JSON API for DNS over HTTPS (DoH)
Stay organized with collections
Save and categorize content based on your preferences.
Previously, web-based applications required browser extensions to use advanced
DNS features such as DANE, DNS-SD service discovery, or even to resolve
anything other than IP addresses – like MX records.
To use DNSSEC-dependent features like SSHFP records, any such extensions
would have to validate DNSSEC themselves, as the browser or OS might not do so.
Since 2016, Google Public DNS has offered a web-friendly API for DoH with DNSSEC
validation that does not require browser or OS configuration or extensions.
Simple GET query parameters and JSON responses allow clients to parse the
results using common web APIs and avoid complex DNS message format details like
pointer compression for domain names.
See the general DoH documentation page for information about DoH
generally, such as HTTP headers, redirect handling, privacy best practices, and
HTTP status codes.
The Secure Transports page has
curl command line examples for DoH, and information common to DoH and DNS over
TLS (DoT), such as TLS support and DNS truncation.
JSON API Specification
All API calls are HTTP GET requests.
In the case of duplicate parameters, only the first value is used.
Supported parameters
- name
string, required
The only required parameter. RFC 4343 backslash escapes are accepted.
- The length (after replacing backslash escapes) must be between 1 and
253
(ignoring an optional trailing dot if present).
- All labels (parts of the name betweendots) must be 1 to 63 bytes long.
- Invalid names like
.example.com, example..com or empty string get
400 Bad Request.
- Non-ASCII characters should be punycoded (
xn--qxam, not ελ).
- type
string, default: 1
RR type can be represented as a number in [1, 65535] or a canonical string
(case-insensitive, such as A or aaaa).
You can use 255 for 'ANY' queries but be aware that this is not a
replacement for sending queries for both A and AAAA or MX records.
Authoritative name servers need not return all records for such queries;
some do not respond, and others (such as cloudflare.com) return only HINFO.
- cd
boolean, default: false
The CD (Checking Disabled) flag.
Use cd=1, or cd=true to disable DNSSEC validation;
use cd=0, cd=false, or no cd parameter to enable DNSSEC validation.
- ct
string, default: empty
Desired content type option.
Use ct=application/dns-message to receive a binary DNS message in the
response HTTP body instead of JSON text.
Use ct=application/x-javascript to explicitly request JSON text.
Other content type values are ignored and default JSON content is returned.
- do
boolean, default: false
The DO (DNSSEC OK) flag.
Use do=1, or do=true to include DNSSEC records (RRSIG, NSEC, NSEC3);
use do=0, do=false, or no do parameter to omit DNSSEC records.
Applications should always handle (and ignore, if necessary) any DNSSEC
records in JSON responses as other implementations may always include them,
and we may change the default behavior for JSON responses in the future.
(Binary DNS message responses always respect the value of the DO flag.)
- edns_client_subnet
string, default: empty
The edns0-client-subnet option. Format is an IP address with a subnet mask.
Examples: 1.2.3.4/24, 2001:700:300::/48.
If you are using DNS-over-HTTPS because of privacy concerns, and do not want
any part of your IP address to be sent to authoritative name servers
for geographic location accuracy, use edns_client_subnet=0.0.0.0/0.
Google Public DNS normally sends approximate network information
(usually zeroing out the last part of your IPv4 address).
- random_padding
string, ignored
The value of this parameter is ignored. Example: XmkMw~o_mgP2pf.gpw-Oi5dK.
API clients concerned about possible side-channel privacy attacks using the
packet sizes of HTTPS GET requests can use this to make all requests exactly
the same size by padding requests with random data.
To prevent misinterpretation of the URL, restrict the padding characters
to the unreserved URL characters:
upper- and lower-case letters, digits, hyphen, period, underscore and tilde.
DNS response in JSON
A successful response (comments added here are not present in actual responses):
{
"Status": 0, // NOERROR - Standard DNS response code (32 bit integer).
"TC": false, // Whether the response is truncated
"RD": true, // Always true for Google Public DNS
"RA": true, // Always true for Google Public DNS
"AD": false, // Whether all response data was validated with DNSSEC
"CD": false, // Whether the client asked to disable DNSSEC
"Question":
[
{
"name": "apple.com.", // FQDN with trailing dot
"type": 1 // A - Standard DNS RR type
}
],
"Answer":
[
{
"name": "apple.com.", // Always matches name in the Question section
"type": 1, // A - Standard DNS RR type
"TTL": 3599, // Record's time-to-live in seconds
"data": "17.178.96.59" // Data for A - IP address as text
},
{
"name": "apple.com.",
"type": 1,
"TTL": 3599,
"data": "17.172.224.47"
},
{
"name": "apple.com.",
"type": 1,
"TTL": 3599,
"data": "17.142.160.59"
}
],
"edns_client_subnet": "12.34.56.78/0" // IP address / scope prefix-length
}
See RFC 7871 (EDNS Client Subnet) for
details about “scope prefix-length” and how it affects caching.
A failure response with diagnostic information:
{
"Status": 2, // SERVFAIL - Standard DNS response code (32 bit integer).
"TC": false, // Whether the response is truncated
"RD": true, // Always true for Google Public DNS
"RA": true, // Always true for Google Public DNS
"AD": false, // Whether all response data was validated with DNSSEC
"CD": false, // Whether the client asked to disable DNSSEC
"Question":
[
{
"name": "dnssec-failed.org.", // FQDN with trailing dot
"type": 1 // A - Standard DNS RR type
}
],
"Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/dnssec-failed.org/dnssec/."
}
SPF and TXT records with embedded quotes and name server attribution:
{
"Status": 0, // NOERROR - Standard DNS response code (32 bit integer).
"TC": false, // Whether the response is truncated
"RD": true, // Always true for Google Public DNS
"RA": true, // Always true for Google Public DNS
"AD": false, // Whether all response data was validated with DNSSEC
"CD": false, // Whether the client asked to disable DNSSEC
"Question": [
{
"name": "*.dns-example.info.", // FQDN with trailing dot
"type": 99 // SPF - Standard DNS RR type
}
],
"Answer": [
{
"name": "*.dns-example.info.", // Always matches name in Question
"type": 99, // SPF - Standard DNS RR type
"TTL": 21599, // Record's time-to-live in seconds
"data": "\"v=spf1 -all\"" // Data for SPF - quoted string
}
],
"Comment": "Response from 216.239.38.110"
// Uncached responses are attributed to the authoritative name server
}
{
"Status": 0, // NOERROR - Standard DNS response code (32 bit integer).
"TC": false, // Whether the response is truncated
"RD": true, // Always true for Google Public DNS
"RA": true, // Always true for Google Public DNS
"AD": false, // Whether all response data was validated with DNSSEC
"CD": false, // Whether the client asked to disable DNSSEC
"Question": [
{
"name": "s1024._domainkey.yahoo.com.", // FQDN with trailing dot
"type": 16 // TXT - Standard DNS RR type
}
],
"Answer": [
{
"name": "s1024._domainkey.yahoo.com.", // Always matches Question name
"type": 16, // TXT - Standard DNS RR type
"data": "\"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm\"\"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB; n=A 1024 bit key;\""
// Data for TXT - multiple quoted strings
}
],
}
DNS strings
All TXT records are encoded as a single JSON string including uses of longer TXT
record formats such as
RFC 4408 (SPF) or
RFC 4871 (DKIM).
EDNS
The general EDNS extension mechanism is not supported.
The EDNS Client Subnet option (edns-client-subnet) is a parameter in the
GET request and a top level field in the JSON response.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-03 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-03 UTC."],[[["\u003cp\u003eGoogle Public DNS offers a web-friendly API for DNS-over-HTTPS (DoH) with DNSSEC validation, eliminating the need for browser extensions.\u003c/p\u003e\n"],["\u003cp\u003eThis API uses simple GET requests with parameters like \u003ccode\u003ename\u003c/code\u003e, \u003ccode\u003etype\u003c/code\u003e, \u003ccode\u003ecd\u003c/code\u003e, \u003ccode\u003ect\u003c/code\u003e, \u003ccode\u003edo\u003c/code\u003e, and \u003ccode\u003eedns_client_subnet\u003c/code\u003e to specify the DNS query.\u003c/p\u003e\n"],["\u003cp\u003eResponses are provided in JSON format, containing details like DNS status, answer records, and optional DNSSEC information.\u003c/p\u003e\n"],["\u003cp\u003eThe API supports various DNS record types and features such as EDNS Client Subnet for location-aware queries and DNSSEC validation for enhanced security.\u003c/p\u003e\n"],["\u003cp\u003eFor detailed information on DoH, secure transports, and privacy practices, refer to the provided documentation links.\u003c/p\u003e\n"]]],["Google Public DNS offers a web-friendly API for DNS-over-HTTPS (DoH) using simple HTTP GET requests and JSON responses. Key parameters include `name` (required domain), `type` (record type), `cd` (disable DNSSEC), `do` (include DNSSEC records), `ct` (content type), and `edns_client_subnet` (client IP). Responses include status, data, and DNSSEC validation information. The API allows clients to avoid complex DNS formatting and supports DNSSEC validation without browser extensions.\n"],null,["# JSON API for DNS over HTTPS (DoH)\n\nPreviously, web-based applications required browser extensions to use advanced\nDNS features such as [DANE](https://en.wikipedia.org/wiki/DANE), [DNS-SD service discovery](http://www.infoq.com/articles/rest-discovery-dns), or even to resolve\nanything other than IP addresses -- like MX records.