What is DNS-over-HTTPS (DoH)?

DoH sends DNS queries inside an encrypted HTTPS request instead of plain UDP port 53. This stops on-path observers from seeing or tampering with which domains you look up, improving privacy on shared and untrusted networks.

Why query both Cloudflare and Google?

Comparing two independent public resolvers lets you spot inconsistencies. If both return the same A record you can be confident the answer is authoritative; a mismatch can indicate caching, geo-DNS, or local interception.

Does this need an API key?

No. Cloudflare (cloudflare-dns.com) and Google (dns.google) both expose free, keyless DoH JSON endpoints that accept cross-origin requests, so the lookup runs entirely from your browser with fetch().

What does the Status code mean?

It is the DNS RCODE. 0 (NOERROR) means success, 3 (NXDOMAIN) means the name does not exist, and 2 (SERVFAIL) means the resolver could not complete the query. The tool labels these for you.

Why do I sometimes get different IPs from each resolver?

Large sites use geo-aware and load-balanced DNS, so different resolvers (or the same resolver at different times) can hand back different but equally valid IPs. A short TTL also means answers rotate frequently.

DNS-over-HTTPS Privacy Query Tester

This tester resolves a domain through two major DNS-over-HTTPS providers — Cloudflare and Google — straight from your browser, so you can confirm that encrypted DoH resolution works and that both resolvers agree on the answer.

How it works

Both Cloudflare and Google publish a JSON DoH API following the same query shape. A request looks like:

GET https://cloudflare-dns.com/dns-query?name=example.com&type=A
Accept: application/dns-json

The tool issues that request (and the Google equivalent at https://dns.google/resolve) with fetch(). The JSON response includes:

Status — the DNS RCODE (0 = NOERROR, 3 = NXDOMAIN, 2 = SERVFAIL).
Answer — an array of records, each with a name, numeric type, TTL, and data (the IP for A/AAAA records).

The tool parses both responses, lists the resolved addresses with their TTLs, and flags whether the two resolvers returned the same set of IPs.

Reading the results

A matching answer from both resolvers means your DoH path is clean and consistent. A mismatch is not automatically a problem — content delivery networks return geo- and load-based answers — but a consistent mismatch, or a NXDOMAIN from only one provider, is worth investigating. If one query fails entirely while the other succeeds, the failing provider may be blocked on your network.

Notes

The browser cannot read your operating system’s resolver directly, so this compares two encrypted public resolvers rather than DoH-vs-system. To compare against system DNS, run nslookup or dig locally and check the IPs against what you see here.
A short TTL (a few seconds to a minute) means the record rotates often; re-running the query may yield different but valid IPs.
All queries go directly from your browser to the public resolvers. No data passes through any Gera server.