Good. j.gtld-servers.net has information for your TLD. This confirms your domain is properly delegated.

Good. The parent server has your nameservers listed and they match the actual NS records. This ensures consistent DNS resolution.

Good. No nameservers allow recursive queries.

The GLUE records from the parent zone match those from your nameservers. This is important for consistent DNS resolution.

Note: Your nameservers are not under your domain, so additional glue records are not required.

Good. The NS records at all your nameservers are identical.

Good. All nameservers listed at the parent server responded.

All NS records appear to be valid hostnames.

You have 4 nameservers. This meets the minimum requirement, though RFC2182 section 5 recommends at least 3 for better reliability.

Good. All nameservers are answering authoritatively for your domain.

Good. All NS records match between parent and nameservers, as required by RFC1034 section 3.6.

Good. All parent-listed nameservers are reported by your nameservers, as required by RFC1034 section 3.6.

Good. No CNAME records found for NS records, as per RFC1912 section 2.4 and RFC2181 section 10.3.

Found 1 pair(s) of nameserver IPs in the same /16 subnet. For better redundancy, consider using nameservers on different subnets as recommended by RFC2182 section 5. Affected pairs: 212.18.248.36 and 212.18.249.36. Note: providers using anycast may have geographic redundancy despite shared subnets.

Good. All nameserver IPs (both IPv4 and IPv6) are public, ensuring global accessibility as required by RFC1035.

Good. All DNS servers allow TCP connections, which is required for larger DNS responses as per RFC1035.

Good. All DNS servers allow UDP connections, which is required for standard DNS queries.

Good. Your nameservers appear to be on different networks, providing better redundancy.

Good. All nameservers in your zone are properly registered at the parent. This ensures consistent DNS resolution for all users.

SOA Serial numbers per nameserver: ns3.nic.co.com: 2014408867 ns4.nic.co.com: 2014408867 ns2.nic.co.com: 2014408867 ns1.nic.co.com: 2014408867 Good. All nameservers report the same SOA serial number.

Warning: Primary nameserver ns0.nic.co.com is not listed in your NS records. MNAME doesn't match a member of the NS RRSET. This is OK but may be problematic with zones using Dynamic Updates.

Your SOA serial number is: 2014408867.

Warning: SOA REFRESH interval is 900 seconds (15 minutes). This is below the recommended minimum of 1200 seconds as per RFC1912 section 2.2.

Warning: SOA RETRY value (1800 seconds) is higher than refresh (900 seconds). According to RFC1912 section 2.2, retry should be less than refresh to prevent unnecessary zone transfer attempts.

Current expire time is 6048000 seconds (70 days). Warning: Common practice recommends a maximum of 28 days (2419200 seconds) to avoid stale data being served for too long.

OK. Your SOA MINIMUM TTL is: 3600 seconds (60 minutes). This value is used for negative caching and is within the recommended range of 180-86400 seconds as per RFC2308 section 4.

TTL of 300 seconds provides a good balance between propagation speed and DNS load.

No AAAA (IPv6) records found. While not required, IPv6 support is recommended for future-proofing your domain and improving accessibility for IPv6 users.

All nameservers are reporting the same mail server configuration. This consistency ensures reliable email delivery.

All mail server hostnames are properly formatted.

All mail servers use public IP addresses, ensuring global email delivery.

Mail servers are properly configured without CNAME records.

Warning: The following IP addresses are shared between multiple mail servers: 38.101.250.150 is shared by: mx.spamexperts.com, fallbackmx.spamexperts.eu 38.89.254.156 is shared by: fallbackmx.spamexperts.eu, lastmx.spamexperts.net 38.71.16.244 is shared by: fallbackmx.spamexperts.eu, lastmx.spamexperts.net This may indicate suboptimal mail handling distribution.

DNSSEC validation failed. This indicates a problem with your DNSSEC configuration: • DNSKEY query failed with SERVFAIL • DS query failed with SERVFAIL Please check your DNSSEC configuration with your DNS provider.

Zone transfer (AXFR) is properly restricted. Tested 4 nameservers — all refused the transfer request. Learn more: https://dnschkr.com/blog/dns-attacks-guide#dns-zone-transfer-attack-axfr

Warning: Wildcard DNS records found. This means any subdomain will resolve to an IP address, which could pose security risks.

Warning: Server does not return NXDOMAIN for non-existent domains. This could indicate misconfiguration or intentional wildcard records.

No CAA records found. While optional, CAA records help control which Certificate Authorities can issue certificates for your domain.

Checked 8 common subdomains — none have external CNAME records. No subdomain takeover risk from dangling CNAMEs. Learn more: https://dnschkr.com/blog/dns-attacks-guide#subdomain-takeover

Found SPF record: v=spf1 mx ip4:169.60.151.232 ip4:184.172.61.109 ip4:169.60.163.139 ip4:169.60.135.222 a:codotcom.kayako.com include:servers.mcsv.net -all

Found DMARC record: v=DMARC1; p=quarantine; sp=none; rua=mailto:[email protected]