Setting up pfSense for DNS over TLS

Here is my pfSense configuration:

Here are the results:
https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IllVTCIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9

I’m unsure what’s wrong with my config. I can see with packet capture that the DNS requests do use port 853 and go over 1.1.1.1 correctly. Also, using dnsleaktest I only see Cloudflare DNS servers around my area (Montreal).

I’m adding the openssl commands suggested from the “Read Me First” post:
https://pastebin.com/x2BZXzUa

I don’t se any reason why it shouldn’t work. Did you check your client config?

What do you mean by client? Like the laptop I’m testing with? According to ipconfig, the DNS is server by the pfSense box. I did flush the local DNS cache just to be sure and I also disabled the local cache on pfSense just in case. I ran the dig/openssl commands from the pfSense box directly however since openssl isn’t installed on my Windows laptop.

I do see the requests going to 1.1.1.1:853 through packet capture. I was running the test on Google Chrome, decided to give Firefox a shot after reading something weird about Chrome proxying their DNS requests but the issue is also present with Firefox (the webpage just doesn’t work at all with IE11 for some reasons).

I also posted on Reddit (r/pfsense) and others mentionned that everything seems to be working fine on their network with DNS requests going to 1.1.1.1:853 even though that same test says otherwise.

Just installed OpenSSL on Windows, I do get an error:

C:\Program Files (x86)\GnuWin32\bin>openssl.exe s_client -connect 1.1.1.1:853
Loading 'screen' into random state - done
CONNECTED(000001D0)
4224:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:./ssl/s23_clnt.c:580: