DoH SECURE_DNS_FAILED high

Secure DNS (DoH) resolution failure

The browser's encrypted DNS-over-HTTPS resolver is unreachable or blocked, so name lookups fail even when plain DNS works fine.

What you see

DNS_PROBE_FINISHED_NO_INTERNET

Secure DNS lookup failed — SECURE_DNS_FAILED

What’s actually happening

Sites fail to load with a DNS error, but the connection itself looks fine — other apps work, and the same sites resolve on a phone using cellular. The break correlates with a network change: a corporate VPN, a hotel or airport captive portal, or a school/office firewall. Toggling Secure DNS off in the browser makes everything resolve again, which points straight at the DoH layer rather than the site.

Common causes

  • A firewall or content filter blocks the DoH endpoint (port 443 to the resolver host, e.g. cloudflare-dns.com or dns.google)
  • A captive portal hasn't been passed yet — DoH can't bootstrap because the portal intercepts HTTPS
  • The browser is pinned to a custom DoH provider that is down or misconfigured
  • Enterprise/VPN policy mandates an internal resolver and silently drops external DoH
  • System-level DoH (Windows) or the OS resolver conflicts with the browser's own Secure DNS setting

How to fix it

  1. Turn off Secure DNS to confirm the cause. In Chrome: Settings → Privacy and security → Security → Use secure DNS, toggle off. In Firefox: Settings → Privacy & Security → DNS over HTTPS → Off. If pages load immediately, DoH was the problem.
  2. Clear the captive portal first. On hotel/airport Wi-Fi, open http://neverssl.com (plain HTTP) to force the portal login page, complete it, then re-enable Secure DNS. DoH frequently can't trigger the portal on its own.
  3. Switch DoH providers instead of disabling it. If a custom resolver is down, set Secure DNS to a known-good provider (Cloudflare 1.1.1.1 or Google 8.8.8.8) rather than turning encryption off entirely. Use 'With your current service provider' on managed/VPN networks that block third-party DoH.
  4. Flush the browser's DNS cache. Visit chrome://net-internals/#dns and click Clear host cache, then chrome://net-internals/#sockets → Flush socket pools. This drops stale failed-lookup entries so the next attempt starts clean.
  5. Reconcile OS-level Secure DNS. On Windows 11, check Settings → Network & internet → your adapter → DNS server assignment for an Encrypted (DoH) setting that conflicts with the browser. Align them or let the OS handle DoH and set the browser to 'use system'.
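
To tell the causes above apart from outside the browser, the script below (an added example, not part of the original page) compares the OS resolver with direct DoH queries to both providers and maps the result to the step that applies. The function names, the result labels, the default test name example.com and the use of the providers' JSON endpoints (cloudflare-dns.com/dns-query and dns.google/resolve) are choices made for this example.

```python
import json, socket, ssl, sys, urllib.error, urllib.request

# DoH JSON endpoints of the two providers named on this page.
DOH_URLS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query?name={name}&type=A",
    "google": "https://dns.google/resolve?name={name}&type=A",
}

def plain_dns_ok(name):
    """True if the OS resolver (the network's own DNS) resolves the name."""
    try:
        return bool(socket.getaddrinfo(name, 443))
    except OSError:
        return False

def doh_probe(url, timeout=5):
    """Return 'ok', 'intercepted' (TLS failure), 'blocked' or 'bad_response'."""
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            answer = json.load(resp)
        good = isinstance(answer, dict) and answer.get("Status") == 0 and answer.get("Answer")
        return "ok" if good else "bad_response"
    except urllib.error.URLError as err:
        # A certificate/TLS error means something is answering in the resolver's place.
        return "intercepted" if isinstance(err.reason, ssl.SSLError) else "blocked"
    except ValueError:
        return "bad_response"   # reachable, but the body was not DoH JSON
    except OSError:
        return "blocked"        # timeout or reset while reading the reply

def classify(plain_ok, doh):
    """Map probe results to the fix step on this page that applies."""
    states = set(doh.values())
    if not plain_ok and "ok" not in states:
        return "no-dns-at-all"                     # not a DoH-specific failure
    if states == {"ok"}:
        return "doh-reachable"                     # steps 4-5: stale cache or OS/browser conflict
    if "intercepted" in states:
        return "captive-portal-or-tls-inspection"  # step 2
    if "ok" in states:
        return "switch-provider"                   # step 3: one resolver down or blocked
    return "network-blocks-doh"                    # use 'With your current service provider'

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = {p: doh_probe(u.format(name=name)) for p, u in DOH_URLS.items()}
    print(results, "->", classify(plain_dns_ok(name), results))
```

Run it on the affected network with Secure DNS still enabled in the browser; a 'doh-reachable' result while the browser still fails points at the browser's own provider setting or cache rather than the network.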

Stop it recurring

On networks you don't control (corporate, captive portals), set Secure DNS to 'with your current service provider' so the browser falls back to the network's resolver instead of failing.
