What does this tool actually check?

It queries the HTTPS resource record (DNS type 65) for the domain, looks for an ech= SvcParam, base64-decodes it, then parses the binary ECHConfigList per RFC 9849. You get one block per ECHConfig in the list with version, HPKE KEM, public key, cipher suites, public_name, and any extensions.

I see HTTPS RR but no ech= parameter. What does that mean?

The domain advertises HTTPS service binding (alpn, ipv4hint, ipv6hint) but has not published an ECHConfigList. SNI is still visible in plaintext on this host. On Cloudflare-proxied zones the ech= value is added automatically once the ECH toggle is on. On self-hosted nginx you need OpenSSL 3.5+ ECH support plus an ECHConfigList generator and the public_name aligned to a real cover hostname.

Why does Cloudflare show public_name = cloudflare-ech.com?

Cloudflare publishes a shared cover so every ECH-enabled customer points the unencrypted SNI to cloudflare-ech.com. Observers on the path see a generic name that does not identify which Cloudflare customer the client is actually connecting to. The real destination only exists inside the encrypted inner Client Hello.

Which browser versions actually use ECH?

Firefox 119+ ships ECH on by default with DoH enabled. Chrome supports ECH behind chrome://flags/#encrypted-client-hello on recent stable builds. Safari and Edge have not enabled ECH on by default as of mid-2026. ECH only triggers when the client also resolves DNS over HTTPS or DoT, because plaintext DNS already leaks the hostname and ECH becomes pointless.

Is this private to the domain I check?

The lookup is a public DNS query for the HTTPS RR. We resolve against 1.1.1.1 over UDP. We log the request for rate limiting only and do not retain the looked-up domain or response.

Free, no signup, rate-limited per IP. Lookup timeout 8 seconds. Private IPs and reserved names refused for security.

WEB

ECH Checker

Inspect Encrypted Client Hello deployment

Input

Check whether a domain publishes an ECHConfigList in its HTTPS resource record. Decodes the binary ECH configuration (version, KEM, cipher suites, public key, public_name) so you can audit TLS Client Hello encryption deployment on any host.

Terminal

Console ready. Execute a command to see output...

About ECH Checker

Verify SNI Encryption on the Wire

Encrypted Client Hello (ECH) hides the Server Name Indication during the TLS handshake. Without ECH every TLS 1.3 connection leaks the destination hostname in plaintext, regardless of HTTPS or DoH. ECH wraps the inner Client Hello with HPKE so on-path observers see only the cover (public_name) of the host.

What we read

This tool runs a DNS HTTPS resource record lookup (RFC 9460) for the input domain, extracts the ech= SvcParam, then parses the ECHConfigList per RFC 9849 / draft-13.

For each ECHConfig in the list the tool surfaces:

Version — currently 0xfe0d (draft-13, the version every shipping browser implements)
config_id — short identifier the client echoes during the handshake
KEM — HPKE Key Encapsulation Mechanism (DHKEM X25519 by default on Cloudflare)
Public key — server's HPKE public key, as raw hex
Cipher suites — KDF and AEAD combinations the server accepts
maximum_name_length — padding hint for inner Client Hello length leakage
public_name — cover hostname that appears unencrypted on the wire
Extensions — any future ECHConfig extensions present

How to use ECH Checker

Enter the domain
Just example.com. No protocol prefix, no port. The tool resolves the apex or subdomain you give it.
Hit Check ECH Deployment
A DNS HTTPS RR (TYPE65) query runs from our server against 1.1.1.1. The raw resource record is returned alongside the parsed ECHConfigList.
Read the report
Status pill tells you deployed, RR present without ECH, or no RR at all. Each ECHConfig block shows the HPKE parameters and public_name (the cover hostname that observers actually see).
Cross-check the wire
Open Firefox 119+ with DoH on, visit the domain, and inspect the TLS handshake in DevTools or Wireshark. Inner Client Hello fields should be encrypted. Cross-reference with SSL Checker for the certificate that ECH protects and DNS Lookup to confirm the HTTPS RR.

Frequently Asked Questions

: It queries the HTTPS resource record (DNS type 65) for the domain, looks for an ech= SvcParam, base64-decodes it, then parses the binary ECHConfigList per RFC 9849. You get one block per ECHConfig in the list with version, HPKE KEM, public key, cipher suites, public_name, and any extensions.