DNS Record Enumerator

#	Metric	Value	Notes	Copy
{{ idx + 1 }}	{{ row.metric }}	{{ row.value \|\| '-' }}	{{ row.note \|\| '-' }}

#	Priority	Recommendation	Why now	Copy
{{ idx + 1 }}	{{ row.priority }}	{{ row.recommendation }}	{{ row.rationale }}

#	Section	Type	Name	Data	TTL	Copy
{{ idx + 1 }}	{{ row.section }}	{{ row.type }}	{{ row.name }}	{{ row.data }}	{{ row.ttl }}

#	Query	Status	Resolver	Answers	AD	Latency (ms)	Copy
{{ idx + 1 }}	{{ row.query }}	{{ row.status }}	{{ row.resolver }}	{{ row.answers }}	{{ row.ad ? 'Yes' : 'No' }}	{{ row.ms === null ? '-' : row.ms }}

DNS records are the public instructions that tell recursive resolvers where a name should point, which mail hosts should accept traffic, whether certificate issuance is constrained, and whether signed data is visible. When those records are incomplete or inconsistent, users often experience the problem as a broken site, failed mail flow, or confusing resolver drift rather than as a DNS issue.

This page gathers that public view for one target and turns it into a review set that is easier to scan than a stack of single-record lookups. You can enter a domain, hostname, URL, email address, or IP address. Domain-style input expands into core record checks and, when enabled, service-binding records, DNSSEC material, mail-policy names, and A or AAAA probes for common host labels. IP input follows a different path and queries only the derived PTR name for reverse DNS.

The result is split into practical layers. The summary box and Probe Snapshot answer the immediate questions about probe success, record volume, latency, TTL spread, and the strongest next action. Hardening Queue turns common DNS, mail-authentication, and DNSSEC gaps into ranked follow-up items. Record Ledger and Resolver Evidence keep the exact lookup trail available, while the two charts compress type mix and a local posture heuristic for repeat comparisons.

The privacy and scope boundary matters. The browser builds the query plan locally, then sends requests to public DNS-over-HTTPS providers, and the active target plus settings are also reflected in the page URL so runs can be shared or repeated. Use it only for assets you own or are explicitly allowed to assess. It does not attempt zone transfers, it does not talk to authoritative servers directly, and it does not prove that a website, mail server, or certificate endpoint is reachable.

Technical Details:

Input handling is deliberately narrow so the run stays predictable. The page keeps only the first nonblank line, trims whitespace, strips a trailing dot, lowercases the result, extracts the hostname from a pasted URL, and uses the domain portion of a pasted email address. Hostnames must already be ASCII labels, so an internationalized name has to be entered in its A-label form. If the target is an IPv4 or IPv6 address, the page converts it into the matching in-addr.arpa or ip6.arpa name and switches to PTR-only mode.

What one run covers

1. Normalize the target
One target per run. URLs become hostnames, email input becomes its domain, and IP input becomes a reverse-DNS PTR query.

2. Build the query plan
Core record types are always available, while service, DNSSEC, mail-policy, authority, additional, and host-probe checks are optional.

3. Summarize the evidence
The run produces tables, exportable charts, and JSON so you can triage quickly and still keep exact resolver evidence.

Query families used by the DNS record enumerator
Family	Records queried	What that family helps you verify
Core zone view	`A`, `AAAA`, `NS`, `SOA`, `MX`, `TXT`, `CAA`	Basic routing, delegation visibility, mail routing, TXT policies, and certificate-authority restrictions
Service discovery	`SVCB`, `HTTPS`, `SRV`, `NAPTR`	Modern endpoint hints and older service-discovery records when a domain publishes them
DNSSEC visibility	`DNSKEY`, `DS`, `RRSIG`, `NSEC`, `NSEC3`	Whether public resolvers can see the material needed to follow a signed chain
Mail policy checks	`_dmarc`, `_mta-sts`, `_smtp._tls`, and selected `._domainkey` TXT names	SPF, DMARC, MTA-STS, TLS reporting, and DKIM selector visibility around a mail-enabled domain
Host probes	`A` and `AAAA` lookups for selected labels such as `www`, `mail`, or `api`	Whether expected service hostnames resolve cleanly without typing each one by hand

