DNS Checker Blog

Expert insights, tutorials, and news about DNS, domain management, and web infrastructure.

65 technical articles on DNS, security, and infrastructure

10 topic areas including email auth, DNSSEC, and abuse reporting

20+ years of hands-on networking and infrastructure experience

CompTIA certified author: A+, Network+, Security+

The DNS Checker Blog is a technical resource covering DNS infrastructure, email authentication, domain security, and network troubleshooting. Published by Ishan Karunaratne, a CompTIA A+, Network+, and Security+ certified engineer with over 20 years of hands-on networking experience, the blog contains 65 articles organized into 10 topic areas. Coverage spans DNS record types (A, AAAA, MX, CNAME, TXT), propagation mechanics and TTL behavior, email authentication protocols (SPF, DKIM, DMARC), DNSSEC deployment, and common DNS attacks including cache poisoning, amplification, tunneling, and zone transfer exploits. Step-by-step tutorials cover building DNS resolvers in Node.js, Python, and PHP, using the dig command, and verifying DNS changes after hosting migrations. The abuse reporting series documents how to report DDoS attacks, phishing, spam, brute-force attempts, and other IP-based abuse to ISPs, hosting providers, and law enforcement.

Security

Articles on DNS security including DNSSEC, email authentication, and threat protection.

All 43 articles
11 min read

145,061 Domains Delegated to a Misspelled Name Server — Here's How the Attack Works

A single typo in a name server hostname gives an attacker full DNS authority over your domain. I built a detection pipeline that scans 260 million domains daily and found that one missing character in ResellerClub's NS hostname has left 145,061 domains exposed to silent DNS hijacking.
12 min read

What Happens When One DNS Provider Goes Down: The Hidden Fragility of TLD Ecosystems

The Dyn attack took down Twitter and Netflix because they shared a DNS provider. I analyzed 240 million domains and found 112 TLDs where a single provider controls over half the domains. The next Dyn-scale event isn't a question of if, but which TLD.
11 min read

How Expired Name Servers Become Domain Hijacking Vectors

When a name server domain expires, every domain that still delegates to it becomes vulnerable to hijacking. I found 503,000 domains pointing to expired NS domains — and a single re-registration could compromise hundreds of thousands of them.
12 min read

Why DNSSEC Is Still Failing: Lessons from 240 Million Domains

After 20 years, only 4.27% of domains have DNSSEC. I analyzed 240 million domains to understand why — the answer isn't technical, it's structural. Registrar defaults, invisible benefits, and operational fear are holding back the one protocol that could fix DNS authentication.
8 min read

Phantom Domain Attack: How Unresponsive Domains Exhaust DNS Resolvers

Phantom domain attacks overwhelm DNS resolvers by forcing them to wait for responses from domains that never answer. Learn how this resource exhaustion attack works and how to defend your resolver infrastructure.
9 min read

DNSSEC Downgrade Attack: How Attackers Strip Cryptographic Protection from DNS

A DNSSEC downgrade attack tricks resolvers into accepting unsigned DNS responses for domains that should be DNSSEC-signed. Learn how stripping attacks work, how misconfigured resolvers enable them, and how to verify your DNSSEC validation.
9 min read

Fast Flux DNS: How Botnets Hide Behind Rapidly Rotating IP Addresses

Fast flux DNS rapidly rotates the IP addresses behind a domain to hide malicious infrastructure from takedowns. Learn how single and double flux networks work, how to detect them, and how threat intelligence teams track them.
10 min read

DNS Rebinding Attack: How Browsers Are Tricked Into Bypassing Same-Origin Policy

DNS rebinding manipulates DNS responses to trick a browser into treating an attacker's server and an internal network resource as the same origin. Learn how the attack works, why it bypasses firewalls, and how to defend against it.
10 min read

DNS Over HTTPS Abuse: How Encrypted DNS Creates Security Blind Spots

DNS over HTTPS encrypts DNS queries inside HTTPS traffic, providing privacy but also enabling attackers to bypass DNS monitoring, content filters, and security controls. Learn how DoH is abused and how to maintain visibility.
11 min read

