Nameserver Health Check

Ready Resolver {{ resolverLabelForSummary }} {{ profileBadgeText }} Manual run NS {{ nsRows.length }} {{ issueBadgeText }} In-bailiwick {{ inBailiwickCount }} {{ addressBadgeText }} {{ spreadBadgeText }} {{ resolverBadgeText }}

Domain:

Example: example.com; pasted URLs are normalized before the DNS audit.

Resolver:

Options: Auto, Cloudflare, Google, or Quad9 for NS, SOA, A, and AAAA lookups.

Audit posture:

Balanced expects 2+ NS hosts; Strict expects 3+.

Compare resolvers:

On adds a Resolver Delta tab with NS and SOA comparisons.

Check NS CNAME:

Keep on for delegation hygiene checks before registrar or DNS-provider cutovers.

Require IPv6:

Use for dual-stack readiness; leave off when IPv4-only DNS is acceptable.

DNSSEC DO flag:

Use for signed-zone reviews; it records AD evidence without changing the delegation target.

Concurrency:

Range: 1-16 parallel host lookups; default is 6.

workers

Timeout:

Range: 500-15000 ms; default is 3500 ms.

Expected NS list:

Comma or newline list: ns1.example.net, ns2.example.net.

#	Surface	Check	Status	Evidence	Copy
{{ index + 1 }}	{{ check.surface }} {{ check.rfc }}	{{ check.label }}	{{ check.status }}	{{ check.note \|\| '-' }}

#	Nameserver	A	AAAA	Addressing	Glue	Note	Copy
{{ index + 1 }}	{{ row.ns }} {{ row.scopeLabel }}	{{ row.a.join(', ') \|\| '-' }}	{{ row.aaaa.join(', ') \|\| '-' }}	{{ row.addressScope }} {{ row.addressingSummary }}	{{ row.glueReady ? 'ready' : 'missing' }}	{{ row.note \|\| '-' }}

Resolver	Status	NS code	SOA code	Time	AD	NS snapshot	SOA	Copy
{{ row.resolver }}	{{ row.status }}	{{ row.nsCode }}	{{ row.soaCode }}	{{ row.timeMs }} ms	{{ row.adSeen ? 'seen' : 'none' }}	{{ row.nsSnapshot \|\| '-' }} {{ row.note }}	{{ row.soaMname \|\| '-' }} Serial {{ row.soaSerial !== null ? row.soaSerial : '-' }}

Enable Compare resolvers to benchmark Cloudflare and Google side by side.

No nameserver address rows are available for the current run.

No resolver timing rows are available for the current run.

SOA field	Value	Copy
{{ row.field }}	{{ row.value }}

Priority	Action	Why	Copy
{{ item.priority }}	{{ item.action }}	{{ item.why }}

Purpose	Command	Copy
{{ command.label }}	`{{ command.command }}`

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Nameserver problems often show up as uneven failures. One network reaches the domain, another still sees an old provider, and a mail server may follow cached delegation data long after a web test looks fine.

DNS delegation starts above the domain itself. The parent zone publishes NS records that point recursive resolvers toward the authoritative nameservers for the child zone. Those nameserver hostnames then need public A or AAAA address records, and nameservers inside the same domain may need glue at the parent so resolvers can reach them before asking the child zone anything.

Healthy delegation is more than an NS count. The nameserver set should match the registrar or migration plan, hosts should be canonical names rather than aliases, address records should be reachable from the public internet, and SOA data should give a clear serial and sane timer values. During a provider move, resolver disagreement can be normal for a while, but it is still evidence that users may see different answers.

Nameserver health signals and common mistakes
Signal	Healthy reading	Common mistake
NS set	The delegated hostnames match the intended DNS provider or cutover plan.	Checking a host such as `www.example.com` instead of the delegated zone.
Glue and addresses	Nameserver hosts have public A or AAAA records, with glue when in-bailiwick hosts need it.	Publishing `ns1.example.com` without parent-side address evidence.
SOA record	The MNAME, serial, refresh, retry, expire, and minimum TTL values are parseable and sensible.	Treating one resolver's old serial as proof that every resolver is wrong.
Resolver views	Public resolvers agree on the NS set and SOA evidence after cache time has passed.	Trusting one cached view during a registrar or DNS-provider change.

Diagram showing DNS delegation from parent zone to NS set, nameserver addresses, and resolver views. — A delegation review follows the path from the parent zone to nameserver hostnames, address records, glue, and resolver evidence.

Nameserver health checks are most useful before and after change windows: registrar updates, DNS-provider migrations, DNSSEC work, IPv6 readiness reviews, and incident triage where one resolver path disagrees with another.

How to Use This Tool:

Use the checker on the delegated zone, not on a single host record. The sample domain is editable, and pasted URLs are normalized to the hostname before the audit runs.

