Rescuetime.com DNS record lookup check

DNS record types tested in our free DNS record lookup test are divided into 6 large groups with a total of 71 tests:

  • DNS Parent Group - 5 tests
  • NS (Nameserver) - 17 tests
  • SOA (Start of Authority) - 9 tests
  • MX (Mail Exchanger) - 12 tests
  • MAIL (Email) - 4 tests
  • WWW (World Wide Web) - 24 tests

For ease of summarization, review and understanding, we have divided the test results of our DNS lookup record check in four statuses:

  • PASS status - No problem was found in the DNS record
  • FAIL status - We found a DNS record error that requires your attention
  • WARN status - We found a minor DNS record error
  • INFO status - Only information about a given DNS record for educational purposes without any detected errors



Below is an overview of the record results of our comprehensive DNS lookup check for a domain Rescuetime.com:

DNS Record DNS Check DNS Test Name DNS Record Information
PARENT
PASS Missing Direct Parent check OK. Your direct parent zone exists, SOA of parent zone com is a.gtld-servers.net which is good. Some domains (usually third or fourth level domains, such as example.co.us or subdomain.example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names
INFO NS records at parent servers Your NS record at parent servers are:
dns1.Rescuetime.com[IP Address=52.23.100.9][TTL=172800]
dns2.Rescuetime.com[IP Address=52.6.53.44][TTL=172800]

