DNS-over-HTTPS Tester — Cloudflare, Google, Quad9, OpenDNS

Traditional DNS uses UDP or TCP port 53 in cleartext. Local network observers see which names you query — a privacy and censorship concern on untrusted Wi-Fi. DoH wraps DNS wire format in HTTPS to port 443, sharing TLS infrastructure with the web and resisting trivial blocking distinct from port 53.

Browsers and operating systems increasingly offer DoH toggles. Before rolling policy, verify target domains resolve correctly on chosen providers and latency stays acceptable versus your ISP resolver.

Cloudflare (cloudflare-dns.com/dns-query), Google (dns.google/resolve), Quad9 (dns.quad9.net/dns-query), and OpenDNS (doh.opendns.com/dns-query) represent widely deployed anycast fleets. Each uses JSON wireformat compatible APIs though URL paths differ slightly.

We query all four in parallel from our infrastructure — results describe reachability from our network path, useful as a canary. Your browser DoH may use different regional POP with different latency.

success true when status indicates NOERROR with at least one answer path working. answers lists A record IPv4 strings. latencyMs is round-trip for the HTTPS request and JSON parse. null latency accompanies ERROR rows.

workingCount summarizes how many of four providers succeeded. 4/4 with matching answers is ideal consistency. 2/4 may mean filtering, blocking, or regional outage — inspect per-row error messages.

Legitimate causes include DNS propagation delay, GeoDNS returning region-specific A records, or NXDOMAIN on a domain only some resolvers have cached negatively. Malware-blocking resolvers like Quad9 may return REFUSED or empty for known bad domains while Cloudflare still returns historical answers briefly.

Do not panic on single-provider failure — investigate pattern across runs. Persistent Cloudflare failure with Google success may indicate SNI or HTTP/2 issues on one URL from your network.

DoH adds TLS handshake overhead — first query slower, subsequent queries benefit from HTTP keep-alive in browsers. Our single-shot latency is conservative versus warm browser sessions. Compare DoH latency to our DNS response time test on UDP Google path for rough encrypted versus cleartext picture.

Privacy gain may cost milliseconds — acceptable on laptops, worth evaluating on IoT with tight timeouts.

Corporate proxies terminating TLS sometimes break DoH unless allowlisted by provider hostname. If all four providers fail from office networks but succeed here, policy not DNS data is the blocker. Security teams may mandate DoH to specific internal forwarders instead of public providers.

Document approved DoH endpoints in employee acceptable-use policies to avoid shadow IT resolver choices.

DNS benchmark compares multiple traditional resolvers. This page isolates DoH endpoints explicitly. DNS lookup uses our server-side resolver path — different transport than DoH tested here.

Use all three when designing defense-in-depth DNS architecture for remote workforce.

This tester focuses on A records for simplicity and broad compatibility with JSON APIs. Mail troubleshooting needing MX or SPF still uses classic lookup tools. Future expansion may add types; today query MX separately after confirming A resolution works on DoH.

IPv6-only domains may show empty A answers while AAAA exists — not a DoH failure per se.

Latency, privacy policy, malware filtering, and logging practices differ per provider. Cloudflare and Google emphasize speed; Quad9 emphasizes threat blocking; OpenDNS offers Cisco umbrella integration paths for enterprises.

Run this test on representative internal and customer-facing domains before GPO deployment. Re-run after major DNS changes or provider incidents.

DoH queries from our service hit public providers for domains you submit. Provider privacy policies govern their logging — review vendor terms separately. Use tests for legitimate troubleshooting, not high-rate enumeration of third-party names.

We do not configure or persist DoH on your devices.