Check that DoH is used


Jonathan Lester

Oct 4, 2019, 8:05:40 AM
to public-dns-discuss
Hello All,

Does anyone know if there's a way to confirm my DNS requests are resolved over DNS over HTTPS?

I've hopefully got a DNS proxy running in my network, which should proxy DNS requests over DoH. How can I check that this is working? Domains resolve perfectly fine and I have no issue browsing, but I'd like to be sure that my requests aren't falling back to another DNS server or method.

Thanks.

Alex Dupuy

Oct 9, 2019, 6:21:29 PM
to public-dns-discuss
If your system configuration uses a different DNS resolver than your DoH proxy, you could use a DNS leak tester like https://www.dnsleaktest.com or any of the other similar ones.

But if your home WiFi router uses 8.8.8.8 for normal DNS queries and your DoH proxy is also using Google Public DNS, the results would be the same whether your queries went through DoH or not.

Jonathan Lester

Oct 10, 2019, 8:51:11 AM
to public-dns-discuss
Hi Alex,

Thanks for your response.
That's what I thought and the DNS leak test shows no leaks.

I suppose I was looking for something like a text record or domain I can look up that will only resolve when using DoH, just to confirm DoH is working.

But I get no DNS leaks and my network works fine.

Alex Dupuy

Oct 10, 2019, 9:48:54 AM
to public-dns-discuss
Jonathan Lester wrote:
I suppose I was looking for something like a text record or domain I can look up that will only resolve when using DoH, just to confirm DoH is working.


It's only possible for a resolver to check the last in the chain of DNS forwarders to see if DoH transport is being used, so the reliability of such a check (like https://1.1.1.1/help) is limited and only the external IP address (which is not reported in the 1.1.1.1/help result) can be reported with any certainty (and with NAT, even an external IP address isn't enough to truly identify the client). If the DoH (or DNS over TLS) client uses a client certificate, showing that would be a more meaningful check, but it would be hard for DoH services where the TLS termination is handled separately from the DNS resolution to see the client certificate.
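As an added example (not from the thread or from either poster): since the resolver side can only vouch for the last hop, the check the asking side can actually make is to look at its own egress and confirm that no plaintext port-53 traffic leaves the LAN while the proxy's HTTPS sessions to the resolver are present. The flow-summary lines, the 192.168.1.0/24 range, the proxy address 192.168.1.1 and the line format are all constructed for this example.

```python
"""Offline check of an egress flow summary for plaintext DNS next to DoH."""
import ipaddress
import re

# Regex for the constructed one-line flow format used in SAMPLE_FLOWS below.
FLOW_RE = re.compile(
    r"^(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample flows (not a real capture), summarised at the gateway.
# The proxy at 192.168.1.1 should forward every query over HTTPS to 8.8.8.8;
# the last line is the kind of fallback to plain DNS the thread asks about.
SAMPLE_FLOWS = """\
UDP 192.168.1.20:53211 -> 192.168.1.1:53
TCP 192.168.1.1:44102 -> 8.8.8.8:443
TCP 192.168.1.30:50102 -> 142.250.74.46:443
UDP 192.168.1.1:39876 -> 8.8.8.8:53
"""


def parse_flows(text):
    """Parse flow-summary lines into dicts with typed addresses and ports."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        d = m.groupdict()
        flows.append({"proto": d["proto"],
                      "src": ipaddress.ip_address(d["src"]),
                      "dst": ipaddress.ip_address(d["dst"]),
                      "sport": int(d["sport"]), "dport": int(d["dport"])})
    return flows


def assess_doh_egress(text, lan_cidr, doh_resolvers):
    """Return (leaks, doh_seen): leaks lists port-53 flows leaving the LAN,
    doh_seen is whether any TCP/443 flow reached a configured DoH resolver."""
    lan = ipaddress.ip_network(lan_cidr)
    doh_ips = {ipaddress.ip_address(ip) for ip in doh_resolvers}
    leaks, doh_seen = [], False
    for f in parse_flows(text):
        # Queries to the LAN-side proxy are expected; any port-53 flow bound
        # outside the LAN means something fell back to plain DNS.
        if f["dport"] == 53 and f["dst"] not in lan:
            leaks.append(f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:53")
        elif f["proto"] == "TCP" and f["dport"] == 443 and f["dst"] in doh_ips:
            doh_seen = True
    return leaks, doh_seen
```

On a real network the same logic would be fed from a capture taken on the gateway's WAN interface. A TCP/443 flow to the resolver address only shows that an HTTPS session to it exists, which is why the absence of port-53 leaks is the stronger signal here.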

Jonathan Lester

Oct 10, 2019, 12:34:24 PM
to public-dns-discuss
Ok cool,

Thank you for your help. I just wondered if it was possible or feasible.

You've already helped confirm I get no DNS leaks so thank you.
