Total Tests
34
Passed
30
Critical Issues
1
| Nameserver | IPv4 | IPv6 | Zone match |
|---|---|---|---|
| ns1.sawsells.com | 172.64.52.32, 172.64.53.159 | 2606:4700:52::ac40:3420, 2606:4700:5a::ac40:359f | match |
| ns2.sawsells.com | 172.64.52.174, 172.64.53.214 | 2606:4700:52::ac40:34ae, 2606:4700:5a::ac40:35d6 | match |
Information provided by f.gtld-servers.net
Note: The parent server is providing glue records for these nameservers. While not required (since the nameservers are not under your domain), this helps optimize DNS resolution.
| Status | Test name | Information |
|---|---|---|
| | Authoritative Nameservers | These nameservers are responsible for answering queries about your domain. 2 records: ns1.sawsells.com, ns2.sawsells.com. Source: This information was kindly provided by f.gtld-servers.net. |
| | TLD Delegation Check | Good. f.gtld-servers.net has information for your TLD. This confirms your domain is properly delegated. |
| | Nameservers Listed at Parent | Good. The parent server has your nameservers listed and they match the actual NS records. This ensures consistent DNS resolution. |
| | Glue Records from Parent | Information provided by f.gtld-servers.net. ns1.sawsells.com: IPv4 addresses 172.64.52.32, 172.64.53.159; IPv6 addresses 2606:4700:52::ac40:3420, 2606:4700:5a::ac40:359f. ns2.sawsells.com: IPv4 addresses 172.64.52.174, 172.64.53.214; IPv6 addresses 2606:4700:52::ac40:34ae, 2606:4700:5a::ac40:35d6. Note: The parent server is providing glue records for these nameservers. While not required (since the nameservers are not under your domain), this helps optimize DNS resolution. |
| Status | Test name | Information |
|---|---|---|
| | Nameserver Records from Zone | ns1.sawsells.com: IPv4 addresses 172.64.53.159, 172.64.52.32; Authoritative, Non-Recursive, TCP, UDP; TTL: 172,800s (2 days). ns2.sawsells.com: IPv4 addresses 172.64.52.174, 172.64.53.214; Authoritative, Non-Recursive, TCP, UDP; TTL: 172,800s (2 days). |
| | Open Recursive Queries | Good. No nameservers allow recursive queries. |
| | Glue Record Consistency | Warning: Mismatched IPv4 records between parent and nameserver responses. This can cause inconsistent DNS resolution. Mismatches found: ns1.sawsells.com: IPv4: Parent has [172.64.52.32, 172.64.53.159, 2606:4700:52::ac40:3420, 2606:4700:5a::ac40:359f], Nameserver has [172.64.52.32, 172.64.53.159]; ns2.sawsells.com: IPv4: Parent has [172.64.52.174, 172.64.53.214, 2606:4700:52::ac40:34ae, 2606:4700:5a::ac40:35d6], Nameserver has [172.64.52.174, 172.64.53.214] |
| | Missing Glue for NS Records | Note: Your nameservers are not under your domain, so additional glue records are not required. |
| | Mismatched NS records | Good. The NS records at all your nameservers are identical. |
| | DNS servers responded | Good. All nameservers listed at the parent server responded. |
| | Name of nameservers are valid | All NS records appear to be valid hostnames. |
| | Nameserver Redundancy Check | You have 2 nameservers. This meets the minimum requirement, though RFC2182 section 5 recommends at least 3 for better reliability. |
| | Lame Delegation Check | Good. All nameservers are answering authoritatively for your domain. |
| | Parent Missing Nameservers | Good. All NS records match between parent and nameservers, as required by RFC1034 section 3.6. |
| | Zone Missing Nameservers | Good. All parent-listed nameservers are reported by your nameservers, as required by RFC1034 section 3.6. |
| | CNAMEs at Apex Check | Good. No CNAME records found for NS records, as per RFC1912 section 2.4 and RFC2181 section 10.3. |
| | NS IP Subnet Diversity | Found 6 pair(s) of nameserver IPs in the same /16 subnet. For better redundancy, consider using nameservers on different subnets as recommended by RFC2182 section 5. Affected pairs: 172.64.53.159 and 172.64.52.32, 172.64.53.159 and 172.64.52.174, 172.64.53.159 and 172.64.53.214, 172.64.52.32 and 172.64.52.174, 172.64.52.32 and 172.64.53.214, 172.64.52.174 and 172.64.53.214. Note: providers using anycast may have geographic redundancy despite shared subnets. |
| | NS IP Public Accessibility | Good. All nameserver IPs (both IPv4 and IPv6) are public, ensuring global accessibility as required by RFC1035. |
| | DNS servers allow TCP connection | Good. All DNS servers allow TCP connections, which is required for larger DNS responses as per RFC1035. |
| | DNS servers allow UDP connection | Good. All DNS servers allow UDP connections, which is required for standard DNS queries. |
| | NS AS Diversity Check | Good. Your nameservers appear to be on different networks, providing better redundancy. |
| | Stealth Nameserver Check | Good. All nameservers in your zone are properly registered at the parent. This ensures consistent DNS resolution for all users. |
