
DNS and DNS-over-HTTPS resolution

Supported clients: Whiteboxes, Routers

This test measures the time taken to resolve a DNS query against a target DNS server, over UDP or DNS-over-HTTPS. The test can be configured with the following:

  • The hostname to resolve
  • The query type (A, AAAA, TXT, MX, etc.)
  • An optional query class (typically 'IN')
  • An optional IP transport to use (IPv4, IPv6 or automatic)
  • An optional DNS server to use (can be specified manually, otherwise the DNS server supplied by DHCP will be used)
  • An optional DNS-over-HTTPS endpoint to make the query against
  • An optional timeout in seconds (defaults to 3 seconds)

The test will place a recursive DNS query (with the RD bit set) to the DNS server specified. The typical deployment configuration for this test involves querying one or more common hostnames, such as and, which increases the likelihood of the DNS server having these items in their caches already.

Whilst the test can be forced to target specific DNS servers, the most common deployment model is to let the DNS client determine its recursive resolver automatically from DHCP. This can lead to issues when users have configured custom DNS servers, overriding the ISP-provided defaults, but this is typically only seen for a very small fraction of users. Moreover, the DNS server that was used for the query is captured in the results, so such cases can be filtered out afterwards if desired.

The DNS test also supports carrying out measurements using the DNS-over-HTTPS standard (commonly abbreviated to "DOH"). This has been validated against the public DOH resolvers from Google and Cloudflare. When carrying out a measurement over DOH, the DNS resolution time recorded is taken from the point that the HTTP request is sent to the DOH resolver to the point the reply is received. The DOH connection is established first; its setup time is not included in the DNS resolution time, but is recorded separately.

A timeout of 3 seconds is applied to the DNS queries. Any tests that do not receive a response within this time, or that receive a failed response (such as NXDOMAIN or SERVFAIL response codes), will be marked as failed. Additionally, if DOH is in use and the client cannot connect to the DOH resolver for any reason, then the test will also be marked as a failure.
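The UDP case described above can be sketched as follows. This is an added example, not the test client's own code: it builds a query with the RD bit set, times a single lookup with the 3-second default, and applies the same failure rules (timeout, or a non-zero response code such as NXDOMAIN or SERVFAIL). The function names `build_query`, `classify` and `timed_lookup` are assumptions made for illustration.

```python
# Added illustration; names are hypothetical, not the measurement client's API.
import secrets, socket, struct, time

QTYPES = {"A": 1, "AAAA": 28, "TXT": 16, "MX": 15}
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(hostname, qtype="A", qclass=1, txid=0):
    """Encode a DNS query with only the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], qclass)

def classify(response, txid):
    """Return (ok, reason) for a raw reply; None means no reply before timeout."""
    if response is None:
        return False, "timeout"
    if len(response) < 12:
        return False, "short response"
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit says "query"
        return False, "mismatched response"
    rcode = flags & 0x000F
    if rcode:
        return False, RCODES.get(rcode, f"rcode {rcode}")
    return True, f"{ancount} answer(s)"

def timed_lookup(server, hostname, qtype="A", timeout=3.0):
    """Send one UDP query to server:53; return (ok, reason, elapsed_seconds)."""
    txid = secrets.randbelow(1 << 16)  # unpredictable ID, checked on reply
    query = build_query(hostname, qtype, txid=txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            response = None
        elapsed = time.monotonic() - start
    ok, reason = classify(response, txid)
    return ok, reason, elapsed
```

`timed_lookup` takes the resolver's IP address as `server` and needs network access; `build_query` and `classify` work on raw bytes and can be exercised offline.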

The DNS resolution test records the following values:

  • A success/failure status, and a failure reason if applicable.
  • The DNS resolution time (if successful). Note that this excludes DOH setup time, if the query is made over DOH.
  • The resolved record (e.g. an IPv4 address if the query was for an A record).
  • The DOH server hostname resolution time, TCP connection time and SSL handshake time.