Resolver behavior is explicit rather than hidden. In Auto mode the page tries Cloudflare first and then falls back to Google only after a failed request. Pinning one provider is useful when you want a single recursive view for change review or when you are chasing resolver-specific behavior. Timeout and retry settings control how aggressively the run waits for each answer. The optional DO and CD bits are passed through to the outbound request so DNSSEC-aware lookups can ask for DNSSEC records or request unchecked data from a validating resolver path when needed.

Returned answers are normalized before they reach the tables. TXT records are dequoted, MX rows keep preference plus exchange, SOA rows collapse to the primary server and serial, CAA rows keep the useful tag and value, and SVCB or HTTPS answers are shortened into a more readable form. The ledger always captures the Answer section, and the Authority and Additional toggles decide whether those sections should be recorded too.

How the policy signal radar is built
Radar dimension	Built from	How to read it
Core DNS	Presence of apex `NS`, `SOA`, at least one apex `A` or `AAAA`, and `CAA`	Higher means the basic public zone view looks more complete for a directly resolving domain
Mail Auth	SPF present, DMARC present, DMARC enforcement at `quarantine` or `reject`, `_mta-sts` present, and `_smtp._tls` present	Higher means more of the common outbound and inbound mail-policy signals are visible
DNSSEC	`DNSKEY`, `DS`, `RRSIG`, and whether AD was observed in a response	Higher means the resolver path exposed more of the expected DNSSEC evidence
Reliability	Successful probes divided by total probes	Higher means fewer timeout, refusal, or other failed-query classes in the selected run
Action Debt	Starts at 100, then subtracts 25 points for each High item, 12 for each Medium item, and 6 for each Low item in the queue	Higher means the queue surfaced fewer follow-up actions. It is a local triage score, not a standards grade

Important note about the AD flag

AD is useful evidence from the recursive resolver, but it is still the resolver's claim that returned data was authenticated. Read it together with visible DNSKEY, DS, and RRSIG records rather than treating it as standalone proof of end-to-end DNSSEC validation by your browser.

Everyday Use & Decision Guide:

The fastest way to get useful output is to pick the preset that matches the question instead of turning every switch on at once. That choice changes the query plan, which means it also changes record counts, chart shapes, and the hardening queue. If you are comparing a before-and-after state, keep the same preset, resolver mode, and target format for both runs.

Preset behavior in the DNS record enumerator
Preset	What it turns on	Best use
Fast triage	Core lookups only, no service, DNSSEC, mail, authority, additional, or host probes, with a shorter timeout and no retries	Quick first-pass checks when you only need the broadest public answer set
Balanced	Core, service, DNSSEC, mail, authority, and a short host-probe list	General troubleshooting, change review, and a sensible default for most domain checks
Mail hardening	Mail-policy names and a mail-focused host-probe list, while service and DNSSEC checks are left off	Mail migrations, spoofing-resistance review, and DKIM selector verification
Deep audit	Everything in Balanced plus Additional-section capture and a wider host-probe limit	Broader documentation runs, post-change evidence capture, and deeper hygiene review
Custom	Your current switch and list choices	Targeted follow-up work after the first pass shows what needs closer inspection

For most domains, read the page in this order: summary box, Probe Snapshot, Hardening Queue, then the evidence tabs. That sequence gets you to the highest-value answer quickly without hiding the raw details. The summary badges call out resolver mode, unique record-type count, probe count, average latency, whether AD was seen, and any DMARC or SPF signals that were discovered. The queue then tells you which finding should be handled first.

