It’s not working for me, either. Neither is Dig @1.1.1.1
A response to my post on the blog was this:
Due to various reasons 1.1.1.1 does not work for a fraction of the internet. We are working on fixing that. The issues involved include network filters, various devices that use 1.1.1.1 internally, etc. Stay tuned for follow-up blogs, and for now use 1.0.0.1 or our IPv6 addresses 2606:4700:4700::1111, 2606:4700:4007::1001
It goes about two zones into Charter, ten miles away. 1.0.0.1 goes all the way through. L.A. to Minnesota to Virginia. That, uh, seems a long way away.
Yeah, definitely some route optimizations still available. Getting it announced by some folks was fun… I’d recommend opening a ticket with Charter if they’re your ISP. I’m sure they will thank you for the heads up.
Do you have any mechanism that allows us to verify we set up DoH or DNS-over-TLS correctly?
Maybe something similar to nslookup -type=txt debug.opendns.com.
The response you get from such a query should be trusted just as you would trust an email with an attachment that says “open me, I’m totally not a virus”.
Anyway, you can run ./dnscrypt-proxy -resolve example.com. Among other things, it will return the “Resolver IP”. You can then check that this IP belongs to Cloudflare, for example on https://iptoasn.com
Another way is to temporarily stop the proxy. If you can’t resolve anything any more, you were obviously using it, and your queries are not leaking through another path.