
DNS Health Check: Complete Diagnostics of Your DNS Configuration

Check the health of your DNS: nameserver consistency, propagation, DNSSEC, and configuration issues.

Why regular DNS Health Checks are essential

DNS configuration is like a building's foundation: when it works, no one notices, but when it fails, everything stops working. A DNS problem can make your website unreachable, block email delivery, prevent APIs from functioning, and compromise access to any service dependent on the domain. The DNS Health Check systematically analyzes every aspect of the DNS configuration, identifying potential problems before they cause visible impact.

DNS problems are often insidious: they can be intermittent (depending on which nameserver is queried), geographically limited (a problem visible only from certain regions), or latent (incorrect configurations that work by coincidence but will manifest at the next change). A regular check, ideally automated and at least monthly, is the best prevention against unexpected DNS outages.

What the DNS Health Check verifies

DNS Health Check report
$ dns-check --domain esempio.com

[NS]     ✓ 3 nameserver attivi, tutti rispondono
[SOA]    ✓ Serial coerente su tutti i NS
[A]      ✓ Record A presente, TTL 3600
[MX]     ✓ 2 mail server, priorità corrette
[SPF]    ✓ Record SPF valido, 6/10 DNS lookup
[DMARC]  ✓ Policy p=reject attiva
[DNSSEC] ✗ DNSSEC non configurato
[GLUE]   ✓ Glue record coerenti
[OPEN]   ✓ Nameserver non sono open resolver

Score: 92/100 — Buono (DNSSEC consigliato)

The check analyzes multiple aspects: it verifies that all nameservers respond and return the same records (consistency), checks that the delegation in the TLD matches the NS records in the zone, verifies the SOA serial number across all NS, checks for the presence of essential records (A, MX, SPF, DMARC), evaluates the DNSSEC configuration, and identifies potentially risky configurations such as nameservers acting as open resolvers.

Resolving identified issues

For nameserver consistency issues, verify that synchronization between the primary and secondary nameservers is working by checking the SOA parameters with SOA Lookup. If the serial number differs between nameservers, the zone transfer might be blocked by a firewall or by an incorrect AXFR/IXFR configuration. For incorrect delegation, update the NS records at the domain registrar and verify that propagation completes with DNS Propagation.
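The two consistency checks described above (SOA serial agreement and delegation versus zone NS records) can be sketched as follows. This is an added example, not the DNS Health Check tool's own code; the function names and the sample data are assumptions, and the SOA strings are constructed in the shape printed by `dig +short SOA`.

```python
# Constructed sample data (not real measurements). Each SOA string has the
# shape printed by `dig +short SOA example.com @<nameserver>`; None = no reply.
SOA_ANSWERS = {
    "ns1.example.com.": "ns1.example.com. hostmaster.example.com. 2024051502 7200 3600 1209600 3600",
    "ns2.example.com.": "ns1.example.com. hostmaster.example.com. 2024051502 7200 3600 1209600 3600",
    "NS3.example.com": "ns1.example.com. hostmaster.example.com. 2024051401 7200 3600 1209600 3600",
    "ns4.example.com.": None,
}
PARENT_NS = ["ns1.example.com.", "ns2.example.com.", "ns-old.example.com."]  # delegation at the TLD
ZONE_NS = ["ns1.example.com.", "ns2.example.com.", "NS3.example.com", "ns4.example.com."]  # NS set in the zone


def norm(name):
    """Compare hostnames case-insensitively and without the trailing dot."""
    return name.strip().lower().rstrip(".")


def soa_serial(answer):
    """Extract the serial (third field) from a dig +short SOA line."""
    fields = answer.split()
    if len(fields) != 7 or not fields[2].isdigit():
        raise ValueError(f"not a SOA answer: {answer!r}")
    return int(fields[2])


def check_serials(answers):
    """Return (newest_serial, lagging, silent) across all nameservers."""
    serials = {norm(ns): soa_serial(a) for ns, a in answers.items() if a}
    silent = sorted(norm(ns) for ns, a in answers.items() if not a)
    # Plain integer max: assumes the serial has not wrapped (RFC 1982).
    newest = max(serials.values(), default=None)
    lagging = sorted(ns for ns, s in serials.items() if s != newest)
    return newest, lagging, silent


def check_delegation(parent_ns, zone_ns):
    """Return (only_in_parent, only_in_zone); both empty means they match."""
    parent, zone = {norm(n) for n in parent_ns}, {norm(n) for n in zone_ns}
    return sorted(parent - zone), sorted(zone - parent)


if __name__ == "__main__":
    newest, lagging, silent = check_serials(SOA_ANSWERS)
    print(f"newest serial {newest}; lagging: {lagging}; no answer: {silent}")
    only_parent, only_zone = check_delegation(PARENT_NS, ZONE_NS)
    print(f"only in TLD delegation: {only_parent}; only in zone: {only_zone}")
```

A nameserver listed only in the TLD delegation is a candidate lame delegation, and a lagging serial points at the blocked or misconfigured zone transfer described above.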

DNSSEC is always flagged as a warning if not configured. DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can reject forged answers, preventing cache poisoning and DNS spoofing. Implementation requires key generation, zone signing, and publishing DS records in the parent zone (the TLD). Many DNS providers handle DNSSEC automatically with a single click. The main risk is a poorly managed key rotation that invalidates the entire zone, which is why many operators prefer not to enable it on non-critical domains.

Integrate the DNS Health Check with Domain Health for a check that covers not only DNS but also email, SSL, security headers, and web performance. A healthy domain needs solid DNS foundations, and the DNS Health Check is the specific tool to ensure them. After every migration, nameserver update, or significant change, run a complete check to confirm everything is in order.