Use the advanced controls when you have a concrete reason. Turn on service records when you care about endpoint hints or application discovery. Turn on DNSSEC when you are checking a signed zone or parent delegation. Turn on Authority or Additional capture when you want more of the resolver response recorded in the ledger. Edit the DKIM selector list or host probe list when the defaults do not match the environment you are auditing.

Step-by-Step Guide:

Enter one target as a domain, hostname, URL, email address, or IP address.
Choose the preset that best matches the job. Balanced is the normal first pass.
Select Auto if you want fallback behavior, or pin Cloudflare or Google when you need one resolver's exact view.
Enable or disable service records, DNSSEC checks, mail-policy names, Authority capture, Additional capture, and host probes to match the question you are answering.
Edit the DKIM selector list or host probe list if your environment uses non-default labels.
Run the enumeration and read the summary box plus Probe Snapshot first.
Use Hardening Queue to identify the next action, then confirm the evidence in Record Ledger and Resolver Evidence.
Export CSV, DOCX, chart images, chart CSV, or JSON when you need to attach the run to a ticket, audit note, or change record.

If the target is an IP address, keep expectations narrow. The page is answering a reverse-DNS question only in that mode. Run the hostname separately when you also need forward records, mail-policy checks, or DNSSEC visibility for the zone.

Interpreting Results:

The snapshot table is your quick summary of run health. It records the normalized target, resolver mode, successful probe count, total records collected, latency range, TTL range, SPF coverage, DMARC policy, and the first queued action. A high record count is not automatically good, and a low count is not automatically bad. The important question is whether the records you expected for this target and preset are present and consistent.

The hardening queue is opinionated on purpose. Missing apex NS or SOA records are treated as urgent because they undermine normal delegation visibility. Missing SPF or DMARC is also treated as urgent when mail-policy checks are in scope. Missing CAA, absent _mta-sts, missing parent DS, or failed query classes are ranked below that, but they still matter because they often explain why posture looks weaker than expected.

Common result signals in the DNS record enumerator
Signal	What it usually means here	What to check next
High-priority queue item	A core DNS or mail-policy signal is missing, or SPF crossed a hard limit	Confirm the matching rows in Record Ledger and the per-query status in Resolver Evidence
`p=none` in DMARC	DMARC is published, but the record is still monitoring rather than enforcement	Review alignment reports before moving toward `quarantine` or `reject`
SPF lookup count at 9 or higher	The first SPF record found at the apex is close to, or above, the RFC lookup ceiling	Trim `include`, `a`, `mx`, `ptr`, `exists`, or `redirect` usage before receivers start failing evaluation
AD not observed	The selected resolver path did not report authenticated data for the current answers	Check for visible `DNSKEY`, `DS`, and `RRSIG` records, then compare another resolver if needed
`SERVFAIL`, `REFUSED`, or timeout warnings	Some probes failed even though others may have succeeded	Use Resolver Evidence to separate DNS status failures from HTTP or timeout failures

Record Ledger is the right place to inspect exact names, TTLs, normalized data, and whether a row came from Answer, Authority, or Additional. Resolver Evidence shows the query string, status, provider, answer count, AD flag, and response time for each probe. Those two tabs are where you decide whether the hardening advice matches the underlying facts.

Record Constellation is a type-count view, not a severity view. It helps you see whether the run is dominated by TXT-heavy mail records, basic apex records, or a broader service mix. Policy Signal Radar goes a step further and compresses the local rule set into five dimensions. That makes it useful for comparing repeated runs with the same settings, but it should never be mistaken for a compliance certification.

A few absences need context. Some domains do not need to resolve directly at the apex, so missing apex A or AAAA is only a problem when direct apex resolution is expected. Likewise, a missing service-binding record does not mean the service is broken. It may simply mean the domain is using older discovery methods or no service-binding record at all.