Enter the zone in Domain, such as example.com, then click Check NS. IP addresses, single-label names, invalid labels, and overlong domain names stop with a validation message.
Choose Resolver when you want one public resolver view. Leave Auto for the normal first pass, which starts with Cloudflare and falls back only if the lookup cannot complete.
Set Audit posture to Balanced for ordinary checks or Strict when the review requires at least three nameservers.
Enable Compare resolvers during propagation checks. The Resolver Delta tab then compares Cloudflare, Google, and Quad9 NS and SOA evidence.
Keep Check NS CNAME enabled for delegation hygiene. Turn on Require IPv6 only when AAAA coverage is required for launch or policy acceptance.
Use Expected NS list during a provider move. Missing expected nameservers fail, and unexpected leftovers warn.
Review Delegation Health Checks, Nameserver Inventory, SOA Timer Ledger, and Repair Queue before relying on the charts or exports. Use Dig Runbook when you need shell commands to repeat key checks.

Interpreting Results:

The summary follows the strongest finding. A failed check makes the run critical, warnings move the result into review, and a healthy result means the evaluated rules passed for the sampled resolver evidence.

Fix failures first. Missing NS records, missing in-bailiwick glue, private-only nameserver addresses, aliased nameserver hosts, missing expected nameservers, and required IPv6 gaps can break or weaken delegation.
Treat warnings as change risk. Too few nameservers, very large NS sets, no IPv6 coverage, unusual SOA timers, prefix concentration, resolver disagreement, and disabled resolver comparison can matter during migrations even when the domain currently answers.
Use resolver agreement as timing evidence. Matching NS sets and SOA values across public resolvers raise confidence after a change; mismatches usually call for a registrar check, an authoritative lookup, and a wait through the relevant cache period.
Do not overread AD evidence. A returned authenticated-data flag is useful DNSSEC evidence from a sampled resolver, but it is not a complete chain-of-trust audit.

Technical Details:

Recursive DNS resolution follows referrals. A resolver learns the child zone's NS set from the parent, resolves the nameserver hostnames to addresses, then asks those authoritative servers for zone data. In-bailiwick nameservers create a bootstrapping problem because their hostnames live inside the zone they serve, so parent-side glue can be required to give resolvers a usable address path.

The audit samples NS and SOA records through DNS over HTTPS, probes each nameserver hostname for A and AAAA records, optionally checks for CNAME aliases, classifies special-purpose IP space, and compares resolver views when requested. The rule set favors practical delegation risk: reachability and intended delegation mismatches outrank softer resilience warnings.

Rule Core:

Nameserver health rule core
Area	Rule	Failure or warning condition
NS count	Balanced expects at least 2 nameservers; Strict expects at least 3.	Zero NS answers fail. Too few nameservers warn. More than 7 nameservers warn because consistency gets harder to manage.
SOA serial	The SOA record should expose a parseable serial.	A missing or unparseable serial warns.
SOA MNAME	The primary SOA nameserver should appear in the NS set.	Missing SOA MNAME evidence or an MNAME outside the NS set warns.
SOA timers	Retry should be below refresh; expire should exceed refresh and retry; minimum TTL should not exceed 86400 seconds.	Missing timer values, reversed timer order, or a minimum TTL above one day warn.
Canonical nameservers	Nameserver hostnames should answer directly, not through CNAME aliases.	Detected aliases fail when Check NS CNAME is enabled; disabled CNAME checking warns.
Glue readiness	In-bailiwick hostnames should have reachable A or AAAA evidence.	Missing address evidence for an in-bailiwick host fails.
Public address scope	Nameserver addresses should be public unicast addresses.	Hosts with only reserved or scoped addresses fail; mixed public and reserved evidence warns.
IPv6 coverage	At least one nameserver with AAAA records is preferred.	Missing AAAA coverage warns by default and fails when Require IPv6 is enabled.
Resolver agreement	Compared public resolvers should return the same NS set and SOA values.	Resolver disagreement warns. With comparison disabled, the single-view limitation also warns.
Expected NS alignment	The observed NS set should match the optional intended list.	Missing expected nameservers fail; unexpected observed nameservers warn.

Address and Spread Checks:

Address scope is determined from observed A and AAAA literals. IPv4 ranges such as 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, documentation prefixes, carrier-grade NAT space, multicast, and other non-public blocks are treated as reserved. IPv6 unspecified, loopback, unique-local, link-local, multicast, and documentation space are also reserved.

Nameserver address and prefix diversity interpretation
Output	How it is built	How to read it
Addressing	Each host is marked Public only, Reserved only, Mixed, or No address.	Reserved-only hosts are high risk because public resolvers cannot use private or special-purpose addresses on the public internet.
Glue	A nameserver with at least one A or AAAA answer is marked ready; in-bailiwick hosts are checked more strictly.	Missing glue matters most when the nameserver hostname belongs under the delegated zone.
Network spread	Public IPv4 addresses are grouped by /24 and public IPv6 addresses by /48.	Multiple nameservers concentrated in one prefix can reduce resilience during provider or routing trouble.
Resolver timing	The slower of the sampled NS and SOA requests is shown for each resolver view.	Timing is useful context, but status and answer agreement matter more than a single fast response.

