Pihole DOH with Cloudflare

Hi,

I have followed all of the Pihole over DOH with Cloudflared steps on https://docs.pi-hole.net/guides/dns-over-https/ and it was super easy.

However, upon visiting 1.1.1.1/help it says I am not connected via DOH or TLS.

I am indeed able to resolve on both port 53 (Pi) and 5353 (Cloudflared); however, the help page says:

Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center ORD
Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No

How is it that I am resolving on 5353 (Cloudflared) but not utilizing DOH/DOT?

Here is the help URL:
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJPUkQiLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

I figured it out. Had to turn off DNSSEC in the PiHole settings.

You don’t need to turn DNSSEC off to use DoH.

(Unless Pi-holes have some weird issue I don’t know about.)

However, if you have local DNSSEC validation on, the 1.1.1.1 help page has trouble detecting whether you’re using DoH or not.

You might want to turn DNSSEC validation back on, and either hope DoH is working right, or confirm it by running tcpdump on your Pi-hole or something.

Can you kindly provide any steps for validating DOH with tcpdump? I will turn DNSSEC validation back on.

I don’t have any very specific ideas, sorry.

I would do something like `tcpdump port 53` to make sure that unexpected DNS queries aren't going out to the Internet over port 53, and `tcpdump port 443` (or whatever port DoH uses) to verify that there is some traffic.
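An added example of the two checks suggested above, not code from the thread or from Pi-hole: it classifies `tcpdump -n` text lines into expected LAN DNS, plaintext DNS leaving for the Internet on port 53 (the leak to look for), and port 443 traffic to the DoH resolver IPs (the evidence DoH is in use). The sample capture is constructed, the LAN is assumed to be 192.168.1.0/24, the resolver IPs are assumed to be 1.1.1.1 and 1.0.0.1, and only IPv4 lines are parsed.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -n -i eth0 'port 53 or port 443'` output (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.1.50.51234 > 192.168.1.10.53: 1234+ A? example.com. (29)
12:00:01.000300 IP 192.168.1.10.41000 > 1.1.1.1.443: Flags [P.], seq 1:140, ack 1, win 501, length 139
12:00:01.000900 IP 1.1.1.1.443 > 192.168.1.10.41000: Flags [P.], seq 1:300, ack 140, win 501, length 299
12:00:01.001200 IP 192.168.1.10.53 > 192.168.1.50.51234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:02.000100 IP 192.168.1.10.39000 > 8.8.8.8.53: 4321+ A? leak.example. (30)
12:00:03.000100 IP 192.168.1.50.52000 > 104.16.0.1.443: Flags [S], seq 0, win 64240, length 0
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the Pi-hole's LAN
DOH_RESOLVERS = {ipaddress.ip_address("1.1.1.1"), ipaddress.ip_address("1.0.0.1")}  # assumption
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+):")  # IPv4 lines only

def classify(capture: str) -> dict:
    """Count DoH evidence and plaintext-DNS leaks in tcpdump text output."""
    counts = Counter()
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # IPv6, ARP, or non-matching line: skipped
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == 53:
            if dst_ip in LAN or dst_ip.is_loopback:
                counts["lan_dns"] += 1        # client -> Pi-hole: expected
            else:
                counts["plaintext_leak"] += 1  # plaintext DNS leaving the LAN: unexpected
                leaks.append(line)
        elif dport == 443 and dst_ip in DOH_RESOLVERS:
            counts["doh_to_resolver"] += 1    # ordinary HTTPS to other hosts is not counted
        elif sport == 443 and src_ip in DOH_RESOLVERS:
            counts["doh_from_resolver"] += 1
    return {"counts": dict(counts), "leaks": leaks}

def doh_verdict(result: dict) -> bool:
    """True only if DoH traffic was seen and no plaintext DNS left the LAN."""
    c = result["counts"]
    return c.get("doh_to_resolver", 0) > 0 and c.get("plaintext_leak", 0) == 0

if __name__ == "__main__":  # e.g. sudo tcpdump -n -l -i eth0 'port 53 or port 443' | python3 doh_check.py
    res = classify(sys.stdin.read())
    print(res["counts"], "DoH only:", doh_verdict(res), *res["leaks"], sep="\n")
```

With the constructed sample the verdict is False because of the query to 8.8.8.8 on port 53; a correctly configured Pi-hole should show only LAN DNS plus port 443 traffic to the resolver.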
