Why are DNS queries using CloudFlare's 1.1.1.1 server timing out?
Full question
https://superuser.com/questions/1625998/...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
ACCEPTED ANSWER
Score 67
Answer
The answer in my case is that the telco equipment commonly used in older installations by CenturyLink treats 1.1.1.1 as a "special address" that is not forwarded – it is used as a captive portal address.
To solve the problem: use the alternate address for the service, 1.0.0.1, instead. This also applies if you also want to use Cloudflare's DNS over HTTPS solution with 1.1.1.1. This assumes that you can't update the router firmware to address this issue.
Further Information
The router provided by the telco to me is a Technicolor C2100T.
This presentation from Cloudflare (pages 14-16) identifies this model and others as exhibiting this behavior:
- Pace (Arris) 5268
- D-Link DMG-6661
- Technicolor C2100T
- Calix GigaCenter – fixed 2018/Jun/12 thanks to a USER
- Nomadix (model(s) unknown)
- Xerox Phaser MFP
ANSWER 2
Score 1
Although the OP has answered their own question for their particular situation, I would like to point out another possible answer in the event that others may have a similar and related issue, one which I have had.
If using Suricata, such as with pfSense, there is a rule (with similar and related consequences):
#ET POLICY Connection to previously unallocated address space 1.1.1.0/24
suppress gen_id 1, sig_id 2017000
If the rule is disabled or configured to alert only (and not drop), the problem is solved.
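To confirm that an inline Suricata rule is what drops the resolver traffic described in Answer 2, the blocked alerts toward 1.1.1.0/24 can be pulled out of the EVE JSON log. The following is an added example, not code from either answer; it assumes EVE JSON alert logging is enabled, the sample log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import json
from collections import Counter

CLOUDFLARE_NET = ipaddress.ip_network("1.1.1.0/24")  # range named in the rule above
SIG = "ET POLICY Connection to previously unallocated address space 1.1.1.0/24"

# Constructed sample EVE lines (not captured from a real sensor).
SAMPLE_EVE = f"""\
{{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{{"action":"blocked","gid":1,"signature_id":2017000,"signature":"{SIG}"}}}}
{{"event_type":"alert","src_ip":"192.168.1.31","dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{{"action":"blocked","gid":1,"signature_id":2017000,"signature":"{SIG}"}}}}
{{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"1.1.1.1","dest_port":443,"proto":"TCP","alert":{{"action":"blocked","gid":1,"signature_id":2017000,"signature":"{SIG}"}}}}
{{"event_type":"alert","src_ip":"192.168.1.40","dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{{"action":"allowed","gid":1,"signature_id":2017000,"signature":"{SIG}"}}}}
{{"event_type":"dns","src_ip":"192.168.1.20","dest_ip":"1.0.0.1","dest_port":53,"proto":"UDP"}}
{{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"1.1.
"""

def blocked_resolver_hits(lines, network=CLOUDFLARE_NET):
    """Count blocked alerts per (gid, sid, dest_ip, dest_port) for traffic into network."""
    hits = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partially written log line
        alert = ev.get("alert") if isinstance(ev, dict) else None
        if not isinstance(alert, dict) or ev.get("event_type") != "alert":
            continue
        if alert.get("action") != "blocked":
            continue  # alert-only events did not drop the packet
        try:
            dest = ipaddress.ip_address(ev.get("dest_ip", ""))
        except ValueError:
            continue
        if dest in network:
            key = (alert.get("gid"), alert.get("signature_id"), str(dest), ev.get("dest_port"))
            hits[key] += 1
    return hits

def suppress_lines(hits):
    """Render one suppress-list entry per blocking signature, in the format quoted above."""
    return sorted({f"suppress gen_id {gid}, sig_id {sid}" for gid, sid, _, _ in hits})

if __name__ == "__main__":
    found = blocked_resolver_hits(SAMPLE_EVE.splitlines())
    for (gid, sid, ip, port), n in sorted(found.items()):
        print(f"{n} blocked: gid={gid} sid={sid} -> {ip}:{port}")
    print("\n".join(suppress_lines(found)))
```

Blocked events on port 443 matter as well as port 53, since the same rule would also drop DNS over HTTPS to 1.1.1.1.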