This checks, from your browser, whether you can reach the major encrypted DNS-over-HTTPS resolvers and how fast each one responds.
How to use the dns-over-https (doh) test
Open this page — the test queries each public DoH resolver automatically.
Read which resolvers responded and their latency.
A blocked resolver means this network is filtering encrypted DNS.
What this tells you
This runs from your browser and tries to reach the major public DNS-over-HTTPS resolvers. A green latency means your network lets you reach that encrypted resolver and how fast it answered; "unreachable" means a firewall, captive portal, or DNS filter on this connection is blocking it. DoH encrypts your lookups so the network between you and the resolver can't read them — but it isn't a VPN: your IP and the rest of your traffic stay visible, and a browser sending DoH straight to a public resolver can even bypass a VPN's tunneled DNS. On vpn.golf, DNS is resolved inside the tunnel, so let the VPN handle it. To see whether your real resolver is leaking, use the DNS leak test.
DoH wraps your DNS lookups inside an encrypted HTTPS connection to a resolver, so the names you look up can't be read or altered by anyone on the network between you and that resolver.
It runs in your browser and tries to reach major public DoH resolvers — Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) — then reports whether each responds and how fast, so you can see which encrypted resolvers you can use.
Both encrypt DNS. DoT (DNS-over-TLS) uses its own dedicated port 853, which network operators can spot and block; DoH rides over normal HTTPS on port 443, blending in with web traffic and harder to single out.
Check the browser's privacy or security settings for a 'secure DNS' option. This test confirms you can reach DoH resolvers, but your browser only uses one if you've enabled it there or it ships on by default.
It hides the DNS lookups themselves, so your ISP no longer sees the domain names you resolve. But it can still infer sites from the destination IP and the unencrypted server name in older TLS handshakes.
No. DoH only encrypts DNS queries; the rest of your traffic and your real IP stay visible. A VPN like vpn.golf tunnels all traffic, hides your IP, and resolves DNS inside the tunnel — DoH protects one piece, a VPN protects the connection.
It depends on your location and network — the closest resolver with a nearby point of presence usually wins. Run this test to compare the measured latency of Cloudflare, Google, and Quad9 from where you are.
Quad9 and Cloudflare both publish no-logging and short-retention policies, and Quad9 also blocks known malicious domains. The most private choice is one whose policy you trust; no resolver is anonymous since it sees your queries.
Not necessarily. If your browser sends DoH directly to a public resolver, it can bypass your VPN's tunneled DNS — a different kind of leak. On vpn.golf, DNS is resolved inside the tunnel, so let the VPN handle it rather than forcing browser DoH.
In Firefox, Settings > Privacy & Security > Enable secure DNS. In Chrome or Edge, Settings > Privacy and security > Security > Use secure DNS. Pick a provider, then re-run this test to confirm it works.
It can bypass local network filters like parental controls or corporate policy, centralizes your queries with one big resolver, and a hardcoded browser DoH setting can override the resolver you actually wanted to use.
A network firewall, captive portal, or DNS-based content filter may block the resolver, or your current connection may already route it differently. A failure here means your browser can't reach that encrypted resolver from this network.