dnscheck.tools is a tool to test for DNS leaks, DNSSEC validation, and more.

Load dnscheck.tools in any web browser to identify your current DNS resolvers and check DNSSEC validation.

dnscheck.tools is also a full-blown DNS resolver test suite!

Form a test by picking options from below. Execute a test by combining options into a hyphen-separated string and making a DNS request using that string as a subdomain of go.dnscheck.tools.

Answers are provided for A, AAAA, and TXT requests. Responses are signed with DNSSEC algorithms 13, 14, and 15 by default.

The dnscheck.tools/watch[/xxxxxx] page displays, in real time, DNS requests received for subdomains containing the "watch" option and matching random string xxxxxx.

Subdomains may contain (hyphen-separated):

• any of:
  • compress - force the use of DNS message compression in the response
  • truncate - set the message truncation flag in responses over UDP
  • watch - display corresponding requests on the watch page; requires the random string option
  • [xxxxxx] - a random 6-character alphanumeric string; matches requests to a user of the watch page; also useful for cache busting

• one of:
  • padding[s] - unless rate limited, add s bytes of EDNS0 padding, up to 4000, only to A, AAAA, and TXT responses
  • txtfill[s] - unless rate limited, add s bytes of padding as TXT, up to 4000, only to TXT responses

• one of:
  • formerr - respond with Format Error
  • servfail - respond with Server Failure
  • notimpl - respond with Not Implemented
  • refused - respond with Query Refused
  • noreply - do not respond at all

• one of:
  • nosig - do not provide any DNSSEC signature in the response
  • badsig - provide an invalid DNSSEC signature in the response
  • expiredsig[t] - provide an expired DNSSEC signature in the response, t seconds in the past; defaults to one day

• one of:
  • alg13 - use only ECDSA P-256 with SHA-256 when signing the response
  • alg14 - use only ECDSA P-384 with SHA-384 when signing the response
  • alg15 - use only Ed25519 when signing the response

• one of:
  • ipv4 - respond only over IPv4
  • ipv6 - respond only over IPv6

• one of:
  • tcp - respond only over TCP (including DNS over TLS)
  • udp - respond only over UDP; disables automatic message compression and truncation

• `dig expiredsig3600-alg13.go.dnscheck.tools txt`
• `dig truncate-zyxw11.go.dnscheck.tools txt`
• `dig ipv6-watch-klx872.go.dnscheck.tools txt`
• `curl https://alg15.go.dnscheck.tools`
• `curl https://badsig-ykf39p.go.dnscheck.tools`

• info.addr.tools - view low-level identifying data for IP addresses and domain names
• ip.addr.tools - construct domain names that resolve to any given IP address
• dnsviz.net - analyze a domain's DNSSEC configuration
• r/dns, r/HomeNetworking - relevant subreddits

On reddit, u/dnschecktool

IP addresses are grouped by their network registrants as discovered by the Registration Data Access Protocol.

Hostnames (pointer records) and authoritative nameservers are discovered by reverse DNS resolution.

IP geolocation data is provided by ipinfo.io.

We don't track or care who you are. We aren't affiliated with any VPN provider. This site doesn't use cookies. Cheers!