Android App Diagnostics Guide

The CleanBrowsing Android app includes a built-in diagnostic tool that runs a full set of DNS connectivity and filtering tests and produces a structured report. This guide explains what each test checks, how to read the output, and how to share it with support.

How to Run the Diagnostic

The diagnostic tool is built into the app. You do not need to enable anything or install a separate app.

  1. Open the CleanBrowsing app
  2. On the status screen, tap the Diagnostics button
  3. If prompted, confirm your account code (it should already be pre-filled)
  4. The test runs automatically — it takes approximately 10–20 seconds to complete all sections

The app tests your connectivity in order from the top of the report down. Each section builds on the previous one, so a failure early in the report (for example, at Account Lookup) will cause all later DNS tests to be skipped.

Sending the Report to Support

Once the diagnostic finishes, tap the Copy button at the top of the results screen. This copies the entire report to your clipboard as plain text.

You can then paste it directly into:

  • A support ticket via our contact form
  • An email to support@cleanbrowsing.org
  • A Help Scout conversation if your account has one open

The report includes your app version, Android version, device model, network type, and all test results — our support team can usually identify the issue immediately from a single pasted report without asking follow-up questions.

Device Info

--- Device Info ---
Android: 13 (API 33)
Device: samsung SM-N986U
App Version: 9.8

This section captures the baseline environment. It tells support:

  • Android version and API level — API 33 = Android 13. Important because behavior of Private DNS, accessibility permissions, and restricted settings differs across Android versions.
  • Device manufacturer and model — Samsung, Pixel, Xiaomi, and OnePlus devices all have different Private DNS settings paths and different accessibility service behavior. The model number helps identify known OEM-specific issues.
  • App version — Confirms whether the device is running the latest release or an older build that may have a known bug.

Network State

--- Network State ---
Connected: YES
Type: Mobile/Cellular

Confirms the device has an active network connection and identifies the transport type (WiFi, Mobile/Cellular, or Ethernet). This matters because:

  • Mobile/Cellular — Some carriers intercept or block DNS-over-TLS (port 853). If DoT fails on cellular but works on WiFi, the carrier is likely blocking it.
  • WiFi — If DoT fails on WiFi but works on cellular, the router or ISP is blocking port 853. The VPN fallback (DoH on port 443) will handle this automatically.

If Connected: NO appears, the device has no network connection and all subsequent tests will fail.

Private DNS Settings

--- Private DNS Settings ---
Mode: hostname
Hostname: custom9dac8d0eabe09ccd.dot.cleanbrowsing.org

Reads Android's current Private DNS configuration directly from system settings. What to look for:

  • Mode: hostname — Private DNS is active and configured to a specific hostname (DoT mode). This is correct when the app is running with a paid account.
  • Mode: opportunistic — Android will use DoT if available but fall back to plain DNS. This usually means the app has not yet configured Private DNS or it was reset.
  • Mode: off — Private DNS is disabled. If the app is supposed to be running, this indicates the DNS configuration did not apply correctly.
  • Hostname — Should match the DoT hostname returned by the Account Lookup step below. If the hostname is wrong or belongs to a different filter, the app is enforcing the wrong filter.

Free filters use shared hostnames like family.dns.cleanbrowsing.org. Paid accounts use a unique hostname like custom{hex}.dot.cleanbrowsing.org that identifies your specific account.

Account Lookup

--- Account Lookup ---
GET https://my.cleanbrowsing.org/apis/devices/get-dot?apikey=xxxxxxxx
  HTTP 200  (312ms)
  DoT Hostname: custom9dac8d0eabe09ccd.dot.cleanbrowsing.org

Calls the CleanBrowsing API with your account code and returns the DoT hostname assigned to your account. This is the foundation of all subsequent DoT and DoH tests.

  • HTTP 200 + DoT Hostname — Account code is valid. All DoT/DoH tests will use this hostname.
  • HTTP 401 or "Invalid account code" — The activation code stored in the app is wrong or the account has been deactivated. Recheck the code in the dashboard at my.cleanbrowsing.org.
  • FAIL: Network error — The device cannot reach the CleanBrowsing API. If the HTTP Test below also fails, this is a broader connectivity issue. If HTTP Test passes but Account Lookup fails, the my.cleanbrowsing.org API endpoint may be unreachable from this network.

If Account Lookup fails, the diagnostic aborts — there is nothing to test without a valid DoT hostname.

HTTP Test

--- HTTP Test ---
GET https://cleanbrowsing.org
  HTTP 200  (233ms)
  Content-Type: text/html; charset=UTF-8
  Server: noc.org/cdn

--- HTTP Test ---
GET https://my.cleanbrowsing.org
  HTTP 200  (155ms)
  Content-Type: text/html; charset=UTF-8
  Server: noc.org/cdn

Tests basic HTTPS connectivity to CleanBrowsing's website and API server. If both return HTTP 200, the device can reach CleanBrowsing's infrastructure over standard HTTPS (port 443). The Server: noc.org/cdn header confirms the request is going through our CDN.

If these tests fail with a connection error (not an HTTP error code), the device likely cannot reach the internet at all, or a network firewall is blocking all outbound traffic.

DoT Connectivity

--- DoT Connectivity: IP 1 (185.228.168.9) ---
TCP :853: PASS (19ms)
TLS: PASS (56ms)
  Subject: CN=*.cleanbrowsing.org
  Expires: Tue Jul 14 13:27:44 CDT 2026
DNS Query (cleanbrowsing.org/A): PASS | rcode=0 answers=2 (63ms)

--- DoT Connectivity: IP 2 (185.228.168.199) ---
TCP :853: PASS (35ms)
TLS: PASS (44ms)
  Subject: CN=*.dot.cleanbrowsing.org
  Expires: Mon Nov 30 08:20:16 CST 2026
DNS Query (cleanbrowsing.org/A): PASS | rcode=0 answers=2 (54ms)

--- DoT Hostname: custom9dac8d0eabe09ccd.dot.cleanbrowsing.org ---
Resolve: PASS - 185.228.168.199
TCP :853: PASS
TLS: PASS (52ms)
  Subject: CN=*.dot.cleanbrowsing.org
  Expires: Mon Nov 30 08:20:16 CST 2026
DNS Query (cleanbrowsing.org/A): PASS | rcode=0 answers=2 (59ms)

Three separate DoT tests run against both hardcoded resolver IPs and then against your account's custom DoT hostname. Each test has three stages:

  1. TCP :853 — Can the device open a TCP connection to port 853? If this fails, port 853 is blocked on the network. The app's VPN fallback (DoH on port 443) will handle this automatically.
  2. TLS handshake — Can the device complete a TLS handshake with the correct certificate? Shows the certificate subject and expiry date. A TLS failure here typically means a firewall is intercepting the connection or the certificate has expired.
  3. DNS Query — After establishing the TLS connection, can the device send a DNS query and receive a valid response? This confirms the full DoT pipeline is functional end to end.

CleanBrowsing operates two resolver IPs: 185.228.168.9 and 185.228.168.199. Testing both individually lets support identify if a single resolver IP is experiencing an outage or if one PoP is degraded.
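
The three stages above as a small Python probe you can run from a laptop on the same network. This is an added example, not the app's own code: build_query, parse_header, recv_exact and dot_probe are hypothetical names, and the 2-byte length prefix is the standard DNS-over-TCP framing that DoT reuses.

```python
import socket, ssl, struct, time

def build_query(name, qid=0x1234):
    """A-record query in DNS wire format, with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_header(framed):
    """Return (rcode, answer_count) from a length-prefixed DNS response."""
    if len(framed) < 14 or struct.unpack("!H", framed[:2])[0] != len(framed) - 2:
        raise ValueError("truncated or mis-framed DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", framed[2:14])
    return flags & 0x000F, ancount

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_probe(ip, server_name, qname="cleanbrowsing.org", timeout=5):
    """Run the three stages against one resolver IP; returns report-style lines."""
    t0 = time.monotonic()
    try:
        raw = socket.create_connection((ip, 853), timeout=timeout)
    except OSError as e:
        return [f"TCP :853: FAIL ({e})"]
    lines = [f"TCP :853: PASS ({(time.monotonic() - t0) * 1000:.0f}ms)"]
    ctx = ssl.create_default_context()  # validates the chain and server_name
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_name)
    except (ssl.SSLError, OSError) as e:
        return lines + [f"TLS: FAIL ({e})"]
    with tls:
        lines.append(f"TLS: PASS (expires {tls.getpeercert()['notAfter']})")
        try:
            tls.sendall(build_query(qname))
            prefix = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", prefix)[0])
            rcode, answers = parse_header(prefix + body)
        except (OSError, ValueError) as e:
            return lines + [f"DNS Query ({qname}/A): FAIL ({e})"]
    return lines + [f"DNS Query ({qname}/A): PASS | rcode={rcode} answers={answers}"]
```

Because the probe validates the certificate against server_name, an intercepting firewall shows up as a TLS failure at stage 2 rather than as a silent pass.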

DNS Resolution Test (DoT)

--- DNS Resolution Test (DoT) ---
Resolver: custom9dac8d0eabe09ccd.dot.cleanbrowsing.org
  google.com → 192.178.52.206 [NOERROR] (54ms)
  pornhub.com → BLOCKED (redirect → 104.207.152.255) (133ms)

This is the most important section for confirming your filter is actually working. It opens a DoT connection to your account's custom hostname and runs two queries over the same TLS session:

  • google.com — A domain that should always resolve normally. If this fails, the resolver is not responding to queries at all.
  • pornhub.com — A domain that should be blocked by every CleanBrowsing filter. This confirms that filtering is actually enforced, not just that DNS queries are being forwarded.

Block results vary by filter type:

  • BLOCKED (NXDOMAIN) — The resolver returned "domain not found." Used by free filters (Family, Adult, Security).
  • BLOCKED (redirect → IP) — The resolver returned a block page IP address. Used by paid/custom filters — the IP serves the block page.
  • [not blocked?] — The domain returned NOERROR with no A records. This may indicate a misconfigured filter or an unusual block response from the server.

If google.com resolves but pornhub.com is not blocked, your custom filter's block list may not include adult content. Check your filter configuration at my.cleanbrowsing.org.

Edge Location

--- Edge Location (DoT) ---
Resolver: custom9dac8d0eabe09ccd.dot.cleanbrowsing.org
  Edge: CleanBrowsing: dns-edge-usa-central-dallas8, 185.228.168.199 (147ms)

Queries a special CleanBrowsing TXT record over both DoT and DoH (in the DoH section). The response identifies which specific datacenter and server is handling your DNS requests.

This is useful for diagnosing latency and routing issues. If your device is in Europe but the edge location shows a US datacenter, there may be an anycast routing problem with your ISP or carrier — your DNS packets are being sent to the wrong PoP. Share this with support along with your location.

You will also see edge location results within each DoH test section, allowing direct comparison of which PoP is serving DoT vs. DoH requests from your device.

DoH Tests

--- DoH: Family Filter ---
Endpoint: https://doh.cleanbrowsing.org/doh/family-filter/
  cleanbrowsing.org → 137.220.48.110, 149.28.121.105 [NOERROR] (237ms)
  pornhub.com → BLOCKED (NXDOMAIN) (37ms)
  Edge: CleanBrowsing: dns-edge-usa-central-dallas8, 185.228.168.168 (25ms)

--- DoH: Custom Filter (account) ---
Endpoint: https://doh.cleanbrowsing.org/doh/custom-filter/9dac:8d0e:abe0:9ccd/
  cleanbrowsing.org → 149.28.121.105, 137.220.48.110 [NOERROR] (29ms)
  pornhub.com → BLOCKED (redirect → 104.207.152.255) (27ms)
  Edge: CleanBrowsing: dns-edge-usa-central-dallas8, 2a0d:2a00:3:abab:9dac:8d0e:abe0:9ccd (40ms)

Tests DNS-over-HTTPS independently of DoT. DoH runs over port 443 (standard HTTPS) and is the primary fallback used by the app when port 853 is blocked. Two endpoints are tested:

  • Family Filter — The shared free family filter. Always tested as a known-good baseline. If this fails, DoH connectivity itself is broken.
  • Custom Filter (account) — Your account's specific DoH endpoint, derived from your DoT hostname. This confirms your custom filter rules are applied over the DoH path as well.

Each endpoint runs three sub-tests: a resolution test (cleanbrowsing.org), a block check (pornhub.com), and an edge location query. The edge location in the DoH section may differ from the DoT edge location — this is normal if DoT and DoH traffic routes differently from your network.

Plain DNS UDP (Port 53)

--- Plain DNS UDP (port 53): 185.228.168.168 ---
  cleanbrowsing.org → 149.28.121.105, 137.220.48.110 [NOERROR] (27ms)
  pornhub.com → BLOCKED (NXDOMAIN) (21ms)

Tests unencrypted DNS on the standard UDP port 53. This is the oldest and most basic DNS transport — it is almost never blocked by networks but also provides no encryption.

This test serves as a baseline: if DoT and DoH both fail but plain DNS works, the problem is specifically with encrypted DNS transports (port 853 or port 443 HTTPS DNS), not with reaching CleanBrowsing's servers at all.

Plain DNS is not used by the app for filtering — it uses DoT (Private DNS) or DoH (VPN fallback) — but confirming the resolvers respond to plain DNS is helpful for isolating network-level problems.
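
The reading rules from the Network State, Private DNS Settings, Account Lookup, DoT Connectivity and Plain DNS sections, applied to a pasted report in Python. This is an added example, not part of the app or of CleanBrowsing's support tooling: the function names and the sample report are constructed, customEXAMPLE is a placeholder hostname, and treating a DoH or plain DNS section as working when it contains a [NOERROR] line is an assumption.

```python
# Constructed sample: port 853 blocked, DoH working, Private DNS on a shared hostname.
SAMPLE = """--- Network State ---
Connected: YES
--- Private DNS Settings ---
Mode: hostname
Hostname: family.dns.cleanbrowsing.org
--- Account Lookup ---
DoT Hostname: customEXAMPLE.dot.cleanbrowsing.org
--- DoT Connectivity: IP 1 (185.228.168.9) ---
TCP :853: FAIL (timeout)
--- DoH: Family Filter ---
cleanbrowsing.org → 149.28.121.105 [NOERROR] (40ms)
"""

def parse_report(text):
    """Split a pasted report into {section title: [stripped lines]}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("--- ") and line.endswith(" ---"):
            current = sections.setdefault(line[4:-4], [])
        elif current is not None and line:
            current.append(line)
    return sections

def field(lines, key):  # value of the first "Key: value" line, or None
    return next((l.split(":", 1)[1].strip() for l in lines if l.startswith(key + ":")), None)

def lines_of(sections, prefix):  # all lines from sections whose title starts with prefix
    return [l for title, body in sections.items() if title.startswith(prefix) for l in body]

def triage(text):
    """Apply the guide's reading rules in report order; returns a list of findings."""
    s = parse_report(text)
    if field(s.get("Network State", []), "Connected") == "NO":
        return ["no network connection: all later tests fail"]
    account = field(s.get("Account Lookup", []), "DoT Hostname")
    if account is None:
        return ["account lookup failed: later DNS tests were skipped"]
    findings = []
    if field(s.get("Private DNS Settings", []), "Hostname") != account:
        findings.append("Private DNS hostname differs from account hostname")
    dot_ok = any(l.startswith("TCP :853: PASS") for l in lines_of(s, "DoT "))
    doh_ok = any("[NOERROR]" in l for l in lines_of(s, "DoH:"))
    if not dot_ok and doh_ok:
        findings.append("port 853 blocked: DoH fallback on 443 is working")
    elif not dot_ok and any("[NOERROR]" in l for l in lines_of(s, "Plain DNS")):
        findings.append("encrypted DNS failing; plain DNS still reaches the resolvers")
    return findings or ["no issues found"]
```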

Ping

--- Ping 185.228.168.9 ---
PING 185.228.168.9 (185.228.168.9) 56(84) bytes of data.
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 23.911/25.642/27.967/1.718 ms

Sends 3 ICMP ping packets to each resolver IP. Reports:

  • Packet loss — 0% is ideal. Any loss suggests an unstable network path to that resolver.
  • RTT (round-trip time) — The avg latency for DNS queries to that resolver. Under 50ms is typically good. Over 150ms may cause noticeable delays on DNS-heavy browsing.

On some devices or networks, ping is blocked (ICMP is filtered). In that case you will see "Not available on this device" for traceroute, or no ping stats returned — this does not indicate a DNS problem.

Tip: Compare the ping RTT against the DNS query timings in the DoT and DoH sections. DNS query time should be roughly 2× the ping RTT — much higher may indicate TLS overhead issues or server-side slowness at a specific PoP.

Result Reference

Result | What it means
PASS | The test succeeded. TCP connected, TLS handshake completed, or DNS query returned a valid response.
FAIL | The test failed. The error message after FAIL describes the specific failure (e.g., connection refused, timeout, handshake error).
BLOCKED (NXDOMAIN) | The domain was blocked and the resolver returned "domain not found" (DNS NXDOMAIN / rcode 3). Used by free filters.
BLOCKED (redirect → IP) | The domain was blocked and the resolver returned an IP address pointing to a block page. Used by custom/paid filters.
[not blocked?] | The domain returned NOERROR with no A records. Unexpected — contact support if you see this on a domain that should be blocked.
NOERROR | DNS query succeeded with a normal answer. Expected for domains that should not be blocked (e.g., google.com, cleanbrowsing.org).
SERVFAIL | The resolver encountered an error processing the query. May indicate a temporary server issue.
REFUSED | The resolver refused the query. This can happen if the request is malformed or the resolver does not serve queries from this IP.

Still seeing issues?

Run the diagnostic, tap Copy, and paste the report when you contact support. We can usually identify the issue from a single report.
