DNS over TLS Logging?

I use IPFire 2.25 update 142 on a stand alone PC to front end all of my Linux and Windows PCs. I have setup DNS over TLS on IPFire without any problems. It works just fine !!!

My Linux & Windows PCs run Perfect-Privacy-VPN which has its own secure DNS servers in many countries. Their web site also offers various tests to check IP & DNS leaks.

I have set Mozilla Firefox to NOT use Firefox DNS over TLS as I do not wish to use Google or Cloudflare as they track and profit from DNS queries.

So is there a way on IPFire to log which DNS IP addresses are being sent out on the RED interface? Looking at the “Connections” list in the WUI tool leaves me confused.

I know that the VPN’s DNS servers are being used as when I select only one of their many servers, and search for “www.bloomberg.com”, I get a TCP/IP address for that server’s location (i.e. US, France, Netherlands, etc.).

Which makes me wonder when does the IPFire DNS over TLS get used?
Clearly whenever the VPN DNS server is not active.
So it sure would be nice to have a log on IPFire that tracks only DNS server IP addresses on the RED interface. Is this possible?

Out of the box I think no, and I don’t understand the need for it. If you do not allow any client to talk DNS or DoT directly to the internet (firewall/iptables) and configure them to talk DNS/DoT with ipfire, it’s clear that all DNS requests will be done by ipfire. Since you have to set up the DNS servers you want ipfire to communicate with, you know the possible targets.

I prefer to use the secure DNS servers provided by the VPN provider as they are automatically selected based on the World Wide City Selection List and can easily be changed by selecting a different City Server. So I would like to have a means to know for sure that the DNS requests going out on the RED LAN are what I expect them to be. Thus the need to log TCP/IP DNS numbers. Hopefully someone can engineer a way to do this?
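One way to get the log the question asks for, following the iptables approach mentioned in the reply above, is to add LOG rules for outbound port 53 (plain DNS) and port 853 (DoT) on the RED interface and then summarize the kernel log lines they produce. The script below is an added example written for this thread, not part of IPFire or of any post here. It assumes the rules listed in its comments were placed in a local firewall hook (IPFire's /etc/sysconfig/firewall.local is the usual place for custom iptables rules, and red0 is the RED interface name), and the sample log lines are constructed in the standard netfilter LOG format rather than taken from a real box. Note one caveat for this setup: DNS queries that the PCs send through the Perfect-Privacy VPN tunnel are encrypted inside that tunnel, so on RED they appear as VPN traffic, not as port 53/853 packets; only queries resolved by IPFire itself (its DoT forwarders) or by clients bypassing the VPN will show up in this log.

```python
import re
from collections import Counter

# Assumed rules that produce the log lines (added to /etc/sysconfig/firewall.local):
#   iptables -I OUTPUT  -o red0 -p udp --dport 53  -j LOG --log-prefix "DNS_OUT: "
#   iptables -I OUTPUT  -o red0 -p tcp --dport 53  -j LOG --log-prefix "DNS_OUT: "
#   iptables -I OUTPUT  -o red0 -p tcp --dport 853 -j LOG --log-prefix "DOT_OUT: "
#   iptables -I FORWARD -o red0 -p udp --dport 53  -j LOG --log-prefix "DNS_OUT: "
#   iptables -I FORWARD -o red0 -p tcp --dport 853 -j LOG --log-prefix "DOT_OUT: "
# The FORWARD rules catch LAN clients resolving directly; OUTPUT catches IPFire's
# own resolver (unbound) talking to its DoT forwarders.

# Constructed sample of /var/log/messages lines in netfilter LOG format.
SAMPLE_LOG = """\
Jan 10 12:00:01 ipfire kernel: DOT_OUT: IN= OUT=red0 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41234 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:02 ipfire kernel: DNS_OUT: IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.0.2.53 LEN=72 PROTO=UDP SPT=51000 DPT=53 LEN=52
Jan 10 12:00:03 ipfire kernel: DOT_OUT: IN= OUT=red0 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41240 DPT=853 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 ipfire kernel: some unrelated kernel message without a prefix
Jan 10 12:00:05 ipfire kernel: DNS_OUT: IN=green0 OUT=red0 SRC=192.168.1.21 DST=192.0.2.54 LEN=72 PROTO=TCP SPT=51001 DPT=53
"""

# Matches the fields the LOG target always emits; MAC= is only present on
# forwarded packets, so it is optional.
LOG_RE = re.compile(
    r"(?P<prefix>DNS_OUT|DOT_OUT): "
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r"(?:MAC=\S+ )?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) "
    r".*?DPT=(?P<dpt>\d+)"
)


def parse_dns_log(text, outif="red0"):
    """Return one record per DNS/DoT packet logged on the given outgoing interface."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("outif") != outif:
            continue  # not one of our rules, or not leaving on RED
        records.append({
            "kind": "DoT" if m.group("prefix") == "DOT_OUT" else "DNS",
            "inif": m.group("inif") or "local",  # empty IN= means IPFire itself sent it
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")),
        })
    return records


def summarize(records):
    """Count packets per (destination IP, protocol, destination port)."""
    return Counter((r["dst"], r["proto"], r["dpt"]) for r in records)


def unexpected_servers(records, allowed):
    """Destination IPs that are not in the set of resolvers you configured."""
    return {r["dst"] for r in records if r["dst"] not in allowed}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for (dst, proto, dpt), n in sorted(summarize(recs).items()):
        print(f"{dst:>16} {proto:<4} port {dpt:<4} {n} packet(s)")
    # Constructed allow-list: the DoT forwarder configured in the IPFire WUI.
    print("unexpected:", sorted(unexpected_servers(recs, {"198.51.100.5"})))
```

On a real box, feed it the messages file instead of the sample (for example `parse_dns_log(open("/var/log/messages").read())`) and put the DoT servers configured in the IPFire WUI into the allow-list; anything reported as unexpected is a client resolving outside IPFire, which is exactly the case the reply above suggests blocking with a firewall rule.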