dnscheck.tools is a tool to test for DNS leaks, DNSSEC validation, and more.

Load dnscheck.tools in any web browser to identify your current DNS resolvers and check DNSSEC validation.

dnscheck.tools is also a custom DNS test server!

Options affect the dns responses to queries for domain names formed from those options.

$ dig [OPTIONS.]go[-ALG][-NET].dnscheck.tools txt

Answers are provided for A, AAAA, and TXT queries.

A hyphen-separated list optionally containing:

• any of:
  • <random> - a random number, up to six digits; useful for cache busting
  • watch - mirror corresponding requests to the /watch/<random> page; requires <random>
  • truncate - set the message truncation flag in responses over UDP
  • compress - force the use of DNS message compression in the response

• one of:
  • padding<n> - add <n> bytes of EDNS0 padding, up to 4000, to A, AAAA, and TXT responses
  • txtfill<n> - add <n> bytes of padding as TXT data, up to 4000, to TXT responses

• one of:
  • formerr - respond with "format error"
  • servfail - respond with "server failure"
  • notimpl - respond with "not implemented"
  • refused - respond with "query refused"
  • noreply - do not respond

• one of:
  • nosig - do not provide any DNSSEC signature in the response
  • badsig - provide an invalid DNSSEC signature when signing the response
  • expiredsig[<t>] - provide an expired DNSSEC signature when signing the response, <t> seconds in the past (default 1 day)

• one of:
  • ipv4 - respond only over IPv4
  • ipv6 - respond only over IPv6

• one of:
  • tcp - respond only over TCP
  • udp - respond only over UDP; disables automatic message compression and truncation
  • dot - respond only over TLS

The zone, go[-ALG][-NET], sets DNSSEC signing and network options.

• ALG may be one of:
  • alg13 - sign the zone using ECDSA P-256 with SHA-256 (default)
  • alg14 - sign the zone using ECDSA P-384 with SHA-384
  • alg15 - sign the zone using Ed25519
  • unsigned - do not sign the zone

• NET may be one of:
  • ipv4 - offer only IPv4 authoritative nameservers
  • ipv6 - offer only IPv6 authoritative nameservers

The zone "go" is equivalent to "go-alg13" and has both IPv4 and IPv6 authoritative nameservers.

Make DNS requests, like...

• $ dig watch-123456.go-alg15.dnscheck.tools txt
• $ dig badsig-watch-123456.go-alg15.dnscheck.tools txt
• $ dig noreply-watch-123456.go.dnscheck.tools txt

... while monitoring https://dnscheck.tools/watch/123456

• addr.tools
• r/dns, r/HomeNetworking

On reddit, u/dnschecktool

IP addresses are grouped by their network registrants as discovered by the Registration Data Access Protocol.

Hostnames (pointer records) and authoritative nameservers are discovered by reverse DNS resolution.

IP geolocation data is provided by ipinfo.io.

We don't track or care who you are. We aren't affiliated with any VPN provider. This site doesn't use cookies. Cheers!