How do I Confirm DNS-over-HTTPS is Working?

Background
I installed Pihole v5.0 and Cloudflared v2020.5.1 onto a Raspberry Pi 3B+. I am able to access the internet without issue. I’m new to this whole world of networking, but competent with coding.

Question
How can I confirm that the DNS-over-HTTPS is working and that my DNS queries are encrypted?

Have you tried https://1.1.1.1/help ?

I have visited https://1.1.1.1/help, and this is the output:

Debug Information

Connected to 1.1.1.1 No
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) No
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center DEN

Connectivity to Resolver IP Addresses

1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No

I would interpret this to mean it’s not working.
However, I wasn’t sure if the following two considerations would impact the result:

  1. I’m using Pihole in conjunction with Cloudflared
  2. I’m using Google Chrome

Update
I downloaded Wireshark (https://www.wireshark.org) and learned the basics of it. I can now see which traffic is and isn’t encrypted.

The only way I can get encrypted traffic is by using Firefox, and changing the DoH setting to be Cloudflare.

That means Firefox is bypassing your PiHole. Where did you install Wireshark? Your devices are supposed to be using your PiHole’s IP address for DNS. I don’t know how to test a Raspberry for DoH without actually firing up a browser. Maybe another @MVP has gone through this.

Obvious point, but when using Wireshark make sure you’re checking the traffic between pihole and 1.1.1.1 and not between your local host and pihole (which will always be unencrypted unless you use DoH in Firefox, but that defeats the purpose of having pihole). The best way to do this is to get a tcpdump on your pihole or router and pipe it back into Wireshark for analysis.

Also, again obvious, make sure your client is using your pihole IP only for DNS and isn’t also set up with 1.1.1.1 as secondary. Purging the DNS cache (manually or just via a reboot) will also be necessary as you test between changes.

Personally I prefer to use the tool dnscrypt-proxy over cloudflared to provide the DoH ‘bridge’. If you continue to have trouble, consider trying that. It’s awesome and there are plenty of guides on integrating it into a pihole setup.

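The capture check suggested in the reply above, as an added example that is not part of the original thread: it sorts the text output of `tcpdump -nn 'port 53 or port 443'` into the paths discussed here (client to Pi-hole, Pi-hole to resolver, and clients going around the Pi-hole). The Pi-hole address 192.168.1.2, the function names and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Cloudflare resolver addresses, as listed in the 1.1.1.1/help output in this thread.
RESOLVERS = {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"}
# Matches "<time> IP[6] <src>.<port> > <dst>.<port>: ..." as printed by `tcpdump -nn`.
PACKET = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")

# Constructed sample capture (not real traffic); the Pi-hole is assumed to be 192.168.1.2.
SAMPLE = """\
10:00:00.000001 IP 192.168.1.50.51000 > 192.168.1.2.53: 4660+ A? example.com. (29)
10:00:00.010000 IP 192.168.1.2.40000 > 1.1.1.1.443: Flags [P.], seq 1:120, ack 1, win 502, length 119
10:00:00.030000 IP 1.1.1.1.443 > 192.168.1.2.40000: Flags [P.], seq 1:200, ack 120, win 64, length 199
10:00:00.031000 IP 192.168.1.2.53 > 192.168.1.50.51000: 4660 1/0/0 A 203.0.113.10 (45)
10:00:05.000000 IP 192.168.1.50.51001 > 1.0.0.1.53: 4661+ A? example.org. (29)
10:00:06.000000 IP 192.168.1.50.52000 > 1.1.1.1.443: Flags [P.], seq 1:90, ack 1, win 502, length 89
""".splitlines()


def classify(lines, pihole_ip):
    """Count request packets in a `tcpdump -nn` text capture by DNS path."""
    counts = {k: 0 for k in ("lan_query", "upstream_doh", "upstream_plain",
                             "bypass_plain", "bypass_doh")}
    for line in lines:
        m = PACKET.match(line)
        if not m:
            continue  # not a numeric IP packet line (ARP, capture without -nn, ...)
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        try:
            dst_is_lan = ipaddress.ip_address(dst).is_private
        except ValueError:
            continue  # destination printed as a hostname; rerun tcpdump with -nn
        if src == pihole_ip:
            if dport == 53 and not dst_is_lan:
                counts["upstream_plain"] += 1  # Pi-hole forwarding in cleartext
            elif dport == 443 and dst in RESOLVERS:
                counts["upstream_doh"] += 1    # TLS to the resolver, consistent with DoH
        elif dst == pihole_ip and dport == 53:
            counts["lan_query"] += 1           # client -> Pi-hole, expected cleartext
        elif dport == 53 and not dst_is_lan:
            counts["bypass_plain"] += 1        # client has another DNS server configured
        elif dport == 443 and dst in RESOLVERS:
            counts["bypass_doh"] += 1          # browser DoH going around the Pi-hole
    return counts


def upstream_encrypted(counts):
    """True when the Pi-hole reached the resolver on 443 and sent no cleartext port 53."""
    return counts["upstream_doh"] > 0 and counts["upstream_plain"] == 0
```

Port 443 traffic to a resolver address is consistent with DoH but does not show the payload, so a nonzero `bypass_plain` or `upstream_plain` count is the stronger signal that something is still leaving in cleartext.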

Thank you both for the replies and help.
As I mentioned, I’m a little new to this…

So, by using either cloudflared or dnscrypt-proxy, the encryption is only between the pihole and the DNS resolver? There would be no encryption between my computer and the router/pihole, correct?
