DNS Records for
blah.com
๐ Hunting for rogue glue records.
DNS Records forblah.com
Domain DNS Health Score
70%
Total Tests
23
Passed
16
Critical Issues
3
DNS Performance Analysis
Performance analysis data is not available for this domain. This can happen when the analysis times out or when nameservers are unreachable.
Insights
A1
AAAA0
NS4
MX5
TXT0
SPFโ
DMARCโ
DNSSECfail
CAAinfo
78%
25/32 tests
SOA timing
Serial
2007031442Refresh
15 min
How often secondaries re-check
Retry
10 min
Wait after a failed refresh
Expire
1 day
Secondaries stop serving after
Min TTL
10 min
Negative cache duration
Zone last updated
~6974 days ago
Negative cache
NXDOMAIN responses are cached for 10 min. Typos against this zone stick around that long.
Glue records at parent
via b.gtld-servers.net
| Nameserver | IPv4 | IPv6 | Zone match |
|---|---|---|---|
| rjocpdne02.timbrasil.com.br | 189.40.220.34 | โ | match |
| rjocpdne01.timbrasil.com.br | 189.40.220.33 | โ | match |
Mail exchange priority
5 MX records
pref 1
aspmx.l.google.com
Primary
pref 5
alt2.aspmx.l.google.com
Tied priority
pref 5
alt1.aspmx.l.google.com
Tied priority
pref 10
aspmx2.googlemail.com
Tied priority
pref 10
aspmx3.googlemail.com
Tied priority
These nameservers are responsible for answering queries about your domain
2 Records
rjocpdne02.timbrasil.com.br
rjocpdne01.timbrasil.com.br
Source: This information was kindly provided by b.gtld-servers.net ๐๐ผ
Good. b.gtld-servers.net has information for your TLD. This confirms your domain is properly delegated.
Warning
Warning: Mismatch between parent nameservers and actual NS records.
NS-only nameservers (in NS records but not listed at parent):
โข ns2.blah.com
โข ns1.blah.com
This inconsistency can cause DNS resolution issues and should be resolved by updating either the parent nameservers or the NS records.
Glue Records from Parent Server
Information provided by b.gtld-servers.net
rjocpdne02.timbrasil.com.br
Nameserver
IPv4 Addresses:
189.40.220.34rjocpdne01.timbrasil.com.br
Nameserver
IPv4 Addresses:
189.40.220.33Note:
The parent server is providing glue records for these nameservers. While not required (since the nameservers are not under your domain), this helps optimize DNS resolution.
| Status | Test name | Information |
|---|---|---|
Authoritative Nameservers | These nameservers are responsible for answering queries about your domain 2 Records rjocpdne02.timbrasil.com.brrjocpdne01.timbrasil.com.brSource: This information was kindly provided by b.gtld-servers.net ๐๐ผ | |
TLD Delegation Check | Good. b.gtld-servers.net has information for your TLD. This confirms your domain is properly delegated. | |
Nameservers Listed at Parent | Warning: Mismatch between parent nameservers and actual NS records.
NS-only nameservers (in NS records but not listed at parent):
โข ns2.blah.com
โข ns1.blah.com
This inconsistency can cause DNS resolution issues and should be resolved by updating either the parent nameservers or the NS records. | |
Glue Records from Parent | Glue Records from Parent ServerInformation provided by b.gtld-servers.net rjocpdne02.timbrasil.com.brNameserver IPv4 Addresses: 189.40.220.34rjocpdne01.timbrasil.com.brNameserver IPv4 Addresses: 189.40.220.33Note: The parent server is providing glue records for these nameservers. While not required (since the nameservers are not under your domain), this helps optimize DNS resolution. |
The following nameservers are not responding to DNS queries:
โข ns2.blah.com
โข rjocpdne01.timbrasil.com.br
โข ns1.blah.com
This is a critical issue โ these nameservers are configured for your domain but are not reachable. DNS resolution will fail when queries are directed to these servers. This can cause intermittent failures, slow resolution, and degraded availability for your domain.
Possible causes:
โข The nameserver host is down or misconfigured
โข A firewall is blocking DNS traffic (port 53)
โข The nameserver software is not running
โข The nameserver is not configured to serve this domain
Recommendation: Contact your DNS provider or update your nameserver records to point to working servers.
Error
Error performing nameserver checks: Module timeout (time budget exceeded)
| Status | Test name | Information |
|---|---|---|
Nameserver Reachability | The following nameservers are not responding to DNS queries:
โข ns2.blah.com
โข rjocpdne01.timbrasil.com.br
โข ns1.blah.com
This is a critical issue โ these nameservers are configured for your domain but are not reachable. DNS resolution will fail when queries are directed to these servers. This can cause intermittent failures, slow resolution, and degraded availability for your domain.
