dnscheck.tools - inspect your dns resolvers

ABOUT

DNS resolvers are the servers on the Internet that translate domain names into IP addresses. You may wish to identify these servers to verify your network configuration or to check for dns leaks while using an anonymizing vpn service.

This web tool identifies your dns resolvers by attempting connections to randomly generated subdomains of our domain name in your browser. Our custom dns server receives the requests from your dns resolvers and uses the randomly generated part to link the requests to you.

DNSSEC is a mechanism by which dns responses can be authenticated. You may wish to verify proper DNSSEC usage to protect yourself against dns cache poisoning and similar attacks. This web tool attempts connections to domains which are purposely set up to fail DNSSEC authentication and warns you if one of those connections is successful.

ADVANCED USAGE

DNS

Form a command string by joining options with a hyphen character. Use the command string as a subdomain of "go.dnscheck.tools." Responses are provided for all valid A, AAAA, and TXT queries. Invalid queries are refused. By default, all responses are signed via DNSSEC algorithms 13, 14, and 15.

Options may include:

one of:
- noreply - do not respond at all (the request will time out)
- ipv4 - respond only to requests received over IPv4
- ipv6 - respond only to requests received over IPv6

one of:
- nosig - do not provide any DNSSEC signature in the response
- badsig - provide an invalid DNSSEC signature in the response
- expiredsig[s] - provide an expired DNSSEC signature in the response
  - where s is the number of seconds in the past the signature has expired (default is 86400)

one of:
- alg13 - only use algorithm 13 (ECDSA Curve P-256 with SHA-256) when signing the response
- alg14 - only use algorithm 14 (ECDSA Curve P-384 with SHA-384) when signing the response
- alg15 - only use algorithm 15 (Ed25519) when signing the response

any of:
- compress - force the use of dns message compression in the response
- truncate - set the message truncation flag in the response (force tcp)
- watch - used in conjunction with the watch http service (see below)
- xxxxxx - a 6 to 8 alphanumeric character random string
  - the first 6 characters are used as the client id for the watch http service (see below)
  - can be used for cache busting

Examples:

`dig expiredsig3600.go.dnscheck.tools txt`
`dig truncate-zyxw11.go.dnscheck.tools txt`
`dig watch-badsig-ipv6-klx872.go.dnscheck.tools a`

HTTP

/watch/xxxxxx - watch incoming dns requests (live!)
- where xxxxxx is the client id used in the dns requests (see above)
- the "watch" option must be used in the dns requests (see above)

CONTACT

On reddit, u/dnschecktool

PRIVACY POLICY

We don't track or care who you are. This site doesn't use cookies. Cheers!