DNS Scanner
DNS Scanner is a free online DNS server testing tool by CloudFloorDNS. It runs 135+
automated RFC-compliance and health checks across 18 categories against any authoritative
nameserver or recursive resolver, then grades the results with a 0–100 score and an A–F
letter grade.
Enter a domain (and optionally a target nameserver as a hostname, IPv4, or IPv6 address).
When the target is left blank, the scanner auto-selects an authoritative nameserver for
the domain. The scanner classifies each target as authoritative, recursive, hybrid, or
unknown and adapts which tests it runs — for example, DNSSEC-validation checks via
dnssec-failed.org only run against recursive resolvers, while authoritative servers are
probed for RRSIG and DNSKEY on the target zone instead. Results stream back per-category
as they complete and can be downloaded as JSON or CSV.
Each scan also runs a lightweight vantage probe measuring the things that vary by where
you query from — latency distribution, UDP/TCP reachability per address family,
anycast node identity (NSID), and IPv6 parity. When optional regional probe agents are
deployed, the same probe fans out to multiple geographic locations at once, so latency
and reachability are reported from every region while a single authoritative grade still
comes from the primary.
Test categories
- Delegation Consistency (RFC 1034 / 2181 / 2182, RFC 1912): parent vs. child NS RRset agreement at every zone cut, glue consistency, AA-flag check, NS reachability, NS count ≥ 2, distinct IPs, globally reachable IPs, NS-not-CNAME, PTR / FCrDNS, and ASN diversity.
- DNSSEC (RFC 4033–4035, RFC 6840, RFC 8624, RFC 9276): full chain-of-trust walk from the root down, DS / DNSKEY / RRSIG verification at each zone, SOA RRSIG validation, NSEC / NSEC3 RRSIG validation, NSEC3 parameter sanity, RSA key-size sanity, algorithm completeness, CDS / CDNSKEY presence, DS digest-algorithm strength.
- SOA Serial Consistency: NS delegation discovery, serial consistency, and SOA-parameter agreement across all authoritative nameservers.
- Security: AXFR refusal (TCP + UDP), open-resolver check, version disclosure, amplification potential, DNSSEC validation behavior, NSEC walking, NXDOMAIN hijacking, dynamic update, NOTIFY, upward referral, recursion exposure.
- Protocol (RFC 8482): TCP fallback, 0x20 case randomization, rate limiting, QNAME minimization, truncation, IPv6, minimal-ANY.
- DNS Flags (RFC 1035): QR, AA, RD/RA, TC, AD/CD, and reserved Z-bit compliance.
- EDNS (RFC 6891): EDNS0 support, DO bit, max payload, ECS, padding, NSID, OPT in truncated response.
- DNS Cookies (RFC 7873, RFC 9018): client / server cookie support, diversity across clients, cross-client poisoning resistance, forged-hash rejection, malformed-length FORMERR, TCP cookies.
- EDE (RFC 8914): Extended DNS Errors for DNSSEC failure, NXDOMAIN, REFUSED, BADVERS, and malformed-cookie cases.
- Fragmentation: TCP segmentation, split length prefix, byte-at-a-time, pipelining, UDP large / minimal.
- Malformed: resilience to 16 classes of malformed queries.
- DoT (RFC 7858): DNS over TLS.
- DoH (RFC 8484): DNS over HTTPS.
- DoQ (RFC 9250): DNS over QUIC.
- DDR (RFC 9462): Discovery of Designated Resolvers — SVCB at _dns.resolver.arpa and the IP-form arpa name, ALPN inventory, TLS-endpoint reachability for every advertised endpoint, and subjectAltName authentication of the original resolver IP per RFC 9462 §7.1 ("Verified Discovery"). Recursive-only; auto-skipped on authoritative servers.
- Consistency: same query, fired N times against the target. Checks RCODE stability, answer-set agreement (anycast split-brain detection), TTL behaviour, and RTT variance — catches partial-outage anycast nodes that single-shot tests cannot see.
- ECH (RFC 9460 §7.5, draft-ietf-tls-esni): Encrypted Client Hello configuration published in HTTPS records — HTTPS RR presence, ech= SvcParam presence, ECHConfigList structural validity (parsed via a bounded reader that treats every byte as adversarial), version currency (0xfe0d), HPKE KEM and public-key length consistency, cipher_suites non-empty, public_name is a valid DNS hostname, and the HTTPS RRset is DNSSEC-signed so the ECH config can't be forged or stripped in transit.
- Analysis: response-time stats, TTL analysis, record types, SOA consistency, SVCB / HTTPS records (RFC 9460).
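The ECH structural check from the category list above, as an added example (not the scanner's own code): a bounded reader over the ECHConfigList wire format that flags the version, KEM/public-key length, cipher_suites and public_name problems the ECH item lists. The KEM-to-key-length table is from RFC 9180; the sample ECHConfigList is constructed here, not taken from any real zone.

```python
import re
import struct
KEM_NPK = {0x0010: 65, 0x0011: 97, 0x0012: 133, 0x0020: 32, 0x0021: 56}  # RFC 9180 KEM id -> Npk
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)  # one DNS label

class Reader:
    """Bounded reader: any read past the buffer end raises ValueError instead of over-reading."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("length field exceeds remaining bytes")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u16(self):
        return struct.unpack("!H", self.take(2))[0]
    def vec16(self):  # opaque<0..2^16-1>: 2-byte length prefix, then data
        return self.take(self.u16())
    def done(self):
        return self.pos == len(self.buf)

def check_ech_config_list(blob):
    """Structural checks on one decoded ech= value; returns a list of findings (empty = pass)."""
    findings = []
    try:
        body = Reader(Reader(blob).vec16())  # outer ECHConfigList length prefix
        while not body.done():
            version, cfg = body.u16(), Reader(body.vec16())  # each ECHConfig is length-framed
            if version != 0xFE0D:  # stale draft or unknown version: contents are opaque
                findings.append(f"unsupported ECHConfig version {version:#06x}")
                continue
            kem_id, pk = struct.unpack("!BH", cfg.take(3))[1], cfg.vec16()  # skip config_id
            if KEM_NPK.get(kem_id) != len(pk):
                findings.append(f"kem_id {kem_id:#06x} with {len(pk)}-byte public_key")
            suites = cfg.vec16()  # each suite is kdf_id || aead_id (4 bytes)
            if not suites or len(suites) % 4:
                findings.append("cipher_suites empty or not a multiple of 4 bytes")
            name = cfg.take(cfg.take(2)[1]).decode("ascii", "replace")  # skip maximum_name_length
            if not all(LABEL.match(label) for label in name.split(".")):
                findings.append(f"public_name {name!r} is not a valid hostname")
    except ValueError as e:
        findings.append(f"malformed: {e}")
    return findings

def sample_ech_config_list(kem_id=0x0020, pk=b"\x11" * 32, name=b"public.example"):
    """Constructed sample (not from any real zone) so the checker runs offline."""
    contents = (b"\x01" + struct.pack("!HH", kem_id, len(pk)) + pk + b"\x00\x04\x00\x01\x00\x01"
                + b"\x40" + bytes([len(name)]) + name + b"\x00\x00")  # max_name_len, name, no extensions
    cfg = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg
```

Passing the default sample yields no findings; a 31-byte X25519 key, an underscore in public_name, or a blob cut short each produce exactly one finding instead of an index error.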
Reference pages
- DNSSEC Checker — comprehensive chain-of-trust walker from the root down, with per-nameserver DNSKEY + SOA comparison, NSEC / NSEC3 authenticated-denial proofs, an optional user-supplied trust anchor, both tree and graph views, and JSON / CSV export.
- DNS Auditor — a domain-owner health check across delegation & nameserver redundancy, SOA hygiene, DNSSEC, email authentication (SPF, DKIM, DMARC, MTA-STS), CAA issuance policy, zone-transfer and open-recursion exposure, and a bounded subdomain-takeover sweep; graded 0–100 with a concrete fix for every issue and JSON / CSV export.
- Test Catalog — every test the scanner runs, ordered to mirror the actual execution order, with RFC citations.
- Nameserver Journey — historical timeline of a domain's DNS health across stored scans: score-trend sparkline, derived change events, and a table of every stored scan.
- DNS Return Codes — IANA RCODE values and RFC 8914 Extended DNS Error codes, with linked RFC citations.
- llms.txt — AI-readable site summary.
The tool requires JavaScript to run scans interactively. It is free, requires no account,
and runs scans server-side so it works against any publicly reachable nameserver.