dnscheck.tools

Hello! Your public IP addresses are:

detecting...

Your DNS resolvers are:

detecting...

Your DNS security:

testing...

See more tools at addr.tools

ABOUT

dnscheck.tools is a tool to test for DNS leaks, DNSSEC validation, and more.

USAGE

Load dnscheck.tools in any web browser to identify your current DNS resolvers and check DNSSEC validation.

DNS TEST QUERIES

dnscheck.tools is also a custom DNS test server! Make test queries like:

$ dig [SUBDOMAIN.]go[-ALG][-NET].dnscheck.tools TXT

SUBDOMAIN

The SUBDOMAIN is composed of DNS response options, separated by a hyphen. Options may include:

  • any of:
    • <random> - a random number, up to 8 hexadecimal digits; useful for cache busting
    • compress - force the use of DNS message compression in the response
    • [no]truncate - force or disable message truncation for responses over UDP
    • watch - mirror corresponding requests to the /watch/<random> page; requires <random>
  • up to one of:
    • padding<n> - add <n> bytes of EDNS0 padding, up to 4000, to A, AAAA, and TXT responses
    • txtfill<n> - add <n> bytes of padding as TXT data, up to 4000, to TXT responses
  • up to one of:
    • formerr - respond with "format error"
    • servfail - respond with "server failure"
    • notimpl - respond with "not implemented"
    • refused - respond with "query refused"
    • noreply - do not respond
  • up to one of:
    • nosig - do not provide any DNSSEC signature in the response
    • badsig - provide an invalid DNSSEC signature when signing the response
    • expiredsig[<t>] - provide an expired DNSSEC signature when signing the response, <t> seconds in the past (default 1 day)

ALG & NET

The zone, go[-ALG][-NET], sets DNSSEC signing and network options.

  • ALG may be one of:
    • alg13 - sign the zone using ECDSA P-256 with SHA-256 (default)
    • alg14 - sign the zone using ECDSA P-384 with SHA-384
    • alg15 - sign the zone using Ed25519
    • unsigned - do not sign the zone
  • NET may be one of:
    • ipv4 - offer only IPv4 authoritative nameservers
    • ipv6 - offer only IPv6 authoritative nameservers

The zone "go" is equivalent to "go-alg13" and has both IPv4 and IPv6 authoritative nameservers.

EXAMPLES

See some information about your DNS resolvers:

$ dig go.dnscheck.tools TXT

For our Windows friends:

> nslookup -q=TXT go.dnscheck.tools

Getting cached results? Introduce a random number:

$ dig 123456.go.dnscheck.tools TXT

Test if your resolvers are validating DNSSEC. This should produce an error:

$ dig badsig.go.dnscheck.tools TXT

What if the response should have an Ed25519 signature, but doesn't?

$ dig nosig.go-alg15.dnscheck.tools TXT

Want to watch a stream of DNS requests coming from your resolvers?

$ curl -L https://dnscheck.tools/watch

Then specify the watch option and the random number given from the above command:

$ dig watch-654321-truncate.go.dnscheck.tools TXT

SEE ALSO

addr.tools

CONTACT

On reddit, u/dnschecktool

THIRD-PARTY DATA

IP addresses are grouped by their network registrants as discovered by the Registration Data Access Protocol.

Hostnames (pointer records) and authoritative nameservers are discovered by reverse DNS resolution.

IP geolocation data is provided by ipinfo.io.

PRIVACY POLICY

No personal data is collected. This site doesn't use cookies. Cheers!

dns requests: 0