This guide helps you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, verify your connection to automatically gather relevant information.

Name resolution issues

If a domain name is not resolving correctly, test DNS resolution against 1.1.1.1 and compare the result to another resolver (such as 8.8.8.8). The CHAOS TXT queries (id.server) identify which Cloudflare server handled your request, which is useful when reporting issues.

Linux/macOS

Terminal window
# Test DNS resolution
dig example.com @1.1.1.1
dig example.com @1.0.0.1
dig example.com @8.8.8.8
# Check connected nameserver
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1
# Optional: Network information
dig @ns3.cloudflare.com whoami.cloudflare.com txt +short

Windows

Terminal window
# Test DNS resolution
nslookup example.com 1.1.1.1
nslookup example.com 1.0.0.1
nslookup example.com 8.8.8.8
# Check connected nameserver
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1
# Optional: Network information
nslookup -type=txt whoami.cloudflare.com ns3.cloudflare.com

For additional analysis, you can generate a DNSViz report for the domain in question.

Connectivity and routing issues

If DNS queries time out or you cannot reach 1.1.1.1 at all, the problem may be a network routing issue between your device and Cloudflare. Run traceroutes to both resolver addresses to identify where packets are being dropped.

Before reporting connectivity issues:

  1. Search for existing reports from your country and ISP.
  2. Run traceroutes to both Cloudflare DNS resolvers.

Linux/macOS

Terminal window
# Basic connectivity tests
traceroute 1.1.1.1
traceroute 1.0.0.1
# If reachable, check nameserver identity
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1
# TCP connection tests
dig +tcp @1.1.1.1 id.server CH TXT
dig +tcp @1.0.0.1 id.server CH TXT

Windows

Terminal window
# Basic connectivity tests
tracert 1.1.1.1
tracert 1.0.0.1
# If reachable, check nameserver identity
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1
# TCP connection tests
nslookup -vc -class=chaos -type=txt id.server 1.1.1.1
nslookup -vc -class=chaos -type=txt id.server 1.0.0.1

DNS-over-TLS (DoT) troubleshooting

DNS over TLS encrypts DNS queries using TLS on port 853. If your DoT connection is not working, test TLS connectivity and then DNS resolution over TLS.

Linux/macOS

Terminal window
# Test TLS connectivity
openssl s_client -connect 1.1.1.1:853
openssl s_client -connect 1.0.0.1:853
# Test DNS resolution over TLS
kdig +tls @1.1.1.1 id.server CH TXT
kdig +tls @1.0.0.1 id.server CH TXT

Windows

Windows does not include a standalone DoT client. You can test TLS connectivity using OpenSSL after installing it manually.

DNS-over-HTTPS (DoH) troubleshooting

DNS over HTTPS sends DNS queries as HTTPS requests. If your DoH connection is not working, test it by querying the Cloudflare DNS endpoint directly.

Linux/macOS

Terminal window
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA'

Windows

PowerShell
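# Request the JSON format explicitly, matching the accept header in the curl command
(Invoke-WebRequest -Uri 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA' -Headers @{ accept = 'application/dns-json' }).RawContent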

Common issues

First hop failures

If your traceroute fails at the first hop (the first network device after your computer, usually your router), the issue is likely hardware-related. Your router may have a hardcoded route for 1.1.1.1 that conflicts with using it as a DNS resolver. When reporting this issue, include:

  • Router make and model
  • ISP name
  • Any relevant router configuration details
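
The traceroute reading described under connectivity issues and first hop failures, as an added example that is not part of Cloudflare's documentation: classify_trace is a hypothetical helper that reads Linux/macOS traceroute output and reports whether the resolver was reached, no hop replied at all, or replies stopped after a given hop. The sample outputs are constructed, and Windows tracert output has a different layout and is not parsed.

```shell
#!/bin/sh
# Added example (hypothetical helper): classify Linux/macOS traceroute output.
# Usage: traceroute 1.1.1.1 | classify_trace 1.1.1.1
# Prints: reached <hop> | first-hop-failure | dropped-after <last replying hop>
classify_trace() {
    awk -v target="$1" '
        $1 !~ /^[0-9]+$/ { next }            # skip the header line
        {
            for (i = 2; i <= NF; i++) {
                if ($i == target || $i == "(" target ")") {
                    print "reached", $1; found = 1; exit
                }
                if ($i != "*") last = $1     # some device replied at this hop
            }
        }
        END {
            if (found) exit
            if (last == "") print "first-hop-failure"   # hop 1 included
            else print "dropped-after", last
        }
    '
}

# Constructed sample outputs (not captured from a real network).
sample_first_hop() {
    cat <<'EOF'
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
EOF
}
sample_midpath() {
    cat <<'EOF'
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.1 ms  0.9 ms  1.0 ms
 2  198.51.100.1 (198.51.100.1)  8.2 ms  8.1 ms  8.4 ms
 3  * * *
EOF
}
sample_reached() {
    cat <<'EOF'
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.1 ms  0.9 ms  1.0 ms
 2  * * *
 3  one.one.one.one (1.1.1.1)  12.3 ms  12.1 ms  12.0 ms
EOF
}

sample_midpath | classify_trace 1.0.0.1   # prints: dropped-after 2
```

A first-hop-failure result matches the case above where the router make and model, ISP name and router configuration belong in the report; a dropped-after result gives the last hop that replied, which is the point to quote when reporting a routing issue.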

Additional resources