DoH problem in bsnl adsl.

[supukabi]

So I have an iPad 6th gen recently I switched to next dns to take the benefits of doh supported by latest IPad os 14. I have downloaded their config profile and installed but in the WiFi section under my WiFi connection it shows privacy warning when I opened that it is showing “this network is blocking encrypted DNS traffic”. I am so confused I am using D-Link 2730u can any one of you help me on this also how to know that my DoH is working fine any test.
here is the image
Source

 

[JB701]

This is normal

Reddit - Dive into anything

www.reddit.com

 

[supukabi]

@JB701 so it’s perfectly fine also can you recommend a good dns for bsnl adsl broadband or what dns do you use.

 

[JB701]

yep.

you could use Google DNS. It works well on almost every ISP.

I'm myself running AdGuard Home on my router for local DNS Blocking,

 

[Sushubh]

i am confused. the warning should appear if a pi-hole type device/service is in the middle blocking encrypted dns so that it could block some domains.

if he is not using a pi-hole, why would the error come for him?

 

[JB701]

He said he is using NextDNS (unencrypted possibly?)

That said encrypted DNS can't be blocked simply by domain name. For example, tls://1.1.1.1 will still work even with DNS Blocking as it's using IP instead of domain name.

I Reddit post says "The warning disappeared after enabling DoT settings in unbound". So that means it only shows up when DoT/DoH isn't enabled. I don't have an Apple device so I can't test it myself sadge.

 

---

[pillaicha]

I can’t understand why he is facing the issue. Is his ISP blocking DoT itself? It’s possible if you just block the default DoT port to all domains/IPs. DoT is designed to fall back to classic DNS over port 53 if it is blocked. So the Internet still works and none is any wiser, till such a warning shows up. He has simply said he got the NextDNS profile installed and I am assuming it is a VPN profile for his iPadOS.

 

[JB701]

hmm one way to find that out would be with wireshark with tcp.port==853 || udp.port==853 || tcp.port==53 || udp.port==53 filter.

i don't know how likely that Dot blocking is with BSNL.

With a local AdguardTeam/dnsproxy on my PC with three DoT upstreams and Port 853 blocked on my router, I got timeouts. I guess other implementation will be different though.

On Android, when I block DoT Port 853 and enable "Private DNS" in settings. It gives me a notification "Private DNS Server cannot be accessed" and the internet doesn't work at all.