DNS over HTTPS tester (DoH query)

DNS resolution via DNS over HTTPS against the public cloudflare-dns.com/dns-query endpoint (Cloudflare 1.1.1.1). Resolves A, AAAA, CNAME, MX, TXT, NS, SOA, CAA and PTR records. Output: the parsed Answer section as a table, the full raw JSON for debugging, and the RFC 8484 status code. The query goes straight from the browser to Cloudflare: useful to verify DNS propagation, debug SPF/DKIM/DMARC and troubleshoot MX records remotely, even from mobile or restricted networks.

How to make a DoH query

  1. Enter the domain

     Without scheme (no https://), no trailing slash, no path. E.g. www.mauriziofonte.it, mail.google.com. For reverse PTR lookups, enter 1.0.0.127.in-addr.arpa (IPv4) or the ip6.arpa nibble form (IPv6).

  2. Pick the record type

     A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail server), TXT (SPF/DKIM/DMARC/verifications), NS (nameservers), SOA (zone authority), CAA (certificate authority), PTR (reverse). ANY is not guaranteed (modern resolvers refuse it to prevent amplification).

  3. Press the 'Query' button

     The browser fetches https://cloudflare-dns.com/dns-query?name=X&type=Y with the header Accept: application/dns-json. The JSON response is parsed and its Answer section rendered as a table (name, type, TTL, data).

  4. Read the raw JSON

     Below the table, the full raw JSON is shown for debugging. Relevant fields: Status (0 = OK, 2 = SERVFAIL, 3 = NXDOMAIN), TC (truncation), RD (recursion desired), RA (recursion available), AD (DNSSEC validated), CD (DNSSEC checking disabled).
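The four steps above as an added JavaScript example (not the tool's own source): it validates the bare hostname, builds the ?name=X&type=Y URL against cloudflare-dns.com, and interprets a Cloudflare-style JSON response into the fields the table shows. The endpoint and Accept header come from the page; the sample response is constructed.

```javascript
// Added example, not the tool's own source: build the DoH JSON query the
// page describes and interpret the response fields (Status, AD, TC, Answer).
const DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query";

// Values of the JSON "Status" field (DNS RCODEs) as listed on the page.
const STATUS_NAMES = { 0: "NoError", 1: "FormErr", 2: "ServFail",
                       3: "NXDomain", 5: "Refused", 9: "NotAuth" };
// Numeric record types returned in Answer[].type for the types the tool offers.
const TYPE_NAMES = { 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
                     15: "MX", 16: "TXT", 28: "AAAA", 257: "CAA" };

// Steps 1 and 3: reject a scheme or path, then build ?name=X&type=Y.
function buildDohUrl(name, type) {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(name) || name.includes("/")) {
    throw new Error("enter a bare hostname: no scheme, no path, no trailing slash");
  }
  const url = new URL(DOH_ENDPOINT);
  url.searchParams.set("name", name);
  url.searchParams.set("type", type);
  return url.toString();
}

// Step 4: turn the raw JSON into what the table shows. Status 0 with an empty
// Answer means the name exists but has no record of that type; Status 3 means
// the name does not exist at all.
function interpret(json) {
  const status = json.Status;
  return {
    status,
    statusName: STATUS_NAMES[status] ?? `RCODE ${status}`,
    dnssecValidated: json.AD === true, // AD: resolver validated the DNSSEC chain
    truncated: json.TC === true,
    answers: (json.Answer ?? []).map(rr => ({
      name: rr.name, type: TYPE_NAMES[rr.type] ?? String(rr.type),
      ttl: rr.TTL, data: rr.data,
    })),
  };
}

// Live query (needs network): the Accept header selects the JSON format.
async function dohQuery(name, type) {
  const res = await fetch(buildDohUrl(name, type),
                          { headers: { Accept: "application/dns-json" } });
  return interpret(await res.json());
}

// Constructed sample response, shaped like Cloudflare's JSON for an MX lookup.
const SAMPLE_MX = {
  Status: 0, TC: false, RD: true, RA: true, AD: true, CD: false,
  Question: [{ name: "example.com", type: 15 }],
  Answer: [{ name: "example.com", type: 15, TTL: 300, data: "10 mail.example.com." }],
};
```

`dohQuery("www.mauriziofonte.it", "MX")` performs the same request the 'Query' button does; `interpret(SAMPLE_MX)` shows the parsing offline.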

DNS over HTTPS, in practice

DoH vs classic DNS. DNS over HTTPS (RFC 8484) is DNS encapsulated in HTTPS on port 443, indistinguishable from regular web traffic in transit. Pros: privacy (plain-text DNS over UDP/53 can be inspected by the provider and by network intermediaries), bypass of the DNS hijacking typical of public WiFi, bypass of DNS-based censorship (inspecting it requires more expensive DPI). Costs: 10-30 ms of extra latency compared to UDP/53, and a concentration of traffic toward a few public endpoints (1.1.1.1, 8.8.8.8, 9.9.9.9).

Cloudflare JSON endpoint. The tool queries cloudflare-dns.com/dns-query with Accept: application/dns-json, the public REST format from Cloudflare. The response is a structured JSON with Status, Answer, Authority, Additional, readable without decoding the binary wire format from RFC 1035.

Operational use cases. Verify DNS propagation after a change (watching for the old TTL to expire), debug TXT records for SPF/DKIM/DMARC before enabling email authentication, check MX records when troubleshooting email delivery, inspect DNSSEC validation via the AD flag. Works from the browser without installing CLI tools: useful for quick debugging from mobile or from networks where dig isn't available.

RFC 8484 status codes

Status 0 - NoError
Query OK, valid response. Answer populated if the record exists. Empty Answer if the requested type isn't present in the domain (e.g. AAAA on an IPv4-only domain).
Status 1 - FormErr
Format error in the query. Rare with DoH (the API builds the query Cloudflare-side).
Status 2 - ServFail
Resolver failed (e.g. authoritative server unreachable, DNSSEC validation failed). Retry after 30s; if it persists, the domain has DNS issues on the authoritative side.
Status 3 - NXDomain
Domain doesn't exist. Distinct from Status 0 with empty Answer: the domain is unregistered or has zone delegation errors.
Status 5 - Refused
Server refuses to answer. Typically policy-based (e.g. ANY queries refused for anti-amplification).
Status 9 - NotAuth
Server is not authoritative for the zone. Delegation error.

Glossary

Technical terms used on this page, briefly explained.

DoH
DNS over HTTPS, RFC 8484. DNS encapsulated in HTTPS on port 443. Public endpoints: Cloudflare cloudflare-dns.com/dns-query, Google dns.google/dns-query, Quad9 dns.quad9.net/dns-query.
DoT
DNS over TLS, RFC 7858. DNS inside TLS on port 853. Alternative to DoH, more efficient (no HTTP overhead) but identifiable by firewalls (dedicated port). Implemented by systemd-resolved, Android 9+, AdGuard, Pi-hole.
TTL
Time To Live, in seconds. How long a DNS record stays cached by downstream resolvers. Typical: 300 (5 min) for dynamic records, 3600 (1h) for stable ones, 86400 (24h) for authoritative zones.
DNSSEC
DNS Security Extensions: cryptographic signing of DNS records to prevent spoofing. Cloudflare validates DNSSEC by default (the AD field is true if the zone is DNSSEC-signed and validated).
Authoritative server
DNS server that holds the original copy (zone file) of a domain. Distinct from caching resolvers (1.1.1.1, 8.8.8.8), which ask the authoritative servers and cache the answer. Authoritative servers are declared in NS records.
ANY query
DNS query asking for all record types of a domain. Deprecated (RFC 8482) to prevent amplification (an ANY response can be 100x the query size, which has been abused in DDoS). Cloudflare answers with an HINFO placeholder.

Frequently asked questions

Can I use a different endpoint than Cloudflare?
Not from the UI. The tool targets cloudflare-dns.com for output uniformity (JSON). Equivalent endpoints supported by the same protocol: Google on dns.google/dns-query and AliDNS on dns.alidns.com/resolve. To compare answers from multiple resolvers in parallel, the 6-way multi-resolver compare in the email DNS toolkit is the right tool.
Is there a rate limit?
Cloudflare's public endpoint has an indicative rate limit on the order of 1000 requests/hour per IP. For occasional debugging (dozens of queries) it's more than enough. For continuous monitoring, the right approach is a self-hosted resolver (CoreDNS, Pi-hole, Unbound) with backoff and cache, not hammering a public endpoint.
Are the data private?
The query goes through Cloudflare (privacy policy: 24h query log, no permanent IP storage, no sale to third parties, declared in 2018 blog post). The browser sends HTTPS, the hosting site (mauriziofonte.it) does NOT see the query (it's a cross-origin fetch directly from the browser to Cloudflare).
Difference vs 'dig @1.1.1.1 example.com'?
Equivalent. dig uses plain-text UDP on port 53; this tool uses encrypted HTTPS on port 443. The output (Answer section) is identical. Tool advantage: works from the browser without installing anything, convenient on mobile.
Can I do reverse PTR queries?
Yes: use the 1.0.0.127.in-addr.arpa format (IPv4 reverse) or the ip6.arpa nibble format for IPv6, with record type PTR. E.g. for IP 8.8.8.8: 8.8.8.8.in-addr.arpa (the four octets reversed, plus the suffix).
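Building the reverse name by hand is error-prone for IPv6, so here is an added example (not the tool's own code) that derives the in-addr.arpa or ip6.arpa name to type into the domain field, including the "::" expansion; it generalizes the 8.8.8.8 case above to any IPv4 or IPv6 address.

```javascript
// Added example, not the tool's own code: derive the name to query with
// type PTR from an IPv4 or IPv6 address.
function reverseName(ip) {
  if (ip.includes(":")) return ip6Arpa(ip);
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  // IPv4: the four octets reversed, then the in-addr.arpa suffix.
  return octets.reverse().join(".") + ".in-addr.arpa";
}

// IPv6: expand the "::" gap to eight groups, pad each group to four hex
// digits, then list all 32 nibbles in reverse order under ip6.arpa.
function ip6Arpa(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - tail.length;
  // Without "::" all eight groups must be present; with it, at least one is elided.
  const ok = halves.length === 1 ? gap === 0 : gap >= 1;
  if (!ok) throw new Error(`invalid IPv6 address: ${ip}`);
  const groups = [...head, ...Array(gap).fill("0"), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const nibbles = groups.map(g => g.toLowerCase().padStart(4, "0")).join("");
  return nibbles.split("").reverse().join(".") + ".ip6.arpa";
}
```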
Does it handle CAA records?
Yes. CAA (RFC 8659) controls which CAs can issue certificates for a domain. Example: letsencrypt.org has CAA that admits only Let's Encrypt. If you switch CA, remember to update the CAA before the new issuance.
Is wire-format response (classic DNS) supported?
No, JSON only. For wire format (RFC 1035 binary) change Accept to application/dns-message and the response becomes binary application/dns-message, which you parse manually. Tools like dnscrypt-proxy do that; this tester sticks to the JSON-friendly subset.

Who builds these tools?

Maurizio Fonte, senior IT consultant with 20+ years in PHP, Laravel, unmanaged Linux infrastructure, applied cybersecurity and AI/LLM integration. Production backends, legacy code modernization, security audits, custom AI agents and MCP servers: the work behind every tool published here.
