ranjan@ranjan.info:~$ dig +short @8.8.8.8 any

DNS Health Report

Full DNS analysis — nameservers, SOA, mail configuration, web records, and security checks.

Domain analysis powered by Google DNS

What is a DNS health check?

A DNS health check audits every layer of a domain's DNS configuration: nameserver redundancy, SOA record sanity, mail records (MX, SPF, DKIM, DMARC, PTR), web records, and security features like DNSSEC and CAA. Misconfigured DNS causes problems that masquerade as other failures — mail landing in spam, intermittent outages, slow first connections — which is why a 30-second check is the right first step in most diagnoses.

Built and maintained by Ranjan Chatterjee, Infrastructure Consultant · Linux Server Specialist · free to use, no signup, no tracking

ranjan@ranjan.info:~$ faq --tool dns-lookup

Common questions

Which DNS records should every domain have?

At minimum: two or more nameservers on separate networks, an A (or AAAA) record for the site, MX records if the domain receives mail, and an SPF record even if it doesn't — "v=spf1 -all" on a no-mail domain stops spammers from forging it. Domains sending mail should add DKIM and DMARC; security-conscious ones add CAA and DNSSEC.

What are SPF, DKIM, and DMARC?

The three records that authenticate your email. SPF lists servers allowed to send for your domain; DKIM cryptographically signs each message; DMARC tells receivers what to do when the first two fail — and sends you reports about forgery attempts. Missing or broken, they're the most common reason legitimate business mail lands in spam.
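The baseline from the two answers above, written as a check over record sets that have already been fetched. This is an added example, not code from this tool; the zone dictionary layout, the function names, the sample data, and treating an MX record as the sign that a domain uses mail are all assumptions. DKIM is left out because its record cannot be located without knowing the selector.

```python
# Added example: zone layout, function names and sample data are assumptions.
def spf_records(txts):
    # An SPF record is a TXT record whose first term is exactly "v=spf1".
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def spf_all_qualifier(record):
    # Qualifier on the "all" mechanism: "-" fail, "~" softfail, "?" neutral, "+" pass.
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def dmarc_policy(txts):
    # DMARC lives in TXT at _dmarc.<domain>; tags are ';'-separated key=value pairs.
    for t in txts:
        tags = {k.strip().lower(): v.strip()
                for k, v in (p.split("=", 1) for p in t.split(";") if "=" in p)}
        if tags.get("v") == "DMARC1":
            return tags.get("p", "").lower() or None
    return None

def audit_zone(zone):
    findings = []
    if len(set(zone.get("NS", []))) < 2:
        findings.append("fewer than two nameservers")
    if not (zone.get("A") or zone.get("AAAA")):
        findings.append("no A or AAAA record")
    has_mail = bool(zone.get("MX"))  # assumption: MX present means the domain uses mail
    spf = spf_records(zone.get("TXT", []))
    if len(spf) != 1:  # zero records, or several (which receivers treat as an error)
        findings.append("no SPF record" if not spf else "multiple SPF records")
    else:
        q = spf_all_qualifier(spf[0])
        if q == "+":
            findings.append("SPF +all authorises every sender")
        elif not has_mail and q != "-":
            findings.append('no-mail domain should publish "v=spf1 -all"')
    if has_mail:
        policy = dmarc_policy(zone.get("_dmarc.TXT", []))
        if policy is None:
            findings.append("no DMARC record")
        elif policy == "none":
            findings.append("DMARC p=none only reports, it does not block")
    return findings

# Constructed sample zones (not real lookups).
PARKED = {"NS": ["ns1.example.net."], "A": ["192.0.2.10"], "TXT": ["v=spf1 ~all"]}
MAIL = {"NS": ["ns1.example.net.", "ns2.example.org."], "A": ["192.0.2.20"],
        "MX": ["10 mx.example.com."], "TXT": ["v=spf1 mx -all"],
        "_dmarc.TXT": ["v=DMARC1; p=none"]}
```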

How long do DNS changes take to propagate?

Exactly as long as your record's TTL — the caching time you set. A record with a 3600-second TTL takes up to an hour to update everywhere; lower the TTL to 300 in advance and changes complete in minutes. "DNS takes 24–48 hours" is a myth left over from an era of ignored TTLs.

What is DNSSEC and do I need it?

DNSSEC signs your DNS records so resolvers can verify they weren't tampered with in transit — protection against cache-poisoning and hijacking. For banks, SaaS, and anywhere trust matters, it's worth enabling; the main caution is operational: expired signatures take a domain fully offline, so it belongs with disciplined DNS management.

Why do mail servers check reverse DNS (PTR)?

A PTR record proves the sending IP maps back to a real hostname — spammers on hijacked machines usually can't set one. Receiving servers treat a missing or generic PTR as a spam signal, so mail from such servers gets filtered or rejected. It's set by whoever controls the IP, typically your hosting provider.