DNS Tunneling Attack: How Data Is Smuggled Through Port 53

DNS tunneling hides data inside DNS queries to bypass firewalls and exfiltrate information through port 53. Learn how encoded subdomain queries work, how to detect tunneling, and how to lock down your DNS infrastructure.
8 min read

NXDOMAIN Attack: How Nonexistent Domain Floods Exhaust DNS Resolvers

NXDOMAIN attacks flood DNS resolvers with queries for domains that do not exist, exhausting resolver resources and degrading performance for legitimate users. Learn how the attack differs from water torture and how to defend your resolvers.
9 min read

DNS Water Torture Attack: How Random Subdomain Floods Overwhelm Nameservers

The DNS water torture attack floods authoritative nameservers with queries for random, nonexistent subdomains that cannot be cached. Learn how the attack bypasses traditional defenses and how to protect your DNS infrastructure.
10 min read

DNS Amplification Attack Explained: How Open Resolvers Enable Massive DDoS

DNS amplification attacks exploit open resolvers to generate massive DDoS floods with up to 70x traffic amplification. Learn how reflection works, the Spamhaus case study, and how to prevent your servers from being weaponized.
10 min read

Subdomain Takeover: How Dangling DNS Records Let Attackers Hijack Your Domain

A subdomain takeover happens when a CNAME points to a decommissioned cloud service that an attacker can reclaim. Learn how to find dangling DNS records, which providers are vulnerable, and how to prevent takeovers.
11 min read

DNS Hijacking Explained: How Attackers Take Control of Your Domain's Resolution

DNS hijacking redirects your domain's traffic by compromising registrar accounts, nameservers, or network infrastructure. Learn the four types of hijacking, real-world incidents like the Sea Turtle campaign, and how to protect your domains.
12 min read

What Is DNS Cache Poisoning? How It Works and How to Prevent It

DNS cache poisoning injects forged records into a resolver's cache, silently redirecting users to malicious servers. Learn how the Kaminsky attack works, how to test your resolver, and how DNSSEC prevents it.
9 min read

DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains

DNSSEC's NSEC records create a chain that reveals every subdomain in a zone. Learn how zone walking works for subdomain discovery, why NSEC3 is only a deterrent, and how to audit your own DNSSEC configuration.
10 min read

DNS Zone Walking at the TLD Level: How Attackers Discover Every Domain in a TLD

TLD zones signed with DNSSEC can be walked to discover every registered domain. Learn how NSEC chains expose entire registries, why NSEC3 is only a deterrent that can be cracked, and what this means for domain privacy.
9 min read

DNS Zone Transfer Attack (AXFR): How a Single Query Exposes Your Entire Domain

An unrestricted DNS zone transfer hands an attacker your complete zone file — every subdomain, IP address, and service record. Learn how AXFR works, how to test your own nameservers, and how to lock down zone transfers.
8 min read

What Is an Open DNS Resolver? Why It's Dangerous and How to Fix It

An open DNS resolver accepts recursive queries from anyone on the internet, making it a weapon for DDoS amplification attacks. Learn how to check if your server is an open resolver and how to lock it down.
15 min read

How to Identify and Manage Web Crawlers: A Sysadmin's Guide to robots.txt, AI Bots, and SEO Crawlers

Before you file an abuse report against that IP hammering your server, check the User-Agent. This guide covers how to identify web crawlers, manage them with robots.txt and server-level controls, and decide when to block, allow, or report.
8 min read

How to Report Usenet Abuse: Spam, Piracy, and Illegal Content on Newsgroup Servers

Usenet remains active and so does its abuse. This guide covers how to report spam, copyright infringement, and illegal content on newsgroup servers, including how to trace posts to source IPs and file complaints with Usenet providers.
11 min read

How to Report Network Security Incidents to a CERT Team: Templates for Vulnerability Exploitation and Intrusions

