# DNS Scanner

> Free online DNS server testing tool by CloudFloorDNS. Runs 120+ automated RFC-compliance and health checks across 15 categories against any authoritative nameserver or recursive resolver, then grades the results with a 0–100 score and an A–F letter grade.

DNS Scanner is a web front-end for an open-source Python scanner. A user enters a domain and an optional target nameserver (hostname, IPv4, or IPv6) — when the target is left blank the scanner auto-selects an authoritative nameserver for the domain. The server runs a streamed scan against that nameserver. Results come back grouped into categories with per-test pass / fail / warn findings, a numeric score, and a letter grade. Results can be downloaded as JSON or CSV.

The scanner classifies each target as authoritative, recursive, hybrid, or unknown and adapts which tests it runs (e.g. DNSSEC-validation checks via `dnssec-failed.org` only run against recursive resolvers; authoritative servers are probed for RRSIG / DNSKEY on the target zone instead).

Tests are grouped into 15 categories (executed in this order — foundational checks first, informational analysis last):

- **Delegation Consistency** (RFC 1034/2181/2182, RFC 1912): parent vs. child NS RRset agreement at every zone cut from root → TLD → SLD → target, glue consistency, AA-flag check, NS reachability, NS count ≥ 2, distinct IPs, globally reachable IPs, NS-not-CNAME, PTR / FCrDNS, and ASN diversity.
- **DNSSEC** (RFC 4033–4035, RFC 6840, RFC 8624, RFC 9276): full chain-of-trust walk from the root down to the target zone, DS / DNSKEY / RRSIG verification at each zone, SOA RRSIG validation, NSEC / NSEC3 RRSIG validation, NSEC3 parameter sanity (RFC 9276), RSA key-size sanity, algorithm-completeness check, CDS / CDNSKEY presence, DS digest-algorithm strength.
- **SOA Serial Consistency**: NS delegation discovery, serial consistency, and SOA-parameter agreement across all authoritative nameservers for the zone.
- **Security**: AXFR refusal (TCP + UDP), open-resolver check, version disclosure, amplification potential, DNSSEC validation behavior, NSEC walking, NXDOMAIN hijacking, dynamic update, NOTIFY, upward referral, recursion exposure.
- **Protocol** (RFC 8482): TCP fallback, 0x20 case randomization, rate limiting, QNAME minimization, truncation, IPv6, minimal-ANY (RFC 8482).
- **DNS Flags** (RFC 1035): QR, AA, RD/RA, TC, AD/CD, and reserved Z-bit compliance.
- **EDNS** (RFC 6891): EDNS0 support, DO bit, max payload, ECS, padding, NSID, OPT in truncated response.
- **DNS Cookies** (RFC 7873, RFC 9018): cookie generation, handling, persistence, format, RFC 9018 v01 bytes, timestamp freshness, forged-hash rejection, malformed-length FORMERR, server-cookie diversity, cross-client poisoning resistance, TCP cookie support.
- **EDE** (RFC 8914): Extended DNS Errors for DNSSEC failure, NXDOMAIN, REFUSED, BADVERS, and malformed-cookie cases.
- **Fragmentation**: TCP segmentation, split length prefix, byte-at-a-time, pipelining, UDP large / minimal.
- **Malformed**: resilience to 16 classes of malformed queries (oversized labels, null bytes, truncated headers, compression attacks, etc.).
- **DoT** (RFC 7858): TLS connectivity, version / cipher, EDNS, DNSSEC over TLS.
- **DoH** (RFC 8484): HTTPS POST/GET, TLS version, EDNS, multi-query over HTTPS.
- **DoQ** (RFC 9250): QUIC connectivity, EDNS, DNSSEC, multi-query over QUIC.
- **Analysis**: response-time stats, TTL analysis, record types, SOA consistency, SVCB / HTTPS records (RFC 9460).

The tool is free, requires no account, and runs scans server-side so it works against any publicly reachable nameserver. It is maintained by CloudFloorDNS, a managed-DNS provider.

## Pages

- [Scanner](https://dnsscanner.net/): Main scan interface. Enter a domain (and optionally a target nameserver), watch streamed per-category results, receive a 0–100 score and letter grade, export results as JSON or CSV.
- [DNSSEC Checker](https://dnsscanner.net/dnssec): Walks the full DNSSEC chain of trust from the root down to the target domain. Verifies every DNSKEY / DS / RRSIG along the way; queries every authoritative nameserver for each zone and diffs their DNSKEY key-tag set *and* SOA serial to catch multi-NS replication or key-rollover bugs; probes the target zone with a random non-existent name to validate the NSEC / NSEC3 authenticated-denial proofs (with RFC 9276 warnings when NSEC3 iterations > 0 or opt-out is set); supports a user-supplied DS trust anchor to validate the root DNSKEY against. Reports the overall chain status as SECURE / INSECURE / BOGUS / INDETERMINATE, with both a vertical tree view and a compact node-and-edge graph view. Results can be exported as JSON or CSV. Accepts a permalink form `/dnssec/` so a check can be shared directly.
- [Test Catalog](https://dnsscanner.net/tests): Description of every test the scanner runs, ordered to mirror the actual execution order (delegation first, analysis last), with the RFC each test references.
- [DNS Return Codes](https://dnsscanner.net/rcodes): Reference list of DNS RCODE values (NOERROR, SERVFAIL, NXDOMAIN, REFUSED, NOTIMP, YXDOMAIN, etc.) and RFC 8914 Extended DNS Error codes, with linked RFC citations.

## About

- [CloudFloorDNS](https://www.cloudfloordns.com/): The managed-DNS provider that publishes DNS Scanner.