Troubleshooting DNS over HTTPS

DNS is one of the most critical protocols for the Internet. Almost everything you do online starts first with a DNS request. The problem with DNS is that it is a clear-text protocol and anyone that is monitoring the traffic between you and your DNS resolver can see (and some times modify) the requests you are doing. It is actually common for ISPs and Hotels to hijack DNS requests to their own servers.


That's where DNS over HTTPS comes into play. This relatively new protocol wraps all your DNS requests over HTTPS, encrypting them in transit, so they can't be inspected or modified by a third party.

That's great, but since this is all relatively new, there is very little client support for it. If you enabled DNS over HTTPS on Firefox, for example, and something fails, how can you test what is going on?

If you make a mistake on the DNS over HTTPS URL (network.trr.ui on Firefox about:config), all you would see on your browser would be:

Image for post
Image for post
DNS error — when using DNS over HTTPS

In this article, we will show some tools to help you troubleshoot DNS over HTTPS more easily.

DNS over HTTPS (DoH) Providers

DoH is still pretty new, but there are 4 public available and free resolvers you can use:

Troubleshooting DNS over HTTPS

The beauty of DNS over HTTPS is that it is the same DNS protocol, just wrapped around the HTTPS layer. That makes it relatively easy to debug and troubleshoot. Some providers also offer a JSON endpoint, which helps as well. Let's do some troubleshooting now.

1- Using CURL

Using curl, you can easily test if the URL is up and responding. For example, to test if the CloudFlare DoH endpoint is up, you can just run:

$ curl -D -
HTTP/1.1 400 Bad Request
Date: Tue, 02 Apr 2019 05:19:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare

And see what is going on. If you get a "connection timed out" or 404 error, it means you are using the wrong DoH URL.

If you get a 400 HTTP error, like the above, it shows us that the HTTPS endpoint is up and running, but since we didn't provide the proper DNS packet, it failed. So a good sign…

2- Using CURL with a real request

Next, you can use CURL and provide the DNS packet encoded via base64* via the GET "dns" parameter. DNS over HTTPS support both POST and GET methods, but using GET is easier to test:

$ curl -D — “"
HTTP/1.1 200 OK
Content-Type: application/dns-message


The result will be a binary DNS response, but that's easy to parse to see if you are getting anything back. In this case, again, we can see the response and the "200" HTTP return code. To test against Google, you do the same thing:

$ curl -D — “" | strings

3- Using a DNS over HTTPS php client

Another good way to troubleshoot DNS over HTTPS is by using the easy to use doh-php-client tool:

$ git clone
Cloning into ‘doh-php-client’…
remote: Enumerating objects: 29, done.
remote: Total 29 (delta 0), reused 0 (delta 0), pack-reused 29
Unpacking objects: 100% (29/29), done.

Once the repository is cloned, you will see the doh-php-client.php file:

$ cd doh-php-client/; php doh-php-client.php
Usage: doh-php-client.php [server:cloudflare,google,cleanbrowsing,cloudflare-post,experimental-post] [] <type: A, AAAA or CNAME>

It supports CloudFlare's, Google and CleanBrowsing DNS over HTTPS by default. So if you want to test against CloudFlare's, you would do:

$ php doh-php-client.php cloudflare has address

And get the proper results. And if you try an adult site with CleanBrowsing, you get the proper NXDOMAIN:

$ php doh-php-client.php cleanbrowsing
Host not found: 3(NXDOMAIN)

And that’s pretty much it for troubleshooting. With CURL and the doh-php-client, you can easily find what is going on at the DoH level.


Written by

Always Learning.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store