Hi, I’ve noticed that Windows 11 doesn’t allow me to set “encrypted” for the Cloudflare DNS for Families server settings (18.104.22.168 / 22.214.171.124 and the IPv6 equivalents). So what’s more secure: using 126.96.36.199 with “Encrypted only (DNS over HTTPS)”, or 188.8.131.52 with malware blocking?
Also, should I disable Avast Premium Security’s “Real Site” feature, which prevents DNS hacking by apparently forcing the use of Avast DNS servers? Which Cloudflare server settings would be most comparable to that, 184.108.40.206 encrypted or 220.127.116.11? Any thoughts on which is more secure between Avast and Cloudflare? Can they co-exist?
You can use DoH with 18.104.22.168 for Families too. Have a look at Set up Cloudflare 22.214.171.124 resolver · Cloudflare 126.96.36.199 docs.
Adult Content and Malware Blocking:
Pick one, Avast or Cloudflare, and use that. I’ve not used Avast DNS, but have used Cloudflare’s Malware (i.e. security) one though. Nowadays, I still use Cloudflare for DNS resolution, but do it through their Zero Trust Gateway though.
Thanks for the reply, but I still have some questions. First, I don’t have a DoH-compliant router (it’s an Asus RT-AC88U), but it has a DoT feature. I’ve set my DNS servers to 188.8.131.52 / 184.108.40.206 (no IPv6 settings available) and enabled DoT in the router. I’ve been able to add 4 Cloudflare servers (2 IPv4 and 2 IPv6) with TLS Hostname “security.cloudflare-dns.com” to my “DNS-over-TLS” list with IP addresses 220.127.116.11, 18.104.22.168 and their IPv6 counterparts.
When I go to test on https://22.214.171.124/help it appears the TLS is working, but the Connectivity to Resolver IP Addresses lists 126.96.36.199, 188.8.131.52, etc. (not 184.108.40.206, i.e. 220.127.116.11 for Families). See: https://18.104.22.168/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJZZXMiLCJkYXRhY2VudGVyTG9jYXRpb24iOiJCT1MiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
A FAQ at Community Tip - Best Practices for 22.214.171.124 for Families from 4/1/20 says “We support DoH, we’re working DoT.” Is DoT working for 126.96.36.199 (i.e. 188.8.131.52 for Families) now? I’ve tested a site that should be blocked and it is.
Have I set this up correctly? Is it really working and secure? I need to know before turning off Avast “Real Site”, which supposedly forces use of their secure DNS resolvers in the background…
Btw, I’ve set my DNS settings to Auto in Windows 11 so they pull from the router, because when I manually enter 184.108.40.206, 220.127.116.11 or their IPv6 equivalents, the pull-downs to select encrypted are greyed out to “unencrypted”. So it appears Windows 11 doesn’t think encrypted DoH is available for those DNS servers…
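Windows 11 only offers the encrypted pull-down for resolver addresses it already has a DoH template for, and the Cloudflare for Families addresses are not pre-populated. The following is an added example, not code from the thread or from Cloudflare, that registers the malware-blocking resolvers as known DoH servers from an elevated PowerShell prompt. It assumes the adapter is called `Ethernet` and uses Cloudflare’s published malware-blocking addresses and DoH template (the addresses quoted in this thread appear to have been altered, so they are taken from Cloudflare’s docs instead).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or Cloudflare): make Windows 11 treat the
# Cloudflare malware-blocking resolvers as DoH-capable so "Encrypted only" is selectable.

# Assumption: the adapter alias to configure; list yours with Get-NetAdapter.
$InterfaceAlias = 'Ethernet'

# Cloudflare's published malware-blocking ("security") resolvers and DoH template,
# assumed from Cloudflare's documentation rather than taken from this thread.
$DohTemplate = 'https://security.cloudflare-dns.com/dns-query'
$Servers = @('1.1.1.2', '1.0.0.2', '2606:4700:4700::1112', '2606:4700:4700::1002')

foreach ($addr in $Servers) {
    # Windows only shows the encrypted option for addresses present in this table.
    # 1.1.1.1 / 1.0.0.1 ship pre-registered; the Families addresses do not.
    $known = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $addr
    if (-not $known) {
        # AutoUpgrade: use DoH whenever this address is configured.
        # AllowFallbackToUdp $false: never silently drop back to plaintext port 53.
        Add-DnsClientDohServerAddress -ServerAddress $addr -DohTemplate $DohTemplate `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    }
}

# Point the adapter at those resolvers directly (instead of pulling them from the router).
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
Clear-DnsClientCache

# Show what Windows now knows about these addresses.
Get-DnsClientDohServerAddress |
    Where-Object ServerAddress -in $Servers |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade

# Resolve a name through the DNS client service so the DoH configuration is exercised.
Resolve-DnsName -Name example.com -Type A | Format-Table Name, Type, IPAddress

# Heuristic check: after the query, the resolver should be reached over TCP 443 (DoH),
# and nothing should be talking to it on port 53.
Get-NetTCPConnection -RemotePort 443 -ErrorAction SilentlyContinue |
    Where-Object RemoteAddress -in $Servers |
    Format-Table LocalAddress, RemoteAddress, State
```

After running this, the DNS encryption pull-down in Settings should no longer be greyed out for these addresses and “Encrypted only (DNS over HTTPS)” can be chosen; `netsh dns show encryption` prints the same table as `Get-DnsClientDohServerAddress` if you prefer to check from a plain command prompt. For the adult-content-plus-malware variant, swap in the `family.cloudflare-dns.com` template and addresses from the same Cloudflare page.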
These are the various DoT hostnames for 18.104.22.168…
Set up Cloudflare 22.214.171.124 resolver · Cloudflare 126.96.36.199 docs
188.8.131.52 for Families — Adult Content and Malware Blocking:
184.108.40.206 for Families — Malware Blocking:
The 220.127.116.11 debug information you provided shows that you’re connected using DoT.
Previously I had set 18.104.22.168/22.214.171.124 as my DNS servers in my router and had set the DoT hostname to just “cloudflare-dns.com” at IP 126.96.36.199, etc., per the Asus preset servers. When I changed to the Families DNS servers in the router (188.8.131.52, etc.) I changed the DoT hostname to security.cloudflare-dns.com (as you listed above) but set the associated IP for those hostnames to 184.108.40.206, etc. My remaining question is, are those DoT servers set up correctly using those 220.127.116.11 for Families IP addresses (e.g. 18.104.22.168, etc.)?
The security hostnames look all right, but you should remove the first 22.214.171.124 entry in your server list. I assume you don’t inadvertently want some of your DNS queries going to the regular 126.96.36.199 resolver and want them all to go to the security one.
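The question above is really whether each IP/TLS-hostname pair in the router’s DoT list is consistent: the resolver at that address must present a certificate valid for `security.cloudflare-dns.com`, and it must answer queries with the blocking behaviour expected of the security resolver. The following is an added check, not code from the thread or from Cloudflare, that does exactly that from a Windows machine: it opens a TLS session to port 853, lets .NET validate the certificate chain and hostname, sends one A query framed as RFC 7858 requires, and reports the answers; an answer of `0.0.0.0` is the response Cloudflare for Families returns for a blocked name. The address used in the usage line is Cloudflare’s published malware-blocking resolver, assumed from its docs; the `Invoke-DotQuery`, `Read-Exactly` and `Skip-Name` names are this example’s own.

```powershell
# Added example (not from the thread or Cloudflare): verify a DoT resolver's
# IP/hostname pairing and observe what it answers for a given name.

function Read-Exactly([System.IO.Stream]$Stream, [int]$Count) {
    # Stream.Read may return fewer bytes than asked; loop until the frame is complete.
    $buf = [byte[]]::new($Count); $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw 'connection closed before the DNS message was complete' }
        $got += $n
    }
    return ,$buf
}

function Skip-Name([byte[]]$Msg, [int]$Pos) {
    # Advance past a DNS name: label sequence terminated by 0, or a 2-byte compression pointer.
    while ($true) {
        $len = $Msg[$Pos]
        if ($len -eq 0) { return $Pos + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Pos + 2 }
        $Pos += $len + 1
    }
}

function Invoke-DotQuery {
    param(
        [Parameter(Mandatory)][string]$Address,      # resolver IP from the router's DoT list
        [Parameter(Mandatory)][string]$TlsHostname,  # TLS hostname configured for that IP
        [string]$Name = 'example.com',               # constructed sample name to look up
        [int]$Port = 853
    )
    $family = [System.Net.IPAddress]::Parse($Address).AddressFamily   # works for IPv4 and IPv6
    $client = [System.Net.Sockets.TcpClient]::new($family)
    try {
        $client.Connect([System.Net.IPAddress]::Parse($Address), $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Throws unless the server presents a trusted certificate valid for $TlsHostname,
        # which is exactly the check the router relies on to detect a wrong IP/hostname pair.
        $ssl.AuthenticateAsClient($TlsHostname)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

        # Build a minimal query: 12-byte header with RD set, one question of type A, class IN.
        $id = Get-Random -Minimum 1 -Maximum 65535
        [byte[]]$msg = @(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0)
        foreach ($label in $Name.TrimEnd('.').Split('.')) {
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
            $msg += [byte]$bytes.Length
            $msg += $bytes
        }
        $msg += @(0, 0, 1, 0, 1)
        # DoT prefixes every message with a 2-byte big-endian length (RFC 7858).
        $frame = [byte[]](@(($msg.Length -shr 8), ($msg.Length -band 0xFF)) + $msg)
        $ssl.Write($frame); $ssl.Flush()

        $lenBuf = Read-Exactly $ssl 2
        $resp = Read-Exactly $ssl ((($lenBuf[0] -shl 8) -bor $lenBuf[1]))
        if (((($resp[0] -shl 8) -bor $resp[1])) -ne $id) { throw 'transaction id mismatch' }
        $rcode = $resp[3] -band 0x0F
        $ancount = ($resp[6] -shl 8) -bor $resp[7]

        # Skip the echoed question, then walk the answer section collecting A records.
        $pos = Skip-Name $resp 12
        $pos += 4
        $answers = @()
        for ($i = 0; $i -lt $ancount; $i++) {
            $pos = Skip-Name $resp $pos
            $type  = ($resp[$pos] -shl 8) -bor $resp[$pos + 1]
            $rdlen = ($resp[$pos + 8] -shl 8) -bor $resp[$pos + 9]
            $pos += 10
            if ($type -eq 1 -and $rdlen -eq 4) { $answers += ($resp[$pos..($pos + 3)] -join '.') }
            $pos += $rdlen
        }
        [pscustomobject]@{
            Address     = $Address
            TlsHostname = $TlsHostname
            TlsProtocol = $ssl.SslProtocol
            CertSubject = $cert.Subject
            CertExpires = $cert.NotAfter
            Name        = $Name
            Rcode       = $rcode
            Answers     = $answers
            Blocked     = ($answers -contains '0.0.0.0')   # Families resolvers answer 0.0.0.0 for blocked names
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: run this for every IP in the router's DoT list with the hostname you paired it with.
Invoke-DotQuery -Address 1.1.1.2 -TlsHostname security.cloudflare-dns.com -Name example.com
```

If a pairing is wrong (for example the plain `cloudflare-dns.com` name attached to a security address, or vice versa) `AuthenticateAsClient` fails with a name-mismatch error before any query is sent, which is the failure the router would also hit. Running the same call against a name you expect the security resolver to block should report `Blocked = True`, while the same name against the regular resolver should return real addresses; that side-by-side is the clearest confirmation that queries are actually leaving through the security endpoint and not the regular one.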