A check failure (❌) indicates that your browsing data could be vulnerable. An unwanted party could see sensitive information such as which sites or servers you are visiting, or the certificate you are using. If the DNS response is fraudulent, you could also end up visiting and/or providing data to an unintended party.
A pass ✅ indicates that your browser or DNS resolver supports that particular feature.
Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to.
To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).
The fast, free, privacy focused 126.96.36.199 resolver supports DNS over TLS (DoT), which you can configure by using a client that supports it. For a list of these take a look here. DNS over HTTPS can be configured in Firefox today using these instructions. Both will ensure your DNS queries remain private.
Return to top
DNSSEC allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.
Put another way: DNSSEC proves authenticity and integrity (though not confidentiality) of a response from the authoritative name server. Doing so makes it much harder for a bad actor to inject malicious DNS records into the resolution path through BGP leaks and cache poisoning. This type of tampering can allow an attacker to divert all traffic to a server they control or stop the encryption of SNI, exposing the hostname you are connecting to.
Cloudflare provides free DNSSEC support to everyone. You can read more about DNSSEC and Cloudflare at https://www.cloudflare.com/dns/dnssec/
TLS 1.3 is the latest version of the TLS protocol and contains many improvements for performance & privacy.
If you're not using TLS 1.3, then the certificate of the server you are connecting to is not encrypted, allowing anyone listening on the Internet to discover which websites you are connecting to.
All websites on Cloudflare get TLS 1.3 support enabled as default - you can check your setting at any time by visiting the crypto section of the Cloudflare dashboard. To read more about TLS 1.3 visit https://www.cloudflare.com/learning-resources/tls-1-3/
As a website visitor you should ensure you are using a browser which supports TLS 1.3 today by visiting this page and choosing a compatible browser.
The Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. Doing so can compromise your privacy.
Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser’s requested hostname from anyone listening on the Internet.
All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default.
Cloudflare is working closely with interested browser vendors on implementing Encrypted SNI. Stay tuned to this page and our blog for further announcements.