Nameserver Health Check

#	Nameserver	A	AAAA	CNAME	Notes
{{ idx + 1 }}	{{ row.ns }}	{{ row.a.join(', ') \|\| '-' }}	{{ row.aaaa.join(', ') \|\| '-' }}	{{ row.cname.join(', ') \|\| '-' }}	{{ row.note \|\| '-' }}

#	Check	Status	Notes
{{ idx + 1 }}	{{ c.label }}	{{ c.status }}	{{ c.note \|\| '-' }}

Resolver	Status	Code	Time	NS Snapshot	SOA MNAME	SOA Serial
{{ e.resolver }}	{{ e.status }}	{{ e.code }}	{{ e.timeMs }} ms	{{ e.nsSnapshot \|\| '-' }}	{{ e.soaMname \|\| '-' }}	{{ e.soaSerial === null \|\| e.soaSerial === undefined ? '-' : e.soaSerial }}

Nameservers are the signposts that tell the internet where a domain keeps its official records, and they shape how quickly and reliably names resolve. A nameserver health check looks for common delegation mistakes and configuration surprises that can turn a routine change into a messy outage.

Enter a domain name and you get a snapshot of the delegated nameservers plus a clear pass, warning, or fail summary. For each nameserver host, the report notes whether it has address records for common networks and whether it behaves like an alias. It also reads the start of authority record so you can sanity check the primary nameserver and its serial number.

Suppose you are moving a domain to a new provider and you expect two nameservers to be listed at the parent zone. If one nameserver name points only to an alias record, the results flag it so you can fix the host records before you switch traffic. If the serial number looks missing or out of place, you know to review how the zone is being published.

A clean report does not prove that a nameserver will answer every query, and it cannot measure reachability from every network. During changes, different resolvers can disagree for a while, so treat warnings as a prompt to investigate rather than a verdict. If a domain name is sensitive, avoid running checks on shared machines or in screenshots.

Use this check as a quick first pass when something feels off, then follow up with authoritative testing when the stakes are high.

Technical Details:

The Domain Name System (DNS) delegates a domain to a set of nameservers listed in Nameserver (NS) records. Inside the zone, the Start of Authority (SOA) record identifies the primary nameserver in its MNAME field and carries a serial number that often tracks zone revisions. This checker treats the NS set, the SOA MNAME, and the SOA serial as signals of whether delegation and zone metadata look coherent.

Each nameserver hostname is also a name that should resolve to addresses. The tool queries A records for IPv4 addresses and AAAA records for IPv6 addresses, then flags hosts that return no addresses. When enabled, it also queries for CNAME records to detect nameserver hostnames that behave like aliases, since NS hosts are typically expected to be canonical names.

Lookups are performed through DNS over HTTPS (DoH) using JSON responses from a recursive resolver. You can choose Cloudflare, Google, or an Auto mode that tries Cloudflare first and falls back to Google only when the first request fails at the network level. An optional comparison mode runs NS and SOA queries against both resolvers and reports any answer set differences, which can help explain propagation and caching effects.

Results are grouped into PASS, WARN, and FAIL. PASS means the observed records match common expectations, WARN highlights gaps or ambiguity worth double checking, and FAIL points to a configuration that is usually unsafe, such as a CNAME answer on a nameserver hostname. One check is always a WARN to remind you that the view is based on recursive resolver data and is not a direct authoritative probe.

Processing pipeline

Sanitize the input by extracting a hostname from a domain, URL, or email.
Convert the hostname to ASCII, lowercase it, and remove any trailing dot.
Select a resolver, or use Auto to try Cloudflare then Google.
Request NS and SOA records using DoH JSON queries with an optional timeout.
Parse and de duplicate NS hostnames, then sort them for a stable snapshot.
Parse SOA fields from the first answer and capture MNAME and serial when present.
For each NS host, query A and AAAA, and optionally query CNAME.
Run per host lookups with 1 to 16 workers, preserving the original order.
Assign PASS, WARN, FAIL checks and summarize counts across the run.

