DNS Propagation Checker

{{ verdict.badgeText }} {{ comparisonBadge }} {{ selectedResolverCount }} resolvers {{ holdoutBadge }} {{ uniqueAnswerBadge }} {{ failureCount }} failures Needs rerun

Last run: {{ lastRunLocal }}

Domain:

Enter one hostname or URL, then press Enter or Check for a resolver snapshot.

Record type:

Choose A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, or CAA.

Expected answer:

Comparison rule:

Exact matches the full row; Contains finds one token; Regex is for careful patterns.

Resolvers:

Defaults cover broad public views; Select all widens evidence but takes longer.

{{ resolver_keys.length }} / {{ resolverCatalog.length }} selected

DNSSEC DO bit:

Turn on when validation status matters to the cutover read.

DNSSEC CD bit:

Use only for DNSSEC troubleshooting; normal propagation checks can leave it off.

EDNS client subnet:

Optional CIDR examples: 0.0.0.0/0, 203.0.113.0/24, or 2001:db8::/32.

Timeout:

Accepted minimum is 500 ms; 2500-5000 ms avoids most false negatives.

Retries:

Accepted values: 0-4 extra attempts; 0 keeps the snapshot fastest.

Resolver matrix sort:

Choose how resolver rows should be ordered in the matrix artifact.

Section	Signal	Detail
Current verdict	{{ verdict.title }}	{{ verdict.lead }} {{ verdict.detail }}
Recommended next check	Next check	{{ step }}
Operational fact	Fact	{{ fact }}
Observed answer group	{{ group.label }}	{{ group.answerDisplay }} · {{ group.count }} resolvers · {{ group.resolverList }}

#	Resolver	Status	Answer	TTL	AD	Time (ms)	Copy
{{ index + 1 }}	{{ row.resolver }} {{ row.resolverPolicyShort }}	{{ row.statusLabel }}	{{ row.answer \|\| '—' }}	{{ row.ttl !== null ? row.ttl : '—' }}	{{ row.ad === true ? 'Yes' : (row.ad === false ? 'No' : '—') }}	{{ row.ms !== null ? row.ms : '—' }}
No resolver rows are available Run a DNS propagation check before exporting the resolver matrix.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

DNS propagation is cache convergence after an authoritative DNS change. The DNS provider may publish a new record immediately, but most visitors do not ask that provider directly. They ask recursive resolvers, and those resolvers can keep an earlier answer until its time to live, or TTL, expires.

That caching delay is why a site move, mail exchanger change, TXT record update, certificate validation record, or CDN cutover can look complete from one network and stale from another. The record is not spreading outward from a central switch. Authoritative nameservers hold the zone data, while recursive resolvers refresh answers according to TTL, cache timing, resolver policy, DNSSEC validation, and sometimes geography.

Authoritative answer: The record published by the DNS provider that serves the zone.
Recursive answer: The answer returned by a resolver after cache, policy, and validation are applied.
RRset: The full set of records for one name and type, such as all A records for www.example.com.

Each record type has its own propagation story. An A record may converge while the matching AAAA, CNAME, MX, TXT, NS, SOA, SRV, or CAA answer is still unchanged. Multi-value records add another common mistake: one missing address, one old mail exchanger, or one absent SPF token can matter even when the overall record type appears to return something.

A useful propagation read separates expected matches, cached holdouts, and failed lookups instead of reducing a DNS change to one yes or no.

TTL is the main timing clue, but it is not a shared countdown for every visitor. A resolver may have refreshed the old value seconds before the change. A laptop, browser, office forwarder, ISP resolver, or security gateway may keep its own cache. Negative answers such as NXDOMAIN can also be cached, so a newly created hostname may lag for reasons different from an edited record.

Public resolver agreement narrows uncertainty, but it does not represent every network. Private corporate resolvers, regional ISP caches, split-horizon DNS, browser caches, and location-aware CDN answers can still differ. A strong propagation judgment compares the exact expected RRset, checks holdout TTLs and answer text, and treats DNSSEC or EDNS Client Subnet clues as context rather than proof that every client now sees the same result.

