DNS Health Check

Diagnose potential DNS issues, verify proper configuration, and get actionable recommendations

example.com

Overall DNS Health Score: 85

Your domain has a good DNS health score but has some minor issues that could be improved.

Category Scores

  • Security: 95
  • Availability: 87
  • Configuration: 75
  • Performance: 92
  • Email Config: 72

DNS Health Issues

DNSSEC Not Enabled

Your domain does not have DNSSEC enabled, making it potentially vulnerable to DNS spoofing or cache poisoning attacks. DNSSEC adds cryptographic signatures to DNS records to ensure their authenticity.

Recommendation: Enable DNSSEC with your domain registrar and DNS provider.

Improve TTL Settings

Your domain's TTL (Time To Live) values are set to 300 seconds (5 minutes), which is quite low for normal operation. While low TTL values are helpful during DNS migrations, they can increase DNS query load.

Recommendation: Consider increasing TTL values to 3600-14400 seconds (1-4 hours) for better caching and performance.

MX Record Issues

Your MX records configuration has issues that could impact email delivery. The primary mail server (mail.example.com) has no corresponding A record, which might cause email delivery problems.

Recommendation: Add an A record for mail.example.com or update MX records to point to a valid mail server.

Multiple Nameservers Properly Configured

Your domain is using 4 nameservers, which provides good redundancy. The nameservers are properly configured and have correct glue records.

Your nameserver configuration meets best practices for redundancy and reliability.

Detailed Health Check Results

Test | Status | Details
DNSSEC | Warning | DNSSEC not enabled. Domain vulnerable to cache poisoning attacks.
DNS Query Response Validation | Pass | DNS responses are properly formatted and validated.
Zone Transfer Security | Pass | Zone transfers are properly restricted.
CAA Records | Warning | CAA records not configured. Recommended for controlling certificate issuance.
SPF Records | Pass | SPF record properly configured to protect against email spoofing.
DKIM Records | Pass | DKIM records properly configured for email signing.
DMARC Records | Info | DMARC policy is set to 'none'. Consider a stricter policy.

Test | Status | Details
Nameserver Redundancy | Pass | 4 nameservers found. Recommended minimum is 2.
Nameserver Geolocation | Pass | Nameservers distributed across multiple geographic locations.
Nameserver Responsiveness | Pass | All nameservers respond within acceptable time (avg: 42ms).
Nameserver Network | Warning | 2 nameservers are on the same network. Consider diversifying providers.
Glue Records | Pass | Glue records properly configured for all nameservers.

Test | Status | Details
A Records | Pass | A records properly configured for domain and www subdomain.
AAAA Records | Warning | No IPv6 (AAAA) records found. Consider adding for IPv6 support.
MX Records | Fail | Primary mail server has no corresponding A record.
TXT Records | Pass | TXT records properly configured for SPF, DKIM, and verification.
NS Records | Pass | NS records match nameservers at registrar.
SOA Record | Pass | SOA record properly configured with reasonable values.

Test | Status | Details
TTL Settings | Info | TTL values set to 300 seconds. Consider increasing for better caching.
DNS Query Response Time | Pass | Average response time: 42ms (excellent: <100ms).
DNS Record Count | Pass | Total DNS records: 15 (within recommended limits).
Anycast DNS | Pass | Nameservers use Anycast for better performance.
CDN Integration | Pass | Domain appears to use a CDN for improved performance.

Test | Status | Details
MX Records | Fail | Primary mail server has no corresponding A record.
SPF Record | Pass | SPF record properly configured with all mail servers included.
DKIM Records | Pass | DKIM records present for primary mail domains.
DMARC Record | Info | DMARC policy set to 'none' (monitoring only).
Mail Server Responsiveness | Pass | Mail servers respond within acceptable time.
Reverse DNS | Warning | Mail server IP does not have proper reverse DNS (PTR) record.

Recommended Actions

Enable DNSSEC for Enhanced Security

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to your DNS records to protect against DNS spoofing, cache poisoning, and other DNS-based attacks. This helps ensure that users reach your legitimate website rather than a malicious impersonator.

  1. Contact your domain registrar or DNS provider to enable DNSSEC.
  2. Generate DNSSEC key pairs and sign your DNS zone.
  3. Upload DS (Delegation Signer) records to your domain registrar.
  4. Verify DNSSEC setup using online validation tools (e.g., dnsviz.net).

Fix MX Record Configuration

Your primary mail server (mail.example.com) lacks a corresponding A record, which can cause email delivery issues. Email servers need to resolve the MX target to an IP address to deliver mail.

  1. Add an A record for mail.example.com pointing to your mail server's IP address.
  2. Alternatively, update your MX records to point to a valid hostname with an existing A record.
  3. Consider adding a corresponding AAAA record for IPv6 support if applicable.
  4. Verify mail server configuration by sending test emails after changes.

Optimize TTL Settings

Your current TTL (Time To Live) values are set to 300 seconds (5 minutes), which is quite low for normal operation. While low TTL values are helpful during DNS changes, they increase DNS query load and can affect performance.

  1. Increase TTL values to 3600-14400 seconds (1-4 hours) for standard records.
  2. Consider a higher TTL (86400 seconds/24 hours) for stable records like NS records.
  3. Only lower TTL values temporarily before planned DNS changes.
  4. Remember to increase TTL values again after DNS changes are complete.
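
The MX-target, TTL and DMARC findings discussed in this report can be reproduced offline against a zone export. The following is an added example, not the tool's own code; the zone contents, the function names and the rule that only in-zone MX targets are checked are assumptions, and all records are constructed sample data.

```python
# Constructed sample zone in "name ttl class type rdata" form (documentation IPs).
ZONE = """\
example.com.        300  IN MX  10 mail.example.com.
example.com.        300  IN MX  20 backup.example.com.
example.com.        300  IN A   192.0.2.10
www.example.com.    300  IN A   192.0.2.10
backup.example.com. 3600 IN A   192.0.2.25
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
"""

MIN_TTL = 3600  # lower bound of the 3600-14400 s range recommended above


def parse_zone(text):
    """Parse fully qualified one-line records; $ORIGIN/$TTL are not handled."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append({"name": name.lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata.strip()})
    return records


def audit(records, origin="example.com."):
    """Return (severity, message) findings for MX targets, DMARC policy and TTLs."""
    findings = []
    addressed = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    for r in records:
        if r["type"] == "MX":
            target = r["rdata"].split()[1].lower()
            # Out-of-zone targets cannot be judged from this file; skip them.
            if ("." + target).endswith("." + origin) and target not in addressed:
                findings.append(("FAIL", f"MX target {target} has no A/AAAA record"))
        if r["type"] == "TXT" and r["name"].startswith("_dmarc."):
            tags = dict(t.strip().split("=", 1)
                        for t in r["rdata"].strip('"').split(";") if "=" in t)
            if tags.get("p") == "none":
                findings.append(("INFO", f"DMARC policy at {r['name']} is 'none'"))
    low = sorted({r["name"] for r in records if r["ttl"] < MIN_TTL})
    if low:
        findings.append(("INFO", f"TTL below {MIN_TTL}s on: {', '.join(low)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_zone(ZONE)):
        print(severity, message)
```

An MX target hosted outside the zone (for example at a mail provider) is deliberately not flagged, because its address records live in another zone and need a live lookup to confirm.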

Understanding DNS Health

What is DNS Health?

DNS health refers to the overall stability, security, performance, and correct configuration of your domain's DNS infrastructure. A healthy DNS setup ensures that your domain and services remain accessible, secure, and optimized for users around the world.

Regular DNS health checks help identify potential issues before they lead to downtime, security vulnerabilities, or performance problems. They examine various aspects of your DNS configuration, from basic record setup to advanced security measures like DNSSEC.

Common DNS Issues

Many websites suffer from DNS issues that can impact availability, security, and performance:

  • Misconfigured Records: Incorrect DNS records leading to service unavailability.
  • Single Points of Failure: Insufficient nameserver redundancy causing outages.
  • Security Vulnerabilities: Missing DNSSEC, SPF, DKIM, or DMARC records.
  • Performance Issues: Poor TTL settings or nameserver distribution.
  • Email Delivery Problems: Improperly configured MX, SPF, or reverse DNS records.
  • Outdated Records: Stale DNS entries pointing to decommissioned servers.

DNS Health Best Practices

Follow these DNS best practices to maintain a healthy domain infrastructure:

  • Use at least 2-4 nameservers from different providers and networks.
  • Enable DNSSEC to protect against DNS spoofing attacks.
  • Implement SPF, DKIM, and DMARC for email security.
  • Use appropriate TTL values (1-4 hours for standard operation).
  • Regularly audit DNS records to remove outdated entries.
  • Monitor DNS health and performance with regular checks.
  • Document DNS changes and maintain a record of configurations.
  • Follow a careful process for DNS migrations to minimize downtime.