Troubleshooting
This guide will help you diagnose and resolve common issues with Cloudflare's DNS Resolver. Before proceeding with manual troubleshooting steps, you can verify your connection to automatically gather relevant information.
```sh
# Test DNS resolution
dig example.com @1.1.1.1
dig example.com @1.0.0.1
dig example.com @8.8.8.8

# Check connected nameserver
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

# Optional: Network information
dig @ns3.cloudflare.com whoami.cloudflare.com txt +short
```
```powershell
# Test DNS resolution
nslookup example.com 1.1.1.1
nslookup example.com 1.0.0.1
nslookup example.com 8.8.8.8

# Check connected nameserver
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

# Optional: Network information
nslookup -type=txt whoami.cloudflare.com ns3.cloudflare.com
```
Note: The network information command reveals your IP address. Only include this in reports to Cloudflare if you are comfortable sharing this information.
For additional analysis, you can generate a DNSViz report for the domain in question.
Before reporting connectivity issues:
- Search for existing reports from your country and ISP.
- Run traceroutes to both Cloudflare DNS resolvers.
```sh
# Basic connectivity tests
traceroute 1.1.1.1
traceroute 1.0.0.1

# If reachable, check nameserver identity
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

# TCP connection tests
dig +tcp @1.1.1.1 id.server CH TXT
dig +tcp @1.0.0.1 id.server CH TXT
```
```powershell
# Basic connectivity tests
tracert 1.1.1.1
tracert 1.0.0.1

# If reachable, check nameserver identity
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

# TCP connection tests
nslookup -vc -class=chaos -type=txt id.server 1.1.1.1
nslookup -vc -class=chaos -type=txt id.server 1.0.0.1
```
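The `id.server` CH TXT identity check above, written out at the wire level as an added example (not part of the original page or Cloudflare's tooling): it builds the same question `dig` sends, parses the reply, and can run over UDP or TCP on a host without `dig`. The function names, the fixed transaction ID and `SAMPLE_RESPONSE` (a constructed reply, not a capture) are assumptions of this example.

```python
import socket
import struct

QTYPE_TXT, QCLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(name="id.server", txid=0x1234):
    """Wire-format query for <name> CH TXT. txid is fixed here; randomize it in real use."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_txt(msg, txid=0x1234):
    """Return the TXT strings in the answer section; raise on ID mismatch or error rcode."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if rid != txid or flags & 0x000F:
        raise ValueError(f"transaction ID mismatch or rcode {flags & 0x000F}")
    off, texts = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == QTYPE_TXT and rdata:  # each TXT string is length-prefixed
            texts.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
            rdata = rdata[1 + rdata[0]:]
    return texts

def query_id_server(resolver, tcp=False, timeout=3.0):
    """Ask resolver:53 for id.server CH TXT over UDP or TCP and return the TXT strings."""
    q = build_query()
    if tcp:  # DNS over TCP frames each message with a 2-byte length prefix
        with socket.create_connection((resolver, 53), timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(q)) + q)
            return parse_txt(f.read(struct.unpack("!H", f.read(2))[0]))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        return parse_txt(s.recvfrom(4096)[0])

# Constructed sample reply (not a capture): one TXT answer, name compressed to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query()[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 12) + b"\x0bEXAMPLE-POP")
```

Calling `query_id_server("1.1.1.1")` and `query_id_server("1.1.1.1", tcp=True)` mirrors the UDP and TCP checks above; a timeout, an error rcode, or differing answers between the two are worth including in a report.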
```sh
# Test TLS connectivity
openssl s_client -connect 1.1.1.1:853
openssl s_client -connect 1.0.0.1:853

# Test DNS resolution over TLS
kdig +tls @1.1.1.1 id.server CH TXT
kdig +tls @1.0.0.1 id.server CH TXT
```
Windows does not include a standalone DoT client. You can test TLS connectivity using OpenSSL after installing it manually.
```sh
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA'
```
```powershell
(Invoke-WebRequest -Uri 'https://cloudflare-dns.com/dns-query?name=cloudflare.com&type=AAAA').RawContent
```
If your traceroute fails at the first hop, the issue is likely hardware-related. Your router may have a hardcoded route for 1.1.1.1. When reporting this issue, include:
- Router make and model
- ISP name
- Any relevant router configuration details