DNS Scanner
DNS Scanner is a free online DNS server testing tool by
CloudFloorDNS. It runs 87+ automated
RFC-compliance and health checks against any authoritative nameserver or recursive
resolver, then grades the results with a 0–100 score and an A–F letter grade.
Enter a nameserver (hostname, IPv4, or IPv6) and an optional target domain. The scanner
classifies each target as authoritative, recursive, hybrid, or unknown and adapts which
tests it runs — for example, DNSSEC-validation checks via dnssec-failed.org only run
against recursive resolvers, while authoritative servers are probed for RRSIG and DNSKEY
on the target zone instead. Results stream back per-category as they complete.
Test categories
- EDNS (RFC 6891): EDNS0 support, buffer-size negotiation, unknown-option handling, flag-day compliance.
- Cookies (RFC 7873): client / server cookie support, diversity across clients, cross-client poisoning resistance.
- Security: AXFR refusal, open-resolver check, amplification potential, DNSSEC validation behavior, recursion exposure.
- DNSSEC: full chain-of-trust walk from the root down, DS / DNSKEY / RRSIG verification at each zone, algorithm-strength check per RFC 8624.
- Protocol: TCP support, truncation handling, case-insensitive qname matching, unknown qtype handling.
- Analysis: response times, TTL sanity, additional-section behavior.
- Fragmentation: TCP segmentation, split length prefix, byte-at-a-time, pipelining, UDP large / minimal.
- EDE (RFC 8914): Extended DNS Errors for DNSSEC failure, NXDOMAIN, REFUSED.
- DoQ (RFC 9250): DNS over QUIC.
- DoT (RFC 7858): DNS over TLS.
- DoH (RFC 8484): DNS over HTTPS.
- Flags (RFC 1035): header-flag compliance (QR, AA, TC, RD, RA, AD, CD, Z).
- Malformed: resilience to 16 classes of malformed queries.
- SOA: serial consistency across all authoritative nameservers for a zone.
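The server classification described above and the header-flag fields from the Flags category can be sketched as follows. This is an added example, not the scanner's own code: the two-probe heuristic (AA on a non-recursive query for the target zone, RA on a recursive query for an unrelated name) is an assumption, and the names `parse_header`, `classify` and `dnssec_checks` are hypothetical.

```python
import struct

# Masks for the 16-bit flags word of the RFC 1035 header (AD/CD: RFC 4035).
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
             "RA": 0x0080, "Z": 0x0040, "AD": 0x0020, "CD": 0x0010}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named flags and fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = {name: bool(word & mask) for name, mask in FLAG_BITS.items()}
    hdr.update(id=ident, opcode=(word >> 11) & 0xF, rcode=word & 0xF,
               qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return hdr

def classify(zone_reply: bytes, foreign_reply: bytes) -> str:
    """Assumed heuristic, not the scanner's documented logic.
    zone_reply:    answer to an RD=0 query for the target zone
    foreign_reply: answer to an RD=1 query for a name outside that zone"""
    z, f = parse_header(zone_reply), parse_header(foreign_reply)
    if not (z["QR"] and f["QR"]):
        return "unknown"                      # QR clear: not a response
    authoritative = z["AA"] and z["rcode"] == 0
    recursive = f["RA"] and f["rcode"] == 0
    if authoritative and recursive:
        return "hybrid"
    if authoritative:
        return "authoritative"
    return "recursive" if recursive else "unknown"

def dnssec_checks(kind: str) -> list:
    """Pick DNSSEC probes per server type, as the page describes."""
    checks = []
    if kind in ("authoritative", "hybrid"):
        checks += ["RRSIG on target zone", "DNSKEY on target zone"]
    if kind in ("recursive", "hybrid"):
        checks.append("validation via dnssec-failed.org")
    return checks

def _hdr(flags: int, rcode: int = 0, ancount: int = 0) -> bytes:
    return struct.pack("!6H", 0x1234, flags | rcode, 1, ancount, 0, 0)

# Constructed sample headers (not captured from any real server).
AUTH_ZONE = _hdr(0x8400, ancount=1)           # QR|AA
AUTH_FOREIGN = _hdr(0x8100, rcode=5)          # QR|RD, REFUSED
REC_ZONE = _hdr(0x8080, ancount=1)            # QR|RA, no AA
REC_FOREIGN = _hdr(0x8180, ancount=1)         # QR|RD|RA
```

A server that sets both AA for its own zone and RA for unrelated names classifies as hybrid, which is also the recursion-exposure condition the Security category looks for on an authoritative host.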
Reference pages
- DNSSEC Checker — comprehensive chain-of-trust walker from the root down, with per-nameserver DNSKEY + SOA comparison, NSEC / NSEC3 authenticated-denial proofs, an optional user-supplied trust anchor, and both tree and graph views.
- Test Catalog — every test the scanner runs, with RFC citations.
- DNS Return Codes — IANA RCODE values and RFC 8914 Extended DNS Error codes.
- llms.txt — AI-readable site summary.
The tool requires JavaScript to run scans interactively. It is free, requires no account,
and runs scans server-side so it works against any publicly reachable nameserver.