CERT teams coordinate responses to security incidents across organizations and borders. This guide explains when to contact a CERT, how to write incident reports they can act on, and provides templates for common scenarios like vulnerability exploitation and network intrusions.
11 min read

How to Contact Law Enforcement About Cybercrime: Filing Reports With FBI IC3, Europol, and National CERTs

Sometimes ISP abuse reports aren't enough — you need law enforcement involved. This guide covers when to escalate to authorities, how to file reports with FBI IC3, Europol, and national CERTs, and what evidence to prepare for a criminal investigation.
8 min read

How to Report Child Exploitation Material (CSAM) Online: Emergency Contacts and Reporting Steps

Reporting CSAM is a legal obligation in many jurisdictions. This guide provides the correct reporting channels, explains what information to include, and covers the emergency contacts you need to know. Do not attempt to investigate or preserve this material yourself — report immediately.
15 min read

DMCA Takedown Notice Template: How to Report Copyright Infringement to a Hosting Provider

When someone hosts your copyrighted content on their server, a properly formatted DMCA takedown notice is the fastest legal tool to get it removed. This guide includes a ready-to-use template, explains the legal requirements, and walks through finding the right abuse contact.
13 min read

How to Report Phishing Emails and Websites Hosted on an IP Address

Phishing sites can steal credentials in minutes, so speed matters when reporting them. This guide covers how to trace phishing emails and websites to their hosting IP, file takedown requests with hosting providers, and report to anti-phishing organizations.
12 min read

How to Report Spam From an IP Address: Abuse Reports for Unsolicited Email

Spam wastes bandwidth, clogs inboxes, and often carries malware. This guide shows you how to trace spam back to its source IP, extract the evidence from email headers, and file abuse reports that get spammers shut down.
14 min read

How to Report a Hacked Server: Filing Abuse Reports After a Compromise

A compromised server is often used to launch attacks on others. After containing the breach, reporting the compromise to your hosting provider and the attacker's ISP helps shut down the attack chain and protects other potential victims.
13 min read

How to Report Malware and Botnet Command-and-Control Traffic From an IP Address

When you detect command-and-control traffic reaching out to a malicious IP, reporting that C2 server can disrupt the entire botnet. This guide covers how to identify C2 indicators, collect network evidence, and file reports that get C2 infrastructure taken down.
10 min read

How to Report Port Scanning and Network Reconnaissance to an ISP

Port scanning is often the first step in a targeted attack. This guide explains how to detect network reconnaissance in your firewall logs, gather evidence, and report the scanning IP to its ISP before an actual attack follows.
12 min read

How to Report Brute Force SSH and RDP Attacks: Log Evidence and Abuse Report Templates

Brute force attacks against SSH and RDP are relentless and automated. This guide shows you how to extract the evidence from your auth logs, identify the attacking IP's abuse contact, and file reports that get malicious hosts shut down.
14 min read

How to Report a DDoS Attack to Your ISP: Evidence, Templates, and Escalation Steps

When a DDoS attack hits your infrastructure, the clock is ticking. This guide walks you through collecting the right evidence, finding your attacker's ISP abuse contact, and filing a report that actually gets the attack stopped.
25 min read

How to Report IP Address Abuse: The Complete Guide to Filing Reports That Get Results

Most abuse reports get ignored because they lack evidence or go to the wrong contact. This complete guide covers how to identify the right abuse contact, write reports that ISPs actually act on, and escalate when they don't respond.
8 min read

What Is DNSSEC and Why Should You Enable It?

DNSSEC protects your domain from cache poisoning and DNS spoofing by adding cryptographic verification to DNS responses. Learn how it works, why it matters, and how to enable it.
9 min read

SPF, DKIM, and DMARC: How DNS Protects Your Email From Spoofing

Learn how SPF, DKIM, and DMARC DNS records work together to authenticate your email, prevent spoofing, and protect your domain reputation. Includes example records and setup guidance.
11 min read

Dangling CNAMEs and Subdomain Takeover Risk Across the Global DNS

I scanned 201 million CNAME records from Project Sonar and found 13.9 million pointing to cloud services — with 3.27 million at high risk of subdomain takeover. Here's what the data reveals about the scale of this overlooked vulnerability.
11 min read

IPv6 Adoption: Which Countries and TLDs Are Leading the Transition?

