solved DNS over TLS yet. Here is the Private DNS list:

1.1.1.2:
security.cloudflare-dns.com

1.1.1.3:
family.cloudflare-dns.com

Read the 1.1.1.1 for Families FAQ here:
https://community.cloudflare.com/t/community-tip-best-practices-for-1-1-1-1-for-families/160496
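
Added example, not part of either post above and not Cloudflare's or Android's code: a Python check for whether a name can work in the Private DNS field discussed in this thread. It tests that the value is a bare hostname, that it resolves, that port 853 completes a TLS handshake with a certificate valid for that name, and that a DNS-over-TLS query is answered. The input rule in `private_dns_input_ok` is an approximation of the behaviour the first post describes, and all function names are hypothetical.

```python
import ipaddress, socket, ssl, struct

def private_dns_input_ok(value):
    """Approximates the field's rule from the thread: bare hostname, no IP, no path."""
    try:
        ipaddress.ip_address(value)
        return False                      # IP literals such as 1.1.1.3 are refused
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and len(labels) >= 2 and all(
        0 < len(l) <= 63 and l.isascii() and l.replace("-", "").isalnum()
        and l[0] != "-" and l[-1] != "-" for l in labels)

def dot_frame(qname, qid=0x1234):
    """A-record query with the 2-byte length prefix DoT uses (RFC 7858)."""
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!2H", 1, 1)
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe_dot(hostname, qname="example.com", qid=0x1234, timeout=5.0):
    """Live check (needs network): resolve, verified TLS on 853, one query."""
    if not private_dns_input_ok(hostname):
        return "rejected: not a bare hostname"
    ctx = ssl.create_default_context()    # verifies chain and hostname
    try:
        with socket.create_connection((hostname, 853), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(dot_frame(qname, qid))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            rid, flags = struct.unpack("!2H", _recv_exact(tls, length)[:4])
            return f"ok: rcode={flags & 0xF}" if rid == qid and flags & 0x8000 else "unexpected reply"
    except socket.gaierror:
        return "hostname does not resolve"
    except ssl.SSLCertVerificationError as e:
        return f"certificate not valid for hostname: {e.verify_message}"
    except (OSError, struct.error) as e:
        return f"connection or TLS failure: {e}"

if __name__ == "__main__":
    for h in ("1.1.1.3", "family.cloudflare-dns.com", "security.cloudflare-dns.com"):
        print(h, "->", probe_dot(h))
```

Each failure string maps to a distinct cause (no DNS record, no listener on 853, certificate mismatch), which separates a missing hostname from an unfinished DoT endpoint.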