DNS over HTTPS not working and queries still go unencrypted over UDP 53

I have set my preferred DNS servers to Cloudflare’s but using Wireshark I can see that the DNS requests are still being issued in plaintext and over UDP 53 to 1.1.1.1.

How do you get your system to initiate these requests over HTTPS?

Switching to 1.1.1.1 won't encrypt it, as it will still be a regular non-encrypted DNS request.

As you mentioned, you’d need to switch to DoH for that. This will set up a local nameserver which responds to normal DNS lookups and forwards everything via HTTPS, hence encrypted.

Check out https://developers.cloudflare.com/1.1.1.1/dns-over-https/ for more details.
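As an added illustration of what such a local DoH forwarder does (example code written for this thread, not Cloudflare's client or any project's code): it takes the same wire-format query a stub resolver would otherwise send in cleartext on UDP 53, wraps it in an RFC 8484 HTTPS GET request, and parses the wire-format answer. The DoH URL is an assumption, no request is actually sent, and the response bytes are constructed inline.

```python
import base64
import struct
import urllib.request

# Assumed RFC 8484 endpoint (not taken from the thread); nothing below is sent on the network.
DOH_URL = "https://cloudflare-dns.com/dns-query"

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query, i.e. what a stub resolver sends in cleartext on UDP 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_request(wire_query):
    """Wrap the query as a DoH GET: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return urllib.request.Request(f"{DOH_URL}?dns={b64}",
                                  headers={"Accept": "application/dns-message"})

def parse_a_records(resp):
    """Return (txid, [IPv4 strings]) from a wire-format answer; handles compression pointers."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    def skip_name(o):
        while True:
            ln = resp[o]
            if ln == 0:
                return o + 1
            if ln & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
                return o + 2
            o += 1 + ln
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return txid, addrs

# Constructed sample answer (not a capture): txid 0x1234, example.com A 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_request(build_query("example.com", txid=0x1234)).full_url, parse_a_records(SAMPLE_RESPONSE))
```

In a capture, only the HTTPS connection to TCP 443 is visible; the queried name lives inside the encrypted `dns=` parameter.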

You need a browser with support for Encrypted SNI (ESNI) to completely anonymize your DNS requests. Currently the only browser that supports this is Firefox Nightly. If you use the latest Firefox Nightly and 1.1.1.1, you won’t be able to see requested domain names in Wireshark.

So currently the only way to secure your DNS traffic with Cloudflare is to install their client or use Dnscrypt-proxy?

It doesn't have to be their proxy, but you still have to use a local proxy: the encryption came with a change of protocol (UDP to HTTPS), which is basically not supported by (almost) anyone at this point.

If you are looking into this only for a browsing-related use case you could - as pointed out by Nikolo - also use Firefox Nightly, which does come with its own DoH support, overriding the system resolver. And, yes, don't forget to enable encrypted SNI in that case as well.

@sandro Do you know of a local proxy that can be set up to do DOH reliably with Cloudflare’s DNS servers?

I tried using Simple DNSCrypt but I was unable to browse to any domain after turning it on. It seems DOH is still really buggy at this time?

I am afraid I have close to zero experience in this field. Simply not using it myself.

Maybe this could point you in the right direction - DNS over HTTPS · curl/curl Wiki · GitHub

Wouldn't be too surprised, the entire thing is still somewhat newish.