These were obtained from e.gtld-servers.net. However these were obtained from authority section and not answer section. It is better if they were obtained from answer section.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
DNS Group DNS Status DNS Test Name DNS Record Information
NS
INFO NS records at your nameservers Your NS records at your nameservers are:
dns1.rescuetime.com[IP Address=52.23.100.9][TTL=3600]
dns2.rescuetime.com[IP Address=52.6.53.44][TTL=3600]
PASS Mismatched NS records OK. NS records at all your nameservers are identical.
PASS All nameservers respond All your nameservers responding.
PASS Recursive queries None of your nameservers allow recursive queries
PASS Zone Transfer Zone transfer not allowed by any of your nameservers
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers You have no stealth servers.
PASS Missing nameservers 2 All nameservers listed at parent servers are listed as NS records at your nameservers
PASS No CNAMEs for domain OK. There are no CNAMEs for Rescuetime.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS TCP Allowed All your nameservers allow TCP connection
PASS Stealth NS record leakage Your DNS servers doesn't leak NS record in non-NS request.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS Glue for NS record OK. When we asked your nameservers for your NS records they also returned the A records for the NS records. This is a good thing as it will spare an extra A lookup needed to find those A records.
DNS Group DNS Status DNS Test Name DNS Record Information
SOA
INFO SOA record Your SOA record [TTL=3600] is:
Primary Name server: dns-master.Rescuetime.com
Hostmaster E-mail address: ops.Rescuetime.com
Serial #:2024051600
Refresh: 10800
Retry: 3600
Expire: 604800
Default: 3600
FAIL SOA MNAME entry SOA MNAME dns-master.Rescuetime.com is not listed as a primary nameserver at your parent nameserver
PASS SOA RNAME entry OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: [email protected] (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 2009050102. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS report only checks the NS records listed at the parent servers (not any stealth servers).
PASS SOA Serial Your SOA serial number is: 2024051600. This appears to be in the recommended format of YYYYMMDDnn.
INFO SOA REFRESH OK. Your SOA REFRESH interval is: 10800. RFC 1912 recommends 1200 to 43200 seconds, low (1200) if the data is volatile or 43200 (12 hours) if it's not. If you are using NOTIFY you can set for much higher values, for instance, 1 or more days (> 86400 seconds).
WARN SOA RETRY OK. Your SOA RETRY interval is: 3600. Typical values would be 180 (3 minutes) to 900 (15 minutes) or higher.
WARN SOA EXPIRE OK. Your SOA EXPIRE interval is: 604800 .RFC 1912 recommends 1209600 to 2419200 seconds (2-4 weeks) to allow for major outages of the zone master.
PASS SOA MINIMUM TTL OK. Your SOA MINIMUM TTL is: 3600. That is OK
DNS Group DNS Status DNS Test Name DNS Record Information
MX
FAIL MX Glue MX record look up did not send glue record for atleast 1 MX server:
aspmx.l.google.com, alt1.aspmx.l.google.com, alt2.aspmx.l.google.com, aspmx2.googlemail.com, aspmx3.googlemail.com
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX name validity Good. We did not detect any invalid chars in hostnames for your MX records.
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
PASS Different MX records at nameservers Good. Looks like all your nameservers have the same set of MX records. This tests to see if there are any MX records not reported by all your nameservers
FAIL MX Glues match MX Glue returned by nameserver for MX record doesn't match with A record of MX hostname
aspmx.l.google.com > 64.233.177.27;///// X
alt1.aspmx.l.google.com > 172.217.197.26;///// X
alt2.aspmx.l.google.com > 108.177.12.27;///// X
aspmx2.googlemail.com > 172.217.197.26;///// X
aspmx3.googlemail.com > 108.177.12.27;///// X
FAIL Duplicate MX records You have duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
INFO MX Record Your 5 records:
10    aspmx.l.google.com    [IP Address=64.233.177.27]  [TTL=604800]
20    alt1.aspmx.l.google.com    [IP Address=172.217.197.26]  [TTL=604800]
30    alt2.aspmx.l.google.com    [IP Address=108.177.12.27]  [TTL=604800]
40    aspmx2.googlemail.com    [IP Address=172.217.197.26]  [TTL=604800]
50    aspmx3.googlemail.com    [IP Address=108.177.12.27]  [TTL=604800]
PASS Multiple MX records OK. You have multiple MX records. This means that if one is down or unreachable, the other(s) will be able to accept mail for you.
PASS Reverse MX A records (PTR) The reverse (PTR) record for your MX records:
64.233.177.27 -> yx-in-f27.1e100.net
172.217.197.26 -> qa-in-f26.1e100.net
108.177.12.27 -> ua-in-f27.1e100.net
172.217.197.26 -> qa-in-f26.1e100.net
108.177.12.27 -> ua-in-f27.1e100.net
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
DNS Group DNS Status DNS Test Name DNS Record Information
MAIL
PASS SPF record v=spf1 a mx include:amazonses.com include:_spf.google.com include:servers.mcsv.net -all
MS=1775CD7F2C4771500CFC85FFF9278255CC023D77
MS=ms12032021
y8qyvy6ds3ldmmwlvsq66sswzrb5r8k4
this domain sends email from following domains/subdomains:amazonses.com, _spf.google.com, servers.mcsv.net
domain sends mail through its MX servers
this domain is used to send mail
WARN Sender ID record(spfv2.0) SenderID framework not implemented
WARN Domain Key Test Domain keys not implemenetd for _domainkey.Rescuetime.com. Separate domainkey records may exist for subdomains and selectors under this domain. this cannot be tested.
PASS DMARC v=DMARC1;p=none;pct=100;rua=mailto:[email protected]
DNS Group DNS Status DNS Test Name DNS Record Information
WWW
INFO WWW A record Your WWW A record is:
www.Rescuetime.com > v3-1087880848.us-east-1.elb.amazonaws.com > 44.205.229.201
Your WWW is CNAME record and your CNAME entry returns A record which is good.
PASS IPs are public OK. All of your WWW IP addresses appear to be public IP addresses.
PASS HTTP Service OK: We can connect to http service on port 80.
INFO Server http service on port 80 returns server information as
Nginx
PASS Server Header http response header returns information about server as:
Nginx
PASS Connection http connection header return connection as: Keep-alive
PASS Secure Header HSTS The server implemented the HSTS (HTTP Strict Transport Security) policy by adding a header over the HTTPS connection as: Max-age=31536000
PASS Secure Header X-Frame-Options XFO response header that protects against clickjacking is found as: DENY
XFO enables content to be found or not within iframes via the browser.
