What the report actually checks
Most DNS tools check one thing at a time. This report checks everything at once — 39 checks across 7 categories — and tells you what's broken, what's at risk, and what's fine.
DNSSEC
Chain of trust validation
Checks for DNSKEY and DS records, validates the chain of trust between parent and child zones (the DS set published at the parent must contain a digest of a DNSKEY actually served by the child), identifies the NSEC/NSEC3 mode, and flags deprecated algorithms like RSA/SHA-1. With CA/B Forum Ballot SC-085v2 requiring CAs to perform DNSSEC validation on the lookups they make before issuing a certificate (effective March 2026), a signed zone whose chain does not validate is a certificate-issuance blocker, not a nice-to-have.
MX & Email
Inbound email infrastructure
Validates that MX records exist and resolve, confirms they point to hostnames (not bare IP addresses, which RFC 5321 does not allow in an MX), checks forward/reverse DNS (the PTR of each MX address must map back to its hostname), verifies redundancy across distinct IP ranges, and tests MTA-STS enforcement. A misconfigured MX setup silently drops legitimate email: the bounce goes to the sender, never to you.
DNS Hygiene
Record conflicts and violations
Detects exact-duplicate TXT records (the same string published twice, which some parsers reject), multiple SPF records (RFC 7208 allows exactly one v=spf1 record and returns permerror otherwise), wildcard MX/TXT records that cover every non-existent name, CNAME at the apex (RFC 1034 forbids a CNAME alongside any other data, so the MX and TXT behind it are unreachable), and TXT answers larger than the 512-byte classic UDP limit, which get truncated for resolvers without EDNS0.
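The record-conflict checks above can be run offline over a dumped zone. The following is an added example written for this page, not nslookup.io's own code: it takes a constructed zone as (owner, type, rdata) tuples and reports the same classes of problem the report flags (CNAME at apex, multiple v=spf1, exact-duplicate TXT, MX pointing at an address literal, wildcard MX/TXT, oversized TXT answers). The function names, the finding codes and the sample zone are this example's own; the TXT size estimate assumes a single compressed name pointer per answer RR and no EDNS0.

```python
import ipaddress
from collections import Counter, defaultdict


def is_ip_literal(target):
    """True if an MX target is an address literal rather than a hostname."""
    try:
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False


def txt_answer_size(owner, strings):
    """Approximate size of a UDP answer carrying one TXT RRset: 12-byte header,
    the question (owner name + 4), then per RR a 2-byte name pointer, 10 bytes
    of type/class/TTL/rdlength and length-prefixed <=255-byte character-strings.
    Without EDNS0 anything over 512 bytes is truncated and retried over TCP."""
    name_wire = sum(1 + len(label) for label in owner.rstrip(".").split(".")) + 1
    size = 12 + name_wire + 4
    for s in strings:
        chunks = [s[i:i + 255] for i in range(0, len(s), 255)] or [""]
        size += 2 + 10 + sum(1 + len(c) for c in chunks)
    return size


def hygiene_findings(zone, apex):
    """Run the record-conflict checks over (owner, type, rdata) tuples and
    return (code, owner, detail) findings."""
    findings = []
    by_owner = defaultdict(list)
    for owner, rtype, rdata in zone:
        by_owner[owner.lower()].append((rtype.upper(), rdata))
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        txts = [r for t, r in rrs if t == "TXT"]
        # RFC 1034 section 3.6.2: a CNAME owner may hold no other data. The apex
        # always holds SOA and NS, so a CNAME there hides the MX and TXT behind it.
        if "CNAME" in types and len(types) > 1:
            code = "CNAME_AT_APEX" if owner == apex.lower() else "CNAME_WITH_OTHER_DATA"
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append((code, owner, "CNAME cannot coexist with " + others))
        # RFC 7208 section 4.5: more than one v=spf1 record is a permerror, not a merge.
        spf = [r for r in txts if r.lower().startswith("v=spf1")]
        if len(spf) > 1:
            findings.append(("MULTIPLE_SPF", owner, "%d v=spf1 records" % len(spf)))
        for r, n in Counter(txts).items():
            if n > 1:
                findings.append(("DUPLICATE_TXT", owner, r))
        # RFC 5321 section 5.1: an MX names a host; an address literal is not one.
        for t, r in rrs:
            if t == "MX" and is_ip_literal(r.split()[-1]):
                findings.append(("MX_IP_LITERAL", owner, r))
        if owner.startswith("*."):
            for t in sorted(types & {"MX", "TXT"}):
                findings.append(("WILDCARD_" + t, owner, "matches every name that does not otherwise exist"))
        if txts and txt_answer_size(owner, txts) > 512:
            findings.append(("TXT_OVER_512", owner, "%d bytes" % txt_answer_size(owner, txts)))
    return findings


# Constructed zone (not real records) with one instance of each problem.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "CNAME", "edge.cdn.example.net."),          # CNAME at apex
    ("example.com.", "MX", "10 mail1.example.com."),
    ("example.com.", "MX", "20 192.0.2.25"),                     # MX target is an IP
    ("example.com.", "TXT", "v=spf1 include:_spf.example.net ~all"),
    ("example.com.", "TXT", "v=spf1 ip4:192.0.2.0/24 -all"),     # second SPF record
    ("example.com.", "TXT", "google-site-verification=abc123"),
    ("example.com.", "TXT", "google-site-verification=abc123"),  # exact duplicate
    ("*.example.com.", "MX", "10 mail1.example.com."),           # wildcard MX
]

if __name__ == "__main__":
    for code, owner, detail in hygiene_findings(ZONE, "example.com."):
        print(code, owner, detail)
```

A real authoritative server will usually refuse to load the apex CNAME in the sample, but hosted DNS control panels frequently accept it, which is exactly the case the report is looking for. The size check is deliberately pessimistic (one pointer per RR, no EDNS0) so that anything it passes fits in a classic 512-byte answer.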
TTL & SOA
Timing and propagation hygiene
Validates TTL ranges for NS (3600–86400), MX (300–86400), and A/AAAA (60–86400) records. Checks SOA refresh, retry, expire, and minimum values against RFC best practices. Flags TTL inconsistencies across record types and identifies SOA serial format as an operational maturity signal.
Nameservers
Redundancy and delegation
Ensures at least 2 nameservers (RFC 1034 requires at least two; RFC 2182 recommends spreading them across networks), checks IP range diversity and ASN diversity (all nameservers in one AS means one provider outage takes all of them down), detects lame delegations (a server listed in NS that does not answer authoritatively for the zone), measures response latency, verifies consistent SOA serials across all NS, and confirms EDNS0 support (required for DNSSEC, since the DO bit and the larger responses it needs travel in the OPT record).
CAA & Ops
Certificate control and operational maturity
Checks CAA records controlling which CAs can issue certificates, evaluates issuewild restrictions, verifies iodef reporting is configured, tests abuse mailbox reachability, and checks for security.txt at /.well-known/security.txt (RFC 9116): signals that indicate mature security operations.
How to use this DNS health checker
Enter a domain and get a full infrastructure audit in seconds. No account, no configuration.
Enter the domain
Type any domain — example.com, mail.example.com, api.example.com. We check the exact zone you specify.
We run 39 checks across 7 categories
All checks run in parallel — DNSSEC validation, MX infrastructure, record hygiene, TTL analysis, nameserver configuration, CAA records, and operational maturity signals. The whole process takes about 3 seconds.
Read the scored results
Each category gets a severity-weighted score. Critical checks (like DNSSEC chain of trust) count more than informational checks (like SOA serial format). The overall score is a weighted average across all categories. Failed checks show their severity level — critical, warning, or info — so you know what to fix first.
Check via API or MCP
If you're building tooling, running automated checks, or using an AI assistant that supports MCP, you can access the DNS health checker programmatically.
REST API (no authentication required):

```text
GET https://api.nslookup.io/v1/dns-health/example.com
# Returns: overall score, 7 category scores,
# 39 individual check results with pass/fail/severity
```
MCP (Model Context Protocol). Add to your MCP config:

```json
{
  "mcpServers": {
    "nslookup": {
      "url": "https://mcp.nslookup.io/mcp"
    }
  }
}
```

Then in Claude, Cursor, or any MCP-compatible client: "Run a DNS health check on api.example.com"
Understanding the results
How scoring works
Each check has a severity level that determines how much it affects the score:
| Severity | Weight | Examples |
|---|---|---|
| Critical | 10 points | DNSSEC chain of trust, SPF conflicts, lame delegation, MX resolution |
| Warning | 5 points | MTA-STS enforcement, TTL ranges, IP diversity, EDNS0 support |
| Info | 2 points | SOA serial format, ASN diversity, security.txt presence |
A domain that passes all critical checks but fails some informational checks still scores high — because the critical infrastructure is solid.
Score ranges
| Score | Rating | What it means |
|---|---|---|
| 90–100 | Excellent | DNS infrastructure is well-configured with no critical issues |
| 80–89 | Good | Solid foundation with minor improvements possible |
| 60–79 | Needs improvement | Some checks failing — review warnings and fix critical items |
| 0–59 | Critical issues | Significant DNS problems that may affect email delivery, security, or certificate issuance |
Why DNSSEC matters now — SC-085v2
The CA/Browser Forum passed Ballot SC-085v2, which requires Certificate Authorities to use DNSSEC-validating resolution for the DNS lookups they make during domain validation and CAA checking before issuing a certificate, effective March 2026. This means:
- If your zone is signed but the chain of trust is broken (a DS at the parent that matches no DNSKEY in the child, or expired signatures), a validating resolver answers SERVFAIL, the CA's lookup fails, and issuance fails with it
- If you haven't deployed DNSSEC, there's no immediate impact: an unsigned zone validates as insecure rather than bogus, and the lookup still succeeds
- The hard deadline is for zones that are already signed: a stale DS left at the registrar after a provider migration stops being an intermittent resolution problem and becomes a certificate-issuance outage
Common issues and what causes them
| Issue | Root cause | Impact | Fix |
|---|---|---|---|
| Multiple SPF records | Added new SPF without removing old one | Email auth fails (RFC 7208 allows only one v=spf1 record; more than one is a permerror) | Merge into single SPF record |
| CNAME at apex | Set CNAME on naked domain for CDN | Breaks MX and TXT lookups per RFC | Use ALIAS/ANAME or A record instead |
| Lame delegation | Changed NS at registrar but old NS still listed | Intermittent resolution failures | Update all NS records at registrar |
| No MTA-STS | Never configured | Email can be downgraded to plaintext in transit | Deploy MTA-STS with enforce mode |
| DS/DNSKEY mismatch | Migrated DNS provider without updating DS at registrar | DNSSEC validation fails → SERVFAIL for validating resolvers | Update DS record at registrar to match new DNSKEY |
| Single NS ASN | All nameservers on same provider | Provider outage takes down all DNS | Use secondary DNS on different provider |
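The DS/DNSKEY mismatch row above and the chain-of-trust check in the DNSSEC category come down to one computation: the DS at the parent must equal the digest of the child's DNSKEY. The following is an added example written for this page, not nslookup.io's own code, that reproduces that check offline from presentation-format records: it derives the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY, compares the parent's DS set against the child's keys, and separately flags signing algorithms that RFC 8624 has deprecated. The key, the zone name and the stale DS are constructed data; the function names are this example's own.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509, RFC 6605). Type 1 (SHA-1)
# is deprecated for DS by RFC 8624; a chain that only works through a SHA-1 DS
# deserves a warning, not a pass.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Signing algorithms RFC 8624 marks MUST NOT or NOT RECOMMENDED for signing:
# RSAMD5(1), DSA(3), RSASHA1(5), DSA-NSEC3-SHA1(6), RSASHA1-NSEC3-SHA1(7), ECC-GOST(12).
DEPRECATED_ALGS = {1, 3, 5, 6, 7, 12}


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B). It is a 16-bit
    checksum, not a hash: it only narrows which DNSKEY a DS refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(rr):
    """'owner TTL IN DS tag alg digesttype hex...' -> (tag, alg, dtype, HEX)."""
    f = rr.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def ds_for(owner, rdata, digest_type=2):
    """The DS the parent must publish for this DNSKEY: digest over the canonical
    owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def check_chain(dnskey_rrs, ds_rrs):
    """Compare the parent's DS set against the child's DNSKEY set. The chain
    holds if at least one DS matches a key; a DS matching nothing is stale
    (typically left at the registrar after a provider migration)."""
    keys = [parse_dnskey(rr) for rr in dnskey_rrs]
    result = {"ok": False, "matched": [], "stale_ds": [], "deprecated": []}
    for _, rdata in keys:
        if rdata[3] in DEPRECATED_ALGS:
            result["deprecated"].append((key_tag(rdata), rdata[3]))
    for ds in (parse_ds(rr) for rr in ds_rrs):
        tag, _, dtype, _ = ds
        matched = any(dtype in DS_DIGESTS and ds_for(owner, rdata, dtype) == ds
                      for owner, rdata in keys)
        result["matched" if matched else "stale_ds"].append(tag)
    result["ok"] = bool(result["matched"])
    return result


# Constructed data (not a real zone or key): a 64-byte "public key" standing in
# for an ECDSA P-256 key, the DS the registrar should hold for it, and a stale
# DS carrying a key tag and digest that no current DNSKEY produces.
PUBKEY = hashlib.sha256(b"constructed example key").digest() * 2
KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(PUBKEY).decode()
CORRECT_DS = "example.com. 86400 IN DS %d %d %d %s" % ds_for("example.com.", parse_dnskey(KSK)[1])
STALE_DS = "example.com. 86400 IN DS 2371 13 2 " + "AB" * 32

if __name__ == "__main__":
    print(check_chain([KSK], [CORRECT_DS]))  # ok is True
    print(check_chain([KSK], [STALE_DS]))    # ok is False, stale_ds is [2371]
```

The fix in the table follows directly from `ds_for`: whatever it returns for the KSK your current provider serves is the DS the registrar must publish. A DS whose key tag matches but whose digest does not is the classic sign that the key was rolled without a DS update.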
Questions we get a lot
What's the difference between this and a regular DNS lookup?
A DNS lookup shows you what records exist. The DNS Health Report tells you whether those records are configured correctly — and catches problems that a simple lookup won't show, like DNSSEC chain-of-trust failures, TTL misconfigurations, lame delegations, missing MTA-STS, and conflicting SPF records.
Why does my domain score low even though everything "works"?
DNS misconfigurations are silent. A missing intermediate in your certificate chain still works in Chrome, which fetches it on the fly, but breaks on clients that don't. A second SPF record still lets mail through at receivers that don't check SPF, but every receiver that follows RFC 7208 returns permerror for it. A lame delegation only fails when a resolver happens to pick that nameserver. The health report catches these invisible issues before they become outages.
Do I need DNSSEC?
Not strictly, and not in order to obtain a certificate: CA/B Forum Ballot SC-085v2 requires CAs to validate DNSSEC on their lookups starting March 2026; it does not require domains to sign. What it does make mandatory is that a signed zone validates correctly: if your DNSSEC deployment has a broken chain of trust, certificate issuance may fail. If you haven't deployed DNSSEC at all, nothing fails immediately, but the industry direction is clear.
What's MTA-STS and why should I care?
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) prevents email from being downgraded to plaintext during delivery. SMTP's STARTTLS is opportunistic, so without MTA-STS an attacker on the path can strip the STARTTLS offer and the sender quietly falls back to cleartext. Deploying MTA-STS with mode: enforce tells sending servers to deliver only over TLS, to a certificate valid for the MX host, and only to MX hosts the policy lists. It requires a DNS TXT record at _mta-sts.yourdomain.com (v=STSv1; id=...) whose id changes whenever the policy does, and a policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
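What "tests MTA-STS enforcement" amounts to, as an added example written for this page rather than nslookup.io's own code: parse the _mta-sts TXT record and the policy file, check that the mode is enforce, and check that every MX host the domain publishes is covered by an mx line, applying the RFC 8461 rule that a `*.domain` pattern matches exactly one leftmost label. The TXT record, policy body and MX list are constructed inputs; the function names and the max_age threshold are this example's own choices.

```python
# Constructed artefacts (not a real domain's policy): the _mta-sts TXT record,
# the policy body served at https://mta-sts.example.com/.well-known/mta-sts.txt,
# and the domain's MX hosts as DNS would return them.
STS_TXT = "v=STSv1; id=20240601T120000Z"
POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""
MX_HOSTS = ["mail1.example.com.", "mx2.backup-mx.example.net."]


def parse_sts_txt(txt):
    """The _mta-sts TXT record must read v=STSv1 with a non-empty id that
    changes whenever the policy file changes (RFC 8461 section 3.1).
    Returns the fields, or None if the record is not a usable MTA-STS record."""
    fields = {}
    for kv in txt.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields if fields.get("v") == "STSv1" and fields.get("id") else None


def parse_policy(text):
    """Policy file is 'key: value' lines; 'mx' may repeat (RFC 8461 section 3.2)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """An mx pattern is an exact hostname or '*.domain', where '*' stands for
    exactly one leftmost label (RFC 8461 section 4.1)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern


def evaluate(txt, policy_text, mx_hosts):
    """Return the reasons a sender would not treat this domain as protected;
    an empty list means enforce mode covers every published MX."""
    problems = []
    if parse_sts_txt(txt) is None:
        problems.append("TXT record missing or not v=STSv1")
    p = parse_policy(policy_text)
    if p.get("version") != "STSv1":
        problems.append("policy version is not STSv1")
    if p.get("mode") != "enforce":
        problems.append("mode is %r, not enforce: senders still fall back to cleartext" % p.get("mode"))
    try:
        if int(p.get("max_age", "0")) < 86400:  # one-day floor is this example's heuristic
            problems.append("max_age under one day gives senders almost no cached protection")
    except ValueError:
        problems.append("max_age is not an integer")
    for host in mx_hosts:
        if not any(mx_matches(pat, host) for pat in p["mx"]):
            problems.append("MX %s is not covered by any mx line; senders will refuse it" % host)
    return problems


if __name__ == "__main__":
    print(evaluate(STS_TXT, POLICY, MX_HOSTS))
    print(evaluate(STS_TXT, POLICY.replace("mode: enforce", "mode: testing"), MX_HOSTS))
```

The uncovered-MX case is the one that bites in practice: once a domain is in enforce mode, an MX added to DNS but not to the policy file is refused by every MTA-STS-aware sender until the policy (and the TXT id) are updated.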
Why does the report check for a CNAME at the apex?
A CNAME record at the zone apex (e.g., example.com pointing to a CDN) violates RFC 1034 §3.6.2, which forbids a CNAME from coexisting with any other record at the same name, and the apex always carries SOA and NS. When a resolver queries the apex for MX or TXT records, the CNAME redirects the entire query to the target, so your MX records and SPF record are not found. Some DNS providers offer ALIAS or ANAME records, which resolve the target server-side and return plain A/AAAA answers, as a standards-compliant alternative.
Is this checker free?
Yes. The DNS Health Report is completely free — no account required, no data stored. You can also access it via the REST API and MCP for automated checks.
Can I check DNS health via API?
Yes. GET /v1/dns-health/example.com returns the full report as structured JSON — overall score, 7 category scores, and all 39 individual check results with pass/fail status and severity. No API key needed. Also available via MCP for use in AI assistants like Claude and Cursor.