Possible causes:
โข The nameserver host is down or misconfigured
โข A firewall is blocking DNS traffic (port 53)
โข The nameserver software is not running
โข The nameserver is not configured to serve this domain
Recommendation: Contact your DNS provider or update your nameserver records to point to working servers. | |
Nameserver Checks | Error performing nameserver checks: Module timeout (time budget exceeded) |
Info
Primary Nameserver
rjocpdne02.timbrasil.com.br
Hostmaster Email
webmaster.corp.blah.com
Serial Number
2007031442
Standard Format (YYYYMMDDnn)
A unique version number that changes whenever the zone file is updated
Time Intervals
Refresh900 seconds (15 minutes)
How often secondary nameservers check for updates (20m - 24h)
Retry600 seconds (10 minutes)
How long to wait before retrying a failed zone transfer (2m - 2h)
Expire86400 seconds (1 days)
How long secondary servers serve stale zone data (1w - 4w)
TTL600 seconds (10 minutes)
Default time-to-live for resource records (5m - 24h)
SOA Serial numbers per nameserver:
rjocpdne02.timbrasil.com.br: 2007031442
Good. All nameservers report the same SOA serial number.
Pass
OK. rjocpdne02.timbrasil.com.br is correctly listed as one of your nameservers.
Info
Your SOA serial number is: 2007031442.
Warning
Warning: SOA REFRESH interval is 900 seconds (15 minutes). This is below the recommended minimum of 1200 seconds as per RFC1912 section 2.2.
Pass
OK. Your SOA RETRY value is: 600 seconds (10 minutes). This is within the recommended range of 120-7200 seconds as per RFC1912 section 2.2.
Warning
Current expire time is 86400 seconds (1 days).
Warning: Common practice recommends a minimum of 14 days (1209600 seconds) to ensure secondary servers can continue serving during extended outages.
Pass
OK. Your SOA MINIMUM TTL is: 600 seconds (10 minutes). This value is used for negative caching and is within the recommended range of 180-86400 seconds as per RFC2308 section 4.
| Status | Test name | Information |
|---|---|---|
SOA record | Primary Nameserverrjocpdne02.timbrasil.com.br Hostmaster Emailwebmaster.corp.blah.com Serial Number 2007031442 Standard Format (YYYYMMDDnn) A unique version number that changes whenever the zone file is updated Time IntervalsRefresh900 seconds (15 minutes) How often secondary nameservers check for updates (20m - 24h) Retry600 seconds (10 minutes) How long to wait before retrying a failed zone transfer (2m - 2h) Expire86400 seconds (1 days) How long secondary servers serve stale zone data (1w - 4w) TTL600 seconds (10 minutes) Default time-to-live for resource records (5m - 24h) | |
SOA Serial Consistency | SOA Serial numbers per nameserver:
rjocpdne02.timbrasil.com.br: 2007031442
Good. All nameservers report the same SOA serial number. | |
SOA MNAME entry | OK. rjocpdne02.timbrasil.com.br is correctly listed as one of your nameservers. | |
SOA Serial | Your SOA serial number is: 2007031442. | |
SOA REFRESH | Warning: SOA REFRESH interval is 900 seconds (15 minutes). This is below the recommended minimum of 1200 seconds as per RFC1912 section 2.2. | |
SOA RETRY | OK. Your SOA RETRY value is: 600 seconds (10 minutes). This is within the recommended range of 120-7200 seconds as per RFC1912 section 2.2. | |
SOA EXPIRE | Current expire time is 86400 seconds (1 days).
Warning: Common practice recommends a minimum of 14 days (1209600 seconds) to ensure secondary servers can continue serving during extended outages. | |
SOA MINIMUM TTL | OK. Your SOA MINIMUM TTL is: 600 seconds (10 minutes). This value is used for negative caching and is within the recommended range of 180-86400 seconds as per RFC2308 section 4. |
IPv4 Configuration
Single IPv4 address configuration
IPv4 Addresses
189.113.174.199TTL: 600s
Provides a good balance between propagation speed and DNS loadPass
TTL of 600 seconds provides a good balance between propagation speed and DNS load.
| Status | Test name | Information |
|---|---|---|
A Record Configuration | IPv4 ConfigurationSingle IPv4 address configuration IPv4 Addresses 189.113.174.199TTL: 600s Provides a good balance between propagation speed and DNS load | |
A Record TTL | TTL of 600 seconds provides a good balance between propagation speed and DNS load. |
Info
No AAAA (IPv6) records found. While not required, IPv6 support is recommended for future-proofing your domain and improving accessibility for IPv6 users.
| Status | Test name | Information |
|---|---|---|
IPv6 Support | No AAAA (IPv6) records found. While not required, IPv6 support is recommended for future-proofing your domain and improving accessibility for IPv6 users. |
All nameservers are reporting the same mail server configuration. This consistency ensures reliable email delivery.