\nTo use DNSSEC-dependent features like [SSHFP records](https://cloud.google.com/dns/docs/dnssec-advanced#sshfp), any such extensions\nwould have to validate DNSSEC themselves, as the browser or OS might not do so.\n\nSince 2016, Google Public DNS has offered a web-friendly API for DoH with DNSSEC\nvalidation that does not require browser or OS configuration or extensions.\nSimple GET query parameters and JSON responses allow clients to parse the\nresults using common web APIs and avoid complex DNS message format details like\n[pointer compression for domain names](https://www.kb.cert.org/vuls/id/23495/).\n\nSee the general [DoH documentation page](/speed/public-dns/docs/doh) for information about DoH\ngenerally, such as HTTP headers, redirect handling, privacy best practices, and\nHTTP status codes.\n\nThe [Secure Transports](/speed/public-dns/docs/secure-transports#doh) page has\n`curl` command line examples for DoH, and information common to DoH and DNS over\nTLS (DoT), such as TLS support and DNS truncation.\n\nJSON API Specification\n----------------------\n\nAll API calls are HTTP GET requests.\nIn the case of duplicate parameters, only the first value is used.\n\n### Supported parameters\n\nname\n\n: string, required\n\n The only required parameter. RFC 4343 backslash escapes are accepted.\n\n - The length (after replacing backslash escapes) must be between 1 and [253](https://stackoverflow.com/a/28918017/18829) (ignoring an optional trailing dot if present).\n - All labels (parts of the name betweendots) must be 1 to 63 bytes long.\n - Invalid names like `.example.com`, `example..com` or empty string get 400 Bad Request.\n - Non-ASCII characters should be [punycoded](https://en.wikipedia.org/wiki/Punycode) (`xn--qxam`, not `ελ`).\n\ntype\n\n: string, default: `1`\n\n RR type can be represented as a number in \\[1, 65535\\] or a canonical string\n (case-insensitive, such as `A` or `aaaa`).\n You can use `255` for 'ANY' queries but be aware that this is *not* a\n replacement for sending queries for both A and AAAA or MX records.\n Authoritative name servers need not return all records for such queries;\n some do not respond, and others (such as cloudflare.com) return only HINFO.\n\ncd\n\n: boolean, default: `false`\n\n \u003cbr /\u003e\n\n The CD (Checking Disabled) flag.\n Use `cd=1`, or `cd=true` to disable DNSSEC validation;\n use `cd=0`, `cd=false`, or no `cd` parameter to enable DNSSEC validation.\n\nct\n\n: string, default: empty\n\n Desired content type option.\n\n Use `ct=application/dns-message` to receive a binary DNS message in the\n response HTTP body instead of JSON text.\n Use `ct=application/x-javascript` to explicitly request JSON text.\n Other content type values are ignored and default JSON content is returned.\n\ndo\n\n: boolean, default: `false`\n\n \u003cbr /\u003e\n\n The DO (DNSSEC OK) flag.\n Use `do=1`, or `do=true` to include DNSSEC records (RRSIG, NSEC, NSEC3);\n use `do=0`, `do=false`, or no `do` parameter to omit DNSSEC records.\n\n Applications should always handle (and ignore, if necessary) any DNSSEC\n records in JSON responses as other implementations may always include them,\n and we may change the default behavior for JSON responses in the future.\n (Binary DNS message responses always respect the value of the DO flag.)\n\n \u003cbr /\u003e\n\nedns_client_subnet\n\n: string, default: empty\n\n The edns0-client-subnet option. Format is an IP address with a subnet mask.\n Examples: `1.2.3.4/24`, `2001:700:300::/48`.\n\n If you are using DNS-over-HTTPS because of privacy concerns, and do not want\n *any* part of your IP address to be sent to authoritative name servers\n for geographic location accuracy, use `edns_client_subnet=0.0.0.0/0`.\n Google Public DNS normally sends approximate network information\n (usually zeroing out the last part of your IPv4 address).\n\nrandom_padding\n\n: string, ignored\n\n The value of this parameter is ignored. Example: `XmkMw~o_mgP2pf.gpw-Oi5dK`.\n\n API clients concerned about possible side-channel privacy attacks using the\n packet sizes of HTTPS GET requests can use this to make all requests exactly\n the same size by padding requests with random data.\n To prevent misinterpretation of the URL, restrict the padding characters\n to the [unreserved URL characters](http://stackoverflow.com/a/695469/18829):\n upper- and lower-case letters, digits, hyphen, period, underscore and tilde.\n\n### DNS response in JSON\n\nA successful response (comments added here are not present in actual responses): \n\n {\n \"Status\": 0, // NOERROR - Standard DNS response code (32 bit integer).\n \"TC\": false, // Whether the response is truncated\n \"RD\": true, // Always true for Google Public DNS\n \"RA\": true, // Always true for Google Public DNS\n \"AD\": false, // Whether all response data was validated with DNSSEC\n \"CD\": false, // Whether the client asked to disable DNSSEC\n \"Question\":\n [\n {\n \"name\": \"apple.com.\", // FQDN with trailing dot\n \"type\": 1 // A - Standard DNS RR type\n }\n ],\n \"Answer\":\n [\n {\n \"name\": \"apple.com.\", // Always matches name in the Question section\n \"type\": 1, // A - Standard DNS RR type\n \"TTL\": 3599, // Record's time-to-live in seconds\n \"data\": \"17.178.96.59\" // Data for A - IP address as text\n },\n {\n \"name\": \"apple.com.\",\n \"type\": 1,\n \"TTL\": 3599,\n \"data\": \"17.172.224.47\"\n },\n {\n \"name\": \"apple.com.\",\n \"type\": 1,\n \"TTL\": 3599,\n \"data\": \"17.142.160.59\"\n }\n ],\n \"edns_client_subnet\": \"12.34.56.78/0\" // IP address / scope prefix-length\n }\n\nSee [RFC 7871 (EDNS Client Subnet)](https://tools.ietf.org/html/rfc7871) for\ndetails about \"scope prefix-length\" and how it affects caching.\n\nA failure response with diagnostic information: \n\n {\n \"Status\": 2, // SERVFAIL - Standard DNS response code (32 bit integer).\n \"TC\": false, // Whether the response is truncated\n \"RD\": true, // Always true for Google Public DNS\n \"RA\": true, // Always true for Google Public DNS\n \"AD\": false, // Whether all response data was validated with DNSSEC\n \"CD\": false, // Whether the client asked to disable DNSSEC\n \"Question\":\n [\n {\n \"name\": \"dnssec-failed.org.\", // FQDN with trailing dot\n \"type\": 1 // A - Standard DNS RR type\n }\n ],\n \"Comment\": \"DNSSEC validation failure. Please check http://dnsviz.net/d/dnssec-failed.org/dnssec/.\"\n }\n\nSPF and TXT records with embedded quotes and name server attribution: \n\n {\n \"Status\": 0, // NOERROR - Standard DNS response code (32 bit integer).\n \"TC\": false, // Whether the response is truncated\n \"RD\": true, // Always true for Google Public DNS\n \"RA\": true, // Always true for Google Public DNS\n \"AD\": false, // Whether all response data was validated with DNSSEC\n \"CD\": false, // Whether the client asked to disable DNSSEC\n \"Question\": [\n {\n \"name\": \"*.dns-example.info.\", // FQDN with trailing dot\n \"type\": 99 // SPF - Standard DNS RR type\n }\n ],\n \"Answer\": [\n {\n \"name\": \"*.dns-example.info.\", // Always matches name in Question\n \"type\": 99, // SPF - Standard DNS RR type\n \"TTL\": 21599, // Record's time-to-live in seconds\n \"data\": \"\\\"v=spf1 -all\\\"\" // Data for SPF - quoted string\n }\n ],\n \"Comment\": \"Response from 216.239.38.110\"\n // Uncached responses are attributed to the authoritative name server\n }\n\n {\n \"Status\": 0, // NOERROR - Standard DNS response code (32 bit integer).\n \"TC\": false, // Whether the response is truncated\n \"RD\": true, // Always true for Google Public DNS\n \"RA\": true, // Always true for Google Public DNS\n \"AD\": false, // Whether all response data was validated with DNSSEC\n \"CD\": false, // Whether the client asked to disable DNSSEC\n \"Question\": [\n {\n \"name\": \"s1024._domainkey.yahoo.com.\", // FQDN with trailing dot\n \"type\": 16 // TXT - Standard DNS RR type\n }\n ],\n \"Answer\": [\n {\n \"name\": \"s1024._domainkey.yahoo.com.\", // Always matches Question name\n \"type\": 16, // TXT - Standard DNS RR type\n \"data\": \"\\\"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm\\\"\\\"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB; n=A 1024 bit key;\\\"\"\n // Data for TXT - multiple quoted strings\n }\n ],\n }\n\n### DNS strings\n\nAll TXT records are encoded as a single JSON string including uses of longer TXT\nrecord formats such as\n[RFC 4408 (SPF)](https://tools.ietf.org/html/rfc4408#section-3.1.3) or\n[RFC 4871 (DKIM)](https://tools.ietf.org/html/rfc4871#section-3.6.2.2).\n\n### EDNS\n\nThe general [EDNS extension mechanism](https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS) is not supported.\nThe EDNS Client Subnet option (edns-client-subnet) is a parameter in the\nGET request and a top level field in the JSON response."]]