I analyzed 7 snapshots of Project Sonar FDNS data from 2017 to 2020 and found that AAAA records grew 9.35x in just 2.5 years — from 23.5 million to 219.7 million. Germany's .de TLD claims 10.2% of all AAAA records, Cloudflare drove massive adoption from near-zero, and European ccTLDs consistently punch above their weight.
12 min read

Misconfigured SPF Records: Too Many Includes, Missing -all, and Other Common Mistakes

An analysis of 12.7 million SPF records from Project Sonar data reveals 19,682 domains using +all, over 1 million with neutral qualifiers, and a troubling decline in strict enforcement.
11 min read

Email Authentication by the Numbers: SPF, DKIM, and DMARC Adoption from 262 Million DNS Records

I parsed 262 million TXT records from Project Sonar's FDNS data and found DMARC adoption grew 16.4x in just two years — but 69% of DMARC policies still do nothing. Meanwhile, nearly 20,000 domains publish SPF records that explicitly allow the entire internet to send email as them.
12 min read

Unsecured IoT Protocols: MQTT, Telnet, and CoAP Exposure Trends

Analysis of 7.8 million Telnet endpoints and 4.6 million unencrypted MQTT brokers found exposed on the public internet, based on Project Sonar TCP scan data from 2019.
12 min read

The Shrinking Perimeter: Common Service Exposure Across IPv4

I processed Rapid7 Project Sonar TCP scan data covering 16 services across the entire IPv4 address space. The findings: 24.3 million IPs responding to SSH, 4.4 million exposed Redis instances, and IoT telnet backdoors declining by 23%. Here's what the internet's attack surface actually looks like.

Tutorials

Step-by-step guides for configuring, verifying, and troubleshooting DNS settings.

All 14 articles
12 min read

DNS Lookups in PHP: dns_get_record, gethostbyname, and Beyond

Everything you need for DNS lookups in PHP — from quick gethostbyname() calls to full dns_get_record() queries, checkdnsrr() validation, reverse DNS, and real-world email verification patterns.
13 min read

Build a DNS Resolver from Scratch in PHP

Implement the DNS protocol in PHP — construct binary query packets with pack(), send raw UDP over sockets to port 53, and parse responses with unpack(). Pure PHP, no extensions required beyond sockets.
13 min read

DNS Queries in Node.js: dns.lookup vs dns.resolve Explained

The critical difference between dns.lookup() and dns.resolve() that most Node.js tutorials miss — plus complete examples for every record type, custom resolvers, the Promises API, and TypeScript types.
13 min read

Build a DNS Resolver from Scratch in Node.js

Implement the DNS protocol in JavaScript — construct binary query packets with Buffer, send raw UDP to port 53 with dgram, and parse the responses. No dependencies, just Node.js built-ins.
14 min read

DNS Lookups in Python: Complete Guide with dnspython

Everything you need for DNS lookups in Python — from quick socket.getaddrinfo() calls to full-featured queries with dnspython. Covers all record types, custom nameservers, reverse DNS, async queries, and real-world patterns.
14 min read

Build a DNS Resolver from Scratch in Python

Learn the DNS protocol by implementing it — construct binary packets per RFC 1035, send raw UDP queries to port 53, and parse the responses. No libraries, just Python and sockets.
15 min read

The Complete dig Command Guide: Every Flag and Option Explained

Master the dig command with real examples of every useful flag — from basic lookups and +short to +trace, +dnssec, batch queries, and scripting. The only dig reference you need.
16 min read

How DNS Queries Work: A Developer's Guide to the DNS Protocol

Everything developers need to know about DNS queries — from recursive resolution to packet anatomy, query flags, and response codes. The foundation for building DNS tools or understanding existing ones.
14 min read

