DoH Query Packet Crafter
Craft online DNS-over-HTTPS query packets with wireformat hex, EDNS options, GET or POST replay commands, and live resolver response checks.
Introduction:
DNS-over-HTTPS carries normal DNS wire-format messages inside HTTPS. The DNS question, header flags, EDNS options, and response code still follow DNS rules; HTTPS changes the transport and privacy properties, not the meaning of the packet.
Packet crafting is useful when resolver behavior depends on details hidden by a simple lookup command. The recursion desired bit, checking disabled bit, DNSSEC OK bit, EDNS Client Subnet, padding, and transport method can all change what a resolver returns or what evidence appears in the answer, authority, and additional sections.
A crafted packet is evidence for one resolver path and one set of flags. Browser CORS policy, resolver support, cache state, and DNSSEC validation can all affect live replay, so preserve both the built request and the decoded response when comparing runs.
Technical Details:
The DNS request is encoded as a standard query with one question. GET requests carry the base64url-encoded DNS message in the dns query parameter. POST requests send the raw wire message with application/dns-message. Both paths use accept: application/dns-message.
| Control | Wire effect | Result field |
|---|---|---|
| Record type and class | Sets the question type and class | Question |
| Message ID | Random 16-bit ID or fixed hex ID | Message ID and response ID match |
| RD and CD flags | Set recursion desired and checking disabled bits | DNS Flag Ledger |
| EDNS and DO | Adds OPT record and DNSSEC OK flag | EDNS attached and DNSSEC DO |
| ECS, padding, keepalive, key tags | Adds EDNS option codes 8, 12, 11, and 14 | EDNS option rows |
The builder validates query names and clamps the UDP payload size to between 512 and 4096 bytes, padding to between 0 and 512 bytes, and the live timeout to between 1000 and 30000 ms. Live replay decodes the returned DNS message when possible and reports HTTP status, content type, body bytes, DNS response code, section counts, and echoed flags.
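The encoding described above can be reproduced by hand. The following Python sketch is an added example, not the tool's own code: it builds a one-question query with RD, CD, an OPT record, the DO bit and a padding option, then forms the GET URL. The function names and the resolver URL `https://doh.example/dns-query` are assumptions made for illustration.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    """Encode a name as length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name exceeds 255 octets")
    return out + b"\x00"

def build_query(name, qtype=1, qclass=1, msg_id=0, rd=True, cd=False,
                edns=True, do=False, udp_size=1232, padding=0):
    """Return wire bytes for a standard query with exactly one question."""
    flags = (0x0100 if rd else 0) | (0x0010 if cd else 0)
    header = struct.pack("!6H", msg_id & 0xFFFF, flags, 1, 0, 0, 1 if edns else 0)
    wire = header + encode_name(name) + struct.pack("!2H", qtype, qclass)
    if not edns:
        return wire
    udp_size = max(512, min(4096, udp_size))  # clamp ranges taken from the page
    padding = max(0, min(512, padding))
    options = b""
    if padding:
        # EDNS option code 12 (padding): option length, then zero bytes.
        options += struct.pack("!2H", 12, padding) + bytes(padding)
    # OPT pseudo-record: root owner, TYPE 41, CLASS carries the UDP size,
    # TTL carries extended RCODE, version and flags (DO is bit 0x8000).
    opt = b"\x00" + struct.pack("!2HIH", 41, udp_size,
                                0x8000 if do else 0, len(options))
    return wire + opt + options

def doh_get_url(resolver: str, wire: bytes) -> str:
    """Base64url-encode without '=' padding and place it in the dns parameter."""
    payload = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={payload}"

if __name__ == "__main__":
    # Constructed input: hypothetical resolver URL, fixed ID 0 for repeatability.
    q = build_query("example.com", qtype=48, do=True, padding=16)  # 48 = DNSKEY
    print(q.hex(" "))
    print(doh_get_url("https://doh.example/dns-query", q))
```

For POST, the same bytes returned by `build_query` are sent as the request body with `content-type: application/dns-message`.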
Everyday Use & Decision Guide:
Use DNSSEC trace when you want DNSSEC records or AD/DO behavior visible. Use Validation bypass when comparing a normal validating query with one that sets the CD bit. Use Lean GET lookup when you need a compact URL that can be shared or replayed easily.
- Prefer POST for larger EDNS packets or when URL length matters.
- Use fixed message IDs only when matching request and response bytes in repeatable tests.
- Keep ECS hints to documentation ranges unless you intentionally test resolver geolocation behavior.
- Read ID match, DNS response code, and section counts before drawing conclusions from the answer rows.
A successful HTTP response can still contain NXDOMAIN, SERVFAIL, or another DNS error. Treat HTTP status and DNS response code as separate signals.
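To make the separation of HTTP status and DNS response code concrete, the sketch below is an added example, not the tool's own code. It decodes only the 12-byte DNS header of a reply and reports transport and DNS signals in separate fields; the function name and the sample bodies are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def triage_doh_response(http_status, content_type, body, request_id):
    """Keep transport signals and DNS signals in separate fields."""
    media_type = content_type.split(";")[0].strip().lower()
    report = {
        "http_ok": 200 <= http_status < 300,
        "is_dns_message": media_type == "application/dns-message",
        "decoded": False,
    }
    # Only a DNS message with a full 12-byte header can be decoded.
    if not report["is_dns_message"] or len(body) < 12:
        return report
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", body[:12])
    rcode = flags & 0x000F  # low 4 bits; extended RCODE bits live in the OPT record
    report.update(
        decoded=True,
        id_match=(msg_id == request_id),
        is_response=bool(flags & 0x8000),  # QR bit
        rcode=RCODES.get(rcode, f"RCODE{rcode}"),
        flags={"TC": bool(flags & 0x0200), "RD": bool(flags & 0x0100),
               "RA": bool(flags & 0x0080), "AD": bool(flags & 0x0020),
               "CD": bool(flags & 0x0010)},
        counts={"question": qd, "answer": an, "authority": ns, "additional": ar},
    )
    return report

# Constructed samples: header-only bodies; real replies continue with the sections.
NXDOMAIN_BODY = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 1, 1)
SERVFAIL_BODY = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, args in {
        "HTTP 200, NXDOMAIN": (200, "application/dns-message", NXDOMAIN_BODY, 0x1234),
        "HTTP 200, SERVFAIL": (200, "application/dns-message", SERVFAIL_BODY, 0x1234),
        "HTTP 200, not DNS": (200, "text/html; charset=utf-8", b"<html>", 0x1234),
    }.items():
        print(label, triage_doh_response(*args))
```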
Step-by-Step Guide:
- Enter the query name, record type, resolver, and GET or POST transport.
- Apply a packet preset or set query class, ID mode, RD, CD, EDNS, DO, and EDNS option fields manually.
- Click Build Packet and review DNS Wire Packet for bytes, base64url, and request headers.
- Open DNS Flag Ledger to confirm flags and EDNS options match the intended test.
- Use DoH HTTP Replay for GET and POST cURL commands.
- Send a live query when browser access is allowed, then inspect Resolver Response Ledger.
Interpreting Results:
The built packet rows describe what was sent. The response rows describe what the selected resolver returned. Do not mix them: a request can ask for DNSSEC data, while the response can still omit signatures or return a validation failure.
If live replay fails, the packet may still be valid. Browser CORS rejection, timeout, or resolver HTTP behavior can block the fetch even when the copied cURL command works from a terminal.
Worked Examples:
DNSSEC trace. Query example.com for DNSKEY with EDNS and DO enabled. The flag ledger should show DNSSEC DO on, and the response ledger should be checked for AD, answer count, and authority records.
Validation bypass. Query a suspect signed zone with CD enabled. If the CD response returns data while the normal validating query fails, the issue is likely validation rather than absence.
GET replay. Build an A query with lean GET mode. The base64url payload becomes the dns parameter, and the copied cURL GET command can be used outside the browser.
FAQ:
Does DoH use JSON here?
The packet path uses DNS wire format with application/dns-message, not the resolver JSON API.
Why did HTTP succeed but DNS fail?
HTTPS only delivered the DNS message. The DNS response code still reports resolver outcomes such as NXDOMAIN or SERVFAIL.
Why include EDNS padding?
Padding can make request sizes less revealing, but it also increases packet size. The tool shows the resulting byte count.
Glossary:
- DoH: DNS-over-HTTPS, DNS wire messages carried over HTTPS.
- RD: Recursion desired flag.
- CD: Checking disabled flag for DNSSEC validation bypass tests.
- EDNS: Extension mechanism carried in an OPT pseudo-record.