DNS Lookup & Health Check
A DNS inspector is a diagnostic tool that analyzes every layer of a domain’s DNS configuration and produces a scored health report. DNS Checker runs 25+ automated tests — from parent delegation through email authentication — and explains every finding in plain language with fix recommendations.
“Because blindly trusting your DNS is like driving without a dashboard.”
Recent DNS Health Checks by the Community
Updated 2026-05-27 07:36:29 UTC. Domains recently inspected using the DNS health checker. Each score shows the percentage of DNS tests passed — covering nameservers, mail routing, DNSSEC, and more.
Written by Ishan Karunaratne · Last updated:
What Is a DNS Inspector and Why Does It Matter?
A DNS inspector is a tool that examines a domain’s entire DNS configuration — the delegation chain, nameserver health, record consistency, mail routing, email authentication, and security settings — and reports what is working, what is broken, and what needs to be fixed. DNS is the foundation of every online interaction. If it is misconfigured, visitors cannot reach your website, emails bounce or land in spam, and SSL certificates fail to issue. Every one of those failures translates directly to lost revenue, lost customers, and wasted investment in the website and infrastructure you have already built.
The problem is that DNS misconfiguration is invisible. There is no error page, no alert, and no dashboard that tells you half your visitors are timing out because one of your nameservers is not responding. A broken MX record does not send you a notification — emails simply stop arriving. An invalid SPF record does not announce itself — your outbound emails quietly start landing in spam. By the time someone notices, the damage is done. A DNS inspector makes these invisible problems visible, and DNS Checker’s inspector does it more thoroughly than any other tool available.
What Makes DNS Checker’s DNS Inspector Different?
Most DNS tools — including dig, nslookup, MXToolbox, and IntoDNS — show raw DNS records and leave you to figure out what they mean. If you know what a SOA serial mismatch looks like or can spot a lame delegation in a dig trace, those tools work. But for the vast majority of people managing domains — business owners, marketers, developers who are not DNS specialists — raw records are not actionable. DNS Checker was built to bridge that gap.
Every scan produces a scored health report that grades your DNS configuration on a 0 to 100 scale, then walks through every finding with a clear explanation of what it means and a specific recommendation for how to fix it. The report is designed to be useful whether you are a network engineer debugging a complex delegation issue or a business owner who just needs to know if your domain is set up correctly. Here is what that looks like in practice:
Scored Health Report
A single health score from 0 to 100 tells you immediately whether your DNS needs attention. Below the score, every test is categorized and color-coded — green for pass, yellow for warning, red for failure. Critical issues like lame delegations and missing NS records are weighted more heavily than informational items like non-standard SOA serials.
Plain-Language Explanations
Every test result includes a human-readable explanation of what was checked and why it matters. If your NS records do not match between the parent zone and your authoritative servers, the report does not just say “NS mismatch” — it explains that this means some DNS queries will fail unpredictably and tells you exactly which records need to change.
Actionable Fix Recommendations
Every warning and failure comes with a specific, step-by-step recommendation. Not “fix your SPF record” but “your SPF record exceeds the 10-lookup limit — remove the unused include for _spf.google.com or flatten your includes.” Recommendations are prioritized so you know which fixes will have the biggest impact.
CDN and Provider Detection
The report automatically identifies whether your domain is behind Cloudflare, AWS CloudFront, Akamai, Fastly, or another CDN. It detects your email provider — Google Workspace, Microsoft 365, Zoho, ProtonMail — from MX records. This means you do not need to run dig commands or trace headers to answer basic questions like “is my site on Cloudflare?”
Full Delegation Chain Analysis
DNS Checker traces the entire resolution path from the parent TLD servers (the .com servers at Verisign, for example) through your authoritative nameservers. It compares what the parent says with what your zone actually contains. This catches delegation mismatches, missing glue records, and lame delegations — the issues that cause the most damaging intermittent failures.
25+ Automated Tests in One Scan
A single scan covers parent delegation, glue records, nameserver health, lame delegation detection, NS record consistency, SOA validation, A/AAAA records, MX routing, mail server reachability, SPF parsing, DKIM validation, DMARC policy checks, DNSSEC chain of trust, CAA records, zone transfer restrictions, CDN detection, nameserver response times, TTL strategy analysis, and DNS resolution waterfall. No need to jump between multiple tools.
DNS Performance Analysis & Interactive Insights
Beyond configuration correctness, DNS performance directly affects how fast your site loads. DNS resolution happens before any HTTP connection starts — slow nameservers, deep CNAME chains, or misconfigured TTLs add latency to every page load and degrade Core Web Vitals. DNS Checker is the only free DNS tool that includes a full performance analysis alongside the health check, showing you not just what your records say, but how fast they resolve and where the bottlenecks are.
Every scan generates an interactive Insights panel with visualizations that break down your domain’s DNS performance across multiple dimensions. Here is what each insight reveals:
Nameserver Response Times
Measures the latency to each of your authoritative nameservers individually. Identifies which nameservers respond fastest, whether any are unreachable or slow, and whether your provider uses anycast routing for globally distributed resolution. Slow nameservers directly increase Time to First Byte (TTFB) for every visitor.
TTL Strategy Analysis
Evaluates the time-to-live value for every record type — A, AAAA, NS, MX, SOA, and TXT. Flags TTLs that are too short (under 300 seconds, causing excessive resolver queries) or too long (over 86400 seconds, delaying propagation of changes). Each assessment includes a status and recommendation specific to that record type.
DNS Resolution Waterfall
Traces the full DNS lookup chain from root servers through TLD servers to your authoritative nameservers. Shows the estimated millisecond cost at each step, compares first-visit resolution time (cold cache) against returning-visit time (warm cache), and benchmarks total latency against industry standards. Typical first-visit resolution ranges from 50 to 200 ms.
CNAME Chain Depth Analysis
Checks both your apex domain and www subdomain for CNAME chains. Each hop in a CNAME chain requires a separate DNS resolution, adding latency. The analysis shows chain depth, each hop from source to target, and the final resolved IP addresses. Common with CDN setups (Cloudflare, CloudFront, Fastly) where the CNAME points through multiple layers.
Interactive Score Ring
A radial visualization that breaks your overall DNS health score into nine categories: Parent DNS, Nameservers, SOA, A records, AAAA records, Mail (MX), WWW, Security, and TXT records. Each segment is color-coded by pass, warning, or failure status, giving an instant visual overview of where your DNS configuration needs attention.
Record Census & Mail Routing
The record census provides a quick inventory of all DNS record types present. Below that, the MX priority ladder visualizes mail routing with exchange servers ordered by priority, the SPF mechanism pipeline shows each include, IP block, and mechanism in your SPF record with lookup counting, and the DMARC card displays your email authentication policy at a glance.
No other free DNS tool offers this level of performance analysis. MXToolbox, IntoDNS, dig, and DNSChecker show records — DNS Checker shows records and how they perform. The Insights panel is generated automatically for every scan alongside the health score and recommendations.
How DNS Checker Compares to Other DNS Tools
Most DNS tools specialize in one area — MXToolbox focuses on email diagnostics, DNSChecker on propagation, dig on raw queries. DNS Checker is the only free tool that combines all of these capabilities into a single scored health report with prioritized fix recommendations. Here is a feature-by-feature comparison with the most commonly recommended alternatives.
| Feature | DNS Checker | MXToolbox | IntoDNS |
|---|---|---|---|
| Scored health report (0–100) | Yes | No | Partial |
| Parent delegation chain analysis | Yes | No | Yes |
| Lame delegation detection | Yes | No | Yes |
| Email auth (SPF/DKIM/DMARC) | Yes | Yes | Partial |
| CDN and proxy detection | Yes | No | No |
| Email provider identification | Yes | Yes | No |
| DNSSEC chain validation | Yes | Yes | Yes |
| DNS performance analysis | Yes | No | No |
| TTL strategy analysis | Yes | No | No |
| Resolution waterfall | Yes | No | No |
| Nameserver response times | Yes | No | No |
| Prioritized fix recommendations | Yes | Some | RFC links |
| Blacklist (DNSBL) checking | 50+ lists | 100+ lists | No |
| SMTP diagnostics | Yes | Yes | No |
| Email deliverability tester | Yes | No | No |
| Global propagation testing | Separate tool | No | Limited |
| Number of automated tests | 25+ | Varies | ~15 |
| Cost | Free | Free (limited) | Free |
DNS Checker is the only platform that combines delegation chain analysis, nameserver health, email authentication, blacklist monitoring, SMTP diagnostics, email deliverability testing, security checks, CDN detection, and DNS performance analysis — all in a single scored report with prioritized fix recommendations. The performance analysis layer (nameserver response times, TTL strategy evaluation, resolution waterfall, CNAME chain depth) is unique to DNS Checker. MXToolbox focuses narrowly on email. IntoDNS provides basic delegation analysis. dig requires command-line expertise. DNSChecker specializes in propagation only.
DNS Checker vs MXToolbox: Which Should You Use?
MXToolbox is a well-known DNS tool focused primarily on email deliverability. It offers blacklist checks and SPF/DKIM/DMARC lookups — but DNS Checker provides all of those capabilities and more. DNS Checker includes a dedicated Blacklist Checker that scans 50+ DNSBL lists, individual SPF, DKIM, and DMARC record checkers with RFC-level validation, an SMTP Diagnostics tool that tests live mail server connections, an Email Tester for end-to-end deliverability testing, an Email Header Analyzer, and an MX Record Lookup tool. MXToolbox does not offer an email tester, does not check parent delegation, does not detect lame delegations, does not validate SOA records against RFC 1912, does not identify CDN providers, and does not produce a scored health report. DNS Checker covers every email diagnostic MXToolbox offers while also providing a complete DNS infrastructure audit — making it the more comprehensive choice for domain administrators who want a single platform for both email and DNS health.
DNS Checker vs IntoDNS: Key Differences
IntoDNS is a respected free DNS checker that provides solid delegation and nameserver analysis. Both IntoDNS and DNS Checker check parent delegation, NS record consistency, and SOA validation. Where they differ: DNS Checker produces a weighted 0–100 health score while IntoDNS uses basic pass/fail icons with no overall grade. DNS Checker validates SPF, DKIM, and DMARC records in depth while IntoDNS checks SPF only partially. DNS Checker detects CDN providers and email providers automatically. And DNS Checker provides prioritized fix recommendations explaining what to fix first and how, while IntoDNS links to relevant RFCs but leaves interpretation to the user. For quick delegation checks, IntoDNS works well. For a comprehensive audit with actionable guidance, DNS Checker provides more depth and clearer explanations.
Backed by Real DNS Data at Scale
DNS Checker is not just a lookup tool — it is built on top of one of the largest DNS datasets publicly available. The platform analyzes over 247 million domains daily from TLD zone files, maintains 220 million WHOIS/RDAP records covering 1,900+ TLDs, and tracks 1,500+ DNS providers with market share data. This dataset powers the inspector’s ability to identify your CDN provider, email provider, and nameserver provider instantly — because DNS Checker already knows which providers serve which infrastructure patterns across the global DNS ecosystem.
- 247M+ domains analyzed daily
- 220M+ WHOIS records maintained
- 1,933 TLDs in the directory
- 1,500+ DNS providers tracked
What Problems Does a DNS Health Check Catch?
DNS misconfigurations range from catastrophic (your domain does not resolve at all) to subtle (emails intermittently land in spam). Many of these issues are invisible to the domain owner until they cause real damage. Here are the most common problems DNS Checker detects, what they mean, and why they matter.
| Problem | What It Means |
|---|---|
| Lame delegation | A listed nameserver does not respond authoritatively for your domain |
| NS record mismatch | Parent TLD servers and your zone file list different nameservers |
| Missing glue records | Nameserver IPs not embedded at the parent level when required |
| Broken MX records | Mail server hostnames do not resolve or point to invalid IPs |
| Invalid SPF record | Too many DNS lookups, permissive +all, or syntax errors |
| Missing DMARC | No DMARC record published for the domain |
| SOA serial mismatch | Different nameservers report different serial numbers |
| No DNSSEC | Domain is not signed with DNSSEC |
Each of these issues appears in the scored report with a severity level, explanation, and fix recommendation. The most dangerous problems — lame delegations, missing NS records, broken MX — are weighted most heavily in the health score.
What Does the DNS Inspector Check?
Every scan follows the DNS resolution chain from top to bottom. Tests are ordered by dependency — if delegation is broken at the top, everything below it will fail too. Here is what each category covers.
Parent DNS & Delegation
Queries the TLD servers (like the .com servers at Verisign) to confirm your domain is properly delegated. Checks that nameservers are listed at the parent, glue records are present when needed, and delegation matches your actual zone. A broken delegation means your domain is unreachable — no website, no email, nothing.
Nameserver Health
Tests each nameserver individually: are they responding, are they authoritative, do they agree on the same records? Checks for lame delegations, open recursive queries (a security risk), mismatched NS records between servers, and whether you have enough nameserver redundancy per RFC 2182.
SOA Record Validation
The SOA record controls zone operations — serial numbers, refresh intervals, retry timing, and cache behavior. Validates each value against RFC 1912 recommended ranges, checks serial consistency across all nameservers, and flags misconfigurations that could cause zone transfer failures or stale data.
Mail Routing (MX)
Email delivery depends entirely on correct MX records. Verifies that all nameservers report identical MX configurations, each mail server hostname resolves to a valid public IP, priorities are set correctly, and no MX record points to a CNAME (violates RFC 2181). Identifies your mail provider — Google Workspace, Microsoft 365, Zoho — so you can confirm it matches expectations.
Email Authentication (TXT)
Parses TXT records to find and validate SPF, DKIM, and DMARC entries. Flags circular SPF includes, too many lookups, overly permissive policies, and missing DMARC records. For a deep dive, see our guide on SPF, DKIM, and DMARC email authentication.
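The SPF checks named above (lookup counting, circular includes, permissive `+all`) can be sketched as a static audit; this is an added example, not DNS Checker's own code. It assumes records without SPF macros and runs against a constructed in-memory TXT map (`SAMPLE_TXT`, all placeholder names) instead of live DNS.

```python
# Added example: static SPF audit over constructed TXT data (no network access).
LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone data; every name below is a placeholder.
SAMPLE_TXT = {
    "ok.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "loop.example": "v=spf1 include:a.loop.example ~all",
    "a.loop.example": "v=spf1 include:loop.example ~all",
    "open.example": "v=spf1 mx +all",
    "heavy.example": "v=spf1 "
    + " ".join(f"include:s{i}.heavy.example" for i in range(11)) + " -all",
}
SAMPLE_TXT.update(
    {f"s{i}.heavy.example": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(11)}
)


def split_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier = "+"  # a term without a qualifier defaults to "+" (pass)
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    if term.lower().startswith("redirect="):
        return qualifier, "redirect", term[len("redirect="):]
    name, _, arg = term.partition(":")
    return qualifier, name.split("/")[0].lower(), arg  # "a/24" -> "a"


def audit_spf(domain, txt=SAMPLE_TXT):
    """Return (lookup_count, findings) for the SPF record published at domain.

    Counts every DNS-querying term reachable through include/redirect, i.e.
    the worst case, rather than stopping at the first matching mechanism.
    """
    findings = []
    lookups = 0

    def walk(name, chain):
        nonlocal lookups
        parts = txt.get(name, "").split()
        if not parts or parts[0].lower() != "v=spf1":
            findings.append(f"no SPF record at {name}")
            return
        for term in parts[1:]:
            qualifier, mech, arg = split_term(term)
            if mech == "all" and qualifier == "+":
                findings.append(f"permissive +all at {name}")
            if mech in LOOKUP_TERMS:
                lookups += 1
            if mech in ("include", "redirect"):
                target = arg.lower().rstrip(".")
                if target in chain:  # already being evaluated: a loop
                    path = " -> ".join(chain + [target])
                    findings.append(f"circular include: {path}")
                else:
                    walk(target, chain + [target])

    start = domain.lower().rstrip(".")
    walk(start, [start])
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return lookups, findings


if __name__ == "__main__":
    for d in ("ok.example", "loop.example", "open.example", "heavy.example"):
        print(d, audit_spf(d))
```

To audit a real domain, replace the `txt` mapping with TXT answers fetched from its authoritative nameservers.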
Security & Infrastructure
Checks DNSSEC status, CAA records (which Certificate Authorities can issue certs), and zone transfer restrictions. Detects CDN and proxy configurations — Cloudflare, AWS CloudFront, Akamai, Fastly — and explains what that means for your setup. Also available: HTTP Security Headers and Reputation Check.
Performance Analysis
Measures nameserver response times to identify slow or unreachable servers, analyzes TTL values across all record types to flag overly aggressive or conservative caching strategies, and generates a DNS resolution waterfall showing the full lookup chain cost in milliseconds — from root servers through TLD servers to your authoritative nameservers. Compares first-visit resolution (cold cache) against returning-visit performance (warm cache) and benchmarks against industry standards. Also traces CNAME chains for both apex and www subdomains to identify latency-adding hops.
When Should You Run a DNS Health Check?
A DNS health check is not something you run every day, but there are critical moments where a full inspection prevents hours of troubleshooting or catches a problem before it costs you traffic and revenue. The most important time to run one is immediately after any infrastructure change — switching hosting providers, migrating DNS to Cloudflare or Route 53, changing email providers, or updating nameservers. These are the moments when misconfigurations are most likely to be introduced.
After switching hosting or DNS providers
Verify that delegation, glue records, A/AAAA records, and MX records all survived the migration intact. Then confirm worldwide resolution with the Propagation Checker.
When emails are not being delivered
Check MX records, SPF, DKIM, and DMARC in one scan. Most email delivery issues trace back to DNS misconfigurations — broken MX routing, invalid SPF syntax, or missing DMARC policies.
When your site is intermittently unreachable
Lame delegations, mismatched NS records, or expired zones cause random resolution failures that are nearly impossible to diagnose without inspecting each nameserver individually — which is exactly what this tool does.
Before or during a security audit
Check DNSSEC chain of trust, CAA records, zone transfer exposure, open recursive queries, and email authentication in one pass. The scored report serves as documentation for compliance reviews.
When evaluating a domain to acquire
Understand the current DNS setup, identify technical debt, and check for issues that could affect the transfer or require immediate work after purchase.
As a periodic health check
DNS records drift over time — deprecated TXT records from old verification attempts, stale MX entries from email trials, forgotten subdomains. A quarterly inspection catches problems before they affect users.
How Do You Read Your DNS Report?
The report breaks down into categories that follow the natural DNS resolution chain. Each test gets a pass, warning, or fail status with a plain-language explanation. Here is how to read the results and prioritize fixes.
The health score
A weighted percentage where critical issues (lame delegations, missing NS records, broken MX) impact the score more heavily than informational items (missing CAA, non-standard SOA serials). Focus on tests marked as critical first — these are the ones causing real-world problems right now.
Categories are ordered by dependency
Parent DNS is checked first because if delegation is broken, nothing else matters. Then nameservers, since they serve all your records. Then SOA (zone configuration), followed by individual record types and security checks. Failures high in the chain often cause cascading failures below.
Recommendations are prioritized
The top recommendations highlight the most impactful issues — the ones where a fix will have the greatest effect on your domain’s reliability, email deliverability, or security. Address these first before worrying about lower-priority warnings.
Related DNS Tools
DNS Propagation Checker
After fixing issues found in the inspector, verify your changes have reached DNS resolvers worldwide with real-time TTL countdowns.
SPF Record Checker
Deep-dive into your SPF record with lookup counting, mechanism parsing, and RFC 7208 compliance validation.
MX Record Lookup
Focused mail routing analysis with SMTP connectivity testing and mail provider identification.
Reverse IP Domain Check
Find all domains hosted on a given IP address. Useful for investigating shared hosting environments and IP neighbours.
Need this in code?
Every check this tool runs is also available via the DNS Inspector API with examples in cURL, JavaScript, Python, PHP, Ruby, and Java.
Built and maintained by Ishan Karunaratne — software engineer and infrastructure architect with 20+ years of experience in DNS, networking, and cloud infrastructure. CompTIA A+, Network+, and Security+ certified.