DNS Scanner
DNS Scanner is a free online DNS server testing tool by
CloudFloorDNS. It runs 135+ automated
RFC-compliance and health checks across 18 categories against any authoritative
nameserver or recursive resolver, then grades the results with a 0–100 score
and an A–F letter grade.
Enter a domain (and optionally a target nameserver as a hostname, IPv4, or IPv6 address).
When the target is left blank, the scanner auto-selects an authoritative nameserver for
the domain. The scanner classifies each target as authoritative, recursive, hybrid, or
unknown and adapts which tests it runs — for example, DNSSEC-validation checks via
dnssec-failed.org only run against recursive resolvers, while authoritative servers are
probed for RRSIG and DNSKEY on the target zone instead. Results stream back per-category
as they complete and can be downloaded as JSON or CSV.
Each scan also runs a lightweight vantage probe measuring the things that vary by where
you query from — latency distribution, UDP/TCP reachability per address family,
anycast node identity (NSID), and IPv6 parity. When optional regional probe agents are
deployed, the same probe fans out to multiple geographic locations at once, so latency
and reachability are reported from every region while a single authoritative grade still
comes from the primary.
Test categories
- Delegation Consistency (RFC 1034 / 2181 / 2182, RFC 1912): parent vs. child NS RRset agreement at every zone cut, glue consistency, AA-flag check, NS reachability, NS count ≥ 2, distinct IPs, globally reachable IPs, NS-not-CNAME, PTR / FCrDNS, and ASN diversity.
- DNSSEC (RFC 4033–4035, RFC 6840, RFC 8624, RFC 9904, RFC 9276): full chain-of-trust walk from the root down, DS / DNSKEY / RRSIG verification at each zone, SOA RRSIG validation, NSEC / NSEC3 RRSIG validation, NSEC3 parameter sanity, RSA key-size sanity, algorithm completeness, CDS / CDNSKEY presence, DS digest-algorithm strength.
- SOA Serial Consistency: NS delegation discovery, serial consistency, and SOA-parameter agreement across all authoritative nameservers.
- Security: AXFR refusal (TCP + UDP), open-resolver check, version disclosure, amplification potential, DNSSEC validation behavior, NSEC walking, NXDOMAIN hijacking, dynamic update, NOTIFY, upward referral, recursion exposure.
- Protocol (RFC 3597, RFC 8482): TCP fallback, 0x20 case randomization, rate limiting, QNAME minimization, truncation, IPv6, minimal-ANY.
- DNS Flags (RFC 1035): QR, AA, RD/RA, TC, AD/CD, and reserved Z-bit compliance.
- EDNS (RFC 6891): EDNS0 support, DO bit, max payload, ECS, padding, NSID, OPT in truncated response.
- DNS Cookies (RFC 7873, RFC 9018): client / server cookie support, diversity across clients, cross-client poisoning resistance, forged-hash rejection, malformed-length FORMERR, TCP cookies.
- EDE (RFC 8914): Extended DNS Errors for DNSSEC failure, NXDOMAIN, REFUSED, BADVERS, and malformed-cookie cases.
- Fragmentation: TCP segmentation, split length prefix, byte-at-a-time, pipelining, UDP large / minimal.
- Malformed: resilience to 16 classes of malformed queries.
- DoT (RFC 7858): DNS over TLS.
- DoH (RFC 8484): DNS over HTTPS.
- DoQ (RFC 9250): DNS over QUIC.
- DDR (RFC 9462): Discovery of Designated Resolvers — SVCB at
_dns.resolver.arpa and the IP-form arpa name, ALPN inventory, TLS-endpoint reachability for every advertised endpoint, and subjectAltName authentication of the original resolver IP per RFC 9462 §4.2 ("Verified Discovery"). Recursive-only; auto-skipped on authoritative servers.
- Consistency: same query, fired N times against the target. Checks RCODE stability, answer-set agreement (anycast split-brain detection), TTL behaviour, and RTT variance — catches partial-outage anycast nodes that single-shot tests cannot see.
