What is DNS lookup?

It's a free tool that checks DNS records. You can run over 70 different tests on any domain you want. Since there;s a lot going on and the results can get pretty detailed, we split everything into six groups. Down below, you'll find the full list of tests and which group each one belongs to.

DNS Parent Group checks the parent DNS servers of the domain for 5 things:
  • Missing Direct Parent check -(Does direct parent zone exists? SOA of parent zone?)
  • Glue at parent nameservers - (Is there glue for nameservers or not?)
  • NS records at parent servers - (What NS records are there at the parent servers?)
  • DNS servers have A records - (Do the DNS servers have A records listed on the parent zone?)
  • Parent nameservers have your nameservers listed - (Are the nameservers listed in the parent nameservers?)
  • NS (Nameserver) looks at the nameservers of the domain and runs 18 check:
    • NS records at your nameservers - (What are NS records on your nameserver?)
    • Mismatched NS records - (Are NS records same at all your nameservers?)
    • All nameservers respond - (Are the nameservers responding?)
    • DNS Spoofing / DNS Poisoning - (Do nameservers allow recursive queries or not?)

      If recursive queries are found, there is a high risk of DNS spoofing. That's when visitors and traffic get redirected to the wrong website because the DNS cache got infected with a fake IP address.

      DNS spoofing works by hiding the real IP address that the domain should respond to. It is replaced by a fake, injected IP. Visitors don't notice anything wrong since it all happens behind the scenes.

    • Zone Transfer - (Is Zone Transfer allowed by any of your nameservers or not?)
    • No NS A records at nameservers - (Do nameservers include corresponding A records when asked for your NS records?)
    • Nameserver name validity - (Are the NS records your nameservers report valid or not?)
    • Number of nameservers - (How many nameservers does a domain have? A minimum of two is required. RFC2182 section 5 recommends at least 3 nameservers and no more than seven.)
    • Lame nameservers - (Do the nameservers listed at the parent servers answer authoritatively for domain?)
    • Missing (stealth) nameservers - (Are there stealth nameservers?)
    • Missing nameservers 2 - (Are all nameservers listed at parent servers also listed in your NS records?)
    • Same Glue - (Are the A records from the parent zone the same as the ones got from your nameservers?)
    • No CNAMEs for domain - (Are there CNAMEs for domain or not?)
    • TCP Allowed - (Do your nameservers accept TCP connection?)
    • Stealth NS record leakage - (Do your DNS servers leak NS record in non-NS request?)
    • Nameservers on separate class C - (Are your nameservers on different Class C?)
    • All NS IPs public - (Do your NS records use public IP addresses?)
    • Glue for NS record - (Do your nameservers return A records for the NS records or not?)
  • SOA (Start of Authority) checks and show information from SOA for a given domain for 9 DNS record.
    • SOA record - (Information from the SOA record)
    • SOA MNAME entry - (Is the SOA MNAME listed as the primary nameserver on the parent domain nameserver?)
    • SOA RNAME entry - (Admin email address for the domain's DNS.)
    • NS agreement on SOA Serial # - ( Do all domain nameservers show the same SOA serial number?)
    • SOA Serial - (Is SOA serial number in the recommended format of YYYYMMDDnn?)
    • SOA REFRESH - (What is SOA REFRESH intervar?)
    • SOA RETRY - (What is SOA RETRY interval?)
    • SOA EXPIRE - (What is SOA EXPIRE interval?)
    • SOA MINIMUM TTL - (Is the MINIMUM TTL value set properly?)
  • The MX (Mail Exchanger) test checks everything related to mail exchange for a given domain. (It runs 12 checks and gives a clear overview of how your email setup works.)
    • MX Glue - (Does MX record send glue record or not?)
    • MX records are not CNAMEs - (Are there any CNAMEs in MX records? There shouldn't be.)
    • MX is host name, not IP - (Are All of domain MX records hostnames?)
    • Different MX records at nameservers - ( Do all your domain nameservers have the same set of MX records?)
    • MX Glues match - (Does the MX Glue returned by the nameserver for the MX record match the A record of the hostname's MX?)
    • Duplicate MX records - (Are there duplicate MX records pointing to the same IP address?)
    • MX A lookups have no CNAMEs - (Are CNAMEs returned for the A records lookups for your MX host?)
    • MX Record - (Information about the number of MX records)
    • Multiple MX records - (Does domains have multiple MX records or not?)
    • Reverse MX A records (PTR) - (What are the reverse PTR records for the MX records?)
    • All MX IPs public - (Do all of the MX records use a public IP)
  • MAIL (Email) test how the mail servers works for the domain and have 4 DNS test.
    • SPF record - (Checks the SPF record for your domain)
    • Sender ID record(spfv2.0) - (Is Sender ID framework implemented?)
    • Domain Key Test - (Info about Domain keys - DKIM)
    • DMARC - ( Checks if there's a DMARC policy.)
  • WWW (World Wide Web) test WWW part of given domain. There are 4 DNS & IP test and over 20 security-related ones.
    • WWW A record - (What is domain WWW A record? Then is then easy to find location of the domain?)
    • IPs are public - (Are all WWW IP addresses public?)
    • HTTP Service - (Can connect to http service at port 80 or not?)
    • Server - (http service information about the server, at port 80, used by the domain)
    • Server Header - (Server type information via the http response header)
    • HTTP Connection - (keep-alive or close)
      • Secure Headers (security checks from HTTP response headers):
    • HSTS - (HTTP Strict Transport Security set or not?)
    • X-Frame-Options - (Can the page be embedded in iframes)
    • X-Content-Type-Options - (Enforces correct MIME types.)
    • Content-Security-Policy (CSP) - (Protects against XSS and injections)
    • X-Permitted-Cross-Domain-Policies - (Cross-domain data sharing permissions)
    • Referrer-Policy - (Controls referrer info sent by browser.)
    • Clear-Site-Data - (Clears stored site data when requested)
    • Cross-Origin-Embedder-Policy - (Restricts embedding from other origins.
    • Cross-Origin-Opener-Policy - (Prevents cross-origin sharing of browsing context.)
    • Cross-Origin-Resource-Policy - (Protects resources from cross-origin leaks.)
    • Cache-Control - (Instructions for caching)
    • Permissions-Policy - (Controls who can access features)
    • Feature-Policy - (Keep-alive or close)
    • X-XSS-Protection (Deprecated) - (Sets up a basic XSS filter in the browser.)
    • HTTP Public Key Pinning (Deprecated) - (Certificate pinning check)
    • Expect-CT (Deprecated) - (Certificate Transparency policy check)
    • SSL / HTTPS Service - (Tests if HTTPS is working correctly on port 443 and checks the SSL certificate.)
    • IPv6 - (Does the domain have IPv6 support or not?)


    • Enter a domain to check its DNS records: