dnscheck.tools - test your dns resolvers

ABOUT

dnscheck.tools is a tool to test for DNS leaks, DNSSEC validation, and more.

USAGE

Load dnscheck.tools in any web browser to identify your current DNS resolvers and check DNSSEC validation.

DNS Test Server

dnscheck.tools is also a custom DNS test server!

Options affect the dns responses to queries for domain names formed from those options.

# dig [OPTIONS.]go.dnscheck.tools txt

Answers are provided for A, AAAA, and TXT queries. Responses are signed with DNSSEC algorithms 13, 14, and 15 by default.

OPTIONS

A hyphen-separated list optionally containing:

any of:
- <random> - any six-character alphanumeric string; useful for cache busting
- watch - mirror corresponding requests to the /watch/<random> page; requires <random>
- truncate - set the message truncation flag in responses over UDP
- compress - force the use of DNS message compression in the response

one of:
- padding<n> - add <n> bytes of EDNS0 padding, up to 4000, to A, AAAA, and TXT responses
- txtfill<n> - add <n> bytes of padding as TXT data, up to 4000, to TXT responses

one of:
- nosig - do not provide any DNSSEC signature in the response
- badsig - provide an invalid DNSSEC signature in the response
- expiredsig[<t>] - provide an expired DNSSEC signature in the response, <t> seconds in the past (default 1 day)

one of:
- alg13 - use only ECDSA P-256 with SHA-256 when signing the response
- alg14 - use only ECDSA P-384 with SHA-384 when signing the response
- alg15 - use only Ed25519 when signing the response

one of:
- tcp - respond only over TCP (including DNS over TLS)
- udp - respond only over UDP; disables automatic message compression and truncation

Examples

Make DNS requests, like...

... while monitoring https://dnscheck.tools/watch/abc123