- ECH (RFC 9460, RFC 9848 §3, RFC 9849): Encrypted Client Hello configuration published in HTTPS records — HTTPS RR presence,
ech= SvcParam presence, ECHConfigList structural validity (parsed via a bounded reader that treats every byte as adversarial), version currency (0xfe0d), HPKE KEM and public-key length consistency, cipher_suites non-empty, public_name is a valid DNS hostname, and the HTTPS RRset is DNSSEC-signed so the ECH config can't be forged or stripped in transit.
- Analysis: response-time stats, TTL analysis, record types, SOA consistency, SVCB / HTTPS records (RFC 9460).
Reference pages
- DNSSEC Checker — comprehensive chain-of-trust walker from the root down, with per-nameserver DNSKEY + SOA comparison, NSEC / NSEC3 authenticated-denial proofs, an optional user-supplied trust anchor, both tree and graph views, and JSON / CSV export.
- DNS Auditor — a domain-owner health check across delegation & nameserver redundancy, SOA hygiene, DNSSEC, email authentication (SPF, DKIM, DMARC, MTA-STS), CAA issuance policy, zone-transfer and open-recursion exposure, and a bounded subdomain-takeover sweep; graded 0–100 with a concrete fix for every issue and JSON / CSV export.
- Test Catalog — every test the scanner runs, ordered to mirror the actual execution order, with RFC citations.
- Nameserver Journey — historical timeline of a domain's DNS health across stored scans: score-trend sparkline, derived change events, and a table of every stored scan.
- DNS Return Codes — IANA RCODE values and RFC 8914 Extended DNS Error codes, with linked RFC citations.
- llms.txt — AI-readable site summary.
Frequently asked questions
- What does DNS Scanner check?
- DNS Scanner runs 135+ automated checks across 18 categories against any publicly reachable DNS server: delegation consistency at every zone cut, full DNSSEC chain-of-trust validation from the root, EDNS compliance, encrypted transports (DoH, DoT, DoQ, DDR, ECH), DNS cookies, security exposure (zone transfer, open resolver, amplification), protocol compliance, and response consistency. Results are graded 0–100 with an A–F letter grade.
- Is DNS Scanner free?
- Yes — free, with no account or signup. Scans run server-side, so it works against any publicly reachable nameserver. It is built and maintained by CloudFloorDNS.
- What is the difference between the Scanner, the DNSSEC Checker, and the DNS Auditor?
- The Scanner tests a specific DNS server (a nameserver or resolver) for RFC compliance and health. The DNSSEC Checker walks a domain's full chain of trust from the root servers down. The DNS Auditor audits a domain's overall DNS configuration — delegation, email authentication (SPF, DKIM, DMARC, MTA-STS), CAA, DNSSEC, and subdomain-takeover risk — from the domain owner's perspective.
- How is the 0–100 score calculated?
- Every check carries a severity weight (critical 10, high 5, medium 2, low 1). A pass earns the full weight, a warning half, a failure zero; informational findings never affect the score. The resulting percentage maps to an A+ through F letter grade.
- Can it test recursive resolvers as well as authoritative servers?
- Yes. The scanner classifies the target as authoritative, recursive, hybrid, or unknown and adapts which tests run: DNSSEC-validation behavior is only tested against recursive resolvers, while authoritative servers are probed for RRSIG and DNSKEY on the target zone instead.
- Are my scan results stored?
- Results are kept in a history store to power the Nameserver Journey timeline; uncheck "Store to history" before scanning to opt out. Standard access logging still applies.
- Can I export results?
- Yes — the Scanner, the DNSSEC Checker, and the DNS Auditor all export results as JSON or CSV.
- What do the multi-region results mean?
- Every scan runs a vantage probe measuring latency, UDP/TCP reachability, anycast node identity (NSID), and IPv6 parity. When regional agents are deployed, the same probe fans out to multiple geographic locations at once, while the authoritative grade always comes from the primary vantage.
The tool requires JavaScript to run scans interactively. It is free, requires no account,
and runs scans server-side so it works against any publicly reachable nameserver.