Using 1.1.1.1 ENCRYPTED from a Zyxel Firewall

Hi,
is there a way to use a VPN tunnel or any other encrypted way from a Zyxel firewall to 1.1.1.1 in order to secure the DNS queries?
A simple use of the 1.1.1.1 is working perfectly, but the queries are not encrypted.

Many thanks for your help

You’d need to check if your device supports DoH or DoT.

I will check this, but in case it does not - the iOS app is establishing a VPN in order to query the DNS - is there a way to do this from a firewall? I did not find any documentation about a manual VPN setup to Cloudflare DNS.

The iOS application does not establish a VPN but poses as a VPN on your phone in order to capture traffic and re-route DNS queries. Internally it will also use either DoH or DoT.

The Warp+ part of the application is a different subject but not strictly DNS related.

I use dnscrypt-proxy to do this on my router (not a Zyxel) although you can also use the cloudflared binary to get to the same goal. If you’re not able to run custom bins on your router, then the easiest way to get secure lookups via 1.1.1.1 would be to maybe put a Pi-hole on your network and set up forwarding requests over DoH on that. The latter also gives you great ad-blocking features (which you can also handcrank with dnscrypt-proxy if you go that route instead).
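Added example, not part of any post in this thread: what a local DoH forwarder does with a query from the LAN, per RFC 1035 and RFC 8484. It takes the same wire-format bytes that would travel in clear on UDP/53 and carries them inside an HTTPS request instead. The endpoint URL and the sample name are assumptions not quoted in the thread, and the script only builds and decodes messages without sending anything.

```python
import base64
import struct

# Assumption: Cloudflare's public DoH endpoint; it is not quoted in the thread.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

def build_query(name, qtype=1, txid=0):
    """RFC 1035 wire-format query, the same bytes a client sends in clear on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").encode("idna").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("invalid label length in %r" % name)
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: unpadded base64url of the message in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + b64

def doh_post_request(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 POST form: the raw message is the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, query

def question_name(query):
    """Read the QNAME back out of a query built above (no name compression used)."""
    labels, pos = [], 12  # skip the 12-byte header
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample name
    print(q.hex())
    print(doh_get_url(q))
    print(question_name(q))
```

On the wire, an observer between the forwarder and the resolver sees only a TLS connection to the DoH host; the queried name is inside the encrypted HTTP request.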

Hi saul,

many thanks.
I opened a request at Zyxel, as the local distributor couldn’t answer the question.
I will look into the Pi-hole solution, this is looking promising.