Symbols and units

Key symbols, meanings, and datatypes used by the checker
Symbol	Meaning	Unit or datatype	Source
`d`	Domain input after basic sanitization	string	Input
`d_ascii`	ASCII normalized hostname used for queries	string	Derived
`r`	Resolver selection	enum	Input
`t`	Per request timeout	ms	Input
`w`	Parallel lookup workers	integer	Input
`N_NS`	Number of unique NS hostnames found	count	Derived
`MNAME`	Primary nameserver field from SOA	hostname	Derived
`S`	SOA serial number	integer	Derived
`status`	Check outcome category	PASS, WARN, FAIL	Derived

Worked example

The values below are illustrative and show how the status rules are applied to one run.

Input: d = example.test, r = Auto, w = 6, t = 3500 ms

N_{NS} = 2

Assume the query returns two nameservers, and the SOA record parses with a matching MNAME and a numeric serial.

MNAME = ns1.example.test

S = 2025010101

If one nameserver host returns a CNAME answer when the alias check is enabled, the canonical host check becomes a FAIL even if address records exist.

{status}_{cname} = FAIL

In practice, a single FAIL is a cue to fix the delegation or host records before relying on the domain change.

Interpretation thresholds

Thresholds for the NS record count check
Threshold band	Lower bound	Upper bound	Interpretation	Action cue
FAIL	0	0	No NS records were returned for the queried name.	Confirm the domain and delegation point.
WARN	1	1	Only one nameserver was returned, which reduces redundancy.	Add a second nameserver before changes.
PASS	2	∞	Two or more nameservers were returned.	Proceed, then check the rest of the results.

Other checks use the same PASS, WARN, FAIL scheme, with WARN reserved for missing optional signals and FAIL used for unsafe aliasing.

Parameters

Parameters that control resolver selection and lookup behavior
Parameter	Meaning	Unit or datatype	Typical range	Sensitivity	Notes
Resolver (`r`)	Recursive resolver used for DoH lookups	enum	Auto, Cloudflare, Google	Medium	Auto falls back only on network failure.
Compare resolvers	Runs NS and SOA queries on both resolvers	boolean	Off or on	High	Useful for spotting caching and propagation differences.
Check CNAME on NS	Queries CNAME records for nameserver hostnames	boolean	Off or on	High	When enabled, any CNAME answer produces a FAIL.
Concurrency (`w`)	Parallel nameserver host lookups	integer	1 to 16	Medium	Higher values finish faster but can amplify rate limits.
Timeout (`t`)	Abort a single DoH request after this duration	ms	0 or more	Medium	0 disables extra timeouts beyond the network stack.

Constants used by the logic

Constants and defaults defined in the client logic
Constant	Value	Unit	Source	Notes
Default domain	`example.com`	hostname	Constant	Starting value shown in the input.
Default resolver	Auto	enum	Constant	Auto attempts Cloudflare first.
Default concurrency	6	workers	Constant	Clamped to 1 to 16 at runtime.
Default timeout	3500	ms	Constant	Applied per DoH request when greater than 0.
Status reset timer	1500	ms	Constant	Used for temporary copied and downloaded indicators.

Units, precision, and rounding

Resolver response time is measured with performance.now() and rounded to whole milliseconds.
Timeout and concurrency inputs are treated as numbers, with safe fallbacks for invalid values.
Hostnames are normalized by trimming whitespace, removing trailing dots, and lowercasing.
Record lists are de duplicated before display to avoid repeated answers.

Validation and bounds

Input validation rules extracted from the UI and client logic
Field	Type	Min	Max	Step or pattern	Error text
Domain	text	–	–	Trims, extracts hostname from URL or email, strips leading and trailing dots	Domain is required.
Resolver	enum	–	–	Auto, Cloudflare, Google	–
Compare resolvers	boolean	–	–	On or off	–
Check CNAME on NS	boolean	–	–	On or off	–
Concurrency	number	1	16	Step 1, clamped to 1 to 16	–
Timeout	number	0	–	Step 100 ms, 0 disables extra timeout	–

