How to ensure DoT is working correctly?

[Vexz]

Greetings!

I've been using DoT for a while now... or let's say: I think I've been using DoT for a while now.

Under...
Services > Unbound DNS > DNS over TLS
... I set up some DoT compatible DNS servers as you can see in the following image.


To test my settings I first blocked outgoing traffic with destination port 53 --> name resolution still works
Then I did the same for port 853 --> name resolution does not work anymore

So far so good. But does just that prove that it's working correctly? There are websites like this one that checks if DoT is working. For me it says that it does not work. Also there's Cloudflare's help site, that tells me it's working for all my upstream DNS servers except the Quad9 ones.
I can't tell how reliable those sites are. Is the use of destination port 853 for DNS queries enough to say that it's working correctly?

[I3iker]

Maybe you have Clients that have Hardcoded DNS Server i think google chromecast etc.
You can Portforward this clients to opnsense/port.
Why so much dns Upstreams?
You can make a Packet Capture to check if there is any traffic from clients that dont go to your sense.

[Vexz]

Maybe you have Clients that have Hardcoded DNS Server i think google chromecast etc.
You can Portforward this clients to opnsense/port.

All clients in my LAN use the Unbound DNS server on my OPNsense. But that's not the problem and not the point. I just want ensurance DoT is working as intended because some DoT test websites tell me it does not work.

Why so much dns Upstreams?

Why not? It can't hurt and those are all DNS server I trust.

[I3iker]

you said you block all traffic that gets outside that is not encrypted fine.
check it with wireshark. check the unbound logs. monitoring and thats my way i would do it

[Vexz]

you said you block all traffic that gets outside that is not encrypted fine.
check it with wireshark. check the unbound logs. monitoring and thats my way i would do it

You still don't get my point. Let me quote myself from the original post. Maybe that helps to make it more clear:

Is the use of destination port 853 for DNS queries enough to say that it's working correctly?

[I3iker]

yes when you checkd all traffic comes to your opnsense thats my point

https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

[cookiemonster]

I went through this whilst setting up DoT in my network. You are correct, there are "test" websites and to this day they report to me that I'm not using DoT. I had to resort to empirical test that confirmed it was working as it was intended.
Anecdotally, I used quad9 and cloudflare, on 9.9.9.9 and 1.1.1.1. My setup had them in round-robin loadbalancing algorithm. That meant when I used a test page for one and the connection was via their resolver, it showed OK. Other times, not OK. If I changed my config to only go to them, it was OK always. That told me test pages were checking only for themselves, not that it was "any" connection over DoT. Also I recall there was a defect reported for one of them to this effect, I think it was solved.
So it left me that niggling thought. The next thing to do for certainty (for my own peace of mind) was to packet capture.
It was only then that I realised that indeed the traffic was DoT even when the test page said different.
You need to do your verification without trusting completely these test sites IMO.

[miroco]

This is from memory. I think I came across this from the forum some time ago, but I can't find it again. Give it a shot.

Go to - Interfaces -> Diagnostics -> Packet capture

Interface -> WAN

Set port to 853 and press "Start". Take your box for a spin and then press "Stop" and "View Capture" below.