DNSInspector
Comprehensive DNS analysis for your domains.
Check nameservers, records, and configuration in seconds.
Comprehensive DNS analysis for your domains.
Check nameservers, records, and configuration in seconds.
Look into DNS health for any domain. Get a scored report covering nameservers, mail routing, security, and 25+ automated tests.
Most DNS lookup tools show you a list of records and call it a day. Our inspector goes further — it dives into DNS at every layer, tracing the full resolution chain from parent TLD servers through your authoritative nameservers down to individual record types, running over 25 automated tests along the way. You get a health score, specific pass/fail results for every check, and plain-language explanations of what each finding means.
Whether you’re debugging why emails aren’t arriving, verifying a nameserver migration went smoothly, or auditing a domain before acquisition, the inspector gives you a single report that covers everything without needing to jump between multiple tools. It turns a routine lookup into DNS intelligence you can actually act on.
Every scan runs a structured sequence of checks. Here’s what each category covers and why it matters.
We query the TLD servers (like the .com servers at Verisign) to confirm your domain is properly delegated. This checks that your nameservers are listed at the parent, glue records are present, and delegation matches your actual zone. A broken delegation means your domain is unreachable — no website, no email, nothing.
We test each nameserver individually: are they responding, are they authoritative, do they agree on the same records? We check for lame delegations (servers that don’t answer for your zone), open recursive queries (a security risk), mismatched NS records between servers, and whether you have enough nameserver redundancy per RFC 2182.
The SOA record controls how your zone operates — serial numbers, refresh intervals, retry timing, and cache behavior. We validate each value against the recommended ranges from RFC 1912, check that serial numbers are consistent across all nameservers, and flag misconfigurations that could cause zone transfer failures or stale data serving.
Email delivery depends entirely on correct MX records. We verify that all nameservers report identical MX configurations, that each mail server hostname resolves to a valid public IP, that priorities are set correctly, and that no MX record points to a CNAME (which violates RFC 2181). We also identify your mail provider — Google Workspace, Microsoft 365, Zoho, etc. — so you can confirm it matches expectations.
We parse your TXT records to find and validate SPF, DKIM, and DMARC entries. SPF mistakes (like circular includes, too many lookups, or overly permissive +all) are flagged specifically. DMARC records are checked for valid policies. Domain verification records for services like Google, Firebase, and others are identified and categorized separately for clarity.
We check DNSSEC status (whether your zone is signed and validating), CAA records (which Certificate Authorities can issue certs for your domain), and zone transfer restrictions. We also detect CDN and proxy configurations — if your domain is behind Cloudflare, AWS CloudFront, or another provider, we identify it and explain what that means for your setup.
A DNS inspection isn’t something you need to run every day, but there are critical moments where getting full insight into DNS configuration can save you hours of troubleshooting or prevent a problem before it starts.
Verify that delegation, glue records, A/AAAA records, and MX records all survived the migration intact.
Check MX records, SPF, DKIM, and DMARC in one scan. Most email delivery issues trace back to DNS.
Check DNSSEC, CAA records, zone transfer exposure, and whether nameservers allow open recursive queries.
Understand the current DNS setup, identify technical debt, and check for issues that could affect the transfer.
Lame delegations, mismatched NS records, or expired zones can cause random resolution failures that are hard to diagnose otherwise.
DNS records can drift over time — deprecated verification TXT records, stale MX entries from old email trials, forgotten subdomains.
Your report breaks down into DNS categories that follow the natural resolution chain. Each test within a category gets a pass, warning, or fail status. Here’s how to read the results:
This is a weighted percentage. Critical issues (like lame delegations or missing MX records) impact the score more heavily than informational items (like missing CAA records or non-standard SOA serials). Focus on any tests marked as critical first — these are the ones most likely to cause real-world problems.
Parent DNS is checked first because if delegation is broken, nothing else matters. Then nameservers, since they serve all your records. Then SOA (zone configuration), followed by individual record types (A, MX, TXT) and security checks. If you see failures high up in the chain, those will likely cause cascading failures in later sections.
The “Top Recommendations” section at the top of your report highlights the most impactful issues. These are the items where a fix will have the greatest effect on your domain’s reliability, email deliverability, or security posture. Address these first before worrying about lower-priority warnings.