DNS optimisation

1.1.1.1 is still there because it's probably what you've set as the bootstrap server, which is used to resolve the DoH and DoT records.

Just something to be aware of though: I noticed you are using Quad9, NextDNS and CleanBrowsing, which do malware blocking, but you still have the normal Cloudflare resolver and Google DNS in there, which don't do malware blocking.
I would maybe remove the Google DNS (or just use it as a failover) and replace the normal Cloudflare records with the following records, which do malware blocking:

Code:
https://security.cloudflare-dns.com/dns-query
tls://security.cloudflare-dns.com

As I indicated, 1.1.1.1 is an Apple thing.

If I understand correctly, malware blocking is handled by AdGuard.
 
You can probably also test:

tls://unfiltered.adguard-dns.com:853

I get 1ms response time from my AdGuard on an Oracle VM.
Are you running this as a DNS for your devices? I had something similar a couple of years back, but Oracle terminated the account without warning due to it being public. If you have set this up, would you mind sharing how you've "closed" it so that it's only for devices you allow?
 

Mine is also open, but I'm on the pay-as-you-go one (still free if you stay under the limits). I'm running mine on a small k3s cluster so I can inject the SSL certs. I only allow port 443 and 853, so no unencrypted DNS.


YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: adguardhome
  namespace: default 
spec:
  selector:
    matchLabels:
      app: adguardhome
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  template:
    metadata:
      labels:
        app: adguardhome
    spec:
      volumes:
        - name: adguard-tls
          secret:
            secretName: adguard-tls
        - name: adguard-config
          persistentVolumeClaim:
            claimName: adguard-config-pvc  # Adjust the PVC name as needed
        - name: adguard-logs
          persistentVolumeClaim:
            claimName: adguard-logs-pvc  # Adjust the PVC name as needed
      containers:
        - name: adguardhome
          image: adguard/adguardhome:v0.107.74
          resources:
            requests:
              memory: "1Gi"
              cpu: "0.5"
            limits:
              memory: "2Gi"
              cpu: "1"
          ports:
            # - containerPort: 3000
            #   protocol: TCP
            # - containerPort: 80
            #   protocol: TCP
            - containerPort: 853
              protocol: TCP
            - containerPort: 443
              protocol: TCP
          volumeMounts:
            - name: adguard-tls
              readOnly: true
              mountPath: "/certs"
            - name: adguard-config
              mountPath: /opt/adguardhome/conf
            - name: adguard-logs
              mountPath: /opt/adguardhome/work
      terminationGracePeriodSeconds: 20
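
A way to check from outside that a deployment like the one above really exposes only encrypted DNS, as an added example that is not part of the original post: it sends one query over plain UDP/53 (which should get no reply) and one over DoT on 853 with certificate verification. The hostname `dns.example.com` is a placeholder for your own resolver, and the function names are made up for this sketch.

```python
import socket
import ssl
import struct

QID = 0x1234  # fixed query ID, fine for a one-off self-check

def build_query(name, qtype=1):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (id, is_response, rcode, answer_count) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, bool(flags & 0x8000), flags & 0x000F, ancount

def answers_plain_udp(host, name="example.com", timeout=2.0):
    """True if host replies to unencrypted DNS on UDP/53 (expected: False)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (host, 53))
            qid, is_response, _, _ = parse_header(s.recvfrom(4096)[0])
        except (OSError, ValueError):
            return False  # timeout, ICMP unreachable, or a junk reply
    return is_response and qid == QID

def answers_dot(host, tls_name, name="example.com", timeout=3.0):
    """True if host answers DoT on 853; raises on connection or certificate errors."""
    query = build_query(name)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            reply = b""
            while len(reply) < 14:  # length prefix + DNS header
                chunk = tls.recv(512)
                if not chunk:
                    return False
                reply += chunk
    qid, is_response, _, _ = parse_header(reply[2:])
    return is_response and qid == QID

if __name__ == "__main__":
    host = "dns.example.com"  # placeholder: your own resolver
    print("UDP/53:", answers_plain_udp(host), "DoT/853:", answers_dot(host, host))
```

Run it from a network outside the cluster, since a check from inside may bypass the firewall rules that block port 53.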
 