"DNS for Families" Compatibility with "Discovery of Designated Resolvers" (DDR)

When using the dig command against all Cloudflare DNS server IP addresses (as per the Cloudflare article HERE), the SVCB records return the same DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) templates regardless of whether they're "DNS for Families" IP addresses or not, i.e.:

Cloudflare (Standard):

dig @1.1.1.1 _dns.resolver.arpa type64

;; ANSWER SECTION:
_dns.resolver.arpa.	300	IN	SVCB	1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.	300	IN	SVCB	2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001

Cloudflare (Block Malware):

dig @1.1.1.2 _dns.resolver.arpa type64

;; ANSWER SECTION:
_dns.resolver.arpa.	300	IN	SVCB	1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.	300	IN	SVCB	2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001

Cloudflare (Block Malware and Adult Content):

dig @1.1.1.3 _dns.resolver.arpa type64

;; ANSWER SECTION:
_dns.resolver.arpa.	300	IN	SVCB	1 one.one.one.one. alpn="h2,h3" port=443 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001 key7="/dns-query{?dns}"
_dns.resolver.arpa.	300	IN	SVCB	2 one.one.one.one. alpn="dot" port=853 ipv4hint=1.1.1.1,1.0.0.1 ipv6hint=2606:4700:4700::1111,2606:4700:4700::1001

The replies to the queries show that Cloudflare is using one.one.one.one for everything, instead of the SVCB records containing the correct host names for the "DNS for Families" IP addresses (i.e. security.cloudflare-dns.com or family.cloudflare-dns.com).

Obviously, it would be preferable to manually configure the DNS server directly in the device settings itself, so that the device will always use that specified DNS server regardless of what network the device connects to. However, the problem comes when the device isn’t manually configured and relies on “Discovery of Designated Resolvers” (DDR) to get the DoH/DoT settings; for example, if it receives the DNS settings from a higher level such as a router via DHCP. In this scenario, if the router is set to use one of the Cloudflare “DNS for Families” services, then the DoH/DoT templates are going to be incorrect and will direct the device to use the default (non-filtered) Cloudflare DNS service instead. Like what Windows is doing HERE.

Instead of the SVCB records using one.one.one.one and https://one.one.one.one/dns-query for everything, I would expect the “Discovery of Designated Resolvers” (DDR) results for the Cloudflare “DNS for Families” services to return something like this:

Cloudflare (Block Malware):

dig @1.1.1.2 _dns.resolver.arpa type64

;; ANSWER SECTION:
_dns.resolver.arpa.	300	IN	SVCB	1 security.cloudflare-dns.com. alpn="h2,h3" port=443 ipv4hint=1.1.1.2,1.0.0.2 ipv6hint=2606:4700:4700::1112,2606:4700:4700::1002 key7="/dns-query{?dns}"
_dns.resolver.arpa.	300	IN	SVCB	2 security.cloudflare-dns.com. alpn="dot" port=853 ipv4hint=1.1.1.2,1.0.0.2 ipv6hint=2606:4700:4700::1112,2606:4700:4700::1002

Cloudflare (Block Malware and Adult Content):

dig @1.1.1.3 _dns.resolver.arpa type64

;; ANSWER SECTION:
_dns.resolver.arpa.	300	IN	SVCB	1 family.cloudflare-dns.com. alpn="h2,h3" port=443 ipv4hint=1.1.1.3,1.0.0.3 ipv6hint=2606:4700:4700::1113,2606:4700:4700::1003 key7="/dns-query{?dns}"
_dns.resolver.arpa.	300	IN	SVCB	2 family.cloudflare-dns.com. alpn="dot" port=853 ipv4hint=1.1.1.3,1.0.0.3 ipv6hint=2606:4700:4700::1113,2606:4700:4700::1003

Is there a reason why Cloudflare “DNS for Families” services aren’t configured to be used with “Discovery of Designated Resolvers” (DDR)?

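To make the mismatch in the post concrete, here is an added example (not code from the thread or from Cloudflare) that parses an SVCB answer in wire format and checks it against the resolver IP the `_dns.resolver.arpa` query was sent to. The SVCB RDATA is constructed in-line to mirror the dig output quoted above (the `key7=` shown by dig is the `dohpath` SvcParam, key 7, which older dig builds do not name), so nothing touches the network. The hint comparison in `hints_cover_resolver` is an offline stand-in and an assumption of this example: RFC 9462's verified discovery is a TLS step in which the designated resolver's certificate must list the unencrypted resolver's IP address, and whether one.one.one.one's certificate covers 1.1.1.2 is not something the thread establishes. The example only shows that the advertised endpoint and hints point at the unfiltered service, which is the point the post makes.

```python
# Added example (not from the thread or Cloudflare): parse a DDR SVCB answer
# and check it against the resolver IP the query was sent to. Sample RDATA is
# constructed in-line to mirror the dig output above; nothing touches the network.
import ipaddress
import struct

# SvcParamKey numbers from the RFC 9460 registry; 7 is "dohpath" (RFC 9461).
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_IPV6HINT, KEY_DOHPATH = 1, 3, 4, 6, 7


def _encode_name(name):
    # Uncompressed wire-format name; an SVCB TargetName is never compressed.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_svcb(priority, target, alpn, port, ipv4hint, ipv6hint, dohpath=None):
    """SVCB RDATA: SvcPriority, TargetName, then SvcParams in ascending key order."""
    params = [(KEY_ALPN, b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)),
              (KEY_PORT, struct.pack("!H", port))]
    if ipv4hint:
        params.append((KEY_IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in ipv4hint)))
    if ipv6hint:
        params.append((KEY_IPV6HINT, b"".join(ipaddress.IPv6Address(a).packed for a in ipv6hint)))
    if dohpath is not None:
        params.append((KEY_DOHPATH, dohpath.encode("utf-8")))
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return struct.pack("!H", priority) + _encode_name(target) + body


def _decode_name(buf, off):
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n >= 0xC0:
            raise ValueError("compression pointer in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def decode_svcb(rdata):
    """Parse SVCB RDATA; rejects truncated values and out-of-order keys (RFC 9460)."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, off = _decode_name(rdata, 2)
    rec, last_key = {"priority": priority, "target": target}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        val = rdata[off + 4:off + 4 + length]
        if len(val) != length or key <= last_key:
            raise ValueError("truncated SvcParam or non-ascending SvcParamKey")
        off, last_key = off + 4 + length, key
        if key == KEY_ALPN:
            ids, i = [], 0
            while i < len(val):
                ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            rec["alpn"] = ids
        elif key == KEY_PORT:
            (rec["port"],) = struct.unpack("!H", val)
        elif key == KEY_IPV4HINT:
            rec["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == KEY_IPV6HINT:
            rec["ipv6hint"] = [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        elif key == KEY_DOHPATH:
            rec["dohpath"] = val.decode("utf-8")
        else:
            rec["key%d" % key] = val  # unknown key: keep raw, as a client must
    return rec


def doh_template(rec):
    """RFC 9461 DoH URI template https://<target>[:port]<dohpath>; None for DoT-only records."""
    if "dohpath" not in rec or not {"h2", "h3"} & set(rec.get("alpn", [])):
        return None
    host, port = rec["target"].rstrip("."), rec.get("port", 443)
    return "https://%s%s" % (host if port == 443 else "%s:%d" % (host, port), rec["dohpath"])


def hints_cover_resolver(resolver_ip, rec):
    """Do the record's IP hints include the unencrypted resolver the client started from?
    Assumption of this example: RFC 9462 verified discovery is a TLS certificate check
    (not reproduced offline); comparing hints is a static stand-in for that mismatch."""
    ip = ipaddress.ip_address(resolver_ip)
    return any(ipaddress.ip_address(h) == ip for h in rec.get("ipv4hint", []) + rec.get("ipv6hint", []))


def audit(resolver_ip, rdata):
    """Summarise one DDR answer the way a client would act on it."""
    rec = decode_svcb(rdata)
    return {"target": rec["target"], "doh_template": doh_template(rec),
            "hints_cover_resolver": hints_cover_resolver(resolver_ip, rec)}


# Constructed samples: what 1.1.1.2 returned in the post versus what the post expects.
OBSERVED_AT_1_1_1_2 = encode_svcb(1, "one.one.one.one.", ["h2", "h3"], 443,
    ["1.1.1.1", "1.0.0.1"], ["2606:4700:4700::1111", "2606:4700:4700::1001"], "/dns-query{?dns}")
EXPECTED_AT_1_1_1_2 = encode_svcb(1, "security.cloudflare-dns.com.", ["h2", "h3"], 443,
    ["1.1.1.2", "1.0.0.2"], ["2606:4700:4700::1112", "2606:4700:4700::1002"], "/dns-query{?dns}")
```

Running `audit("1.1.1.2", OBSERVED_AT_1_1_1_2)` yields the template `https://one.one.one.one/dns-query{?dns}` with `hints_cover_resolver` false, while the expected record yields `security.cloudflare-dns.com` with the hints covering 1.1.1.2. A client that only applies the certificate check has no policy signal here; a router or agent that wants to stay on the filtered service has to pin the template rather than trust DDR's answer.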

@mvavrusa


Hi @Amarosa,

I think this has been fixed. Thanks for the report!

