Simple questions: CloudFlare DNS-over-TLS

I have seen this in other discussions, but I really don’t know what could cause that issue… @cs-cf help!

This seems strange as well, are you sure that Simple DNSCrypt is not running? Cloudflare’s DNS should reply here.

I tested on a clean computer, no SimpleDNSCrypt (DNSCrypt) at all.

Are there additional DNS servers set in network settings? If the second query fails due to the SSL error, it should not answer even in the first case.

Windows IPV4 by default was set to “automatically obtain DNS”. I manually changed to 127.0.0.1, and nothing more. No additional DNS.
Also as I mentioned, I tested with dnsleaktest.com, and Cloudflare is the unique DNS that appears.

It seems really strange, probably someone from the engineering team that worked on Cloudflared should work with you and take a look. Any help with that @ryan and @cs-cf (sorry for the double mention)?

1 Like

My guess is you can’t actually connect to 1.1.1.1. Taking everything out of the equation and using a machine which doesn’t have Simple DNSCrypt configured can you visit http://1.1.1.1 ?

You might check the normal troubleshooting steps here:

And also try both

nslookup -class=chaos -type=txt id.server 1.0.0.1
nslookup -class=chaos -type=txt id.server 1.1.1.1

1 Like

Incredibly, in all these replies we never actually verified that… But if he was connecting to Cloudflare’s DNS via DNS-over-TLS, shouldn’t they be the same IPs?

You mean DoH right? I think it actually uses a different IP address. We were piloting that service months before we announced 1.1.1.1. So unless we updated something post release my guess is it points to another Cloudflare IP.

Hi @cs-cf !

Visiting https://1.0.0.1/, it works perfectly going to Cloudflare webpage.

But visiting http://1.1.1.1, it opens the VIVO (Telefonica Brazil) gateway GUI (Modem/Router MitraStar GPT-2541GNAC-N1).

Here are the two nslookup you asked:

PS C:\WINDOWS\system32> nslookup -class=chaos -type=txt id.server 1.0.0.1
Server: 1dot1dot1dot1.Cloudflare-dns.com
Address: 1.0.0.1

Non-authoritative answer:
id.server text =

    "gru02"

PS C:\WINDOWS\system32>

PS C:\WINDOWS\system32> nslookup -class=chaos -type=txt id.server 1.1.1.1
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 1.1.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
PS C:\WINDOWS\system32>

Based on that you should remove 1.1.1.1 from your list of servers in the DNScrypt app. Your router is incorrectly hijacking the 1.1.1.1 address and so you are unable to resolve against Cloudflare. Using just the 1.0.0.1 address you can test and see if it works without error.

You may also be able to use the IPv6 addresses of Cloudflare’s resolver…

1 Like
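
An added example, not from the thread or from Cloudflare: the `id.server` CHAOS TXT check that the two nslookup commands perform, written in Python so that a timeout on 1.1.1.1 can be compared with the answer from 1.0.0.1. The function names are this example's own, and `SAMPLE_REPLY` is a constructed response carrying the `gru02` value from the output above.

```python
import socket
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3  # TXT record, CHAOS class

def build_query(qid=0x1234):
    """DNS wire-format query for id.server CH TXT (what nslookup sends)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in ("id", "server")) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_TXT, QCLASS_CHAOS)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_txt(msg):
    """Return the first TXT string in the answer section, or None."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_TXT and rdlen > 0:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
        off += rdlen
    return None

def probe(server, timeout=2.0):
    """Ask one resolver over UDP/53; None means timeout or no usable answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (server, 53))
            return parse_txt(s.recvfrom(512)[0])
        except (OSError, struct.error, IndexError):
            return None

# Constructed reply (not captured traffic): answers the query with TXT "gru02".
SAMPLE_REPLY = (build_query()[:2] + bytes.fromhex("81800001000100000000")
                + build_query()[12:] + b"\xc0\x0c"
                + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 6) + b"\x05gru02")
```

Calling `probe("1.0.0.1")` and `probe("1.1.1.1")` from the affected machine and getting a site code from one and `None` from the other matches the nslookup result above, where only 1.1.1.1 timed out.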

I am not using DNSCrypt.
I am following @matteo’s tutorial, in order to use Cloudflare DoH.

Same issue I would assume. One of the default resolvers you can’t reach, so removing it and leaving the 1.0.0.1 is still probably the way to go.

You need to remove the line with 1.1.1.1 in the config (following my tutorial)

1 Like

OK, understood. Tomorrow I will redo the test, removing 1.1.1.1 (using just 1.0.0.1).
Tomorrow I will be back with the results.
Thank you again @matteo and @cs-cf

1 Like

Choosing “Cloudflare” in the list of resolvers displayed in Simple DNSCrypt doesn’t use 1.1.1.1; only 1.0.0.1.

Understood, I would see why they did that…

Hi @jedisct1 , I would like to stress that SimpleDNSCrypt works perfectly, never was a problem here, zero problems, a fantastic elegant solution. Also it works perfectly with Cloudflare.

However, what I am doing now is using @matteo’s tutorial, in order to test Cloudflare DoH pure (without SimpleDNSCrypt). I want to compare performance (RAM, CPU, internet speed etc) between DNSCrypt and Cloudflare DoH pure (without SimpleDNSCrypt).

It will be great if Cloudflare’s staff gets in touch with you, in order to add SimpleDNSCrypt info in Cloudflare’s tutorials, especially the fact you mentioned yesterday, that SimpleDNSCrypt works with Cloudflare DoH (without needing to install Cloudflare’s executables).

The only issue here is that on your network 1.1.1.1 doesn’t work. Simple DNSCrypt isn’t affected because it doesn’t use it. If you remove that line from the config everything will most likely work.

1 Like

Yes @matteo, tomorrow I will redo the test with your tutorial. Your help and attention have been incredibly useful. Thanks!

However, you already agreed with me that Cloudflare’s tutorials for Windows are messy.

Also, the 1.1.1.1 is not a problem with my network. It is an international Cloudflare issue, all over the world, involving several countries, several internet companies and several modem/routers. And it seems that it is going to take a long time for Cloudflare to solve it.

I am not complaining.
In fact, I am very happy with Cloudflare. And that is the reason I am here struggling trying to learn how to take advantage of the best Cloudflare can offer.
But it is not easy, it is confusing, several Cloudflare issues etc. By admitting problems, Cloudflare will solve them quicker. I believe this is what we are doing here, finding Cloudflare’s problems, solving them, and making Cloudflare better and better.

1 Like

No worries!

That I agree, somebody should be on that though.

Yeah, but it’s not really Cloudflare’s fault though… It’s everybody else that announced IPs that are not theirs!

They admit it though:

1 Like