
Domain DNS Health Audit

Verify delegation, consistency and accessibility of your DNS zone

A misconfigured domain = random resolutions, SERVFAIL, inaccessible sites. This audit checks the complete chain: parent, zone, NS, SOA, IPv4/IPv6, TCP and DNSSEC.

Parent/Zone Consistency

Compares NS declared at the registry (parent) with those in your zone. Detects discrepancies causing inconsistent resolutions.

Delegation and Glue

Verifies each NS responds authoritatively. Detects lame delegations and obsolete or missing glue records.

IPv4 and IPv6

Tests accessibility of each NS server on IPv4 and IPv6. Flags missing AAAA as a potential improvement.

TCP and Response Size

Verifies TCP is open on NS. Required for DNSSEC or large responses exceeding UDP limits.

SOA and Synchronization

Compares SOA serials across all NS. Detects servers lagging behind and unusual timers.

Why audit your domain's DNS health?

A well-configured domain responds quickly and predictably. When parent delegation is accurate, each server is reachable on IPv4 and IPv6, the SOA is synchronized and settings are clean, failures disappear.

Common issues detected by the audit:

  • Lame delegation → An NS doesn't respond authoritatively, causing intermittent SERVFAIL
  • Stale glue → The NS IP changed but parent still points to the old address
  • Parent/zone mismatch → Declared NS differ, creating inconsistent resolutions
  • Blocked TCP → DNSSEC or large responses are truncated over UDP and cannot be retried over TCP

How to use the DNS audit in 3 steps

Step 1: Enter the domain

Enter your domain name in the search field (example: captaindns.com). The audit starts automatically and queries the complete resolution chain.

Step 2: Analyze the results

The report displays:

  • Errors (red): Blocking issues or resolution degradation
  • ⚠️ Warnings (orange): Recommended improvements
  • Validated (green): Correct configuration

Each item includes an explanation and recommended action.

Step 3: Fix the issues

Follow the recommendations:

  • Delegation → Fix at the registrar
  • Glue → Update NS IPs at the registrar
  • Zone → Fix NS records in your DNS server
  • TCP → Open port 53 TCP in your firewalls

What does the DNS audit analyze exactly?

Delegation and parent/zone consistency

The audit starts at the parent. It reads the NS list published at the registry and compares it with NS declared in your zone. A mismatch = random resolutions.

| Check | Description |
|---|---|
| NS at parent | NS list published at registrar |
| NS in zone | NS list in your zone's NS record |
| Comparison | Alert if lists differ |

Glue records

Glue are IP addresses published at the parent. They're required when an NS is within the domain it serves (ns1.captaindns.com for captaindns.com).

Detected issues:

  • Missing glue → Resolution loops
  • Stale glue → IP changed, parent points to the old one

NS accessibility

Each NS server is tested:

  • IPv4: UDP and TCP response
  • IPv6: Response if AAAA present
  • Authority: Does the server respond authoritatively?
  • Recursion: Must be disabled on an authoritative server
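
The authority, recursion and truncation checks above all come down to bits in the 12-byte DNS header. The sketch below is an added example, not the audit tool's own code: it encodes a non-recursive SOA query and classifies a response header. The sample packets are constructed header-only responses, and the function names and finding strings are illustrative.

```python
import struct

# Header flag bits and RCODE mask (RFC 1035, section 4.1.1)
QR, AA, TC, RA, RCODE = 0x8000, 0x0400, 0x0200, 0x0080, 0x000F

def build_query(name, qtype=6, txid=0x1234):
    """Encode a query with RD=0 (no recursion asked); qtype 6 is SOA."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(packet, txid=0x1234):
    """Map the 12-byte header of a UDP response to audit findings."""
    if len(packet) < 12:
        raise ValueError("short packet: no complete DNS header")
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    findings = []
    if flags & RCODE or not flags & AA:
        findings.append("lame: not authoritative for the zone")
    if flags & RA:
        findings.append("recursion available (RA set)")
    if flags & TC:
        findings.append("truncated: retry over TCP/53")
    return findings

def _header(flags, ancount=1):
    # Constructed header-only responses, enough for flag checks
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {  # constructed, not captured traffic
    "healthy": _header(QR | AA),
    "lame_resolver": _header(QR | RA, ancount=0),
    "refused": _header(QR | 5, ancount=0),
    "needs_tcp": _header(QR | AA | TC, ancount=0),
}

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query")
    for label, pkt in SAMPLES.items():
        print(label, classify_response(pkt))
```
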

SOA and synchronization

The SOA (Start of Authority) contains the serial and timers. The audit checks:

  • Serial: Identical across all NS (otherwise a server is behind)
  • Refresh: How often secondaries check the primary
  • Retry: Delay before retry after failure
  • Expire: Duration before secondary abandons the zone
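
The parent/zone, glue, lame-delegation and SOA serial checks described in this section can be expressed as comparisons over data already collected from the parent and from each NS. This is an added example, not the audit tool's own code: the snapshot is constructed (example.com names, 192.0.2.0/24 documentation addresses, made-up serials), and the serial comparison uses RFC 1982 arithmetic so a wrapped 32-bit serial is still ordered correctly.

```python
def serial_older(a, b):
    """RFC 1982 serial arithmetic: True when 32-bit serial a precedes b."""
    return a != b and (b - a) % 2**32 < 2**31

def audit(zone, parent_ns, glue, zone_ns, zone_addrs, answers):
    """Return findings for one zone from already-collected observations."""
    out = []
    for ns in sorted(parent_ns ^ zone_ns):
        where = "at parent" if ns in parent_ns else "in zone"
        out.append(f"mismatch: {ns} only {where}")
    for ns in sorted(parent_ns):
        in_zone = ns == zone or ns.endswith("." + zone)
        if in_zone and not glue.get(ns):
            out.append(f"missing glue: {ns}")
        elif glue.get(ns) and glue[ns] != zone_addrs.get(ns, glue[ns]):
            out.append(f"stale glue: {ns}")
        if not answers.get(ns, {}).get("aa"):
            out.append(f"lame delegation: {ns}")
    serials = {n: a["serial"] for n, a in answers.items() if a.get("aa")}
    newest = None
    for s in serials.values():
        if newest is None or serial_older(newest, s):
            newest = s
    for ns in sorted(serials):
        if serial_older(serials[ns], newest):
            out.append(f"serial behind: {ns} ({serials[ns]} vs {newest})")
    return out

# Constructed snapshot; names, serials and 192.0.2.0/24 addresses are samples.
SNAPSHOT = dict(
    zone="example.com.",
    parent_ns={"ns1.example.com.", "ns2.example.com.", "ns3.example.net."},
    glue={"ns1.example.com.": {"192.0.2.1"}},
    zone_ns={"ns1.example.com.", "ns2.example.com.", "ns4.example.net."},
    zone_addrs={"ns1.example.com.": {"192.0.2.53"},
                "ns2.example.com.": {"192.0.2.2"}},
    answers={"ns1.example.com.": {"aa": True, "serial": 2024010102},
             "ns2.example.com.": {"aa": True, "serial": 2024010101},
             "ns3.example.net.": {"aa": False}},
)

if __name__ == "__main__":
    for finding in audit(**SNAPSHOT):
        print(finding)
```
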

DNSSEC (if enabled)

If your domain is signed, the audit verifies:

  • DS at parent: Present and matching DNSKEY
  • DNSKEY: Public keys in the zone
  • Signatures: Valid and not expired

Real-world use cases

Case 1: DNS provider migration

Before migration:

  1. Run the audit, note current state
  2. Lower TTLs of critical records

During migration:

  1. Add new NS
  2. Update delegation at registrar
  3. Declare glue if your NS are in your domain

After migration:

  1. Re-run the audit
  2. Verify parent and zone are aligned
  3. Confirm all NS respond authoritatively

Case 2: Intermittent resolutions

Symptom: Some users see the site, others get random SERVFAIL errors.

Diagnosis with audit:

  • Check parent/zone consistency
  • Look for lame delegation
  • Compare SOA serials across NS

Action: Fix the identified discrepancy, resync NS.

Case 3: NS IP change

Symptom: After changing an NS IP, some traffic goes to the wrong place.

Diagnosis with audit:

  • Check glue at parent
  • Old IP may still be published

Action: Update glue at registrar.


FAQ - Frequently asked questions

Q: What does the DNS audit check exactly?

A: The audit checks consistency between parent (registry) and zone, verifies each NS responds authoritatively, tests IPv4/IPv6, validates TCP, compares SOA serials and detects lame delegations, stale glue and DNSSEC issues.


Q: What is a lame delegation?

A: A lame delegation occurs when the parent points to an NS server that doesn't respond authoritatively for your zone. Resolvers waste time and sometimes fail with SERVFAIL. The term comes from "lame" because the server can't serve the zone it's asked for.


Q: What are glue records?

A: Glue records are IP addresses published at the parent (registry) level. They're required when your NS is within your own domain (e.g., ns1.captaindns.com for captaindns.com). Without them, resolution loops because to resolve ns1.captaindns.com, you'd first need to query... ns1.captaindns.com.


Q: Why check parent/zone consistency?

A: If parent and zone declare different NS, resolvers follow different paths depending on cache. Some users see one response, others see another, or intermittent errors. Always align both.


Q: Is IPv6 mandatory?

A: No, but strongly recommended. More networks prefer IPv6. An NS without AAAA may be unreachable for some visitors, indexing bots or cloud services.


Complementary tools

| Tool | Purpose |
|---|---|
| DNS Lookup | Check a specific record (A, MX, TXT, etc.) |
| Propagation Test | Track DNS change propagation |
| SPF Inspector | Verify email authentication |
| Email Tester | Test SPF/DKIM/DMARC in real conditions |