Mail Exchange Configuration
| Priority | Mail Server | Actions |
|---|---|---|
1 | aspmx.l.google.com | |
5 | alt2.aspmx.l.google.com | |
5 | alt1.aspmx.l.google.com | |
10 | aspmx2.googlemail.com | |
10 | aspmx3.googlemail.com |
All mail server hostnames are properly formatted.
All mail servers use public IP addresses, ensuring global email delivery.
Pass
Mail servers are properly configured without CNAME records.
Warning
Warning: The following IP addresses are shared between multiple mail servers:
172.253.116.27 is shared by: alt2.aspmx.l.google.com, aspmx3.googlemail.com
108.177.123.26 is shared by: alt1.aspmx.l.google.com, aspmx2.googlemail.com
This may indicate suboptimal mail handling distribution.
Using managed mail services: Google Workspace. PTR records are automatically managed by these providers.
| Status | Test name | Information | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Mail Server Consistency | All nameservers are reporting the same mail server configuration. This consistency ensures reliable email delivery. | |||||||||||||||||||
Mail Server Configuration | Mail Exchange Configuration
| |||||||||||||||||||
Mail Server Hostname Validation | All mail server hostnames are properly formatted. | |||||||||||||||||||
Public IP Validation | All mail servers use public IP addresses, ensuring global email delivery. | |||||||||||||||||||
CNAME Validation | Mail servers are properly configured without CNAME records. | |||||||||||||||||||
IP Uniqueness | Warning: The following IP addresses are shared between multiple mail servers:
172.253.116.27 is shared by: alt2.aspmx.l.google.com, aspmx3.googlemail.com
108.177.123.26 is shared by: alt1.aspmx.l.google.com, aspmx2.googlemail.com
This may indicate suboptimal mail handling distribution. | |||||||||||||||||||
Reverse DNS Records | Using managed mail services: Google Workspace. PTR records are automatically managed by these providers. |
WWW record type: A
www.
A Record
IPv4 Addresses
Matches Apex
189.113.174.199| Status | Test name | Information |
|---|---|---|
WWW Configuration | WWW record type: A www. A Record IPv4 Addresses Matches Apex 189.113.174.199 |
Error
DNSSEC validation failed. This indicates a problem with your DNSSEC configuration:
โข DNSKEY query failed with SERVFAIL
โข DS query failed with SERVFAIL
Please check your DNSSEC configuration with your DNS provider.
Pass
Zone transfer (AXFR) is properly restricted. Tested 1 nameserver โ all refused the transfer request.
Learn more: https://dnschkr.com/blog/dns-attacks-guide#dns-zone-transfer-attack-axfr
Pass
Good. Tested notrealdnschkr.blah.com - No wildcard DNS records found, ensuring random subdomains won't resolve to an IP address.
Good. Tested notrealdnschkr.blah.com - Server returns NXDOMAIN for non-existent domains. While an SOA record is recommended, NXDOMAIN alone is a valid response.
Info
No CAA records found. While optional, CAA records help control which Certificate Authorities can issue certificates for your domain.
Checked 8 common subdomains โ none have external CNAME records. No subdomain takeover risk from dangling CNAMEs.
Learn more: https://dnschkr.com/blog/dns-attacks-guide#subdomain-takeover
| Status | Test name | Information |
|---|---|---|
DNSSEC | DNSSEC validation failed. This indicates a problem with your DNSSEC configuration:
โข DNSKEY query failed with SERVFAIL
โข DS query failed with SERVFAIL
Please check your DNSSEC configuration with your DNS provider. | |
Zone Transfer | Zone transfer (AXFR) is properly restricted. Tested 1 nameserver โ all refused the transfer request.
Learn more: https://dnschkr.com/blog/dns-attacks-guide#dns-zone-transfer-attack-axfr | |
Wildcard DNS | Good. Tested notrealdnschkr.blah.com - No wildcard DNS records found, ensuring random subdomains won't resolve to an IP address. | |
NXDOMAIN Response | Good. Tested notrealdnschkr.blah.com - Server returns NXDOMAIN for non-existent domains. While an SOA record is recommended, NXDOMAIN alone is a valid response. | |
CAA Records | No CAA records found. While optional, CAA records help control which Certificate Authorities can issue certificates for your domain. | |
Subdomain Takeover | Checked 8 common subdomains โ none have external CNAME records. No subdomain takeover risk from dangling CNAMEs.
Learn more: https://dnschkr.com/blog/dns-attacks-guide#subdomain-takeover |
Info
No TXT records found at the apex (@) of this domain. TXT records may still exist on subdomains (e.g., _dmarc, _domainkey selectors).
| Status | Test name | Information |
|---|---|---|
TXT Records | No TXT records found at the apex (@) of this domain. TXT records may still exist on subdomains (e.g., _dmarc, _domainkey selectors). |