DNS Server Setup - All Devices on Quad9 except one on Cloudflare - Why?

Started by Gizmo, June 08, 2024, 01:44:46 AM

Hi all,

Recently I've noticed one device, my iPhone on my home private network, uses Cloudflare DNS servers, even though my OPNsense setup is set to use Quad9 DoT. Everything on my network successfully uses Quad9 DoT, except my phone, bizarre.

Testing methods
On my phone, when carrying out DNS leak tests, Cloudflare servers show up. When using other devices such as my laptop, DNS leak tests and the "Am I on Quad9" page show I'm using Quad9.

General setup notes
OPNsense firewall/gateway > Omada switch > Omada EAPs
System DNS set to 9.9.9.9 and 149.112.112.112 (Quad9 servers)

Unchecked for allow DNS to be overridden
Unchecked "Do not use local DNS..."
Unchecked allow default gateway switching

Unbound enabled
DNS over TLS enabled for both IPv4 and IPv6 Quad9 servers

VLANs and DNS Setups
Omada - DNS for DHCP set to Quad9
IoT - DNS for DHCP set to Quad9
Private - DNS for DHCP set to Quad9
Guest - DNS for DHCP set to Google
Smart TV - DNS for DHCP set to NordVPN

Any advice welcomed.

Simple. The device is not respecting what DNS server the DHCP server gives it to use. It's hardcoded to use something else.
What to do? Create a firewall rule to force it. A quite old resource, https://labzilla.io/blog/force-dns-pihole, but a search for "hardcoded dns" will give you plenty of links.
As per that link, it needs an rdr rule to your DNS "server", Unbound.

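As an added illustration of the redirect rule the reply above describes (this is not from the linked article or from OPNsense's own documentation), the fragment below is the pf syntax equivalent of an OPNsense port-forward rule with "Destination / Invert" set. The interface name `vlan10`, the client subnet `192.168.10.0/24` and the Unbound address `192.168.10.1` are assumptions for a VLAN where OPNsense is the gateway and Unbound listens on port 53.

```pf
# Added example, not from the thread. Interface, subnet and addresses are assumed.

# Plain DNS (port 53, UDP and TCP): any query from the VLAN that is NOT already
# addressed to Unbound is rewritten so it lands on Unbound. A client with a
# hardcoded resolver (1.1.1.1, 8.8.8.8, ...) still gets an answer, but from Unbound.
rdr pass on vlan10 inet proto { udp tcp } from 192.168.10.0/24 to ! 192.168.10.1 port 53 -> 192.168.10.1 port 53

# DNS over TLS (port 853) cannot be rewritten, because the TLS certificate would
# not match. Block it so such clients fall back to the DHCP-supplied resolver.
block drop in quick on vlan10 inet proto { udp tcp } from 192.168.10.0/24 to any port 853
```

In the OPNsense GUI the first rule corresponds to Firewall > NAT > Port Forward on the VLAN interface, protocol TCP/UDP, destination port 53 with the destination inverted and the redirect target set to the firewall's own address. Note the limit of this approach: DNS over HTTPS shares port 443 with ordinary web traffic, so a client that pins a DoH resolver is not caught by either rule; for that case only blocking the specific resolver addresses, or the client-side setting change described later in this thread, helps.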
Hi there,

Thanks for sharing, it turns out it's a Safari advanced setting which, when turned off, fixes the issue for iPhone users.

To fix (in case anyone else encounters this): go to Settings > Safari > Advanced > Advanced Tracking and Fingerprinting Protection, and change it to "Private Browsing" only. This way it still provides the option if one wants to have that protection available.

I'll try this built in option on the firewall as well.

Cheers