Nameserver Health Check
Check a domain's nameserver health with resolver comparison, glue and CNAME checks, SOA timer review, IPv6 coverage, and repair steps.Nameserver Health
| # | Surface | Check | Status | Evidence | Copy |
|---|---|---|---|---|---|
| {{ index + 1 }} |
{{ check.surface }}
{{ check.rfc }}
|
{{ check.label }} | {{ check.status }} | {{ check.note || '-' }} |
| # | Nameserver | A | AAAA | Addressing | Glue | Note | Copy |
|---|---|---|---|---|---|---|---|
| {{ index + 1 }} |
{{ row.ns }}
{{ row.scopeLabel }}
|
{{ row.a.join(', ') || '-' }} | {{ row.aaaa.join(', ') || '-' }} |
{{ row.addressScope }}
{{ row.addressingSummary }}
|
{{ row.glueReady ? 'ready' : 'missing' }} | {{ row.note || '-' }} |
| Resolver | Status | NS code | SOA code | Time | AD | NS snapshot | SOA | Copy |
|---|---|---|---|---|---|---|---|---|
| {{ row.resolver }} | {{ row.status }} | {{ row.nsCode }} | {{ row.soaCode }} | {{ row.timeMs }} ms | {{ row.adSeen ? 'seen' : 'none' }} |
{{ row.nsSnapshot || '-' }}
{{ row.note }}
|
{{ row.soaMname || '-' }}
Serial {{ row.soaSerial !== null ? row.soaSerial : '-' }}
|
| SOA field | Value | Copy |
|---|---|---|
| {{ row.field }} | {{ row.value }} |
| Priority | Action | Why | Copy |
|---|---|---|---|
| {{ item.priority }} | {{ item.action }} | {{ item.why }} |
| Purpose | Command | Copy |
|---|---|---|
| {{ command.label }} | {{ command.command }} |
Nameserver health is a delegation problem: the parent zone, authoritative nameservers, address records, SOA data, and resolver views all need to agree closely enough for reliable DNS resolution.
Use this checker to review a domain's NS set, glue readiness, address-family coverage, SOA timer sanity, resolver consistency, and repair priorities before or after DNS changes.
Delegation Health:
Confirm the domain has enough nameservers, usable addresses, and no avoidable alias problems in the NS path.
Resolver Agreement:
Compare public resolver views to catch propagation drift, partial updates, and inconsistent SOA evidence.
Repair Queue:
Turn warnings and failures into ordered fixes for registrar, DNS host, and zone-file follow-up.
How to Use This Tool:
- Enter the registered domain name, not a full page address. Pasted page addresses are reduced to the hostname before checking.
- Use the balanced posture for routine reviews. Use strict posture before registrar moves, DNS-host migrations, zone launches, or high-availability checks.
- Enable resolver comparison when you need to detect propagation drift or disagreement between major recursive resolvers.
- Enter an expected nameserver list when validating a planned migration or confirming that an old DNS host has been fully removed.
- Use the repair queue first, then confirm the corrected domain with independent command-line checks from the runbook section.
Interpreting Results:
Failures identify conditions that can break or seriously weaken resolution, such as missing NS records, missing address records for in-bailiwick nameservers, reserved-only nameserver addresses, or expected nameservers that are absent.
Warnings identify issues that may still resolve today but deserve correction. Examples include too few nameservers for the selected posture, missing IPv6 coverage, weak network spread, SOA timer concerns, disabled resolver comparison, or unexpected nameservers during a migration.
Resolver disagreement means public recursive resolvers did not return the same NS or SOA view during the check. That can be normal during propagation, but it should be treated as a risk when a change window is considered complete.
SOA serial and timer findings should be read with the DNS host's operating model in mind. Managed DNS providers may hide zone-file workflow, but stale serials, unusual retry timing, or mismatched primary nameserver evidence can still explain operational problems.
Technical Details:
The checker validates the domain shape, converts internationalized names to their DNS-safe form, and queries selected public resolvers for NS and SOA data. For each nameserver hostname, it checks address-family coverage and flags address scopes that are not globally usable.
In-bailiwick nameservers receive special attention because they depend on glue-style address availability at the delegation boundary. A child nameserver under the same domain needs usable address evidence, otherwise resolvers can have no reliable way to reach it.
The network-spread review groups public IPv4 nameserver addresses by /24 and public IPv6 addresses by /48. Multiple nameservers placed in the same narrow network can satisfy a count check while still leaving the delegation vulnerable to provider, route, or data-center incidents.
Rule Core
This is a rule-based audit rather than a single equation. The report evaluates each check as pass, warn, or fail, then builds the remediation order from the highest-risk findings.
- Nameserver count must meet the selected posture: at least two for balanced checks and at least three for strict checks.
- Nameserver hostnames should not be aliases when alias checking is enabled.
- In-bailiwick nameservers need usable A or AAAA evidence.
- Reserved-only, private-only, or otherwise non-public nameserver addresses are treated as failures.
- SOA primary nameserver, serial, refresh, retry, expire, and negative-cache fields are checked for presence and timer sanity.
- Resolver comparison reviews whether selected resolvers agree on the NS set and SOA evidence.
- Expected nameserver alignment fails when a required name is missing and warns when extra names appear.
Common Uses:
- Validate a domain before changing registrar, DNS host, CDN, mail routing, or production records.
- Confirm that a nameserver migration has reached major public resolvers.
- Find missing glue, weak IPv6 coverage, aliases in the NS path, and narrow network diversity.
- Prepare a concise repair plan for registrar support, managed DNS support, or an internal platform team.
- Document before-and-after evidence during DNS incident response.