Documentation

DoH/DoT Checks

About DoH/DoT Checks

DoH stands for "DNS over HTTPS" and DoT stands for "DNS over TLS". Both are DNS services that translate host and domain names (such as www.example.com or nodeping.com) into IP addresses, but instead of using insecure UDP/TCP queries over port 53, DoH sends queries over SSL-secured HTTPS (port 443) and DoT sends them over TLS on port 853.

The DoH/DoT check is intended to monitor your DoH/DoT services. If you need to verify a DNS record, our regular DNS check is likely a better fit.

DNS queries are sent in DNS wire format. For DoH checks, the URL is "https://<IP or FQDN>/dns-query" with an "accept" request header set to "application/dns-message". For GET, a URL query element of "dns" is set to the DNS query in wire format that is Base64 encoded.
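The request format described above, as an added Python example (not NodePing's own code): it builds a query in DNS wire format and the matching DoH GET URL and header. It also covers POST, which per RFC 8484 carries the raw wire-format query in the body; the server name doh.example.net and all function names are assumptions made for illustration.

```python
import base64
import struct

# Subset of IANA RR type codes; extend as needed.
QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28}

def build_query(fqdn, qtype="A", msg_id=0):
    """Build a one-question DNS query in wire format (RFC 1035).

    msg_id defaults to 0, which RFC 8484 recommends for DoH so that
    identical queries produce identical, cacheable URLs.
    """
    # Header: ID, flags (only RD set = 0x0100), QDCOUNT=1, other counts 0.
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {fqdn!r}")
        qname += bytes([len(raw)]) + raw  # length-prefixed label
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("name exceeds 255 octets")
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS 1 = IN

def _base_url(server):
    # An IPv6 literal must be bracketed inside a URL.
    host = f"[{server}]" if ":" in server else server
    return f"https://{host}/dns-query"

def doh_get(server, wire):
    """Return (url, headers) for a DoH GET request."""
    # RFC 8484 specifies the URL-safe Base64 alphabet with '=' padding removed.
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{_base_url(server)}?dns={dns}", {"accept": "application/dns-message"}

def doh_post(server, wire):
    """Return (url, headers, body) for a DoH POST: raw wire format in the body."""
    headers = {"accept": "application/dns-message",
               "content-type": "application/dns-message"}
    return _base_url(server), headers, wire

if __name__ == "__main__":
    # Constructed sample: doh.example.net is a placeholder server name.
    url, headers = doh_get("doh.example.net", build_query("www.example.com", "A"))
    print(url, headers)
```

A DoH server that rejects the GET form with a 400 while accepting POST is often choking on padded or standard-alphabet Base64, so comparing the two methods against the same query helps isolate encoding problems.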

When to use DoH/DoT Checks

Use NodePing's DoH/DoT check to ensure your DoH or DoT services are up and replying to queries. The optional abilities to verify the SSL certificates, send EDNS(0) OPT pseudo-records, and use TLS X.509 client certificates make our DoH/DoT check extremely capable.

Using DoH/DoT Checks

To set up a DoH/DoT check:

  1. Select DoH/DoT from the Check type drop down.
  2. Give it a friendly label to identify this check in lists and notifications.
  3. Enable Automated Diagnostics if you'd like detailed technical info about a failure that may help you troubleshoot it.
  4. Set how often you want the check to run in the Check Frequency field.
  5. Set the IP address (IPv4 or IPv6) or fully qualified name (FQDN) of the DoH/DoT service (required).
  6. To force an IPv6 resolution for the target FQDN, change the dropdown from "(Default IP resolution)" to "Force IPv6 resolution". If you're unsure, the default is what you want.
  7. Choose 'DoH' or 'DoT' in the dropdown. The default is DoH.
  8. If you're monitoring a DoH service, choose 'GET' or 'POST' in the 'Method' dropdown. The default is GET.
  9. If you're monitoring a DoH service, optionally set the 'Expected Response HTTP Status Code'. A good DoH response should reply with a 200.
  10. If you're monitoring a DoH service, optionally set any headers you'd like to send with your HTTP request in the Request Headers fields. Example: 'User-Agent' in the Header field and 'Chrome' in the Value field. Add as many headers as you need by clicking on the 'add another header' link. More header fields will appear.
  11. Optionally choose to sign your HTTPS (DoH) or TLS (DoT) request with your own TLS X.509 client cert by choosing it from the 'Client Certificate Auth' drop down. You can upload your client certs and keys in the 'Account Settings' - 'Certs and Keys' tab.
  12. Optionally choose to verify the server's SSL/TLS certificate in the next dropdown field.
  13. Enter the type of query you want to perform, and FQDN you want the check to look up (required).
  14. Enter the information the check should look for in the DNS reply. This will depend on the query type. For example, for A records, this will be an IPv4 address. For other types, such as MX or NS records, this is likely to be a fully qualified domain name. For AAAA records, the full notation is required. Example: 2606:c700:4020:11::53:4a3b must be entered with the 'missing' zero sections written out, as 2606:c700:4020:11:0:0:53:4a3b. There should be 8 sections total.
  15. Optionally set EDNS(0) OPT pseudo-records to send with the query. The code must be a positive integer. Add additional OPT records by clicking on the 'Add another EDNS OPT' link.
  16. Set a timeout. The default 5 seconds works fine for most situations.
  17. Set the Sensitivity. High is usually appropriate.
  18. Set the notifications for this check. More information about notifications.

Common usage:

  • To verify that a DoH server is up and responding.
  • To verify that a DoT server is up and responding.

If you have any questions, get in touch at support@nodeping.com, or use our Contact form.