The repair queue is derived from failed and warning checks. It points first at delegation blockers such as missing NS answers, missing glue, aliases, intended-set drift, and private-only addresses, then at resilience and propagation issues such as SOA timer concerns, prefix concentration, IPv6 gaps, resolver disagreement, and missing DNSSEC AD evidence.

Accuracy and Privacy Notes:

The audit is a snapshot of public DNS evidence for the domain and resolver settings selected at run time. DNS answers can change while caches still hold older data, so one run should be treated as evidence for a moment in time rather than a permanent health certificate.

The entered domain is sent to selected public DNS-over-HTTPS resolvers for NS, SOA, A, AAAA, and optional CNAME lookups.
Resolver disagreement may reflect normal propagation, cache timing, resolver policy, or a real delegation mismatch.
The check does not replace registrar-account review, authoritative server log analysis, DNSSEC chain validation, uptime monitoring, or provider-side incident data.

Advanced Tips:

Use Compare resolvers during cutovers so Resolver Delta can show whether public resolvers agree on both NS and SOA evidence.
Paste the intended provider hostnames into Expected NS list before a migration; this turns hidden leftovers into visible warnings or failures.
Keep Check NS CNAME on unless you are deliberately isolating another issue, because aliased nameserver targets are a delegation hygiene problem.
Raise Timeout only when a network path is slow. A high timeout can hide slowness; a low timeout can turn transient resolver delay into misleading failures.
Use Concurrency conservatively for large NS sets. More parallel host probes can finish faster, but it also creates more simultaneous resolver traffic.
Copy the Dig Runbook after a failed run so the same NS, SOA, resolver, and DNSSEC-aware checks can be repeated from another network.

Worked Examples:

Provider move with intended hostnames

Enter example.com, enable Compare resolvers, and paste ns1.newdns.example and ns2.newdns.example into Expected NS list. If Expected NS alignment fails because an old provider hostname remains, fix the registrar delegation before debugging the web server or CDN.

In-bailiwick host without address evidence

A zone delegated to ns1.example.com and ns2.example.com can fail In-bailiwick glue readiness when one host returns no A or AAAA answer. Publish the missing parent-side address evidence or move the delegation to reachable external nameserver hostnames.

Resolver drift after a registrar update

After a cutover, Resolver Delta may show Cloudflare with the new NS set while Google or Quad9 still shows the old SOA serial. Confirm the registrar record, wait through the relevant cache period, and rerun until Resolver agreement (NS set) and Resolver agreement (SOA) match.

FAQ:

Should I enter the root domain or a host such as www.example.com?

Enter the delegated zone, usually example.com. A host inside the zone may resolve correctly while the zone delegation itself still has weak or mismatched nameserver evidence.

Why does the result warn when the website still loads?

Warnings can describe resilience and migration risk rather than a current outage. Weak NS count, missing IPv6, unusual SOA timers, prefix concentration, or resolver disagreement can matter during the next DNS change.

Is missing IPv6 always a failure?

No. Missing AAAA coverage warns by default. It becomes a failure only when Require IPv6 is enabled because that setting makes dual-stack nameserver reachability part of the acceptance criteria.

What does resolver comparison add?

It samples Cloudflare, Google, and Quad9 and compares their NS and SOA evidence. Matching views improve confidence after a change, while mismatches point to propagation, cache timing, resolver policy, or delegation drift.

Why was my domain rejected?

The input must normalize to a valid delegated DNS name. Remove ports, paths, IP addresses, single-label names, wildcard prefixes, and illegal label characters before running the audit again.

Glossary:

Delegation: Parent-zone NS records that point resolvers toward the authoritative nameservers for a child zone.
Authoritative nameserver: A DNS server expected to answer authoritatively for the delegated zone.
Glue: Address evidence supplied with a delegation so resolvers can reach an in-bailiwick nameserver.
In-bailiwick: A nameserver hostname that belongs inside the same zone it helps serve.
SOA serial: The zone version value in the Start of Authority record.
Recursive resolver: A resolver that follows referrals, caches answers, and returns DNS responses to clients.
AD evidence: Authenticated Data evidence returned by a validating resolver when DNSSEC validation succeeds for a sampled answer.

References:

RFC 1034: Domain Names - Concepts and Facilities, RFC Editor, November 1987.
RFC 1035: Domain Names Specification, RFC Editor, November 1987.
RFC 2182: Selection and Operation of Secondary DNS Servers, RFC Editor, July 1997.
RFC 2181: Clarifications to the DNS Specification, RFC Editor, July 1997.
RFC 1912: Common DNS Operational and Configuration Errors, RFC Editor, February 1996.
RFC 9471: DNS Glue Requirements in Referral Responses, RFC Editor, September 2023.
RFC 4035: Protocol Modifications for the DNS Security Extensions, RFC Editor, March 2005.
RFC 8484: DNS Queries over HTTPS (DoH), RFC Editor, October 2018.
IPv4 Special-Purpose Address Space, Internet Assigned Numbers Authority, last updated 2025-10-09.
IPv6 Special-Purpose Address Space, Internet Assigned Numbers Authority, last updated 2025-10-09.