DNS Integrity Check Explained

Learn how to verify DNS answer consistency across resolvers, detect poisoning signals, and decide the next diagnostic step.

Use this guide to understand resolver consistency, poisoning indicators, and how to turn test output into concrete remediation steps.

What this test validates

The tool resolves the same domain through several DNS-over-HTTPS (DoH) resolvers and compares the records each one returns.

If the resolvers you trust return the same answer set, the answer is more likely unaltered along your DNS path. If they diverge, investigate on-path interception, a stale cache tier, or deliberate resolver policy differences (filtering, geo-steering).

Why resolver consistency matters

Many access issues and geo mismatches are not network outages but DNS path inconsistencies.

Resolver drift can cause a user to hit different infrastructure than expected, which affects latency, regional routing, and policy enforcement.

How to read resolver rows

Each row shows the resolver id, the returned answers, the DNS response code (RCODE, e.g. NOERROR or NXDOMAIN), and the TTL. Compare the rows against each other before comparing any one resolver against your expectation.

A single outlier resolver can indicate local filtering, captive portal behavior, or one stale cache tier.

What counts as a poisoning signal

Private (RFC 1918) or loopback addresses, synthetic sinkhole ranges, or an empty or NXDOMAIN answer from one resolver where the others return valid records can indicate tampering.

This is a diagnostic signal, not proof of tampering. Confirm by repeating the test from different network exits (another ISP, a mobile hotspot, a different VPN exit) before drawing conclusions.
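To make the comparison concrete, here is an added example (not the tool's own code) that parses DoH responses in the application/dns-json shape the Google and Cloudflare JSON APIs return, takes the majority answer set as consensus, and classifies each disagreeing row with the signals described above. The resolver names, the domain example.test and the response bodies are constructed for illustration. A short-TTL divergence between public addresses is reported as possible geo-balancing rather than tampering, which is the false-positive case discussed further down this page.

```python
"""Compare one domain's DoH answers across resolvers and flag outliers.

Added example; input is constructed, not captured from real resolvers."""
import ipaddress
import json
from collections import Counter

# Constructed responses in the application/dns-json shape used by the Google
# and Cloudflare DoH JSON APIs: Status is the RCODE, Answer holds the RRs.
SAMPLE_RESPONSES = {
    "cloudflare": json.dumps({"Status": 0, "Answer": [
        {"name": "example.test.", "type": 1, "TTL": 300, "data": "203.0.113.10"},
        {"name": "example.test.", "type": 1, "TTL": 300, "data": "203.0.113.11"}]}),
    "google": json.dumps({"Status": 0, "Answer": [
        {"name": "example.test.", "type": 1, "TTL": 290, "data": "203.0.113.11"},
        {"name": "example.test.", "type": 1, "TTL": 290, "data": "203.0.113.10"}]}),
    "quad9": json.dumps({"Status": 0, "Answer": [
        {"name": "example.test.", "type": 1, "TTL": 298, "data": "203.0.113.10"},
        {"name": "example.test.", "type": 1, "TTL": 298, "data": "203.0.113.11"}]}),
    # The odd one out: a private address with a short TTL, as an interception
    # box or a sinkhole might return.
    "isp": json.dumps({"Status": 0, "Answer": [
        {"name": "example.test.", "type": 1, "TTL": 60, "data": "192.168.1.1"}]}),
}

# Address space that should never appear as the answer for a public hostname.
SUSPICIOUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7",
)]

def parse_row(resolver, raw):
    """Turn one DoH JSON body into a row: resolver, RCODE, sorted A/AAAA data, min TTL."""
    body = json.loads(raw)
    rrs = body.get("Answer", [])
    answers = sorted(rr["data"] for rr in rrs if rr["type"] in (1, 28))  # A, AAAA
    return {"resolver": resolver, "status": body.get("Status", -1),
            "answers": answers, "ttl": min((rr["TTL"] for rr in rrs), default=None)}

def is_suspicious_address(addr):
    """True for private, loopback, CGNAT, unspecified or unparsable answers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in SUSPICIOUS_NETS)

def assess(rows, short_ttl=60):
    """Majority vote over the rows, then classify every row that disagrees."""
    votes = Counter(tuple(r["answers"]) for r in rows if r["status"] == 0 and r["answers"])
    if not votes:
        return {"consensus": None, "verdict": "no_valid_answers", "outliers": []}
    consensus = votes.most_common(1)[0][0]
    outliers = []
    for r in rows:
        if tuple(r["answers"]) == consensus:
            continue
        if r["status"] != 0 or not r["answers"]:
            signal = "empty_or_error_while_others_answer"
        elif any(is_suspicious_address(a) for a in r["answers"]):
            signal = "private_or_sinkhole_address"
        elif r["ttl"] is not None and r["ttl"] <= short_ttl:
            signal = "possible_geo_balancing"  # public IPs, short TTL: often CDN variance
        else:
            signal = "unexplained_divergence"
        outliers.append((r["resolver"], signal))
    strong = {"empty_or_error_while_others_answer", "private_or_sinkhole_address"}
    if not outliers:
        verdict = "consistent"
    elif any(s in strong for _, s in outliers):
        verdict = "poisoning_signal"
    else:
        verdict = "investigate"
    return {"consensus": list(consensus), "verdict": verdict, "outliers": outliers}

def run(samples=SAMPLE_RESPONSES):
    """Parse every sample body and assess the resulting rows."""
    return assess([parse_row(name, raw) for name, raw in samples.items()])

if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

With the constructed input, run() reports the three public resolvers as consensus and the "isp" row as a private_or_sinkhole_address outlier, so the verdict is poisoning_signal. The majority vote is only as trustworthy as the resolver set: a row that matches the consensus is never inspected on its own, so always include several independent resolvers rather than one trusted resolver plus your local one.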

DNS integrity vs DNS leak

Integrity asks whether resolvers return consistent answers. Leak asks whether your queries are sent to the resolver you intended.

Run both checks together: integrity tells you answer quality, leak tells you resolver path control.

DNS Proxy vs VPN: What Is the Difference?

A DNS proxy and a VPN serve different purposes, though they are often discussed together. A DNS proxy — including Smart DNS services — intercepts and redirects only your DNS queries. It does not encrypt the rest of your traffic or change your IP address. This makes DNS proxies useful for bypassing geographic content restrictions (such as streaming services) with minimal performance overhead, since only DNS traffic is rerouted.

A VPN, by contrast, encrypts all network traffic from your device and routes it through a VPN server, changing your visible IP address for all applications. This provides stronger privacy protection but typically adds latency compared to DNS-only redirection.

Key practical differences:

  • Encryption: VPN encrypts all traffic; DNS proxy does not
  • IP address: VPN changes your IP address; DNS proxy does not
  • Streaming speed: DNS proxies usually stream faster because the media traffic itself is neither encrypted nor rerouted; only the DNS lookup is
  • Privacy: a VPN hides the destinations and contents of your traffic from your ISP (which still sees that you connect to the VPN server); a DNS proxy only changes the DNS resolution path, and your ISP still sees all the traffic
  • Use case: DNS proxy is optimized for geo-unblocking; VPN is optimized for privacy and security

Smart DNS services (such as Smart DNS Proxy and DNSFLEX) are specific implementations of DNS proxying aimed at regional content restrictions. For a selected set of domains, their resolver returns the address of a relay located in the target region instead of the service's real address, so that service sees the relay's location rather than yours. Unlike a full VPN, they do not create an encrypted tunnel for all traffic, and everything outside that domain list flows as usual.

Practical remediation workflow

First, retest on the same network to rule out temporary cache churn. Then switch VPN exit or network and compare again.

If inconsistency persists, lock DNS policy on client/router, disable conflicting DNS overrides, and retest until resolver rows converge.

Common false positives

CDN geo-balancing, split-horizon DNS, and very short TTL domains can produce expected differences.

Look for persistent mismatch patterns, not one-off variance from globally distributed infrastructure.

How integrity check and DNS leak test work together

Integrity checks answer "are the answers consistent". DNS leak tests answer "are requests going to the intended resolver".

If integrity is normal but leak is abnormal, prioritize fixing the resolver path. If the path is normal but integrity is abnormal, investigate resolver policy and cache layers.

Team deployment recommendations

Maintain an expected resolution baseline for critical business domains: record resolver, answer range, TTL range, and detection time window.

When login anomalies, region mismatches, or intermittent access failures occur, compare the live result directly against the baseline to determine quickly whether you are seeing a network policy change or drift in the DNS data layer.

Emergency triage (5-minute version)

Step 1: Repeat the test twice on the same network to confirm it is not a transient fluctuation.
Step 2: Switch to a VPN exit or a mobile hotspot and retest to confirm it is not a single-network issue.
Step 3: Query the domain's authoritative nameservers directly (for example with dig +trace, or dig @<nameserver> after looking up the NS records) and compare those answers with the local resolver rows.
Step 4: Check whether the router and the endpoints carry DNS rewrite or override policies.
Step 5: Keep screenshots or the raw output of each result for traceability.

Result judgment boundaries

This tool is a technical diagnostic; its output is not by itself a security or compliance conclusion. A final judgment combines it with business reachability, connection logs, and the policies in effect on the path.

For CDN, split-horizon DNS, and multi-region traffic-steering services, define the acceptable range of differences first (expected address ranges, TTL range, how long a mismatch must persist) and only then decide whether a result is anomalous.
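As an added illustration of the baseline approach from the team deployment section and of the "acceptable difference range" idea just described (example code, not part of the tool), the following defines a baseline entry for a hypothetical domain login.example.test with the fields listed earlier (expected resolvers, answer ranges, TTL range, detection window), checks each observed resolver row against it, and applies the window so that a single transient mismatch is not reported. All resolver names, address ranges, timestamps and observations are constructed.

```python
"""Check observed resolver rows against an expected-resolution baseline.

Added example with a constructed baseline and constructed observations."""
import ipaddress
from datetime import datetime, timedelta, timezone

# One baseline entry per critical domain: which resolvers are expected,
# which address ranges an answer may fall in, the acceptable TTL range,
# and how long a mismatch must persist before it counts as a finding.
BASELINE = {
    "login.example.test": {
        "resolvers": {"cloudflare", "google", "quad9"},
        "answer_ranges": ["203.0.113.0/24", "2001:db8:10::/48"],
        "ttl_range": (30, 600),
        "window_seconds": 600,
    },
}

def check_row(domain, row, baseline=BASELINE):
    """Return the deviations of one observed row from the baseline (empty = in range)."""
    spec = baseline[domain]
    nets = [ipaddress.ip_network(n) for n in spec["answer_ranges"]]
    problems = []
    if row["resolver"] not in spec["resolvers"]:
        problems.append("unexpected_resolver")  # a path problem, what a leak test reports
    for answer in row["answers"]:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            problems.append(f"non_address_answer:{answer}")
            continue
        if not any(ip in net for net in nets):
            problems.append(f"answer_out_of_range:{answer}")
    low, high = spec["ttl_range"]
    if row["ttl"] is not None and not low <= row["ttl"] <= high:
        problems.append(f"ttl_out_of_range:{row['ttl']}")
    return problems

def classify(domain, observations, baseline=BASELINE):
    """observations: list of (timestamp, row) for one domain over time.

    Deviations that do not persist for the detection window are 'transient';
    deviations that consist only of an unexpected resolver point at a network
    policy change; anything else is drift in the DNS data itself."""
    window = timedelta(seconds=baseline[domain]["window_seconds"])
    flagged = [(ts, check_row(domain, row, baseline)) for ts, row in observations]
    flagged = [(ts, problems) for ts, problems in flagged if problems]
    if not flagged:
        return "within_baseline"
    first, last = min(ts for ts, _ in flagged), max(ts for ts, _ in flagged)
    if last - first < window:
        return "transient"
    if all(p == "unexpected_resolver" for _, problems in flagged for p in problems):
        return "network_policy_change"
    return "dns_data_drift"

def at(minutes):
    """Constructed timestamp: minutes after a fixed reference instant."""
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)

# Constructed observation series for the three outcomes.
DRIFT_OBS = [  # expected resolvers start returning an address outside the baseline
    (at(0),  {"resolver": "google", "answers": ["203.0.113.20"], "ttl": 300}),
    (at(5),  {"resolver": "google", "answers": ["198.51.100.7"], "ttl": 300}),
    (at(15), {"resolver": "quad9",  "answers": ["198.51.100.7"], "ttl": 300}),
]
POLICY_OBS = [  # answers are fine, but an unplanned resolver handles the queries
    (at(0),  {"resolver": "corp-dns", "answers": ["203.0.113.20"], "ttl": 300}),
    (at(20), {"resolver": "corp-dns", "answers": ["203.0.113.21"], "ttl": 300}),
]
TRANSIENT_OBS = [  # one odd answer that does not persist for the window
    (at(0), {"resolver": "google", "answers": ["203.0.113.20"], "ttl": 300}),
    (at(2), {"resolver": "google", "answers": ["198.51.100.7"], "ttl": 5}),
    (at(4), {"resolver": "google", "answers": ["203.0.113.20"], "ttl": 300}),
]

if __name__ == "__main__":
    for label, obs in (("drift", DRIFT_OBS), ("policy", POLICY_OBS), ("transient", TRANSIENT_OBS)):
        print(label, "->", classify("login.example.test", obs))
```

The split mirrors the integrity/leak distinction used on this page: an out-of-baseline answer from an expected resolver is a data-layer finding, while in-range answers arriving via an unexpected resolver are a path finding to hand to the leak-test workflow. Keep the window at least as long as the longest TTL in the baseline, otherwise normal cache expiry across tiers will look like persistence.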

Further reading

Read What Is a DNS Leak for resolver path basics and How to Fix DNS Leaks for step-by-step mitigation. Pair with What Is My IP to validate network context.

Frequently Asked Questions

What does DNS 8.8.8.8 and 8.8.4.4 do?

8.8.8.8 and 8.8.4.4 are the IPv4 addresses of Google Public DNS. When you use them, your DNS queries go to Google's resolvers instead of your ISP's default resolvers. Google Public DNS validates DNSSEC and does not apply the content filtering or redirection an ISP resolver might, so it can sidestep censorship or hijacking implemented inside the ISP's own resolver; it does not block malicious domains by default. Plain port 53 queries to 8.8.8.8 can still be intercepted on the path, so use DNS over HTTPS or DNS over TLS when the path itself must be protected.

What is a proxy DNS server?

A proxy DNS server acts as an intermediary between your device and the actual DNS resolvers. It can cache DNS responses for faster lookups, filter malicious domains, log query patterns, or relay DNS requests through a different network path. Some DNS proxies are used to bypass geographic restrictions or to monitor DNS traffic within a network.

Is 1.1.1.1 a proxy?

1.1.1.1 is a public DNS resolver service run by Cloudflare (and APNIC), not a proxy. It functions as a DNS resolver — it receives your DNS queries and resolves them — similar to 8.8.8.8. However, Cloudflare also offers a separate VPN-like service called WARP that routes your internet traffic through Cloudflare's network, which can act as a proxy for all traffic.

Is a proxy server illegal?

Using a proxy server is generally legal in most countries, provided it is not used for illegal activities. The legality depends on how the proxy is used and the jurisdiction. Proxies are widely used for legitimate purposes like privacy, bypassing geo-restrictions, and network security. However, using proxies to commit fraud, bypass paid access controls, or conduct illegal activities is prohibited.
