DNS Scanner
DNS Scanner is a free online DNS server testing tool by CloudFloorDNS. It runs 120+
automated RFC-compliance and health checks across 15 categories against any authoritative
nameserver or recursive resolver, then grades the results with a 0–100 score and an A–F
letter grade.
Enter a domain (and optionally a target nameserver as a hostname, IPv4, or IPv6 address).
When the target is left blank, the scanner auto-selects an authoritative nameserver for
the domain. The scanner classifies each target as authoritative, recursive, hybrid, or
unknown and adapts which tests it runs — for example, DNSSEC-validation checks via
dnssec-failed.org only run against recursive resolvers, while authoritative servers are
probed for RRSIG and DNSKEY on the target zone instead. Results stream back per-category
as they complete and can be downloaded as JSON or CSV.
Test categories
- Delegation Consistency (RFC 1034 / 2181 / 2182, RFC 1912): parent vs. child NS RRset agreement at every zone cut, glue consistency, AA-flag check, NS reachability, NS count ≥ 2, distinct IPs, globally reachable IPs, NS-not-CNAME, PTR / FCrDNS, and ASN diversity.
- DNSSEC (RFC 4033–4035, RFC 6840, RFC 8624, RFC 9276): full chain-of-trust walk from the root down, DS / DNSKEY / RRSIG verification at each zone, SOA RRSIG validation, NSEC / NSEC3 RRSIG validation, NSEC3 parameter sanity, RSA key-size sanity, algorithm completeness, CDS / CDNSKEY presence, DS digest-algorithm strength.
- SOA Serial Consistency: NS delegation discovery, serial consistency, and SOA-parameter agreement across all authoritative nameservers.
- Security: AXFR refusal (TCP + UDP), open-resolver check, version disclosure, amplification potential, DNSSEC validation behavior, NSEC walking, NXDOMAIN hijacking, dynamic update, NOTIFY, upward referral, recursion exposure.
- Protocol (RFC 8482): TCP fallback, 0x20 case randomization, rate limiting, QNAME minimization, truncation, IPv6, minimal-ANY.
- DNS Flags (RFC 1035): QR, AA, RD/RA, TC, AD/CD, and reserved Z-bit compliance.
- EDNS (RFC 6891): EDNS0 support, DO bit, max payload, ECS, padding, NSID, OPT in truncated response.
- DNS Cookies (RFC 7873, RFC 9018): client / server cookie support, diversity across clients, cross-client poisoning resistance, forged-hash rejection, malformed-length FORMERR, TCP cookies.
- EDE (RFC 8914): Extended DNS Errors for DNSSEC failure, NXDOMAIN, REFUSED, BADVERS, and malformed-cookie cases.
- Fragmentation: TCP segmentation, split length prefix, byte-at-a-time, pipelining, UDP large / minimal.
- Malformed: resilience to 16 classes of malformed queries.
- DoT (RFC 7858): DNS over TLS.
- DoH (RFC 8484): DNS over HTTPS.
- DoQ (RFC 9250): DNS over QUIC.
- Analysis: response-time stats, TTL analysis, record types, SOA consistency, SVCB / HTTPS records (RFC 9460).
Reference pages
- DNSSEC Checker — comprehensive chain-of-trust walker from the root down, with per-nameserver DNSKEY + SOA comparison, NSEC / NSEC3 authenticated-denial proofs, an optional user-supplied trust anchor, both tree and graph views, and JSON / CSV export.
- Test Catalog — every test the scanner runs, ordered to mirror the actual execution order, with RFC citations.
- DNS Return Codes — IANA RCODE values and RFC 8914 Extended DNS Error codes, with linked RFC citations.
- llms.txt — AI-readable site summary.
The tool requires JavaScript to run scans interactively. It is free, requires no account,
and runs scans server-side so it works against any publicly reachable nameserver.