What DNS checkers should people use?


I see people making horrible mistakes with MX, CNAME and AAAA additions they make: I have to agree that this output, although nice, will completely overwhelm the people targeted. This will leave them with more questions than answers, or completely freeze them in fear :slight_smile:


Thank you for the URL! :slight_smile: Nice for the web-based toolbelt :slight_smile:


One idea might be to have a form letter reply where we say that we won’t proceed with answering the question unless the user either shares the domain name or pastes the result of some kind of diagnostic tool that did check the DNS setup. (These results could redact the domain name but might say “Yes, the DNS settings are OK for Let’s Encrypt issuance” or “No, the DNS settings have a problem that would prevent Let’s Encrypt issuance”.)


You’re providing a free (and valuable) service, and then providing free support for that service.

My opinion is that users asking for help should be required, at minimum, to complete a diagnostics tool that would start with entering the domain name. If any DNS issues can be automatically detected, the user should be directed to a very simple guide on correcting that issue. I might even consider requiring a minimum wait time for posting after completion.

In summary, you folks are providing so much for free, don’t hesitate to say “no” every once in a while :slight_smile:
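The two posts above sketch a diagnostic tool that takes a domain name and answers "yes, the DNS settings are OK for Let's Encrypt issuance" or "no, there is a problem", possibly with the domain redacted. The following is an added example of what the decision logic of such a tool could look like; it is not code from the thread or from Let's Encrypt. It parses the `+noall +answer` output of dig (sample outputs and the names example.com, www.example.com and ghost.example.net are constructed for the demo) and flags the two DNS conditions that actually block issuance: no A/AAAA address for the name (including a CNAME whose target does not resolve) and a CAA policy that does not permit letsencrypt.org. It simplifies real CAA processing, which also climbs to parent labels when the name itself has no CAA record.

```python
"""Added example: minimal offline "is this DNS OK for Let's Encrypt?" check.

Input is the text of `dig +noall +answer <name> A|AAAA|CNAME|CAA`; the sample
outputs below are constructed, not captured from real zones."""
import re
from dataclasses import dataclass

# One dig answer line: NAME TTL IN TYPE RDATA (whitespace-separated)
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
# CAA RDATA: FLAGS TAG "VALUE"
CAA_RDATA = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')


@dataclass
class Record:
    name: str   # owner name, lowercase, no trailing dot
    rtype: str  # A, AAAA, CNAME, CAA, ...
    data: str   # RDATA as printed by dig


def parse_dig(output: str) -> list[Record]:
    """Turn dig answer lines into Record objects; comments and junk are skipped."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_LINE.match(line)
        if m:
            name, _ttl, rtype, data = m.groups()
            records.append(Record(name.rstrip(".").lower(), rtype, data.strip()))
    return records


def _caa_allows_letsencrypt(value: str) -> bool:
    """A CAA issue value is 'ca-domain[; params]'; a bare ';' forbids every CA."""
    ca = value.split(";", 1)[0].strip().lower()
    return ca == "letsencrypt.org"


def check_for_issuance(domain: str, records: list[Record],
                       wildcard: bool = False) -> tuple[bool, list[str]]:
    """Return (ok, problems) for issuing a certificate for `domain`."""
    domain = domain.rstrip(".").lower()
    problems: list[str] = []

    # 1. The validators must be able to reach the name: it needs an address.
    addrs = [r for r in records if r.rtype in ("A", "AAAA")]
    cnames = [r for r in records if r.rtype == "CNAME" and r.name == domain]
    if not addrs:
        if cnames:
            problems.append(f"{domain} is a CNAME to {cnames[0].data} "
                            "but that target has no A/AAAA record")
        else:
            problems.append(f"{domain} has no A or AAAA record, so the "
                            "HTTP-01 and TLS-ALPN-01 validators cannot reach it")

    # 2. CAA: if issue/issuewild records exist, one of them must name letsencrypt.org.
    issue, issuewild = [], []
    for r in records:
        if r.rtype != "CAA":
            continue
        m = CAA_RDATA.match(r.data)
        if not m:
            problems.append(f"unparseable CAA record: {r.data}")
            continue
        _flags, tag, value = m.groups()
        (issuewild if tag.lower() == "issuewild" else
         issue if tag.lower() == "issue" else []).append(value)
    # For wildcard names issuewild overrides issue when present (simplified: no parent walk).
    effective = issuewild if (wildcard and issuewild) else issue
    if effective and not any(_caa_allows_letsencrypt(v) for v in effective):
        problems.append(f"CAA policy at {domain} ({', '.join(effective)}) "
                        "does not list letsencrypt.org")
    return (not problems, problems)


def verdict(domain: str, dig_output: str, redact: bool = True) -> str:
    """The one-line answer a user could paste into a support request."""
    ok, problems = check_for_issuance(domain, parse_dig(dig_output))
    if ok:
        return "Yes, the DNS settings are OK for Let's Encrypt issuance"
    text = "No, the DNS settings have a problem that would prevent Let's Encrypt issuance: " + "; ".join(problems)
    return text.replace(domain, "<domain>") if redact else text


# Constructed sample dig outputs (192.0.2.0/24 is the documentation range).
GOOD_DIG = 'example.com.\t300\tIN\tA\t192.0.2.10\nexample.com.\t300\tIN\tCAA\t0 issue "letsencrypt.org"\n'
BLOCKED_CAA_DIG = 'example.com. 300 IN A 192.0.2.10\nexample.com. 300 IN CAA 0 issue "digicert.com"\n'
DANGLING_CNAME_DIG = 'www.example.com. 300 IN CNAME ghost.example.net.\n'

if __name__ == "__main__":
    for name, out in [("example.com", GOOD_DIG), ("example.com", BLOCKED_CAA_DIG),
                      ("www.example.com", DANGLING_CNAME_DIG)]:
        print(verdict(name, out))
```

In practice the tool would run dig itself (`dig +noall +answer example.com A` and the same for AAAA, CNAME and CAA), concatenate the answers and feed them to `verdict`, so the user only sees the yes/no line with the domain redacted.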


I’ve always been in favour of a method like this and still like it most. “Forcing” the users gently gets them support, but not before support gets the information it needs. One could choose the form of delivery once it is decided which output support wants, since it is (or can be) sensitive data… a PDF to a certain mailbox that is accessible to support comes to mind. Users generally like that, even without knowing how many people are “in support” :slight_smile:


Why post tools that have nothing to do with DNS in a discussion about DNS tools?

They are great tools, but Windows users are a minority for Let’s Encrypt and SSL Labs is well known. In fact, certbot points you to SSL Labs as a way of checking your configuration after obtaining certificates.

Not trying to be a downer, just curious.



Check out DNS Spy.


That looks like a nice tool, but most of the problems that it identifies are not relevant at all to Let’s Encrypt issuance and so I think it would confuse users in this context.


This new tool is more about security, but it checks common DNS configuration issues: https://www.hardenize.com/


Without blabbing too much, I had one Mac OS X Server some time ago but I was running into some limitation issues. So, I decided to build my own server from scratch out of two Mac OS client computers (hardware). As many of you know, to have a server you need (but do not have to) have a static IP address.

We all know how IP addresses have become a capitalized luxury for ISPs, and it was not cheap to order some. I tried once and that ended up being very expensive. I dropped the service the following month. ISPs presume that anyone who has a server is a start-up multimillion-dollar company.

So I resolved this issue by running my server on a dynamic IP address using free services like OpenDNS and DNSUpdate. Not a perfect situation, but it worked. Then ATT offered to give us one static IP address with their new U-verse service. So I got one static IP address, which I used to update my server and first serve one FQDN domain.

Later, I expanded to two domains. Now, I am running three domains plus one with an e-commerce shop using the open-source software Prestashop.

Therefore, the server runs mainly on BIND, Apache (Bitnami MAMP) and MySQL. I could just manage the server using the terminal, but Webmin proved to be very helpful for managing the many aspects of the server. Besides, with Webmin (also open source) and Letsencrypt, anyone can have their own cloud server. You might think I am talking too much, but I want you to understand that there are some limitations here.

  1. The number one limitation is that U-verse will not reverse your domain, so you are eternally plagued with the issue of NXDOMAIN (nonexistent domain). Not even with CNAMEs will one be able to resolve that issue. That is because the ISP is the main delegator of the IP address and therefore has the first authority on something that would take 2-3 minutes to do. But I understand, it would take extra work and that is not something they are looking for.

  2. The second limitation is that one cannot properly configure their NS (name servers) because to configure a real authoritative DNS domain you need at least 3 delegated static IP addresses and I have only one (without a delegated reverse map). It is also highly advisable to have a slave server on another network, just in case your own network goes down, like in those blackout situations.

So, what did I do? Well, I just built my configuration out of my own limitations. Does that work? Yes, everything works. All my websites have been served with one single IP address, and my server pretends that it has its own NS servers but relies on other NS servers to work properly. The software I use to troubleshoot the server is:

  1. dig
    (Native OS X terminal)

  2. ping
    (Native OS X terminal)

  3. tcpdump with flags -v or -vv
    (Native OS X terminal)

  4. networksetup
    (Native OS X terminal)

  5. ifconfig
    (Native OS X terminal)

  6. whois
    (Native OS X terminal)

  7. Zenmap

  8. Wireshark

  9. Namebench (to check what NS servers are the fastest one)

  10. IntoDNS (to check some notorious misconfigurations)

Ha, there is one more limitation I left out.

  3. The third limitation has to do with the Mac OS X client System Preferences > Network. I had a real hard time configuring the internal IPv6 addresses with that. The external IPv6 works fine without that, but I still need to perform slave updates on the intranet. I am working on the issue and it seems like I found a solution. It is too early to tell because it is in testing mode and the internal IPv6 that I configured needs to stick to the network. We will see!

PS: Ha, one more thing! Like Columbo (the actor) used to say: do you remember that I said I had ordered some IP addresses from ATT some time ago? Well, they never deleted the IP delegation. So, if you check (dig) bonsi.org, it will return 2 IPs. One of the IPs is the ATT-delegated IP that will reverse to the domain. Since I just recently found out that they never deleted the delegation, ha, ha, ha, I am using it! But the delegated IP will never resolve because it is blocked by a firewall at their gateway machine. So I am doing it just for fun for a little while to see if they notice the issue. But I will delete that soon, before the next Letsencrypt renewal.
*** Update! The old ATT-delegated IP zone has been deleted at the “parent” and on my end.

