qdm12 / dns

Docker DNS server on steroids to access DNS-over-TLS from Cloudflare, Google, Quad9, Quadrant or CleanBrowsing
https://hub.docker.com/r/qmcgaw/cloudflare-dns-server
MIT License

DoT test returns false & How to test properly #90

Closed ex0nuss closed 2 years ago

ex0nuss commented 2 years ago

Hi,

thanks for your work. Your image is super easy to set up!

I wanted to test if DoT works properly. Therefore I used this website: https://tenta.com/test/?utm_source=blog (Section ADVANCED DNS LEAK TEST). Unfortunately it says that "TLS Enabled" is false. Now I am concerned if DoT works properly... I tried it both with v1 and v2 resulting in the same error.

Is there any way that I can test DoT?

Thanks in advance :) Regards, Max

qdm12 commented 2 years ago

Hi Max,

I checked the website and it gives the right Upstream DNS servers I'm using, and says DoT is off for me as well. It also says DNSSEC is enabled, although I didn't implement it in the v2 beta yet. My guess is, because your device is not directly using DoT (you use plaintext DNS to your DNS container which handles the encryption), it's not detected.

For the v1, I'm 99% sure DoT works and I'm 100% sure it works for the v2.0.0-beta since I coded it myself 😄 You could also try DoH on the v2.0.0-beta to see what happens.

Also maybe have a look at https://github.com/qdm12/dns#verify-dns-connection
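A browser-side leak test only sees the plaintext leg from your device to the container, so it cannot tell whether the container's upstream leg is encrypted. An added example (not part of this project's code) that checks the encrypted leg the way the container does: a minimal RFC 7858 DNS-over-TLS client that frames a query with the two-octet length prefix, sends it to port 853 with certificate and hostname verification, and parses the A records out of the reply. `server_ip` and `server_name` are whatever upstream your container is configured with (for Cloudflare that is 1.1.1.1 with TLS name `cloudflare-dns.com`); the name and query are hypothetical inputs you choose.

```python
import random, socket, ssl, struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: random ID, RD flag set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", random.randrange(0x10000), 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_tls(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg  # RFC 7858: two-octet length prefix per message

def _skip_name(resp: bytes, pos: int) -> int:
    """Offset just past a name; a compression pointer (top two bits set) is 2 bytes and final."""
    while resp[pos] and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section (empty on a non-zero RCODE)."""
    _, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if flags & 0x000F:  # RCODE != NOERROR (e.g. NXDOMAIN, SERVFAIL)
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_query(name: str, server_ip: str, server_name: str) -> list:
    """Resolve `name` straight over TLS on port 853, verifying the resolver's certificate."""
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tls(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            resp = b""
            while len(resp) < length and (chunk := tls.recv(length - len(resp))):
                resp += chunk
            if len(resp) != length:
                raise ConnectionError("resolver closed the stream before the full answer")
            return parse_a_records(resp)
```

If `dot_query("example.com", "1.1.1.1", "cloudflare-dns.com")` returns addresses, the TLS handshake, certificate check and 853 exchange all worked; a wrong `server_name` or an intercepting middlebox fails the handshake instead of silently falling back to plaintext.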

ex0nuss commented 2 years ago

Hi,

thx for the super quick reply, wow!

Okay, so I don't need to worry :) Your link for verifying the connections was successful. Just wanted to make some extra checks.

Does DoH have any downsides compared to DoT?

qdm12 commented 2 years ago

Well...

In my implementation, DoH uses DoT from time to time (once every 3 minutes usually) to resolve the DoH domain name. And the HTTP protocol adds some overhead (only noticeable for huuge workloads though). The main/only advantage of DoH is that it goes over port 443 which goes unnoticed (except the periodic DoT requests). I dislike when my router tells me I have DoT traffic going through on port 853.

Basically, if you don't want your ISP to know you use encrypted DNS, use DoH. If you don't care and you're here for saving half a millisecond, use DoT 😄