PASS Secure Header X-Content-Type-Options The secure X-Content-Type-Options header is set as: Nosniff
The browser must interpret the file exactly as it is specified in the Content-Type HTTP header
PASS Secure Header Content-Security-Policy The return secure header sends feedback that the CSP has been found and specified. CSP is defined in the policy as: Default-src 'none'; base-uri 'self' docs.helpscout.net; block-all-mixed-content; child-src 'self' assets.braintreegateway.com assets.rescuetime.com assets-dev.rescuetime.com c.paypal.com www.youtube.com player.vimeo.com fast.wistia.net moz-extension://* chrome-extension://*; connect-src 'self' d3ccrbqtj64zhq.cloudfront.net support-media.rescuetime.com d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.sandbox.braintreegateway.com client-analytics.braintreegateway.com *.braintree-api.com *.paypal.com www.google-analytics.com connect.facebook.net www.facebook.com ysxtsrzt2b4s.statuspage.io rescuetime.helpscoutdocs.com secure.helpscout.net api.ipify.org beaconapi.helpscout.net chatapi.helpscout.net d3hb14vkzrxvla.cloudfront.net stats.g.doubleclick.net *.sumologic.com sentry.io *.ingest.sentry.io *.sentry-cdn.com wss: wss://*.pusher.com slack.com *.asana.com trello.com *.atlassian.com github.com *.google.com exist.io *.visualwebsiteoptimizer.com app.vwo.com logo.clearbit.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.gist.build blog.rescuetime.com *.fontawesome.com *.getharvest.com; font-src 'self' data: d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com fonts.gstatic.com app.vwo.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.gist.build *.fontawesome.com; form-action 'self' community.rescuetime.com blog.rescuetime.com *.welltory.com slack.com *.asana.com trello.com *.atlassian.com github.com *.github.com google.com *.google.com *.microsoftonline.com twitter.com *.twitter.com facebook.com *.facebook.com linkedin.com *.linkedin.com spotify.com *.spotify.com getharvest.com *.getharvest.com; frame-ancestors moz-extension://* chrome-extension://*; frame-src 'self' d3ccrbqtj64zhq.cloudfront.net support-media.rescuetime.com d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com assets.braintreegateway.com *.paypal.com djtflbt20bdde.cloudfront.net beacon-v2.helpscout.net platform.twitter.com www.googletagmanager.com www.google.com bid.g.doubleclick.net *.facebook.com tst.kaptcha.com ssl.kaptcha.com www.youtube.com moz-extension://* chrome-extension://* ifttt.com *.vimeo.com app.vwo.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.userreport.com *.gist.build; img-src 'self' data: d3ccrbqtj64zhq.cloudfront.net support-media.rescuetime.com d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com assets.braintreegateway.com *.paypal.com platform.twitter.com pbs.twimg.com www.google-analytics.com connect.facebook.net *.facebook.com d33v4339jhl8k0.cloudfront.net moz-extension://* chrome-extension://* via.placeholder.com ifttt.com api.producthunt.com zapier.com cdn.zapier.com www.google.com googleads.g.doubleclick.net *.adsymptotic.com *.visualwebsiteoptimizer.com *.ads.linkedin.com app.vwo.com track.customer.io secure.gravatar.com logo.clearbit.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.scdn.co *.userreport.com *.gist.build; manifest-src 'self'; media-src 'self' beacon-v2.helpscout.net support-media-storage.s3.amazonaws.com d3ccrbqtj64zhq.cloudfront.net support-media.rescuetime.com d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com; object-src 'self' djtflbt20bdde.cloudfront.net beacon-v2.helpscout.net assets.rescuetime.com assets-dev.rescuetime.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com js.braintreegateway.com assets.braintreegateway.com www.paypalobjects.com *.paypal.com d12wqas9hcki3z.cloudfront.net d33v4339jhl8k0.cloudfront.net djtflbt20bdde.cloudfront.net beacon-v2.helpscout.net cdn.ravenjs.com platform.twitter.com www.google-analytics.com www.googletagmanager.com www.google.com www.googleadservices.com googleads.g.doubleclick.net www.gstatic.com zapier.com connect.facebook.net dev.visualwebsiteoptimizer.com app.vwo.com cdn.rawgit.com player.vimeo.com assets.customer.io *.licdn.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.sentry-cdn.com *.gist.build gist-queue-consumer-api.cloud.gist.build ajax.googleapis.com blog.rescuetime.com *.userreport.com *.fontawesome.com; style-src 'self' 'unsafe-inline' d1tc833ex4oc93.cloudfront.net assets.rescuetime.com assets-dev.rescuetime.com fonts.googleapis.com beacon-v2.helpscout.net d12wqas9hcki3z.cloudfront.net djtflbt20bdde.cloudfront.net app.vwo.com *.ubembed.com *.userleap.com *.sprig.com *.usersnap.com *.gist.build *.fontawesome.com; upgrade-insecure-requests; worker-src blob:; report-uri https://www.rescuetime.com/csp-report
CSP prevents various types of attacks, such as cross-site scripting and other types of cross-site injection
PASS Secure Header X-Permitted-Cross-Domain-Policies X-Permitted-Cross-Domain-Policies is found in the response header as: None
X-Permitted-Cross-Domain-Policies is an XML file that gives a web client permission to handle data across domains.
PASS Secure Header Referrer-Policy Referrer-Policy is found in response header as: Origin-when-cross-origin, strict-origin-when-cross-origin
The Referrer-Policy HTTP header determines what information will be sent in the Referrer header.
INFO Secure Header Clear-Site-Data Clear-Site-Data was not found in the response header
INFO Secure Header Cross-Origin-Embedder-Policy COEP response header was not found in the HTTP request
INFO Secure Header Cross-Origin-Opener-Policy COOP response header was not found in the HTTP request
WARN Secure Header Cross-Origin-Resource-Policy CORP policy not found in response header
PASS Secure Header Cache-Control Cache-Control policy header is found in HTTP responses as: No-store
Cache-Control belongs to the security header group that contains instructions for cashing
WARN Secure Header Permissions-Policy Permissions-Policy header was not found in the HTTP responses.
INFO Secure Header Feature-Policy Feature-Policy header was not found in the HTTP responses.
PASS Secure Header X-XSS-Protection (Deprecated) X-XSS-Protection header is found in the HTTP response.as: 1; mode=block
X-XSS-Protection sets up a scripting filter in your browser.
INFO Secure Header HTTP Public Key Pinning (Deprecated) HPKP header was not found in the HTTP responses.
INFO Secure Header Expect-CT (Deprecated) Expect-CT header was not found in the HTTP responses.
PASS SSL / HTTPS Protocol Domain use encrypted SSL / HTTPS connection on port 443.
Check SSL Certificate.
FAIL IPv6 Your domain has no IPv6 support

Click below to Copy url to clipboard for easy sharing of results: