SPF, DMARC & MX safety
Counts SPF DNS lookups recursively (following includes) against the 10-lookup limit, flags +all, detects DMARC — including CNAME delegation — and warns when DMARC is weakened (reject → none) or all MX records are removed.
Paste a planned DNS change and check for email, SSL, availability, and propagation risks before deploying. Deterministic, rule-based, and read-only — no account needed.
It compares your current public DNS with the proposed state, then runs deterministic rules across email, DNS correctness, certificates, DNSSEC and migration safety — telling you what would break, what's a best-practice gap, and what's just an observation.
Catches CNAME-at-apex, CNAME conflicts (a name with a CNAME plus other records), MX targets that are CNAMEs or unresolvable, and NS delegation being removed or reduced before you take the zone offline.
Reads your current certificate's CA and checks it against the proposed CAA records — only raising a high alert when the change would actually block your issuer (or forbids all CAs), not just because CAA exists.
Flags DS records being removed (which breaks the chain at the parent) and DNSKEY changes so you can verify a proper key rollover before deploying.
Detects apex A/AAAA records removed with no replacement, the www host disappearing, and likely CDN/WAF bypass when a name moves from a CDN CNAME to a direct origin.
Warns when records being changed still carry a high TTL (slow propagation) and when many critical record types change at once — a sign to split the change into smaller, verifiable steps.
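The recursive SPF lookup count described under "SPF, DMARC & MX safety" above, as an added example that is not part of this page or the reviewer's own code. It walks `include:` and `redirect=` chains over a constructed table of TXT records (all names under `.example` are placeholders, not real providers; a real reviewer would resolve them over DNS), counts every term that costs a DNS query under RFC 7208 section 4.6.4, flags `+all`, and guards against include loops. The example domain deliberately exceeds the 10-lookup limit so you can see how a chain of innocent-looking includes adds up:

```python
# Constructed TXT records for a hypothetical domain (assumption: stand-in for live DNS).
TXT_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example a mx -all",
    "_spf.mailer.example": "v=spf1 include:_net1.mailer.example include:_net2.mailer.example ~all",
    "_net1.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_net2.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 redirect=_spf2.crm.example",
    "_spf2.crm.example": ("v=spf1 include:_a.crm.example include:_b.crm.example "
                          "include:_c.crm.example include:_d.crm.example include:_e.crm.example -all"),
    "_a.crm.example": "v=spf1 ip4:203.0.113.1 +all",
    "_b.crm.example": "v=spf1 ip4:203.0.113.2 -all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.3 -all",
    "_d.crm.example": "v=spf1 ip4:203.0.113.4 -all",
    "_e.crm.example": "v=spf1 ip4:203.0.113.5 -all",
}

# Mechanisms that cost a DNS lookup (RFC 7208 s4.6.4); the redirect= modifier counts too.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def count_spf_lookups(domain, txt, path=()):
    """Return (lookups, flags): DNS-querying terms reachable from `domain`, following
    include: and redirect= recursively, plus textual flags such as '+all' or a loop."""
    if domain in path:
        return 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    lookups, flags = 0, []
    for term in record.split()[1:]:
        qualifier = ""
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            if qualifier == "+":
                flags.append(f"+all at {domain}")   # anyone passes SPF for this sender
            continue
        if term.startswith("redirect="):
            lookups += 1
            sub, sub_flags = count_spf_lookups(term[len("redirect="):], txt, path + (domain,))
            lookups += sub
            flags += sub_flags
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()          # strip a CIDR suffix such as a/24
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
            if mech == "include":
                sub, sub_flags = count_spf_lookups(arg, txt, path + (domain,))
                lookups += sub
                flags += sub_flags
    return lookups, flags


def review_spf(domain, txt=TXT_RECORDS):
    """Turn the count and flags into (severity, message) findings; returns (lookups, findings)."""
    lookups, flags = count_spf_lookups(domain, txt)
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(("critical",
                         f"SPF needs {lookups} DNS lookups; receivers stop at {LOOKUP_LIMIT} (permerror)"))
    for flag in flags:
        severity = "high" if flag.startswith("+all") else "warning"
        findings.append((severity, flag))
    return lookups, findings


if __name__ == "__main__":
    total, found = review_spf("example.com")
    print(f"{total} lookups")
    for severity, message in found:
        print(f"[{severity}] {message}")
```

The loop guard uses the ancestor path rather than a global "seen" set on purpose: a provider included twice from different branches really does cost two lookups plus its subtree each time, so only true cycles are cut.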
Three steps, no account, and it never touches your live DNS.
Enter a domain and hit Load current DNS — the editor is pre-filled with the live records as a zone file, so you edit the diff instead of writing one from scratch.
Change what you intend to deploy — or paste a full zone file (BIND format) or a JSON array of records. The reviewer treats the proposed text as your complete intended zone state.
You get a diff (added / removed / modified), an overall risk score, and findings grouped by category. Each finding is labelled breaking, best-practice, or informational so you know what must be fixed versus what's advisory.
The reviewer is a stateless REST endpoint — nothing is stored. Post the domain and proposed records and get the full report back as JSON.
```
POST https://api.nslookup.io/v1/dns-change-review
{ "domain": "example.com", "proposed": "<zone-file or JSON>" }
# Returns: diff, riskScore + riskLevel, severity summary,
# and findings (id, severity, kind, evidence, recommendation)
```

Each finding adds severity-weighted points; the total is capped at 100.
| Severity | Weight | Examples |
|---|---|---|
| Critical | 30 points | MX removed, NS removed, CNAME conflict, SPF over the lookup limit |
| High | 20 points | Apex CNAME, DMARC weakened, DS removed, CAA blocks your CA |
| Warning | 10 points | Low TTL, www removed, CDN bypass, slow-propagation risk |
| Info | 3 points | CAA configured and allowed, SOA missing in a zone snippet |
| Score | Level |
|---|---|
| 0–24 | Low |
| 25–49 | Medium |
| 50–74 | High |
| 75–100 | Critical |
Severity tells you how urgent; the kind label tells you what type of issue it is — orthogonal dimensions:
| Kind | Meaning |
|---|---|
| Breaking | Will break resolution, mail, certificates or DNSSEC if deployed |
| Best practice | A security/quality/operational recommendation — not an outage |
| Informational | A neutral observation, no action implied |
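The scoring and labelling described from the API section through the three tables above, as an added example that is not the service's own code: it applies the page's severity weights and 100-point cap, maps the score to a level band, shapes a report the way the API response is described (diff, riskScore, riskLevel, severity summary, findings), and then shows why severity and kind are orthogonal by gating a deployment on the kind label rather than on the score alone. The finding ids, evidence strings and the diff are constructed placeholders:

```python
# Weights and bands copied from the page's scoring tables.
WEIGHTS = {"critical": 30, "high": 20, "warning": 10, "info": 3}
BANDS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))
LEVEL_ORDER = [label for _, label in reversed(BANDS)]    # Low, Medium, High, Critical


def risk_score(findings):
    """Severity-weighted sum, capped at 100."""
    return min(100, sum(WEIGHTS[f["severity"]] for f in findings))


def risk_level(score):
    """Map a 0-100 score onto the page's Low / Medium / High / Critical bands."""
    return next(label for floor, label in BANDS if score >= floor)


def severity_summary(findings):
    """Count findings per severity, always listing every severity."""
    summary = dict.fromkeys(WEIGHTS, 0)
    for f in findings:
        summary[f["severity"]] += 1
    return summary


def build_report(domain, diff, findings):
    """Assemble the documented response shape from a diff and a findings list."""
    score = risk_score(findings)
    return {"domain": domain, "diff": diff, "riskScore": score,
            "riskLevel": risk_level(score), "severity": severity_summary(findings),
            "findings": findings}


def deploy_gate(report, max_level="Medium"):
    """CI decision: any 'breaking' finding blocks regardless of score, and so does a
    risk level above max_level. Returns (allowed, reasons)."""
    reasons = [f"{f['id']}: {f['evidence']}" for f in report["findings"] if f["kind"] == "breaking"]
    if LEVEL_ORDER.index(report["riskLevel"]) > LEVEL_ORDER.index(max_level):
        reasons.append(f"risk level {report['riskLevel']} exceeds {max_level}")
    return (not reasons), reasons


# Constructed findings in the documented field shape (ids are placeholders, not the service's).
SAMPLE_FINDINGS = [
    {"id": "mx-removed", "severity": "critical", "kind": "breaking",
     "evidence": "example.com MX set removed", "recommendation": "keep at least one MX"},
    {"id": "dmarc-weakened", "severity": "high", "kind": "best-practice",
     "evidence": "_dmarc p=reject -> p=none", "recommendation": "keep p=reject"},
    {"id": "caa-ok", "severity": "info", "kind": "informational",
     "evidence": "CAA permits current issuer", "recommendation": "none"},
]
SAMPLE_DIFF = {"added": [], "removed": ["example.com MX"], "modified": ["_dmarc.example.com TXT"]}


if __name__ == "__main__":
    report = build_report("example.com", SAMPLE_DIFF, SAMPLE_FINDINGS)
    print(report["riskScore"], report["riskLevel"], report["severity"])
    print(deploy_gate(report))
```

The gate treats a single informational finding with a large score differently from a breaking one with a small score on purpose: the score says how urgent the whole change is, the kind says whether a specific finding will cause an outage.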
The DNS Health Report grades your current DNS. DNS Change Review diffs a proposed change against the current state and tells you what that specific change would break — before you deploy it.
No. The review is read-only and stateless — it fetches your current public DNS, compares it to the records you paste, and returns a report. Nothing is written or saved.
BIND zone-file text (e.g. example.com. 300 IN MX 10 mail.example.com.) or a JSON array of records. The format is auto-detected.
Yes. SPF lookups are counted recursively through include/redirect chains, and DMARC is detected even when _dmarc is a CNAME delegated to a provider.
Yes — no account, no stored data, available via the web and the REST API.
Change review is one layer. These check the rest of the stack.