
Introduction:

Domain Name System (DNS) translates human-readable domain names into network addresses by serving authoritative records from globally distributed name servers. Each record type—A, AAAA, MX, NS, SOA, CNAME or TXT—conveys routing, policy, and delegation details that guide browsers, mail exchangers, and other clients toward the correct endpoint and validate administrative control.

This utility queries the authoritative zone via privacy-preserving DNS-over-HTTPS, measures response time per record, and compares results against operational best-practice thresholds. It then synthesises a concise table of answers, Time-to-Live values, and a checklist of pass-or-fail health indicators so you can immediately spot missing records, mismatched serial numbers, or unsafe timing parameters.

Use it before launching a new website, migrating name servers, or auditing DNS after a security incident to confirm redundancy, propagation speed, and policy compliance; then share the report with colleagues to accelerate troubleshooting and change approvals. Personal data is never transmitted to external services; lookups occur entirely in your browser, protecting confidential infrastructure details from unintended disclosure.

Technical Details:

The lookup relies on the hierarchical DNS resolution model defined by RFC 1034/1035. Starting from the authoritative zone apex, individual record sets are requested over an encrypted HTTPS channel that carries the same questions as standard UDP queries while protecting them from interception in transit. Responses include answer data, a numeric TTL specifying cache lifetime, and, for SOA sets, control fields such as serial, refresh, retry, expire, and minimum values. These fields drive synchronisation across secondary servers and determine how quickly downstream resolvers see zone changes.

Resolution Sequence:

  1. Build DNS-over-HTTPS URL for each record type.
  2. Request the JSON payload through the encrypted channel.
  3. Extract Answer list, TTL, and measure round-trip time.
  4. Aggregate results for display and downstream health evaluation.

Recommended Thresholds:

| Check | Pass Criteria |
|---|---|
| Redundancy | ≥ 2 name servers |
| SOA Serial | 10-digit YYYYMMDDnn format |
| SOA Refresh | 1200–43200 s |
| SOA Retry | 180–28800 s |
| SOA Expire | 604800–2419200 s |
| SOA Minimum TTL | 60–86400 s |

Green indicators confirm operational resilience; red flags highlight mis-configured values that may slow propagation or cause resolution failures.
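
The resolution sequence and the threshold table above, worked through as an added example (not the tool's own code). The endpoint URL, helper names and sample payloads are constructed, and the JSON shape (`Status`, `Answer[].type`/`TTL`/`data`) is assumed to be the `application/dns-json` format that public DoH resolvers return.

```javascript
const DOH_ENDPOINT = "https://doh.example/dns-query"; // hypothetical placeholder resolver
const RR_TYPE = { NS: 2, SOA: 6 };                    // numeric types used in JSON answers

// Step 1: one query URL per record type.
function buildUrl(domain, type) {
  const url = new URL(DOH_ENDPOINT);
  url.search = new URLSearchParams({ name: domain, type }).toString();
  return url.toString();
}

// Step 3: keep answers of the requested type only (a CNAME may precede them).
// Step 2, the timed fetch, is left out so the example runs offline.
function extract(payload, type) {
  if (!payload || payload.Status !== 0 || !Array.isArray(payload.Answer)) return [];
  const wanted = payload.Answer.filter((a) => a.type === RR_TYPE[type]);
  return wanted.map((a) => ({ answer: a.data, ttl: a.TTL }));
}

const inRange = (v, lo, hi) => Number.isInteger(v) && v >= lo && v <= hi;

// Ten digits, and the first eight must form a real calendar date.
function serialOk(serial) {
  const m = /^(\d{4})(\d{2})(\d{2})\d{2}$/.exec(serial);
  if (!m) return false;
  const [y, mo, d] = m.slice(1).map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d));
  return date.getUTCMonth() === mo - 1 && date.getUTCDate() === d;
}

// Step 4: threshold table. SOA rdata = mname rname serial refresh retry expire minimum.
function healthChecks(nsRows, soaRows) {
  const f = soaRows.length ? soaRows[0].answer.trim().split(/\s+/) : [];
  const [serial = "", refresh, retry, expire, minimum] = f.slice(2);
  return {
    "Redundancy": nsRows.length >= 2,
    "SOA Serial": serialOk(serial),
    "SOA Refresh": inRange(Number(refresh), 1200, 43200),
    "SOA Retry": inRange(Number(retry), 180, 28800),
    "SOA Expire": inRange(Number(expire), 604800, 2419200),
    "SOA Minimum TTL": inRange(Number(minimum), 60, 86400),
  };
}

// Constructed sample payloads for example.com.
const SAMPLE_NS = { Status: 0, Answer: [
  { name: "example.com.", type: 2, TTL: 3600, data: "ns1.example.com." },
  { name: "example.com.", type: 2, TTL: 3600, data: "ns2.example.com." }] };
const SAMPLE_SOA = { Status: 0, Answer: [{ name: "example.com.", type: 6, TTL: 3600,
  data: "ns1.example.com. hostmaster.example.com. 2025061801 7200 3600 1209600 3600" }] };
console.log(healthChecks(extract(SAMPLE_NS, "NS"), extract(SAMPLE_SOA, "SOA")));
```

A missing or failed SOA answer makes every SOA check fail rather than pass silently, which matches how a red indicator should behave when the record cannot be read.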

Key Parameters:

  • domain – fully-qualified zone tested.
  • record type – NS, SOA, A, AAAA, CNAME, MX, TXT.
  • TTL – cache lifetime in seconds.
  • query time – round-trip latency in milliseconds.

Example (example.com):

query time=48 ms
TTL=3600 s
SOA serial=2025061801

Assumptions & Limitations:

  • Queries target public authoritative servers, not internal split-horizon zones.
  • Latency reflects your network path to the resolver, not the zone’s origin.
  • Health checks use common industry thresholds; providers may enforce stricter values.
  • CNAME chains beyond one hop are not expanded.

Edge Cases & Error Sources:

  • Some DoH endpoints return unsigned data for domains that use DNSSEC.
  • Wildcard records may hide the absence of explicit host entries.
  • Unresponsive servers yield a “—” answer, but the elapsed time is still counted in the timing.
  • Temporary network blocks can masquerade as authoritative failures.

Concept rooted in RFC 1034, RFC 1035, and subsequent operational Best Current Practices such as RFC 1912 and RFC 2181.

All lookups execute locally; no personally identifiable information leaves your browser, supporting GDPR-aligned privacy expectations.

Step-by-Step Guide:

Follow these steps to generate a comprehensive report.

  1. Enter your target Domain (for example, example.org).
  2. Select Generate Report.
  3. Review the Records table for answers, TTL, and query time.
  4. Scan the Health Checks list; investigate any red indicator immediately.
  5. Copy the results to share with operations or compliance teams.

FAQ:

Why do some answers display “—”?

The authoritative zone did not return data for that record type, or the resolver encountered a timeout.

Is my data stored?

No. All processing occurs client-side; nothing is logged, uploaded, or persisted beyond your browser session.

How accurate are the timing values?

They measure round-trip latency to the public resolver from your location; values may fluctuate with network congestion and distance.

What does a failed health check mean?

It signals a deviation from best practice—such as too few name servers or an out-of-range SOA parameter—which can impair reliability or propagation.

Can I test internal zones?

Only if they are publicly resolvable; private split-horizon overlays will not respond via public DNS-over-HTTPS endpoints.

Glossary:

  • DNS – Hierarchical naming system mapping domains to resources.
  • TTL – Time-to-Live; permitted cache duration in seconds.
  • SOA – Start-of-Authority record holding zone control data.
  • Authoritative NS – Server responsible for answering queries about a zone.
  • DNS-over-HTTPS – Protocol transmitting DNS queries over encrypted HTTP.