MobileConfig Encrypted DNS Profiles - DNS-over-TLS as fallback to DNS-over-HTTPS?

[OpenSource Ghost]

I am seeing some strange traffic when I use official signed AdGuard DNS MobileConfig profile - https://cdn.adtidy.org/public/dns/adguard-dns.mobileconfig . The profile itself specifies DNS-over-HTTPS, not DNS-over-TLS, but when using that profile, I see Apple TV:
1. Sending only 0-length packets to AdGuard DNS address over TCP port 853 (DNS-over-TLS)
2. Sending non-0-length packets to AdGuard DNS address over TCP port 443 (DNS-over-HTTPS)

I assume that 0-length packets over TCP port 853 indicate that DNS-over-TLS is actually not active because 0-length packets do not carry any payload and as such cannot contain any domain queries.

Can someone wth AdGuard DNS-over-HTTPS profile and/or NextDNS DNS-over-HTTPS profile see if either profile makes Apple TV send 0-length packets over TCP port 853 (DNS-over-TLS)?

 

[satcomer]

It AdGaurd working! It's sending pings to see if port is open and awake! As network tech I've seen my share of network adgaurds, ee went many different vendors! Of course we doing it at the router levels and saw traffic like this almost every day1

 

[OpenSource Ghost]

That is my guess, but it makes no sense for DoH-only profile to ping DoT port. I have to know for sure because I manage a large dirty network and wired Ethernet connections have to be physically inspected in narrow tunnels in walls...

 

[OpenSource Ghost]

That profile was out-dated. The correct one was the one from here - https://adguard-dns.io/en/public-dns.html and it didn't try to use DNS-over-TLS ports and didn't require plaintext UDP port 53 bootstrapping either.