This script checks communication to 15 public DNS servers. dos2unix and chmod 777 are needed to run it.
Lab example:
[Expert@CP-GW:0]# chmod 777 *
[Expert@CP-GW:0]# dos2unix *
dos2unix: converting file dns_check.sh to Unix format ...
[Expert@CP-GW:0]# ./dns_check.sh
[2026-02-01 12:54:38] Starting DNS egress checks for 15 resolvers...
Google_8.8.8.8 8.8.8.8 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Google_8.8.4.4 8.8.4.4 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Cloudflare_1.1.1.1 1.1.1.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Cloudflare_1.0.0.1 1.0.0.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Quad9_9.9.9.9 9.9.9.9 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Quad9_149.112.112.112 149.112.112.112 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
OpenDNS_208.67.222.222 208.67.222.222 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
OpenDNS_208.67.220.220 208.67.220.220 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Level3_4.2.2.1 4.2.2.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Level3_4.2.2.2 4.2.2.2 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Level3_4.2.2.3 4.2.2.3 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Level3_4.2.2.4 4.2.2.4 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
CleanBrowsing_185.228.168.9 185.228.168.9 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Neustar_156.154.70.1 156.154.70.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Neustar_156.154.71.1 156.154.71.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Finished. CSV written to: /var/log/dns-egress-check.csv
Tip: If you see UDP53=FAIL, run: fw ctl zdebug drop | grep -i 53 on the gateway to locate drops.
[Expert@CP-GW:0]#
Best,
Andy
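
Added example (not part of the original post and not the dns_check.sh script itself): a small shell helper that reads result lines in the format shown in the lab output and reports, per check, how many resolvers passed or failed and which IPs failed a given check. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: three result lines in the same format as the lab output.
# The UDP53=FAIL value on the last line is made up to exercise the failure path.
SAMPLE='Google_8.8.8.8 8.8.8.8 : ICMP=OK UDP53=OK TCP53=OK DoT/853=OK DoH/443=OK
Level3_4.2.2.1 4.2.2.1 : ICMP=OK UDP53=OK TCP53=OK DoT/853=FAIL DoH/443=FAIL
Neustar_156.154.70.1 156.154.70.1 : ICMP=OK UDP53=FAIL TCP53=OK DoT/853=FAIL DoH/443=FAIL'

# protocol_counts (hypothetical name): read result lines on stdin and print
# "CHECK ok=N fail=M" for each check, in the order the checks first appear.
# Lines whose third field is not ":" (timestamp, "Finished", tip, prompts)
# are ignored, so the full terminal capture can be piped in unchanged.
protocol_counts() {
    awk '$3 == ":" {
        for (i = 4; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (!(kv[1] in seen)) { seen[kv[1]] = 1; order[++cnt] = kv[1] }
            if (kv[2] == "OK") ok[kv[1]]++; else fail[kv[1]]++
        }
    }
    END {
        for (j = 1; j <= cnt; j++)
            printf "%s ok=%d fail=%d\n", order[j], ok[order[j]], fail[order[j]]
    }'
}

# failing_resolvers CHECK (hypothetical name): print the IP of every resolver
# whose named check (for example UDP53 or DoT/853) is anything other than OK.
failing_resolvers() {
    awk -v want="$1" '$3 == ":" {
        for (i = 4; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == want && kv[2] != "OK") print $2
        }
    }'
}

printf '%s\n' "$SAMPLE" | protocol_counts
printf '%s\n' "$SAMPLE" | failing_resolvers "DoT/853"
```
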