How we test DNS

Why testing DNS from a browser is hard

A browser does not get to see which DNS server resolved a name. It only gets to see whether a name resolved, what it resolved to, and how fast. Everything else has to be inferred from fingerprints: known IP addresses that block-page hosts answer on, known patterns of which names get answered and which return 0.0.0.0, and known reachability of resolver "are you using me" pages such as 1.1.1.1/help, welcome.opendns.com and on.quad9.net. None of this is perfect. We say so.

What our probe does (five steps)

1. Identify the live resolver, where possible. We make a small set of parallel requests to known resolver self-identification endpoints (the cdn-cgi/trace endpoint on Cloudflare, welcome.opendns.com for OpenDNS, on.quad9.net for Quad9) and read the responses to infer which resolver, if any, is in the path.
2. Differential DoH lookups. We query the same test name against the standard Cloudflare DNS over HTTPS endpoint (cloudflare-dns.com) and the family-filtered endpoint (family.cloudflare-dns.com). A specific pattern of agreement and disagreement is a strong signal that a family resolver is in use upstream.
3. Sentinel category probes. We attempt a tiny image fetch against a small set of category-test domains covering adult, malware, gambling, social and AI categories. A clean failure for one and a clean success for the control is informative; we never load any actual content.
4. UK ISP block-page reflection (informational only). We probe the documented block-page hostnames used by the major UK ISPs (broadbandshield.sky.com for Sky, websafe.virginmedia.com for Virgin Media, block.ee.co.uk for EE, blocked.plus.net for Plusnet, the contentcontrolpage path on vodafone.co.uk for Vodafone). These hostnames are real websites reachable from any UK connection, so reachability alone does not prove the ISP's filter is active on your network. We report these signals for transparency but do not claim positive ISP-filter detection from the browser. Reliable ISP-filter detection requires manual verification at your router or via your ISP account.
5. Cross-check. We re-resolve one sentinel via dns.google/resolve and compare the answer to what the browser actually loaded. Disagreement is itself a signal.

How accurate is this, honestly?

In its current form (v9.1) the experimental browser-side probe can reliably identify two named family-DNS configurations: Cloudflare for Families (both strict and malware-only variants) and OpenDNS FamilyShield. We chose a conservative scope deliberately: a tool measuring child safety has to be honest about what it can and cannot see, and reassuring parents falsely is worse than admitting we couldn't tell. We are actively developing additional detection methods, including reliable UK ISP filter detection and Quad9, which will roll into v9.2 and v10 as we can corroborate the signals with sufficient confidence. For absolute certainty about your network today, the five manual checks below take two minutes and give you ground truth.

What we cannot detect

• UK ISP family filters reliably (BT, Sky, TalkTalk, Virgin Media, EE, Plusnet, Vodafone). We can see signals that suggest these filters but we cannot yet corroborate them with enough confidence to claim a positive identification. Use the manual checks below or your ISP account area to confirm.
• Pi-hole, AdGuard Home and NextDNS on your LAN. These look like any other DNS server from the browser's point of view.
• Operating-system level DNS over HTTPS. Windows 11, macOS, iOS and Android can each route DNS queries over an encrypted channel that bypasses the router entirely. The browser sees the result, not the route.
• Route-level or carrier-level blocks. Some mobile carriers and corporate networks apply blocks higher up the stack than DNS.
• Mobile carrier filters. A phone on 5G or 4G is not using your home network; if you want to check what your child sees on mobile data, run this test on the device with Wi-Fi off.
• Isle of Man. Sure's residential broadband product runs no network-level content filter that this probe can see. Manx Telecom's parental controls, announced with their new fibre product on 26 March 2026, run inside the Nokia Corteca-powered router and are administered through the Manx Telecom mobile app under the "Family profiles" feature; they are not visible to a browser-side probe. We say so plainly because the Isle of Man is part of the conversation about UK-style protections and parents there deserve a straight answer.

Five manual checks you can run in two minutes

1. Visit 1.1.1.1/help. The page tells you whether the resolver answering for your device is Cloudflare and, if so, on which variant (standard, malware-blocking, or family).
2. Visit welcome.opendns.com. If you see "Welcome to OpenDNS!" you are using OpenDNS or FamilyShield. Otherwise you are not.
3. Visit on.quad9.net. Plain "Yes" or "No" answer for Quad9.
4. Visit an adult-category test domain such as nudity.testcategory.com. Cloudflare's own 1.1.1.1 setup guide recommends this exact domain for verifying that 1.1.1.3 and 1.0.0.3 is blocking adult content. If you see the page, your DNS is not filtering adult content; if the connection fails, it is.
5. Open your router admin page. Look at the DNS settings tab. If the primary and secondary DNS servers are blank, your router is using whatever your ISP set. If they are 1.1.1.3 and 1.0.0.3, you have set Cloudflare for Families. If they are 208.67.222.123 and 208.67.220.123, you have set OpenDNS FamilyShield. If they are 9.9.9.9 and 149.112.112.112, you have set Quad9. If you do not recognise them, that is worth knowing too.

Why we publish this transparently

If we overclaim what a browser-based probe can detect, two things happen. Parents who score 100/100 stop layering further protection because they think they are done; they are not. And schools, regulators and commissioners lose trust in the result the moment they find one of the blind spots we listed above. Honest scope is the only durable position. If you find a case where this page is wrong or out of date, please tell us.