Inputs and outputs

Accepted input families and the resulting output artifacts
Input	Accepted families	Output	Encoding or precision	Rounding
Domain	Hostname, full URL, or email address	NS list, SOA MNAME and serial, per host A and AAAA, optional CNAME notes	ASCII normalized hostname	Not applicable
Resolver options	Auto, Cloudflare, Google, optional comparison	Resolver evidence snapshot including status code and response time	Time in ms	Whole ms
Exports	Copy, download, or report export	CSV tables, JSON summary, and DOCX reports	UTF-8 text	Not applicable

Networking and storage

DNS queries are sent from your browser to the selected recursive resolver using DoH.
No local or session storage calls are present in the provided client logic.
When comparison is enabled, NS and SOA lookups run against both Cloudflare and Google.
Timeouts use an abort signal per request when supported by the browser.

Performance and complexity

The work scales linearly with the number of nameservers. Each nameserver host triggers two address queries, plus one extra alias query when enabled. Concurrency controls how many host lookups run in parallel, which can reduce wall clock time but increase burst traffic to the resolver.

Diagnostics and determinism

Identical inputs can yield different snapshots over time because recursive resolvers cache answers and zones propagate changes at different speeds. The resolver comparison mode is most useful when you want evidence of disagreement rather than a single definitive view.

Security considerations

Inputs are treated as text, normalized to a hostname, and used only to form resolver queries.
Do not paste secrets or internal hostnames you would not want a resolver provider to see.
Exported files may contain domain details and should be shared thoughtfully.
Results reflect record presence, not reachability, authentication, or DNSSEC validation.

Assumptions and limitations

Heads-up The check uses recursive resolver data and does not directly probe authoritative servers.
Auto resolver mode falls back only when the first request fails at the network level.
The SOA parser reads the first SOA answer and expects a standard seven field layout.
A missing A or AAAA record is reported as a warning even if the nameserver is reachable via other means.
CNAME detection is based on explicit CNAME answers and does not attempt to follow chains.
IPv6 reachability is inferred from the presence of any AAAA answers, not from connectivity tests.
Delegations with split horizon DNS can look inconsistent when queried from public resolvers.
Fresh changes may be masked by caching and negative caching windows at resolvers.

Edge cases and error sources

Internationalized domain names are converted to ASCII by URL parsing, which can surprise if the input is malformed.
Trailing dots and multiple dots are stripped, which can change the queried name for unusual inputs.
Resolvers may return quoted strings or unusual whitespace that reduces SOA parse success.
Timeout values that are not finite numbers can behave like 0 or revert to defaults.
Very high concurrency can trigger rate limiting, causing false failures or slower retries.
Network filters or captive portals can block DoH endpoints and make all lookups fail.
NXDOMAIN and no answer responses can be correct for a subdomain even when the apex is healthy.
CNAME answers for nameserver hosts can be cached differently than A and AAAA answers.
Signed zero and floating point drift can affect timing math only at sub millisecond scales, which are rounded away.
Stale caches can show old NS sets during migrations even after authoritative changes are made.

Standards and references

DNS fundamentals and record formats are defined by RFC 1034 and RFC 1035. DNS over HTTPS is specified by RFC 8484. Operational guidance on common DNS pitfalls is widely captured in RFC 1912.

Privacy and compliance

This checker sends the queried domain name to the selected resolver provider from your browser, and results are kept only in the current page session unless you export them.

Step-by-Step Guide:

Nameserver configuration checks are most useful when you follow a consistent routine and interpret each warning in context.

Enter the Domain you want to verify, ideally the delegation point.
Choose a Resolver if you need a specific viewpoint, or leave Auto.
Enable Compare resolvers when you suspect caching or propagation differences.
Keep Check CNAME on NS enabled to catch alias based nameserver hosts.
Tune Concurrency and Timeout on slow or filtered networks.
Review FAIL items first, then revisit WARN items and rerun after changes.

Example workflow: Before a DNS migration, run the check on the current domain, save the JSON output, then rerun after updating NS records to confirm the new set appears consistently.

If the two resolvers disagree, wait for caches to expire and verify the delegation at the authoritative provider.

If you paste a full URL, confirm the extracted hostname matches the domain you intended to check.
Lower concurrency when you see timeouts or intermittent failures.
Treat a missing IPv6 address as a warning unless your environment requires IPv6 only access.

