DNS record lookup check

DNS record types tested in our free DNS record lookup test are divided into 6 large groups with a total of 71 tests:

  • DNS Parent Group - 5 tests
  • NS (Nameserver) - 17 tests
  • SOA (Start of Authority) - 9 tests
  • MX (Mail Exchanger) - 12 tests
  • MAIL (Email) - 4 tests
  • WWW (World Wide Web) - 24 tests

For ease of summarization, review and understanding, we have divided the test results of our DNS lookup record check in four statuses:

  • PASS status - No problem was found in the DNS record
  • FAIL status - We found a DNS record error that requires your attention
  • WARN status - We found a minor DNS record error
  • INFO status - Only information about a given DNS record for educational purposes without any detected errors

Below is an overview of the record results of our comprehensive DNS lookup check for a domain

DNS Record DNS Check DNS Test Name DNS Record Information
PASS Missing Direct Parent check OK. Your direct parent zone exists, SOA of parent zone com is which is good. Some domains (usually third or fourth level domains, such as or do not have a direct parent zone ('' in this example), which is legal but can cause confusion.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names
INFO NS records at parent servers Your NS record at parent servers are:[IP Address=][TTL=172800][IP Address=][TTL=172800]

These were obtained from However these were obtained from authority section and not answer section. It is better if they were obtained from answer section.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
DNS Group DNS Status DNS Test Name DNS Record Information
INFO NS records at your nameservers Your NS records at your nameservers are:
PASS Mismatched NS records OK. NS records at all your nameservers are identical.
PASS All nameservers respond All your nameservers responding.
PASS Recursive queries None of your nameservers allow recursive queries
PASS Zone Transfer Zone transfer not allowed by any of your nameservers
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers You have no stealth servers.
FAIL Missing nameservers 2 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:,
PASS No CNAMEs for domain OK. There are no CNAMEs for RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS TCP Allowed All your nameservers allow TCP connection
PASS Stealth NS record leakage Your DNS servers doesn't leak NS record in non-NS request.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS Glue for NS record OK. When we asked your nameservers for your NS records they also returned the A records for the NS records. This is a good thing as it will spare an extra A lookup needed to find those A records.
DNS Group DNS Status DNS Test Name DNS Record Information
INFO SOA record Your SOA record [TTL=] is:
Primary Name server:
Hostmaster E-mail address:
Serial #:
FAIL SOA MNAME entry SOA MNAME is not listed as a primary nameserver at your parent nameserver
FAIL SOA RNAME entry OK. valid SOA rname record not found
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 2009050102. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS report only checks the NS records listed at the parent servers (not any stealth servers).
FAIL SOA Serial Your SOA serial number is: . This doesn't appears to be in the recommended format of YYYYMMDDnn.
FAIL SOA REFRESH Your SOA REFRESH interval is: . That is not right
FAIL SOA RETRY OK. Your SOA RETRY interval is: . That is not right
FAIL SOA EXPIRE Your SOA EXPIRE interval is: . That is not right
PASS SOA MINIMUM TTL Your SOA MINIMUM TTL is: . That is not right
DNS Group DNS Status DNS Test Name DNS Record Information
FAIL MX Record No MX records found. You may ignore results of any other MX tests.
FAIL Reverse MX A records (PTR) There are no A records for your MXs, so the test cannot be performed.
DNS Group DNS Status DNS Test Name DNS Record Information
PASS SPF record v=spf1 -all
v=DMARC1; p=reject; adkim=s; aspf=s;
this domain never sends out email
WARN Sender ID record(spfv2.0) SenderID framework not implemented
PASS Domain Key Test v=spf1 -all
The interim sending domain policy
this domain may sign some email with DomainKeys available under selectors
  • The public key certificate is not tested
  • Separate domainkey records may exist for subdomains and selectors under this domain. this cannot be tested.
  • PASS DMARC v=DMARC1; p=reject; adkim=s; aspf=s;
    PASS DMARC v=spf1 -all
    DNS Group DNS Status DNS Test Name DNS Record Information
    INFO WWW A record Your WWW A record is: >
    You have separate A record for www
    PASS IPs are public OK. All of your WWW IP addresses appear to be public IP addresses.
    PASS HTTP Service OK: We can connect to http service on port 80.
    INFO Server http service on port 80 returns server information as
    Nginx/1.18.0 (Ubuntu)
    PASS Server Header http response header returns information about server as:
    PASS Connection http connection header return connection as: Close
    WARN Secure Header HSTS The server did not implement the HSTS (HTTP Strict Transport Security) policy. The header over the HTTPS connection was not found.
    PASS Secure Header X-Frame-Options XFO response header that protects against clickjacking is found as: SAMEORIGIN
    XFO enables content to be found or not within iframes via the browser.
    WARN Secure Header X-Content-Type-Options The X-Content-Type-Options secure header is not set
    WARN Secure Header Content-Security-Policy CSP is not defined in the policy. The return secure header does not send any feedback that the CSP has been set
    WARN Secure Header X-Permitted-Cross-Domain-Policies X-Permitted-Cross-Domain-Policies was not found in the response header
    PASS Secure Header Referrer-Policy Referrer-Policy is found in response header as: Same-origin
    The Referrer-Policy HTTP header determines what information will be sent in the Referrer header.
    INFO Secure Header Clear-Site-Data Clear-Site-Data was not found in the response header
    PASS Secure Header Cross-Origin-Embedder-Policy COEP response header is found in the HTTP request as: Require-corp
    COEP with express permission decides whether a document can be retrieved from multiple sources or not
    PASS Secure Header Cross-Origin-Opener-Policy COOP response header is found in the HTTP request as: Same-origin
    COOP allows you to secure a document by not sharing its browsing context group with documents from multiple sources
    PASS Secure Header Cross-Origin-Resource-Policy CORP policy is found in the response header as: Same-origin
    CORP specifies a policy that protects against certain requests for img and script elements and against XSSI (cross-site scripting injection) attacks.
    PASS Secure Header Cache-Control Cache-Control policy header is found in HTTP responses as: Private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Cache-Control belongs to the security header group that contains instructions for cashing
    PASS Secure Header Permissions-Policy Permissions-Policy header is found in the HTTP response. as: Accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    The Permissions-Policy header grants permission and controls who can access features
    INFO Secure Header Feature-Policy Feature-Policy header was not found in the HTTP responses.
    INFO Secure Header X-XSS-Protection (Deprecated) X-XSS-Protection header was not found in the HTTP responses.
    INFO Secure Header HTTP Public Key Pinning (Deprecated) HPKP header was not found in the HTTP responses.
    INFO Secure Header Expect-CT (Deprecated) Expect-CT header was not found in the HTTP responses.
    PASS SSL / HTTPS Protocol Domain use encrypted SSL / HTTPS connection on port 443.
    Check SSL Certificate.
    FAIL IPv6 Your domain has no IPv6 support

    Click below to Copy url to clipboard for easy sharing of results: