DNS Configuration Report
Audit a domain's public DNS records with resolver snapshots, posture notes, TTL tiers, latency charts, and copyable reports for migration checks.
Record Inventory table columns: Lookup, Status, Answer preview, TTL, Time, Copy.
Posture Notes table columns: Check, Status, Notes, Copy.
Resolver Timing table columns: Lookup, Target, Time, % of total, Copy.
DNS is the public address book and policy directory behind a domain. A single name can point browsers to web servers, send mail to the right provider, publish sender-authentication rules, and limit which certificate authorities may issue certificates. Those jobs are handled by different record families, so a domain can be partly healthy and partly broken at the same time.
Most DNS troubleshooting starts with two views of the same name. The authoritative zone is the source a domain owner intends to publish. A recursive resolver is the public cache that browsers, mail servers, and other systems usually ask first. If the authoritative data changed recently, the resolver view may still show older answers until the relevant time to live, or TTL, has expired.
Several record groups carry most configuration mistakes:
- Authority records use NS and SOA to show where the zone is delegated and which zone data is authoritative.
- Address records use A and AAAA to connect a name to IPv4 and IPv6 web or service hosts.
- Mail records use MX for inbound routing and TXT records for SPF and other sender policy text.
- Domain policy records use DMARC TXT and CAA to guide mail receivers and certificate authorities.
Registrar screens can be misleading because they show intended settings, not always the answers public resolvers are returning now. A web launch may fail because A and AAAA records are missing. A mail migration may look complete until MX, SPF, and DMARC are checked together. Certificate issuance can still be possible when CAA is absent, but an organization that intends to restrict issuance should notice that absence before renewal day.
A DNS configuration report is a snapshot, not a global propagation verdict. Resolver cache state, TTLs, negative answers, DNS provider changes, and intentionally empty services all affect interpretation. The strongest review compares the public answer with the zone design you expected and repeats the check after changes have had enough time to age out of caches.
How to Use This Tool:
Start with the domain you actually manage or need to diagnose, then use the inventory as the evidence for every follow-up decision.
- Enter the zone apex in Domain, such as example.com. A full URL is normalized to its hostname, but paths, spaces, and punctuation can trigger the "Enter a valid domain such as example.com." message.
- Leave Resolver on Cloudflare DNS for a first pass, or switch to Google Public DNS when you want a second public-cache view of the same name.
- Adjust TXT preview limit only when SPF, DMARC, or other TXT values are hard to scan. The field accepts 60 to 400 characters and changes table previews, not the underlying DNS answer kept in exports.
- Select Generate report. The summary changes from Ready DNS snapshot to Latest DNS snapshot, and the record-family graphic changes according to the found, missing, and review groups.
- Read Record Inventory first. Confirm the Lookup, Status, Answer preview, TTL, and Time columns before treating a note as a DNS fix.
- Use Posture Notes for action triage, then compare Resolver Timing, DNS TTL Horizon, and Resolver Latency Bars when timing or cache age matters.
If a record appears missing, check the owner name before editing DNS. DMARC is looked up at the _dmarc label prefixed to the domain (for example _dmarc.example.com), while SOA, NS, MX, A, AAAA, TXT, and CAA are queried at the normalized domain itself.
Interpreting Results:
Record Inventory is the main evidence for the run. Found means the selected resolver returned one or more answers for that lookup. Missing means no answer was visible in the response. Review means the resolver returned a comment or lookup condition that needs context before you decide whether it is expected.
Posture Notes separates serious configuration gaps from records that may be intentionally absent. Missing NS or SOA is marked Needs attention because an authoritative zone normally needs both. Missing A or AAAA is Review because some domains do not serve a website at the apex. Missing CAA is also Review; it does not block certificate issuance by itself, but it matters when you intended to restrict issuance.
Read SPF and DMARC count warnings closely. Exactly one SPF record in the apex TXT set and exactly one DMARC record at _dmarc are treated as healthy publication. Multiple SPF or DMARC records become Needs attention because receivers can treat duplicate policies as an error or ignore the intended policy.
Timing numbers are diagnostic clues, not authoritative nameserver benchmarks. A slow row may reflect resolver cache state, the current network path, or a transient public resolver condition. For change planning, compare repeated reports with the same resolver and domain, then use the TTL values to decide how long old answers may remain visible.
Technical Details:
DNS answers are grouped by owner name, record type, answer data, and TTL. The owner name decides where the question is asked, the record type decides which data family is requested, and the TTL tells recursive resolvers how long an answer can be reused from cache. That is why a record can be correct at the DNS provider but still appear stale through a public resolver until the cached answer expires.
The checked record set covers the common apex configuration surface: SOA and NS for zone authority, A and AAAA for address coverage, MX for mail routing, apex TXT for SPF (RFC 7208), _dmarc TXT for DMARC (RFC 7489), and CAA for certificate-authority authorization (RFC 8659). A TXT answer can be returned as several quoted fragments, each at most 255 octets on the wire, so the SPF and DMARC checks are applied to the joined TXT value rather than to any single fragment; a prefix test on a raw fragment would miss a long SPF record whose first fragment ends mid-mechanism.
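An added example of that grouping and fragment-joining step, written for this page and not taken from the tool's own source. It assumes a response in the application/dns-json shape served by Cloudflare DNS and Google Public DNS ({ Status, Answer: [{ name, type, TTL, data }] }) and TXT rdata in RFC 1035 presentation form, that is, one or more double-quoted fragments separated by spaces. The sample response is constructed, not captured from a resolver.

```javascript
// Added example: group DoH JSON answers by owner name and type, joining TXT fragments
// before any SPF/DMARC prefix check. Input shape is an assumption (see lead-in).

const TYPE_NAMES = { 1: 'A', 2: 'NS', 6: 'SOA', 15: 'MX', 16: 'TXT', 28: 'AAAA', 257: 'CAA' };

// Join the quoted fragments of one TXT rdata into the single logical string.
// Each fragment is at most 255 octets on the wire, so long SPF records are split.
// Handles the \" and \\ escapes and the \DDD decimal octet escape.
function joinTxtFragments(data) {
  let out = '';
  let i = 0;
  while (i < data.length) {
    const c = data[i];
    if (c === ' ' || c === '\t') { i++; continue; }
    if (c !== '"') throw new Error(`unexpected ${JSON.stringify(c)} outside a quoted fragment`);
    i++; // opening quote
    while (i < data.length && data[i] !== '"') {
      if (data[i] === '\\') {
        if (i + 1 >= data.length) throw new Error('dangling escape in TXT fragment');
        const m = /^\\(\d{3})/.exec(data.slice(i, i + 4));
        if (m) { out += String.fromCharCode(parseInt(m[1], 10)); i += 4; continue; }
        out += data[i + 1]; i += 2; continue;
      }
      out += data[i++];
    }
    if (data[i] !== '"') throw new Error('unterminated TXT fragment');
    i++; // closing quote
  }
  return out;
}

// Group answers by normalised owner name (lower case, no trailing dot) and type name.
// TXT values are stored already joined, which is what the report's checks run on.
function groupAnswers(response) {
  const groups = {};
  for (const rr of response.Answer || []) {
    const owner = rr.name.toLowerCase().replace(/\.$/, '');
    const type = TYPE_NAMES[rr.type] || String(rr.type);
    const key = `${owner}/${type}`;
    const value = type === 'TXT' ? joinTxtFragments(rr.data) : rr.data;
    (groups[key] = groups[key] || []).push({ value, ttl: rr.TTL });
  }
  return groups;
}

// SPF records are the joined apex TXT values that begin with exactly "v=spf1"
// followed by a space or the end of the record (RFC 7208 section 4.5), so
// "v=spf10 ..." is not counted.
function spfRecords(groups, apex) {
  return (groups[`${apex}/TXT`] || [])
    .map(r => r.value)
    .filter(v => /^v=spf1( |$)/.test(v));
}

// Constructed sample response (not captured from a real resolver): one SPF record
// split into two fragments plus an unrelated site-verification token.
const SAMPLE_TXT_RESPONSE = {
  Status: 0,
  Answer: [
    { name: 'example.com.', type: 16, TTL: 300,
      data: '"v=spf1 include:_spf.example.net" " ip4:192.0.2.0/24 -all"' },
    { name: 'example.com.', type: 16, TTL: 300,
      data: '"site-verification=abc123"' },
  ],
};

const groups = groupAnswers(SAMPLE_TXT_RESPONSE);
console.log(spfRecords(groups, 'example.com'));
// -> [ 'v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all' ]
```

The first fragment alone ("v=spf1 include:_spf.example.net") would pass a prefix test, but a resolver or tool that counts fragments instead of joined records would report two TXT values where the zone publishes one SPF policy; joining first keeps the count honest.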
Rule Core:
| Check | Healthy condition | Review or attention condition |
|---|---|---|
| Delegation baseline | At least one NS answer and one SOA answer are present. | Missing NS or SOA is Needs attention. |
| Address coverage | At least one A or AAAA answer is present. | No apex address answer is Review. |
| Mail routing | At least one MX answer is present. | No MX answer is Review, because the domain may intentionally reject inbound mail. |
| SPF publication | Exactly one apex TXT value begins with v=spf1. | No SPF is Review; more than one SPF record is Needs attention. |
| DMARC publication | Exactly one TXT value at _dmarc begins with v=DMARC1. | No DMARC is Review; more than one DMARC record is Needs attention. |
| CAA publication | At least one CAA answer is visible at the apex. | No CAA answer is Review, not a protocol failure. |
| TTL consistency | The maximum returned TTL is no more than four times the minimum returned TTL. | A wider spread is Review because coordinated changes can age out unevenly. |
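The Rule Core table expressed as a function, added here as an example and not the tool's own implementation. The input shape is an assumption: one array per lookup name, each entry { value, ttl }, with TXT values already joined from their quoted fragments and the DMARC key holding the TXT answers from the _dmarc owner name. The sample zone is constructed to match the mail-migration scenario described later on this page: NS and SOA present, no apex address, one MX, two SPF records, one DMARC record, no CAA.

```javascript
// Added example: the seven Posture Notes rules over a normalised lookup set.
// Input shape and sample data are assumptions (see lead-in), not the tool's code.

const HEALTHY = 'Healthy';
const REVIEW = 'Review';
const ATTENTION = 'Needs attention';

function evaluatePosture(lookups) {
  const count = (k) => (lookups[k] || []).length;
  const values = (k) => (lookups[k] || []).map(r => r.value);
  const notes = [];
  const add = (check, status, note) => notes.push({ check, status, note });

  // Delegation baseline: an authoritative zone needs both NS and SOA.
  const missingAuth = ['NS', 'SOA'].filter(k => count(k) === 0);
  if (missingAuth.length === 0) add('Delegation baseline', HEALTHY, 'NS and SOA answers present.');
  else add('Delegation baseline', ATTENTION, `No ${missingAuth.join(' or ')} answer from this resolver.`);

  // Address coverage: Review only, because an apex may legitimately serve no website.
  if (count('A') + count('AAAA') > 0) add('Address coverage', HEALTHY, 'Apex A or AAAA answer present.');
  else add('Address coverage', REVIEW, 'No apex address answer; acceptable for a mail-only domain.');

  // Mail routing: Review only, because a domain may intentionally accept no mail.
  if (count('MX') > 0) add('Mail routing', HEALTHY, `${count('MX')} MX answer(s).`);
  else add('Mail routing', REVIEW, 'No MX answer; compare with the intended mail design.');

  // SPF: exactly one apex TXT record beginning with "v=spf1" (RFC 7208 section 4.5).
  // More than one is a permerror for receivers, so it is Needs attention.
  const spf = values('TXT').filter(v => /^v=spf1( |$)/.test(v));
  if (spf.length === 1) add('SPF publication', HEALTHY, 'One SPF record published.');
  else if (spf.length === 0) add('SPF publication', REVIEW, 'No SPF record in the apex TXT set.');
  else add('SPF publication', ATTENTION, `${spf.length} SPF records; receivers treat this as a permanent error.`);

  // DMARC: exactly one _dmarc TXT record beginning with "v=DMARC1" (RFC 7489 section 6.3).
  const dmarc = values('DMARC').filter(v => /^v=DMARC1\s*(;|$)/.test(v));
  if (dmarc.length === 1) add('DMARC publication', HEALTHY, 'One DMARC record published.');
  else if (dmarc.length === 0) add('DMARC publication', REVIEW, 'No DMARC record at _dmarc.');
  else add('DMARC publication', ATTENTION, `${dmarc.length} DMARC records; receivers may ignore the policy.`);

  // CAA: absence is Review, not a protocol failure; issuance stays possible.
  if (count('CAA') > 0) add('CAA publication', HEALTHY, `${count('CAA')} CAA answer(s).`);
  else add('CAA publication', REVIEW, 'No CAA answer; issuance is not restricted in public DNS.');

  // TTL consistency: max/min spread across every returned answer, Review above 4x.
  const ttls = Object.values(lookups).flat().map(r => r.ttl).filter(t => Number.isFinite(t));
  if (ttls.length > 0) {
    const min = Math.min(...ttls);
    const max = Math.max(...ttls);
    if (max <= 4 * min) add('TTL consistency', HEALTHY, `TTLs range ${min} to ${max} s.`);
    else add('TTL consistency', REVIEW, `TTLs range ${min} to ${max} s; coordinated changes age out unevenly.`);
  }
  return notes;
}

// Constructed sample (not a real zone): the mail-migration scenario from this page.
const SAMPLE_LOOKUPS = {
  SOA: [{ value: 'ns1.example.net. hostmaster.example.com. 2024010101 7200 3600 1209600 300', ttl: 3600 }],
  NS: [{ value: 'ns1.example.net.', ttl: 86400 }, { value: 'ns2.example.net.', ttl: 86400 }],
  A: [],
  AAAA: [],
  MX: [{ value: '10 mail.example.net.', ttl: 3600 }],
  TXT: [
    { value: 'v=spf1 include:_spf.example.net -all', ttl: 300 },
    { value: 'v=spf1 ip4:192.0.2.0/24 -all', ttl: 300 },
  ],
  DMARC: [{ value: 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com', ttl: 300 }],
  CAA: [],
};

for (const n of evaluatePosture(SAMPLE_LOOKUPS)) console.log(`${n.check}: ${n.status} (${n.note})`);
```

Note that the TTL rule looks at every answer in the run, so the 86400 s NS records against 300 s TXT records push this sample into Review even though each record family is individually sane; that is the intended signal for a coordinated cutover, where the NS change will outlive the TXT change in caches.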
Lookup Set:
| Lookup | Owner name | What it helps verify |
|---|---|---|
| SOA | Domain apex | Zone authority and serial context. |
| NS | Domain apex | Delegated authoritative name servers. |
| A / AAAA | Domain apex | IPv4 and IPv6 address coverage. |
| MX | Domain apex | Inbound mail exchanger publication. |
| TXT / DMARC TXT | Apex TXT and _dmarc TXT | SPF presence and DMARC policy publication. |
| CAA | Domain apex | Certificate-authority authorization intent. |
Formula Core:
Resolver timing share shows how much of the measured report time belonged to one lookup. It is calculated from lookup durations in the current browser run, so the value is useful for comparing rows in the same report rather than comparing unrelated domains or resolver providers.
S = t_lookup / (t_1 + t_2 + ... + t_n) * 100
Here, S is the displayed share of total in percent, t_lookup is one lookup's measured time in milliseconds, and the denominator is the sum of all n measured lookup times in the report. If MX takes 120 ms and the eight lookups total 800 ms, the MX timing share is 120 / 800 * 100 = 15.0%.
TTL tiers are display rules. Values at or below 300 seconds are labeled Change-ready, values above 3600 seconds are labeled Long cache, and values between those bounds are labeled Standard cache. These tiers do not change DNS behavior; they make short-lived and long-lived answers easier to spot during a migration or incident review.
Latency coloring follows a similar diagnostic rule: lookups under 350 ms are shown as the lower band, lookups from 350 ms through 999 ms are the middle band, and lookups at 1000 ms or above are the high-latency band. Treat those bands as report-local signals, because recursive resolvers may answer from cache, forward to authority, or return a negative response at different speeds.
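The share formula, the TTL tiers and the latency bands as code, added here as an example rather than the tool's own rendering logic. The row shape and the durations are constructed for illustration; the eight rows total 800 ms so that the MX row reproduces the 15.0% worked figure above, and the rows without a TTL stand in for Missing lookups, which have no TTL to tier.

```javascript
// Added example: Formula Core display rules over constructed lookup rows.
// Row shape { lookup, ms, ttl? } is an assumption, not the tool's data model.

// TTL tiers: boundaries are inclusive at 300 s and exclusive at 3600 s.
function ttlTier(ttl) {
  if (ttl <= 300) return 'Change-ready';
  if (ttl > 3600) return 'Long cache';
  return 'Standard cache';
}

// Latency bands: under 350 ms, 350 through 999 ms, 1000 ms and above.
function latencyBand(ms) {
  if (ms >= 1000) return 'high';
  if (ms >= 350) return 'middle';
  return 'lower';
}

// S = t_lookup / sum(t_i) * 100, rounded to one decimal as the report shows it.
// A run where every measured time is 0 (timer unavailable, or all answers served
// before the clock ticked) has no meaningful share, so every row reports 0 rather
// than NaN from a division by zero.
function timingShares(rows) {
  const total = rows.reduce((acc, r) => acc + r.ms, 0);
  return rows.map(r => ({
    ...r,
    share: total > 0 ? Math.round((r.ms / total) * 1000) / 10 : 0,
    band: latencyBand(r.ms),
    tier: Number.isFinite(r.ttl) ? ttlTier(r.ttl) : null,
  }));
}

// Constructed timings (not measured): eight lookups totalling 800 ms.
const SAMPLE_ROWS = [
  { lookup: 'SOA', ms: 90, ttl: 3600 },
  { lookup: 'NS', ms: 80, ttl: 86400 },
  { lookup: 'A', ms: 60 },            // Missing: no TTL to tier
  { lookup: 'AAAA', ms: 70 },         // Missing
  { lookup: 'MX', ms: 120, ttl: 3600 },
  { lookup: 'TXT', ms: 110, ttl: 300 },
  { lookup: 'DMARC', ms: 110, ttl: 300 },
  { lookup: 'CAA', ms: 160 },         // Missing
];

for (const r of timingShares(SAMPLE_ROWS)) {
  console.log(`${r.lookup.padEnd(6)} ${String(r.ms).padStart(4)} ms  ${r.share.toFixed(1)}%  ${r.band}  ${r.tier ?? '-'}`);
}
// MX row -> "MX      120 ms  15.0%  lower  Standard cache"
```

Rounding each row independently means the shares can sum to slightly more or less than 100%; the column is for ranking rows within one report, not for accounting, which is the same caution the page gives for the timing numbers themselves.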
Accuracy and Privacy Notes:
DNS lookups run in the browser against the selected public DNS resolver. The checked domain and derived DNS owner names, including the DMARC owner name, are sent to that resolver. The page does not need registrar credentials and does not read private zone files.
- Resolver answers can be cached, stale, blocked, filtered, or different from another public resolver at the same moment.
- The TXT preview limit can shorten table text; JSON exports keep the full normalized TXT answers returned to the browser.
- SPF and DMARC checks verify publication count and basic prefixes. They do not fully lint mechanisms, alignment, policy strength, or DNS-lookup limits.
- The report does not perform DNSSEC validation, authoritative-server comparison, certificate-transparency review, or mail-provider acceptance testing.
Worked Examples:
A domain owner checks example.com after moving DNS providers. Record Inventory shows NS and SOA as Found, but both A and AAAA are Missing. Posture Notes marks Delegation baseline as Healthy and Address coverage as Review. That is acceptable for a mail-only domain, but it is a launch blocker if the apex should serve a website.
During a mail migration, example.com returns one MX answer, two apex TXT values that begin with v=spf1, and one DMARC TXT answer. Mail routing is Healthy, DMARC publication is Healthy, and SPF publication becomes Needs attention. The immediate fix is to merge the SPF policy into one effective record before assuming sender authentication is ready.
A security review finds no CAA answer for example.com. CAA publication appears as Review, not Needs attention, because DNS does not require CAA for a domain to work. If the organization expects only selected certificate authorities to issue certificates, the missing row is still important because the public DNS view is not expressing that restriction.
A propagation check shows DNS TTL Horizon with DMARC at 300 seconds and NS at 86400 seconds. DMARC falls into Change-ready, while NS falls into Long cache. Rechecking after five minutes may be reasonable for DMARC, but delegation-related changes can remain cached for much longer.
FAQ:
Should I enter the root domain or a hostname?
Enter the domain whose apex records you want to review, such as example.com. URLs are normalized to a hostname, but paths and schemes do not add useful DNS context.
Why is missing MX only a review note?
Some domains do not receive mail. If the domain should reject mail explicitly, compare the result with your intended null MX (RFC 7505) or provider design before treating the missing MX as harmless. Note that a published null MX ("0 .") is itself an MX answer and shows as Found; Missing means no MX at all, in which case senders fall back to the domain's A or AAAA address as an implicit mail exchanger.
Why do Cloudflare DNS and Google Public DNS disagree?
Recursive resolvers cache independently and may refresh at different times. Recheck with the same Resolver for trend comparisons, then switch resolvers only when you need a second public-cache viewpoint.
Does this fully validate SPF or DMARC syntax?
No. SPF publication and DMARC publication check for one effective published record with the expected prefix. Use a dedicated policy validator when mechanisms, alignment, reporting addresses, or lookup limits matter.
Why can resolver timing change between runs?
The measured Time depends on cache state, resolver availability, network path, and browser conditions. Use it to compare rows inside one report, not as a permanent speed rating for the domain.
Glossary:
- SOA: Start of Authority, the record that identifies core authority and serial information for a DNS zone.
- NS: Name server records that identify the authoritative servers for a zone.
- TTL: Time to live, the number of seconds a resolver may keep an answer in cache.
- MX: Mail exchanger records that route inbound mail for a domain.
- SPF: Sender Policy Framework, a TXT-based policy that lists the systems allowed to send mail for a domain.
- DMARC: Domain-based Message Authentication, Reporting, and Conformance, a policy record published as TXT at the _dmarc owner name.
- CAA: Certification Authority Authorization, a DNS record that can restrict which certificate authorities may issue certificates for a domain.
References:
- RFC 1035: Domain Names - Implementation and Specification, RFC Editor, November 1987.
- RFC 7208: Sender Policy Framework (SPF), RFC Editor, April 2014.
- RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC), RFC Editor, March 2015.
- RFC 7505: A Null MX No Service Resource Record for Domains That Accept No Mail, RFC Editor, June 2015.
- RFC 8484: DNS Queries over HTTPS (DoH), RFC Editor, October 2018.
- RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record, RFC Editor, November 2019.