Device DNS over TLS and DNS over HTTPS don't work when connected to my network.

Started by WaveSense, January 02, 2025, 07:21:55 PM

Hello!

So I have DNS over TLS set up in OPNsense and it's working fine when connecting to the network (primarily over Wifi), as long as:
1. In Chromium on my laptop, the DNS provider setting is set to "OS default (when available)"
2. In Android, the Private DNS setting is set to "Automatic"

However, if I attempt to add a DNS over TLS or DNS over HTTPS domain to those devices to override the DNS of the network, it just doesn't work. For instance:
1. In Chromium on my laptop, if I add "https://security.cloudflare-dns.com/dns-query" to the DNS provider setting, it tells me "Please verify that this is a valid provider or try again later".
2. In Android, if I add "security.cloudflare-dns.com" to the Private DNS settings, it disconnects me from Wifi with the following error: "Private DNS server cannot be accessed".

The problem is, I want to set the DNS locally on these devices so that when I'm traveling around and connecting to mobile networks or public Wifi I'm still using the private DNS (It's actually to the same DNS provider that I have configured on the router).

This was working fine about a week ago (I've been away from my network for a bit, but I've reset it a few times just to make sure it wasn't a quirk), but suddenly has stopped functioning. I'm not sure if there's some setting that would block devices on the network from contacting DNS resolvers directly? Thought it would be best to come here and see if anyone had an idea of what might be going wrong.

It's probably worth noting that even if I turn Unbound off and use the "System: Settings: General" DNS Servers, it still does this. So my suspicion is the Firewall, I just can't imagine why.

Welp I figured it out, it doesn't look like I can delete my post so I'll just use this to let people know what it was in case anyone else runs into this issue. :)

So, I had the following block list in my Firewall:
https://github.com/hagezi/dns-blocklists/blob/main/ips/doh.txt

Which contains numerous bootstrap IPs for various DNS over TLS/HTTPS services. I had totally forgotten about it, but the reason that it hadn't affected me before this is that I was on a home network that supported IPv6 - so I think the IPv6 bootstrap was being used instead. However I'm on a new network now that doesn't support IPv6, and so the only option it has to connect is via IPv4 - and thus it's now hitting this block list.

Anyway the fix was simple, I just made it so the specific IP for the DNS bootstrap I'm using is allowed before this block list is hit on the priority list.
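The failure described in this thread (a bootstrap IP block list that only bites once the IPv6 path disappears) is easy to check for before a device starts failing. The script below is an added example, not the poster's code or anything from the hagezi project: it parses a doh.txt-style list (one address or CIDR per line, `#` comments), reports which of a resolver's bootstrap addresses are covered, and says whether the resolver would still work on a dual-stack versus an IPv4-only network. The block list contents and the resolved addresses are constructed from documentation ranges, not real provider IPs.

```python
"""Check whether a DoH/DoT bootstrap address set survives an IP block list."""
import ipaddress

# Constructed sample in the doh.txt style (documentation ranges, not the real list).
SAMPLE_BLOCKLIST = """\
# DoH/DoT bootstrap IPs (constructed sample)
192.0.2.10
192.0.2.0/28
2001:db8:cafe::1
"""


def parse_blocklist(text):
    """Parse one IP or CIDR per line; skip blanks, comments and malformed lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # stray entry in the list; ignore rather than abort
    return nets


def blocked_by(addr, nets):
    """Return the first block-list entry (as a string) covering addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def resolver_usable(bootstrap_addrs, nets, ipv6_available):
    """True if at least one reachable (by IP family) bootstrap address is not blocked."""
    for addr in bootstrap_addrs:
        if ipaddress.ip_address(addr).version == 6 and not ipv6_available:
            continue  # no IPv6 on this network, so this candidate never helps
        if blocked_by(addr, nets) is None:
            return True
    return False


def report(bootstrap_addrs, nets):
    """Per-address verdicts plus usability on dual-stack and IPv4-only networks."""
    return {
        "verdicts": {a: blocked_by(a, nets) for a in bootstrap_addrs},
        "dual_stack": resolver_usable(bootstrap_addrs, nets, True),
        "ipv4_only": resolver_usable(bootstrap_addrs, nets, False),
    }


if __name__ == "__main__":
    # Constructed A/AAAA answers for a DoH hostname: the v4 one is on the list.
    print(report(["192.0.2.10", "2001:db8:beef::1"], parse_blocklist(SAMPLE_BLOCKLIST)))
```

Feed it the real list and the addresses your provider's hostname resolves to, and an `ipv4_only` of `False` is exactly the "works at home, breaks on an IPv4-only network" case from the post.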