DNS Troubleshooting Tools: What the Pros Actually Use

A practical overview of every DNS diagnostic tool worth knowing — from dig and nslookup to packet captures and performance testing — with real examples of when and how to use each one.
10 min read

How to Set Up a Custom Domain for Your Email (Google Workspace, Microsoft 365)

Step-by-step guide to configuring custom domain email with Google Workspace and Microsoft 365. Learn how to set up MX records, SPF, DKIM, and DMARC for professional business email.
9 min read

Troubleshooting Common DNS Issues: A Step-by-Step Guide

Learn how to diagnose and fix the most common DNS problems, from websites not loading to NXDOMAIN errors, using practical command-line tools and DNS Checker.
7 min read

How to Verify DNS Changes After Switching Hosting Providers

Switching hosting providers requires careful DNS verification to avoid downtime. Learn the step-by-step process for checking A, CNAME, MX, and NS records after a migration.
8 min read

What Is DNS Propagation and Why Does It Take So Long?

DNS propagation is the process of updating DNS records across servers worldwide. Learn how it works, why it takes up to 48 hours, and how to check propagation status in real time.

DNS Basics

Foundational articles about how the Domain Name System works, from records to resolution.

All 13 articles
12 min read

DNS Root Servers Explained: The 13 Servers That Run the Internet

A complete guide to DNS root servers — what they are, who operates them, how anycast makes 13 logical servers into 1,700+ physical instances, and why they matter for every DNS query.
8 min read

What Is SERVFAIL? Understanding DNS Server Failure Responses

SERVFAIL is the DNS response code that means a resolver encountered an error during lookup — the domain might exist, but the server could not determine the answer. Learn what causes SERVFAIL, how to diagnose it, and how to fix it.
8 min read

What Is NXDOMAIN? Understanding the 'Domain Does Not Exist' DNS Response

NXDOMAIN is the DNS response code that means a domain name does not exist. Learn what triggers it, how to troubleshoot it, the difference between NXDOMAIN and SERVFAIL, and when NXDOMAIN indicates a security issue.
9 min read

What Is DNS TTL? How Time to Live Controls Caching, Propagation, and Performance

DNS TTL (Time to Live) determines how long resolvers cache a DNS record before re-querying. Learn how TTL affects propagation speed, performance, and security — and how to choose the right values for your domain.
9 min read

DNS Propagation Myths Debunked: It's Really About Cache Freshness

The term 'DNS propagation' is everywhere, but it describes something that doesn't actually happen. I debunk the biggest myths and explain what's really going on: cache freshness.
5 min read

25 DNS Jokes Every SysAdmin Will Painfully Relate To

A collection of 25 DNS jokes born from real-world frustration. If you have ever stared at a terminal waiting for propagation, these will hit close to home.
10 min read

Understanding DNS Record Types: A, AAAA, CNAME, MX, TXT, and More

A comprehensive guide to every major DNS record type. Learn what A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, and PTR records do, when to use each one, and see practical configuration examples.

TLD Guide

Explore the world of top-level domains from classic .com to the newest gTLDs.

All 2 articles
9 min read

The New gTLD Explosion: Over 1,500 Domain Extensions Explained

Explore the massive expansion of generic top-level domains since ICANN's 2012 program. Learn about new gTLD categories, adoption trends, pricing, SEO impact, and how to find the right domain extension for your project.
8 min read

Choosing the Right TLD for Your Business: .com vs .io vs New gTLDs

A practical guide to selecting the best top-level domain for your business. Compare .com, .io, .co, .dev, .app, and new gTLDs across trust, SEO, branding, and cost.
Ishan Karunaratne

Software Architect & Infrastructure Engineer

US Army veteran with a B.S. in Information Technology, CompTIA A+, Network+, and Security+ certified. 20+ years building and securing web infrastructure — from running cables and configuring Linux systems in the mid-1990s to architecting cloud deployments on AWS, GCP, and Azure today.

CompTIA A+, CompTIA Network+, CompTIA Security+, B.S. Information Technology