How to Use This Tool:

Start with the exact record you changed, then widen resolver, DNSSEC, and ECS options only when the first snapshot needs more evidence.

Enter the Domain as a hostname or URL. URLs are reduced to the host, and the host must be a fully qualified domain name.
Choose the Record type: A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, or CAA.
Use Expected answer for cutovers, rollbacks, mail changes, and validation records. Leave it blank only when you want to see the largest current answer group.
Set Comparison rule to exact text for a full answer, contains text for one token inside a longer answer, or regular expression for a careful pattern.
Keep the default Resolvers for a quick public snapshot. Use Select all when you need broader evidence and can tolerate more timeout noise.
Use DNSSEC DO bit, DNSSEC CD bit, and EDNS client subnet only when DNSSEC validation or location-sensitive DNS steering is part of the investigation.
Review Propagation Brief first. Use Resolver Matrix, Answer Distribution, Resolver Latency, and JSON for row-level evidence, copied CSV, downloadable files, or a diagnostic record.

Interpreting Results:

With an expected answer, the percentage shows how many selected resolvers returned the target under the chosen comparison rule. That is the safest mode for real cutovers because a public resolver majority is not useful if the majority answer is still the wrong value.

Without an expected answer, the percentage shows how many selected resolvers share the largest normalized answer group. Treat that as consensus evidence, then confirm that the lead answer is actually the answer you intended to publish.

Expected rows match your target. Lead rows belong to the largest answer group when no target is set.
Different and Other rows are holdouts or alternate answers. Inspect answer text and TTL before assuming they are only slow caches.
Fail rows did not return a usable answer and still lower the score, because failed evidence should not disappear from the denominator.
TTL wait is a clue from nonmatching answers. It does not prove when downstream caches, browsers, or clients will refresh.
AD is a DNSSEC authenticated-data signal from the resolver response. A missing AD value can reflect validation policy, not just propagation lag.

Technical Details:

A recursive resolver may answer from cache until the resource record TTL expires. The TTL value returned by a recursive resolver is usually the remaining cache lifetime for that resolver's current answer, not a promise about every client cache. Separate resolvers can therefore show different TTLs for the same old RRset.

DNS over HTTPS carries the DNS question inside an HTTPS request to a public resolver. Resolver responses may arrive as JSON-style DNS answers or DNS wire-format messages, but the propagation judgment depends on the same evidence: whether a usable answer was returned, what the cleaned answer text is, what TTL was reported, whether AD was present, and how long the request took.

Formula Core:

The score keeps every selected resolver in the denominator, including failed or timed-out rows.

Score = round (\frac{m}{s} \times 100)

Here s is the number of selected resolvers. With an expected answer, m is the number of rows that match the target. Without an expected answer, m is the size of the largest normalized answer group. For example, 4 matching rows out of 5 selected resolvers produces round(4 / 5 * 100) = 80%.

Rule Core:

DNS propagation row status rules
Mode	Good row	Warning row	Fail row
Expected answer	Returned answer matches the exact, contains, or regular-expression rule.	Returned answer is usable but does not match the target.	No usable answer was returned before timeout.
Majority baseline	Returned answer belongs to the largest normalized answer group.	Returned answer is usable but belongs to a smaller group.	No usable answer was returned before timeout.

Answer normalization removes trailing dots from hostname-style values, strips wrapping quotes from TXT answers, sorts multi-value answers, removes duplicates, and compares the resulting text. That keeps equivalent resolver output from looking different while still preserving meaningful differences in record content.

Resolver evidence fields and interpretation
Field	Meaning	How to read it
Answer	Cleaned record data for the selected type.	Compare it with the expected answer or with the lead answer group.
TTL	The lowest TTL reported across the returned answer set.	Use it as a conservative cache-holdout clue, not a full visitor-cache guarantee.
AD	The resolver's Authenticated Data flag.	Useful for DNSSEC investigation, but dependent on resolver validation policy.
Time (ms)	Elapsed time for that resolver request.	Measures this snapshot's response speed, not DNS correctness.