Pro tip: Run comparison mode twice a few minutes apart to see whether disagreement is shrinking or staying stable.

Features:

Summarizes NS count, SOA MNAME, and serial in one snapshot.
Resolves each nameserver hostname to A and AAAA records, with optional CNAME detection.
Compares Cloudflare and Google resolver answers for NS and SOA when enabled.
Shows a PASS, WARN, FAIL checklist with short, actionable notes.
Copies or downloads results as CSV, exports DOCX reports, and saves a JSON summary.

FAQ:

Is my data stored?

The page sends DNS queries from your device to the selected resolver provider and keeps results only in memory unless you export them. Resolver providers may log queries under their own policies.

How accurate is it?

It reflects what a recursive resolver returns at that moment, which is useful for troubleshooting but not a guarantee of authoritative truth. Caching, propagation, and split horizon DNS can all change what you see.

What does WARN mean?

WARN means the checker saw something incomplete or ambiguous, like missing AAAA records, an unparseable SOA serial, or disagreement between resolvers. It is a prompt to verify, not proof of failure.

Can I use it offline?

No. The checks rely on live resolver requests, so without an internet connection the lookups cannot run.

What input is accepted?

You can enter a hostname, paste a full URL, or paste an email address. The checker extracts the hostname, trims whitespace, removes trailing dots, and queries that exact name, so use the delegation point when possible.

Compare resolver answers

Enable comparison to run NS and SOA lookups on both Cloudflare and Google and capture the snapshots side by side. Differences usually point to caching, propagation delays, or resolver specific views.

check cname on ns

When the CNAME check is enabled, any CNAME answer returned for a nameserver hostname triggers a FAIL for canonical hostnames. This helps catch alias based NS hosts that can add extra lookups or break glue assumptions.

Licensing and cost

The provided metadata does not include licensing terms. Treat usage and redistribution according to where you obtained this package.

Does PASS prove it works?

PASS means the observed records look consistent, not that every authoritative server is reachable or configured correctly. It does not test UDP or TCP reachability, DNSSEC, or per location behavior.

Troubleshooting:

Domain is required. Enter a hostname, or paste a URL and let the hostname be extracted.
No NS records found. Remove subdomains and query the delegation point, then confirm the domain exists.
SOA serial is missing. The resolver may not return a parseable SOA answer, try the other resolver.
Some nameservers have no A or AAAA. Publish address records for the nameserver hostnames.
CNAME on nameserver host. Replace aliasing with canonical hostnames and direct address records.
Repeated timeouts. Increase timeout, reduce concurrency, and check for network filtering.
Resolvers disagree. Wait for caches to expire and verify authoritative delegation and zone publishing.

Blocking: If every request fails, your network may block resolver endpoints or abort HTTPS requests. Try a different network, reduce concurrency to 1, and increase timeout.

Advanced Tips:

Tip Use comparison mode before and after a change to see whether NS and SOA snapshots converge.
Tip Keep a saved JSON snapshot in tickets to document what you observed at a specific time.
Tip Lower concurrency when you suspect rate limiting or when using a high latency connection.
Tip If you expect IPv6 support, treat missing AAAA as a deployment gap rather than a cosmetic warning.
Tip When a CNAME is flagged, check whether the alias target changes over time due to load balancing.
Tip If you paste a URL, confirm the hostname is not a tracking subdomain or redirect host.
Tip Rerun after TTL windows to separate short lived cache effects from persistent misconfiguration.

Glossary:

Delegation: The parent zone listing of NS records for a domain.
NS record: A record that names the authoritative nameserver hostnames.
SOA record: A zone metadata record that includes MNAME and a serial number.
MNAME: The primary nameserver hostname field inside the SOA record.
Serial: A number used by many zones to indicate a revision or version.
A record: A mapping from a hostname to an IPv4 address.
AAAA record: A mapping from a hostname to an IPv6 address.
CNAME record: An alias that points one name to another canonical name.
Recursive resolver: A resolver that follows delegations and caches answers.
DoH: DNS over HTTPS, a way to request DNS answers via HTTPS.
ms: Milliseconds, used for per request timeout and timing.