Verifying Router is using 1.1.1.1


#1

I have (I think!) properly set up my router to use 1.1.1.1. But how do I verify I am actually using 1.1.1.1?

When I look in my Modem (Arris/Motorola SB6141), there is nothing on any of the status pages to show any DNS information. So that is no help.

When I look in my Router (Linksys EA 7500), the page is confusing (for me, anyway). For starters, the DNS information is entered and shown on the “Local Network” tab, not under Internet Settings. There is no place to enter the IPv6 address. And while it does show 1.1.1.1 and 1.0.0.1 for my Static DNS 1 and 2, I cannot verify that is what I am really using.

ipconfig /all shows 192.168.1.1 for my DNS Server which, of course, is my router.

So while I am assuming I am using the 1.1.1.1 resolver, I sure would like to conclusively verify it somehow.

Please note I am not asking about Verifying router settings are working. I know they are working. I just want to verify I am using your resolver and not my ISP’s (Cox).


#2

If you are on macOS:

scutil --dns


#3

Sorry, I meant to put that in my opening post.

No, Windows 10 on all computers, plus an Android phone and tablet.


#4

Do a lookup for ANY towards google.com, it should not reply with anything since they do not support it. Otherwise it should reply with something.

nslookup -type=any google.com

#5

That won’t show what I want. It does not show anything to suggest I am using 1.1.1.1 or 1.0.0.1.


#6

nslookup -type=TXT resolver.dnscrypt.info

This will print the IP address of the resolver you are using.

Check that this is a Cloudflare IP address here: https://iptoasn.com/
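Added example, not part of any post in this thread: the check from the post above, automated in Python. It pulls the "Resolver IP" value out of `nslookup -type=TXT resolver.dnscrypt.info` output and tests it against Cloudflare's published IPv4 ranges. The range list is a snapshot and an assumption of this example, and the sample outputs are constructed around the resolver IPs posters report in this thread.

```python
import ipaddress
import re
import subprocess

# Snapshot of https://www.cloudflare.com/ips-v4 (assumption: refresh before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

# Match only the TXT payload, never the "Server:/Address:" header lines,
# which show the local router (e.g. 192.168.1.1) rather than the real resolver.
RESOLVER_RE = re.compile(r"Resolver IP:\s*([0-9a-fA-F:.]+)")

def extract_resolver_ip(nslookup_output):
    """Return the address in the 'Resolver IP: ...' TXT record, or None."""
    match = RESOLVER_RE.search(nslookup_output)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def classify(nslookup_output):
    """'cloudflare', 'other', or 'no-answer' for one nslookup transcript."""
    ip = extract_resolver_ip(nslookup_output)
    if ip is None:
        return "no-answer"
    in_cf = ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)
    return "cloudflare" if in_cf else "other"

def run_check():
    """Run the live query through the system's configured DNS server."""
    out = subprocess.run(["nslookup", "-type=TXT", "resolver.dnscrypt.info"],
                         capture_output=True, text=True, timeout=15).stdout
    return classify(out)

# Constructed sample transcripts (Windows nslookup layout).
_HEAD = "Server:  UnKnown\nAddress:  192.168.1.1\n\nNon-authoritative answer:\n"
def sample(ip):
    return _HEAD + 'resolver.dnscrypt.info\ttext =\n\n\t"Resolver IP: %s"\n' % ip

if __name__ == "__main__":
    print(run_check())
```

The address reported is the one that contacted the authoritative server for resolver.dnscrypt.info, so a router that caches and forwards queries to 1.1.1.1 still classifies as "cloudflare".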


#7

Okay, I think we are getting somewhere. That shows my Resolver IP is 172.69.67.54 which does indeed resolve to Cloudflare. That works for me. Thanks!


#8

Yes it does. Cloudflare is the only DNS (both authoritative and public) that “rejects” ANY queries, so an empty response to an ANY query towards a domain not “hosted” by Cloudflare indicates that the resolver is CF.


#9

I do wish CF would develop and post on their site a little verification link for users of 1.1.1.1 to quickly check to make sure everything is working. I am NOT a newbie to computers or networking. And I’ve used other DNS services like OpenDNS. But I found this confusing, though in fairness to CF, that was due in part because my Linksys admin menu was not clear - I still don’t understand why the manual DNS settings page is shown under the “Local Network” tab. Pretty sure with my previous router, a NetGear, it was under WAN, which makes sense to me.

I note OpenDNS has a nice little test here that makes it reassuring all is working as expected. I would like to see something similar here.

Anyway, thanks again to all.


#10

I have a question I think is possibly related to this.
I've set my system DNS to CF 1.1.1.1 and 1.0.0.1, but when I test using namebench, it says I should use 1.0.0.1 and 208.67.220.220 as best DNS from my location instead of 200.49.130.51

I searched for the IP that namebench says I'm using as DNS, and it is my ISP's DNS, dncache01-slo1.fibertel.com.ar

Is it possible that my ISP is forcing my connection to use their DNS? And is there any way to check this?

I tried nslookup -type=TXT resolver.dnscrypt.info and it gives me “Resolver IP: 198.41.229.204”, which is CF, but that namebench warning makes me doubt.


#11

Unfortunately, the OpenDNS system is not a reliable way to check that you are actually using the correct resolvers. Quite a lot of open resolvers just forward their queries to Google, OpenDNS, Baidu, Quad9, etc.

So you will see “yes! you’re using OpenDNS!” while you are absolutely not; there is an intermediary here. I know of servers that return their test IP addresses for fun, even though they don’t even forward their traffic to them.

Since Cloudflare requires a client proxy to use DNS-over-HTTP/2, this can be leveraged to perform reliable verification using a simple cryptographic protocol.


#12

Do you have only 1.1.1.1 / 1.0.0.1 configured, both on your device and on your router?

Your ISP can force you to use their DNS, but what is way more common is that the router intercepts all DNS queries in order to cache them and resolve local names. But the router then uses the ISP DNS to actually resolve new names.

Using DNS-over-HTTP/2 instead of plain DNS is a way to avoid this.


#13

Then once again I ask CF for a simple way “normal” (non-techie) users can verify conclusively they really are using CF DNS.


#14

I believe at the moment the best way is the one I proposed (which someone from the team actually confirmed in another thread).


#15

I agree.


#16

Hi Jedisct1. I just changed my DNS settings to that of CF’s and my MacBook was still resolving to my ISP. After restarting my MacBook it resolved fine. Can a similar approach be done on an iPhone to check the resolver IP?


#17

If you are using AdGuard or DNSCloak on the iPhone, you should see the “VPN” icon on top of the screen when secure DNS is enabled.

The “VPN” logo is a bit confusing as this is technically not a VPN, but Apple didn’t implement different logos for different types of tunnels.

You may notice that the VPN logo goes away after some period of inactivity. If you want to always keep the encrypted DNS proxy on, check the “Connect on demand” option in the preferences.