EDNS Client Subnet can change CDN and latency-sensitive DNS answers because a resolver may send a client-network prefix to an authoritative server. It also has privacy and caching tradeoffs. Cloudflare 1.1.1.1 generally does not forward ECS, while Google Public DNS uses ECS only when the authoritative side implements it correctly. ECS results are therefore resolver-specific evidence, not a universal location test.

Retries repeat failed resolver requests and keep the fastest successful answer for each resolver. Raising timeout and retries can reduce false failures, but it cannot fix an invalid hostname, a wrong record type, a DNSSEC validation problem, or an authoritative zone that has not published the expected RRset.

Privacy and Accuracy Notes:

DNS checks leave the page and are sent to the selected public resolvers. The hostname, record type, DNSSEC choices, ECS value, and request timing can be visible to those providers. Avoid checking private hostnames or sensitive pre-launch names when that disclosure is not acceptable.

A public resolver snapshot cannot represent every user. Local browser caches, operating-system caches, office DNS forwarders, ISP resolvers, split-horizon DNS, and authoritative CDN steering may still produce different answers after the selected resolver set looks aligned.

Worked Examples:

A planned A-record move to 203.0.113.20 should use Record type A and Expected answer 203.0.113.20. If the brief says Mostly propagated to expected value at 80%, and the matrix shows one Different row with an 18-minute TTL, wait for that holdout window and rerun before treating the public recursive view as converged.

A TXT record update for SPF is often easier to validate with Contains text. Checking for include:_spf.example.net can confirm that one required token appears while the matrix still shows the full TXT answer, so missing mechanisms or duplicated fragments remain visible.

If the current verdict is No usable resolver answers, do not read the score as propagation delay. Check that the domain has at least two labels, the record type is correct, the regular expression is valid if used, and the timeout is long enough for the selected resolver set.

FAQ:

Does 100% mean every visitor sees the new DNS record?

No. It means the selected public resolvers matched in this snapshot. Other recursive resolvers, local caches, enterprise DNS, and CDN steering can still produce different answers.

Should I enter an expected answer?

Yes for cutovers, rollbacks, mail changes, and certificate validation records. Leaving it blank only measures the largest observed answer group, which may be the wrong value.

Why do failures count against the percentage?

A failed resolver is missing evidence. Keeping failures in the denominator prevents a small successful subset from looking like full propagation.

When should I use DNSSEC DO or CD?

Use DO when DNSSEC evidence matters. Use CD only for troubleshooting because it asks the resolver to disable checking and can separate validation policy from cache state.

What should I do when the snapshot becomes stale?

Run the check again. A stale warning means the current fields no longer match the completed resolver snapshot, so the visible result should not guide a cutover decision.

Glossary:

AD: Authenticated Data, a DNSSEC-related signal returned by a resolver response.
CD: Checking Disabled, a DNSSEC flag that asks a resolver not to perform validation for the query.
DO: DNSSEC OK, an EDNS flag that requests DNSSEC records and validation context.
ECS: EDNS Client Subnet, an optional subnet hint that may affect location-aware DNS answers.
Recursive resolver: A DNS resolver that answers from cache or performs resolution on behalf of clients.
TTL: Time to live, the number of seconds a DNS answer may remain cached.

References:

RFC 1035: Domain Names - Implementation and Specification, IETF, November 1987.
RFC 2308: Negative Caching of DNS Queries, IETF, March 1998.
RFC 4035: Protocol Modifications for DNSSEC, IETF, March 2005.
RFC 7871: Client Subnet in DNS Queries, IETF, May 2016.
RFC 8484: DNS Queries over HTTPS, IETF, October 2018.
Cloudflare 1.1.1.1 FAQ, Cloudflare.
EDNS Client Subnet Guidelines, Google Public DNS.
How to check DNS resolution in Linux, Simplified Guide.
How to query DNS records in Windows, Simplified Guide.