dnscheck.toolsDNS resolvers are the servers on the Internet that translate domain names into IP addresses. This tool identifies your dns resolvers so you can verify your network configuration and check for dns leaks.
DNSSEC is a mechanism by which dns responses can be authenticated. You may wish to verify proper DNSSEC usage to protect yourself from attacks such as dns cache poisoning. This tool attempts connections to domain names which are purposely configured to fail DNSSEC authentication and warns you if any of those connections is successful.
Load https://dnscheck.tools in any web browser to identify your current dns resolvers and check DNSSEC validation.
Combine options into a hyphen-separated string. Then make a dns request using that string as a subdomain of go.dnscheck.tools.
Answers are provided for A, AAAA, and TXT requests. Responses are signed with DNSSEC algorithms 13, 14, and 15 by default.
The https://dnscheck.tools/watch[/xxxxxx] page displays, in real time, dns requests received for subdomains containing the "watch" option and 6-character alphanumeric string xxxxxx.
Subdomains may contain (hyphen-separated):
- any of:
- watch - display corresponding requests on the watch page
- noreply - do not respond at all (the request will time out)
- compress - force the use of dns message compression in the response
- truncate - set the message truncation flag in the response
- xxxxxx - a random 6-character alphanumeric string
- matches requests to a visitor of the watch page
- useful for cache busting
- one of:
- nosig - do not provide any DNSSEC signature in the response
- badsig - provide an invalid DNSSEC signature in the response
- expiredsig[t] - provide an expired DNSSEC signature
in the response
- the signature expiration is set to t seconds in the past
- t defaults to 86400 seconds
- one of:
- alg13 - use only ECDSA P-256 with SHA-256 when signing the response
- alg14 - use only ECDSA P-384 with SHA-384 when signing the response
- alg15 - use only Ed25519 when signing the response
- one of:
- ipv4 - respond only over IPv4
- ipv6 - respond only over IPv6
- one of:
- udp - respond only over UDP
- tcp - respond only over TCP
- `dig expiredsig3600-alg13.go.dnscheck.tools txt`
- `dig truncate-zyxw11.go.dnscheck.tools txt`
- `dig watch-ipv6-klx872.go.dnscheck.tools txt`
- https://alg15.go.dnscheck.tools
- https://badsig-ykf39p.go.dnscheck.tools
- ip.addr.tools - construct domain names that resolve to any given IP address, with free TLS certificate support
- info.addr.tools - view low-level identifying data for IP addresses and domain names
- dnsviz.net - analyze a domain's DNSSEC configuration
- r/dns, r/HomeNetworking - relevant subreddits
- 1.1.1.1, Google Public DNS, Quad9 - public dns resolvers
On reddit, u/dnschecktool
We don't track or care who you are. This site doesn't use cookies. Cheers!