| Status | Test name | Information |
|---|---|---|
| | SOA record | Primary Nameserver: ns1.sawsells.com. Hostmaster Email: hostmaster.sawsells.com. Serial Number: 2026031502, Recently Updated (Standard Format). A unique version number that changes whenever the zone file is updated. Time Intervals: Refresh: 10800 seconds (3 hours), how often secondary nameservers check for updates (20m - 24h). Retry: 3600 seconds (1 hour), how long to wait before retrying a failed zone transfer (2m - 2h). Expire: 604800 seconds (7 days), how long secondary servers serve stale zone data (1w - 4w). TTL: 1200 seconds (20 minutes), default time-to-live for resource records (5m - 24h). |
| | SOA Serial Consistency | SOA Serial numbers per nameserver: ns1.sawsells.com: 2026031502; ns2.sawsells.com: 2026031502. Good. All nameservers report the same SOA serial number. |
| | SOA MNAME entry | OK. ns1.sawsells.com is correctly listed as one of your nameservers. |
| | SOA Serial | Your SOA serial number is: 2026031502. |
| | SOA REFRESH | OK. Your SOA REFRESH interval is: 10800 seconds (180 minutes). This is within the recommended range of 1200-43200 seconds as per RFC1912 section 2.2. |
| | SOA RETRY | OK. Your SOA RETRY value is: 3600 seconds (60 minutes). This is within the recommended range of 120-7200 seconds as per RFC1912 section 2.2. |
| | SOA EXPIRE | Current expire time is 604800 seconds (7 days). Warning: Common practice recommends a minimum of 14 days (1209600 seconds) to ensure secondary servers can continue serving during extended outages. |
| | SOA MINIMUM TTL | OK. Your SOA MINIMUM TTL is: 1200 seconds (20 minutes). This value is used for negative caching and is within the recommended range of 180-86400 seconds as per RFC2308 section 4. |
| Status | Test name | Information |
|---|---|---|
| | A Record Configuration | IPv4 Configuration: Multiple IPv4 addresses configured for redundancy and load balancing. IPv4 Addresses: 45.77.200.164, 64.176.195.8. Configuration Benefits: DNS-based load balancing (distributes traffic across multiple servers to improve performance and reliability); failover capability (automatic fallback to healthy servers if one becomes unavailable); geographic distribution potential (ability to serve content from servers closest to users). TTL: 300s. Provides a good balance between propagation speed and DNS load. |
| | A Record TTL | TTL of 300 seconds provides a good balance between propagation speed and DNS load. |
| Status | Test name | Information |
|---|---|---|
| | IPv6 Support | No AAAA (IPv6) records found. While not required, IPv6 support is recommended for future-proofing your domain and improving accessibility for IPv6 users. |
| Status | Test name | Information |
|---|---|---|
| | Mail Server Configuration | No MX records found. Email delivery will fall back to the domain's A record. |
| Status | Test name | Information |
|---|---|---|
| | WWW Configuration | WWW record type: A. www. A Record IPv4 Addresses (Matches Apex): 64.176.195.8, 45.77.200.164 |
| | Multiple WWW Records | Multiple records of the same type found: IPv4: 2 A records. This can provide redundancy if the IPs are on different servers, but doesn't automatically mean load balancing is in use. |
| Status | Test name | Information |
|---|---|---|
| | DNSSEC | DNSSEC validation failed. This indicates a problem with your DNSSEC configuration: DNSKEY query failed with SERVFAIL; DS query failed with SERVFAIL. Please check your DNSSEC configuration with your DNS provider. |
| | Zone Transfer | Zone transfer (AXFR) is properly restricted. Tested 2 nameservers - all refused the transfer request. Learn more: https://dnschkr.com/blog/dns-attacks-guide#dns-zone-transfer-attack-axfr |
| | Wildcard DNS | Good. Tested notrealdnschkr.shackle.com - No wildcard DNS records found, ensuring random subdomains won't resolve to an IP address. |
| | NXDOMAIN Response | Good. Tested notrealdnschkr.shackle.com - Server returns NXDOMAIN for non-existent domains. While an SOA record is recommended, NXDOMAIN alone is a valid response. |
| | CAA Records | No CAA records found. While optional, CAA records help control which Certificate Authorities can issue certificates for your domain. |
| | Subdomain Takeover | Checked 8 common subdomains - none have external CNAME records. No subdomain takeover risk from dangling CNAMEs. Learn more: https://dnschkr.com/blog/dns-attacks-guide#subdomain-takeover |
| Status | Test name | Information |
|---|---|---|
| | TXT Records | No TXT records found at the apex (@) of this domain. TXT records may still exist on subdomains (e.g., _dmarc, _domainkey selectors). |