DNS Tools
Sandboxed DNS diagnostics: dig, propagation, DNSSEC, reverse, zone health, AXFR, CT/crt.sh, WHOIS, bulk WHOIS, typosquat, rndc flush.
The tabs, one sentence each
- Dig — single query against a chosen resolver, with the common flags exposed as clickable chips.
- Propagation — the same A/AAAA/MX/NS/TXT query against 16 public resolvers in parallel; highlights divergence.
- DNSSEC — walks the chain of trust (DNSKEY → DS at parent → root) and flags missing/weak links.
- Reverse — PTR lookup for an IP, optionally against a specific resolver.
- Zone Health — SOA agreement, lame-NS detection, MX/apex sanity.
- AXFR — tries a zone transfer against each authoritative NS. A refusal is the expected healthy answer.
- CT / crt.sh — certificate-transparency history for a domain (passive subdomain discovery).
- WHOIS — registrar, registrant, creation/expiry, name servers, DNSSEC flag, status codes.
- Bulk WHOIS — paste up to 200 domains; concurrency capped at 4 to avoid upstream rate-limits; export as CSV.
- Typosquat — homoglyph / omission / transposition / insertion / TLD-swap permutations, resolved in parallel.
- rndc flush (admin only) — flush the local BIND9 recursive cache, optionally targeted to one zone.
Deep-linkable
Every tab is bookmarkable: /ui/dns-tools#propagation, /ui/dns-tools#axfr, etc. The URL hash updates as you click tabs.
Scope guardrails
Each target is checked against the Scope Manager before any query is sent. If your install is set to internal, queries against public IPs are rejected before they leave the host; if it is set to external, queries against internal IPs are rejected the same way. If you need both, set scope to both.
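A sketch of this kind of pre-flight check for IP-literal targets, added here as an example and not the Scope Manager's own code. The function names and the rule "anything not globally routable counts as internal" are assumptions.

```python
import ipaddress

SCOPES = {"internal", "external", "both"}  # scope values named in the text above


def classify(target: str) -> str:
    """Return 'internal' or 'external' for an IP literal (assumed rule)."""
    ip = ipaddress.ip_address(target.strip())
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the address is judged
    # by the IPv4 address it actually reaches, not by its IPv6 wrapper.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_global is False for RFC 1918, loopback, link-local, CGNAT
    # (100.64.0.0/10) and IPv6 ULA; all of those are treated as internal.
    return "external" if ip.is_global else "internal"


def check_scope(target: str, scope: str) -> tuple[bool, str]:
    """Decide, before any packet is sent, whether target is allowed."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    try:
        kind = classify(target)
    except ValueError:
        # Hostnames cannot be classified without resolving them, which
        # would itself leave the host. This sketch fails closed.
        return False, "not an IP literal; rejected without resolving"
    if scope == "both" or scope == kind:
        return True, f"{kind} target allowed by scope={scope}"
    return False, f"{kind} target rejected by scope={scope}"


if __name__ == "__main__":
    # Constructed sample targets, not taken from any real install.
    for tgt in ("10.0.0.5", "8.8.8.8", "100.64.1.1", "::ffff:10.0.0.1", "example.com"):
        print(tgt, check_scope(tgt, "external"))
```

The CGNAT and IPv4-mapped cases are the ones a naive "is it RFC 1918?" test gets wrong, which is why the sketch keys on global routability after unwrapping.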
Gotchas
- An AXFR that succeeds is a finding. Most name servers refuse zone transfers, so a success means someone misconfigured their authoritative server.
- crt.sh 404 = no results. We render it as an empty table rather than an error.
- Propagation latency is dominated by the slowest resolver. Expect 3-8 seconds end-to-end.