Web & DNS diagnostics, in your browser.
A small set of fast, private utilities for engineers — inspect HTTP headers, query DNS records, audit email auth, and troubleshoot domain issues. No sign-up, no install.
// tools
10 of 10 liveTLS Grader
SSL Labs-style A+ to F grading — probes every protocol version + cipher suite, analyzes the cert chain, audits HSTS/CAA, and detects POODLE, BEAST, ROBOT, Heartbleed, etc.
$ tls.connect / cipher probeHTTP Headers Checker
Inspect HTTP response headers and grade security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy.
$ GET / HEADDNS Lookup
Query A, AAAA, CNAME, MX, NS, TXT, SOA, and CAA records for any domain across multiple public resolvers.
$ dig +shortDNS Propagation
Check DNS propagation across 24 public resolvers worldwide and visualize the rollout on a world map.
$ dig @1.1.1.1 / @8.8.8.8 …Email Records
Audit MX, SPF, DKIM, and DMARC records to diagnose email deliverability and spoofing risk.
$ TXT _dmarcWHOIS Lookup
Look up domain registration, registrar, expiry dates, and ownership info via the WHOIS protocol.
$ whois example.comSubdomain Finder
Passive subdomain enumeration via Certificate Transparency, the Wayback Machine, and a DNS wordlist — with live resolution, provider fingerprinting, and subdomain-takeover risk flags.
$ crt.sh + wayback + dnsPort Scanner
TCP connect scan over ~95 well-known ports — web, dev, mail, remote, databases, queues, containers, monitoring. Live banner-grab + TLS handshake + service fingerprinting.
$ nmap -sV (top 95)IP Lookup
Full IP intelligence sheet — paste an IP, a domain (example.com), or a URL. Geolocation, ASN via Team Cymru, reverse DNS with FCrDNS, RIR WHOIS, DNSBL across 9 blocklists, cloud-provider attribution.
$ geo + asn + ptr + dnsblVulnerability Scanner
Passive Light-scan with CVE lookup via OSV.dev, multi-page crawl with per-route diff, 266 tech fingerprints. Catches header / CSP misconfig, sensitive file exposure (.env, .git/config), OpenAPI / GraphQL / Actuator endpoints, admin panels. Mapped to CWE + OWASP Top 10 with fix snippets.
$ owasp passive scan + cveWhy dns-tools
- Instant
- Server-side fetches, no install required.
- Private
- No accounts, no ads, no paywall.
- Engineer-grade
- Raw output, copyable values, monospace everything.
Frequently asked questions
- What is dnsverifier.com?
- dnsverifier.com is a free, no-sign-up suite of eight web and DNS diagnostic tools for engineers: TLS Grader, HTTP Headers Checker, DNS Lookup, DNS Propagation Checker, SPF / DKIM / DMARC checker, WHOIS / RDAP lookup, Subdomain Finder, and Online Port Scanner.
- Is dnsverifier.com free?
- Yes — every tool is free with no usage cap, no account, no API key, and no advertising. The service is funded by its operator; bulk endpoints have generous limits (50 domains for DNS bulk, 30 for email and WHOIS bulk).
- Do I need to install anything?
- No. dnsverifier.com runs entirely in the browser. The tools perform their checks server-side (Vercel Node.js runtime) and stream results back as newline-delimited JSON, so you see findings live as they arrive.
- Does dnsverifier.com store my queries?
- Tool inputs are not persisted server-side beyond standard hosting-provider request logs. Recent-host history is kept only in your browser's localStorage and never leaves your device. We run Google Analytics 4 to measure aggregate pageviews and country — see the Privacy Policy for the cookies it sets and how to opt out.
- How does dnsverifier.com compare to SSL Labs, whatsmydns.net, or MXToolbox?
- SSL Labs grades TLS but only one host at a time and slowly. whatsmydns.net checks DNS propagation from about 25 locations. MXToolbox audits email records. dnsverifier.com bundles equivalents of all three (plus subdomain enumeration and port scanning) with live streaming results, broader resolver coverage (85 instead of 25), and copy-paste DNS / server-config fix snippets.
- Can I use the scanning tools against any host?
- Only against hosts you own or have written authorization to test. The Port Scanner, Subdomain Finder DNS bruteforce, and TLS Grader active probes are dual-use. The API refuses RFC 1918 private addresses, loopback, link-local, CGNAT, IPv6 ULA, and cloud-metadata addresses. See the Acceptable Use Policy for the full rules.