Worked Examples:

Change review after a DNS migration

A team has moved a domain to new authoritative hosting and wants to confirm the public recursive view without testing every record manually. Running the Balanced preset gives a broad apex snapshot plus a small host-probe set. The most useful review order is summary box, Probe Snapshot, then Record Ledger for NS, SOA, apex A or AAAA, and CAA. If host probes for www or api fail while the apex looks correct, the migration may be incomplete at the hostname layer rather than at the zone apex.

Mail hardening review before a cutover

A mail administrator wants to verify that the published policy set is strong enough before routing changes are finalized. The Mail hardening preset keeps focus on SPF, DMARC, DKIM selectors, _mta-sts, _smtp._tls, and a mail-heavy probe list. Here the queue matters because it flags missing SPF, missing DMARC, a DMARC policy stuck at none, a missing MTA-STS identifier, and an SPF lookup count that approaches or exceeds the RFC ceiling. The ledger then gives the exact TXT content you need for the change record.

DNSSEC visibility check after signing a zone

After publishing DNSKEY material and requesting a parent DS record, a deeper run helps confirm that public resolvers can see the chain. Use Balanced or Deep audit with DNSSEC enabled, then look first for DNSKEY, DS, and RRSIG rows in the ledger. If AD is still absent, that does not automatically mean the signing failed, but it is a reason to compare resolver behavior and verify the parent-side delegation step.

PTR confirmation for a public IP address

An administrator has an address and needs to know whether reverse DNS is published. Entering the IP makes the page construct the reverse name and query only the PTR path. That gives a quick answer to the reverse-DNS question, but nothing more. If the address maps back to a hostname and you want to inspect that hostname's forward records, mail TXT names, or DNSSEC signals, run the hostname as a separate target.

FAQ:

Why was my internationalized domain rejected?

The current validator accepts ASCII host labels only. Enter the A-label form of the name instead of the Unicode spelling.

Why did the page ignore extra pasted lines?

Each run accepts one target only. The first nonblank line is used, and additional lines are dropped with a warning so the query plan stays predictable.

Does AD mean DNSSEC is fully working?

No. AD is still a resolver-reported signal. Treat it as supporting evidence alongside visible DNSKEY, DS, and RRSIG records.

Why are there no records even though the domain exists?

The selected query family may not include the record type you expected, the resolver may have returned a failure or timeout, or the target may have been an IP address in PTR-only mode. Resolver Evidence is the quickest way to separate those cases.

Can this prove that my website or mail service is working?

No. It shows DNS visibility and policy clues from public resolvers. Reachability, TLS handshakes, mailbox acceptance, and application health need separate checks.

Does the page keep my target private?

No. The browser sends the requests to public DNS-over-HTTPS providers, and the current target plus options are mirrored into the page URL.

Glossary:

TTL: Time to live, the cache hint attached to a DNS record in seconds.
PTR: The reverse-DNS record type that maps an IP address back to a hostname.
DO bit: A DNSSEC-related query flag used to request DNSSEC records in a response path.
CD bit: A query flag that asks a validating resolver path to return data without enforcing its own signature-validation result on that response.
AD flag: A resolver-reported indicator that the returned data was considered authentic by that recursive resolver.
CAA: A DNS record that lets a domain publish which certificate authorities are allowed to issue certificates for that name.
DKIM selector: The label placed before ._domainkey when looking up a domain's DKIM public key record.
SVCB and HTTPS records: Service-binding DNS records that can advertise preferred endpoints or connection parameters for clients that understand them.

References:

RFC 8484: DNS Queries over HTTPS (DoH), RFC Editor.
RFC 4035: Protocol Modifications for the DNS Security Extensions, RFC Editor.
RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, RFC Editor.
RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC), RFC Editor.
RFC 8461: SMTP MTA Strict Transport Security (MTA-STS), RFC Editor.
RFC 8460: SMTP TLS Reporting, RFC Editor.
RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record, RFC Editor.
RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records), RFC Editor.