DNS over TLS does not work?


It used to work before and I get no love :frowning:

I use a pfSense router, latest version.



How did you configure it?


Enabled "Forwarding Mode" and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" in the resolver, and defined the DNS servers as and


What would the following command return?

nslookup -class=chaos -type=txt id.server

It might be an issue with your router though. I'd contact the manufacturer in this case.


I’m using DNS over TLS on iOS and it’s working.

@sandro, what should that command show? On my Mac, which uses over port 53 (no HTTPS or TLS), here's what I get:

iRetina:~ scott$ nslookup -class=chaos -type=txt id.server
Non-authoritative answer:
id.server text = "LAX"
Authoritative answers can be found from:


nslookup -class=chaos -type=txt id.server

** server can't find id.server: REFUSED


Why do you suspect a h/w issue?


The location of the datacentre. It is the DNS equivalent of /cdn-cgi/trace.

I don't. I suspect it to be either a proper software issue or a misconfiguration. My primary advice was to contact the manufacturer (or a related community), as they will be better able to tell what the issue might be than the Cloudflare community.

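To make the check in the replies above concrete (the CH TXT query for id.server that identifies the answering datacentre, and the REFUSED result the poster got from a local resolver that does not answer CHAOS-class queries), here is an added example that is not from the original thread or from pfSense/Cloudflare. It builds the id.server query in DNS wire format, parses a reply including its rcode, and can optionally send the query over DNS-over-TLS (RFC 7858, port 853) so the answer comes from the TLS forwarder rather than the local resolver. The sample replies are constructed inline to mirror the two outputs quoted in the thread; the resolver address 1.1.1.1 and the TLS name cloudflare-dns.com used in the live path are assumptions.

```python
import socket
import ssl
import struct
import secrets
import sys

CLASS_CH = 3   # CHAOS class
TYPE_TXT = 16
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name="id.server", qtype=TYPE_TXT, qclass=CLASS_CH, txid=None):
    """Build a single-question DNS query (RD set) in wire format."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # random id, checked on the reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid=None):
    """Return {'rcode': name, 'txt': [strings]} from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):                       # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                 # TXT rdata is a run of <len><chars>
            i = 0
            while i < rdlen:
                ln = rdata[i]
                txts.append(rdata[i + 1:i + 1 + ln].decode())
                i += 1 + ln
    return {"rcode": rcode, "txt": txts}


def query_dot(server="1.1.1.1", port=853, server_hostname="cloudflare-dns.com", timeout=5):
    """Send the id.server query over DNS-over-TLS and parse the reply (network; assumed endpoint)."""
    q = build_query()
    txid = struct.unpack("!H", q[:2])[0]
    ctx = ssl.create_default_context()       # verifies the forwarder's certificate
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length prefix as over TCP
            (n,) = struct.unpack("!H", tls.recv(2))
            buf = b""
            while len(buf) < n:
                chunk = tls.recv(n - len(buf))
                if not chunk:
                    raise ConnectionError("short read from resolver")
                buf += chunk
    return parse_response(buf, expected_txid=txid)


# Constructed sample replies (not captured traffic), mirroring the thread's two outputs.
QUESTION = b"\x02id\x06server\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 4) + b"\x03LAX")
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(parse_response(SAMPLE_NOERROR, 0x1234))   # datacentre answer
    print(parse_response(SAMPLE_REFUSED, 0x1234))   # resolver refusing CHAOS
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        print(query_dot())
```

A REFUSED rcode with no answer means the server you reached does not serve the CHAOS class at all (typical of a local forwarder), so it tells you nothing about which upstream is in use; sending the same query directly over port 853 removes the local resolver from the path and shows whether the TLS forwarder itself answers.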

I don't understand, is this not the right place for issues? And the test page?


It is the right place, but the issue does not appear to be with the DNS service in this case but rather your setup/router.


What do you see wrong with my setup? And how did you troubleshoot that it's not the DNS service?


Well, your setup does not appear to contact Cloudflare in the first place.


How about this log: https://snag.gy/zh3Lqd.jpg


I am not sure what that log is saying but it would appear as if there was one successful request to Cloudflare and one failed.

Maybe if you can post screenshots of your settings someone familiar with your software might be able to help.



#16 is your computer itself. Do you have some Windows program set up that's supposed to do DoH?

Either way, your computer is not contacting your router's DNS. This may be caused by some antivirus software.


All clients on my network ask unbound on port 53, going through localhost; here is the NAT rule (if you look at the pfSense setup steps, that's what is recommended):

DNS is definitely resolving and contacting servers. The question is why does not show it?


To prove the point:



Non-authoritative answer:
Name: cludflare.com


Unfortunately I can't keep using until all issues are resolved :frowning:
