About
DNSdiag is a free, open-source DNS health check tool that performs 50+ individual tests across 7 categories to give you a complete picture of your domain's DNS configuration. No signup, no limits — just enter a domain and get instant results.
How It Works
When you enter a domain name, DNSdiag queries live DNS servers in real time. We don't rely on cached or third-party data — every check is performed fresh against authoritative and recursive nameservers using the miekg/dns library written in Go. Results are scored on a 0–100 scale with letter grades (A+ through F).
What We Test
Nameserver Count [Parent]
Verifies your domain has at least 2 nameservers for redundancy per RFC 1035.
Parent Zone NS Records [Parent]
Checks that the parent zone (TLD) correctly delegates to your nameservers with proper NS records and glue records.
Parent-Child NS Consistency [Parent]
Ensures NS records listed in the parent zone match those served by your domain's own nameservers.
NS Subnet Diversity [Nameservers]
Checks that nameservers are distributed across multiple subnets for fault tolerance against network-level failures.
NS Responsiveness [Nameservers]
Tests whether all authoritative nameservers respond to queries. Unresponsive servers cause resolution failures.
SOA Serial Consistency [Nameservers]
Detects whether nameservers serve different SOA serial numbers, indicating unsynchronized zone data.
Zone Transfer (AXFR) [Nameservers]
Verifies that unauthorized zone transfer requests are rejected, preventing exposure of your internal DNS data.
Recursive Queries [Nameservers]
Checks that nameservers refuse recursive queries from external sources to prevent DNS amplification attacks.
Lame Delegation [Nameservers]
Detects nameservers listed in NS records that are not actually authoritative for your zone.
TCP Connectivity [Nameservers]
Tests whether nameservers accept TCP connections, required by RFC 7766 for responses larger than UDP limits.
NS Single Point of Failure [Nameservers]
Detects when multiple nameservers share the same IP address, creating a single point of failure.
Cross-Server NS Consistency [Nameservers]
Ensures all nameservers return consistent NS records, indicating synchronized zone data.
NS Public IP [Nameservers]
Verifies that all nameserver IP addresses are publicly routable, not private or reserved (RFC 1918).
NS CNAME Check [Nameservers]
Checks that NS records are not CNAME aliases, which violates RFC 2181 and can cause resolution failures.
DNSKEY Record [DNSSEC]
Checks for DNSKEY records that enable DNSSEC, protecting against cache poisoning and man-in-the-middle attacks (RFC 4033).
DS Record [DNSSEC]
Verifies the Delegation Signer record exists in the parent zone, creating the chain of trust for DNSSEC validation.
RRSIG Records [DNSSEC]
Checks for signed responses with RRSIG records to confirm the zone is fully signed and DNSSEC validation works.
SOA Record [SOA]
Verifies the Start of Authority record exists and identifies the primary nameserver and zone administrator.
SOA Serial Format [SOA]
Checks if the serial follows the recommended YYYYMMDDxx format for easier zone management and change tracking.
SOA Refresh / Retry / Expire [SOA]
Validates that SOA timing values (refresh, retry, expire, minimum TTL) are within recommended ranges per RFC 1912.
SOA Primary Nameserver [SOA]
Validates that the primary nameserver (MNAME) in the SOA record is listed in the domain's NS records.
SOA Minimum TTL [SOA]
Checks that the SOA minimum TTL value is within the recommended 300–86400 second range for negative caching.
MX Records [Mail]
Checks that MX records exist and point to valid mail servers for email delivery (RFC 5321).
MX Host Resolution & Reverse DNS [Mail]
Verifies all MX hosts resolve to valid IPs and have proper PTR (reverse DNS) records for email deliverability.
SPF Record [Mail]
Checks for Sender Policy Framework (SPF) TXT records to prevent email spoofing (RFC 7208).
DKIM Record [Mail]
Looks for DomainKeys Identified Mail (DKIM) records with common selectors to verify email authenticity (RFC 6376).
DMARC Record & Policy [Mail]
Validates the DMARC policy that tells receivers how to handle emails failing SPF/DKIM checks (RFC 7489).
SPF Policy Strength [Mail]
Evaluates the SPF 'all' mechanism — weak policies like '+all' or '?all' allow anyone to send email as your domain.
MX Count & Duplicates [Mail]
Checks for a reasonable number of MX records and flags duplicates that provide no redundancy benefit.
MX Validation (Priority, CNAME, IP) [Mail]
Validates MX priority ordering and ensures MX records don't point to CNAME or raw IP addresses (RFC 5321, RFC 2181).
TTL Consistency [TTL]
Ensures TTL values are consistent across record types for predictable caching behavior.
TTL Value Range [TTL]
Flags TTLs outside the recommended 300–86400 second range that may cause excessive traffic or slow propagation.
A / AAAA Records [WWW]
Checks that the domain resolves to IPv4 (A) and IPv6 (AAAA) addresses for dual-stack accessibility.
WWW Subdomain [WWW]
Tests whether the www subdomain resolves correctly so users can reach your site with or without www.
CNAME & Domain Checks [WWW]
Verifies no CNAME at domain root (RFC 1912) and checks for proper hostname usage across records.
WWW Public IP [WWW]
Verifies that web IP addresses are publicly routable and not private or reserved addresses (RFC 1918).
Reverse MX DNS [Mail]
Checks that MX server IP addresses have valid reverse DNS (PTR) records with forward-confirmed matching, critical for email deliverability.
Reverse DNS (PTR) [WWW]
Checks that all IP addresses for your domain have valid reverse DNS records pointing back to your domain.
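The SPF Record and SPF Policy Strength checks described above, as an added example in Go (not DNSdiag's own code, which does the live TXT lookup with miekg/dns): given the TXT records already fetched for a domain, it selects the single v=spf1 record RFC 7208 allows and classifies the 'all' mechanism by its qualifier. The pass/warn/fail mapping, the handling of redirect= and the sample records in main are this example's assumptions, not values from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// SelectSPFRecord picks the one v=spf1 record RFC 7208 §3.2 allows from a domain's TXT records.
func SelectSPFRecord(txts []string) (string, error) {
	var found []string
	for _, t := range txts {
		if strings.HasPrefix(strings.ToLower(t)+" ", "v=spf1 ") { // version token (§4.5), not v=spf10
			found = append(found, t)
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("found %d SPF records, RFC 7208 requires exactly one", len(found))
	}
	return found[0], nil
}

// allLevel is this example's pass/warn/fail mapping per 'all' qualifier, following the page.
var allLevel = map[string]string{"-": "pass", "~": "warn", "+": "fail", "?": "fail"}

// EvaluateSPFAll returns the qualifier of the 'all' mechanism and its check level.
func EvaluateSPFAll(spf string) (qualifier, level string) {
	redirected := false
	for _, term := range strings.Fields(spf) {
		t := strings.ToLower(term)
		if strings.HasPrefix(t, "redirect=") {
			redirected = true // §6.1: consulted only when no 'all' mechanism is present
		}
		q := "+" // a mechanism without an explicit qualifier defaults to "+"
		if strings.ContainsAny(t[:1], "+-~?") {
			q, t = t[:1], t[1:]
		}
		if t == "all" {
			return q, allLevel[q] // terms after 'all' are never evaluated
		}
	}
	if redirected {
		return "", "warn" // policy lives in another domain; not followed in this offline example
	}
	return "", "fail" // no 'all': unlisted senders get a neutral result, as with ?all
}

func main() { // constructed TXT records stand in for a live lookup
	rec, _ := SelectSPFRecord([]string{"verify=abc", "v=spf1 mx ~all"})
	fmt.Println(EvaluateSPFAll(rec))
}
```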
Scoring System
Each test has an importance weight from 2 to 5. Critical checks like nameserver responsiveness and DNSSEC have higher weights. A pass earns the full weight, a warning earns 40%, and a fail earns 0. The overall score is calculated as a weighted percentage, then mapped to a letter grade from A+ through F.
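The scoring rule above worked through in Go, as an added example and not DNSdiag's own code: the weight range, the pass/warn/fail credit and the weighted percentage follow the page, while the check names and weights in the sample are constructed. Because the page does not give the score cut-offs for each letter, the example stops at the numeric score and additionally reports which findings cost the most points, which is the order in which fixing them pays off.

```go
package main

import (
	"fmt"
	"sort"
)

// CheckResult is one test outcome with the importance weight the page describes (2 to 5).
type CheckResult struct {
	Name   string
	Weight int    // 2..5, higher for critical checks such as NS responsiveness and DNSSEC
	Status string // "pass", "warn" or "fail"; anything else is credited like a fail
}

// earned is the share of a check's weight each status keeps: pass 100%, warn 40%, fail 0.
var earned = map[string]float64{"pass": 1, "warn": 0.4, "fail": 0}

// Loss records how many points of the 0 to 100 score one non-passing check cost.
type Loss struct {
	Name   string
	Points float64
}

// Score returns the weighted percentage and the per-check losses, most expensive first,
// which is the order in which fixing findings raises the score fastest.
func Score(results []CheckResult) (float64, []Loss) {
	var total, got float64
	for _, r := range results {
		total += float64(r.Weight)
	}
	if total == 0 {
		return 0, nil
	}
	var losses []Loss
	for _, r := range results {
		kept := float64(r.Weight) * earned[r.Status]
		got += kept
		if lost := float64(r.Weight) - kept; lost > 0 {
			losses = append(losses, Loss{r.Name, 100 * lost / total})
		}
	}
	sort.Slice(losses, func(i, j int) bool { return losses[i].Points > losses[j].Points })
	return 100 * got / total, losses
}

func main() { // constructed results and weights for an imaginary domain
	score, losses := Score([]CheckResult{{"NS Responsiveness", 5, "pass"}, {"DS Record", 5, "fail"},
		{"SPF Policy Strength", 3, "warn"}, {"SOA Serial Format", 2, "pass"}})
	fmt.Printf("score %.1f, losses %+v\n", score, losses)
}
```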
Why DNS Health Matters
DNS is the foundation of your online presence. Misconfigured DNS causes:
- Email delivery failures — Missing SPF, DKIM, or DMARC records cause your emails to land in spam or get rejected entirely.
- Security vulnerabilities — Without DNSSEC, attackers can poison DNS caches and redirect your traffic.
- Downtime — Single nameserver, lame delegation, or inconsistent SOA serials can make your domain unreachable.
- Poor performance — Incorrect TTL values cause excessive DNS traffic or slow propagation of changes.
- SEO impact — Search engines penalize domains with DNS reliability issues.
Open Source
DNSdiag is built with Go and uses the miekg/dns library for DNS queries. The tool runs real-time checks against live nameservers — no cached or third-party data. Built and maintained by WrongStack.