DNS Poisoning Checker — Resolver Response Timing Probe
Per-record-type latency probes — timing signals for investigation, not active cache poison detection
How to Use This Tool
- Enter the domain you are investigating for resolver anomalies.
- Six parallel timed DNS queries run for standard record types.
- Probes capture latencyMs, recordCount, and status per type.
- averageMs and slowest summarize timing outliers.
- ERROR status on probes may indicate resolver or authoritative issues.
- Correlate timing with DNS compare and DNSSEC tools — not poison proof alone.
About This Tool
DNS cache poisoning tricks resolvers into storing false answers — historically via birthday attacks on UDP, forged responses, or compromised recursive infrastructure. Detecting poisoning in production requires comparing answers across trusted resolvers, DNSSEC validation, and sometimes packet capture — not a single web lookup. VSPIC DNS poisoning checker runs dns-response-time on your domain: timed parallel queries for A, AAAA, MX, TXT, NS, and SOA returning probes, averageMs, slowest, and summary.
Elevated or erratic latency on specific types can correlate with resolver distress, upstream timeouts, or oversized answers — worth investigating alongside DNSSEC and multi-resolver compares, but not proof of active cache poison. We state this limitation explicitly so security teams use the tool as one hygiene probe, not a definitive poison test.
Common use cases
- •View all DNS records of a domain after migration
- •Confirm DNS records after domain changes
- •Test for DNS leaks when using a VPN
- •Debug email delivery with MX and TXT records
Why use VSPIC for ?
- Quick timing baseline across six record types.
- Isolates slow or failing QTYPE probes for triage.
- Honest limitations — no false poison certification.
- Free read-only measurement through public resolver.
- Structured JSON for incident tickets.
- Same dns-response-time backend as sibling timing tools.
What DNS cache poisoning means
Poisoning inserts attacker-controlled records into a resolver cache so clients receive wrong IPs or mail paths. Modern mitigations include source port randomization, DNSSEC validation, QNAME minimization, and TCP fallback for large responses.
Confirming poison requires evidence of wrong answers persisting across queries or validation failures — not latency alone.
Honest scope of dns-response-time here
This page uses dns-response-time only. It measures how long each record type takes to return and how many answers appear. That helps spot resolver struggles or authoritative timeouts during an incident window.
We do not read cache tables, inject forged packets, or poll dozens of global resolvers. Position results as supplementary timing telemetry.
Interpreting probes during incidents
Sudden ERROR status across types may indicate network loss or authoritative outage — symptoms users confuse with poison. Single-type slowness with high TXT recordCount may reflect SPF bloat rather than attack.
If phishing reports coincide with timing anomalies, immediately run DNS hijacking detector compares and fetch dns-history snapshots for record proof.
DNSSEC as the real poison mitigation check
Validated DNSSEC rejects many forged answers. Use our DNSSEC checker on the same domain when poison is suspected. Bogus validation results outweigh timing probes for escalation decisions.
Poisoning checker timing does not replace DNSSEC deployment — it complements incident triage.
Multi-resolver comparison gap
Classic poison investigations compare answers from corporate resolver, 8.8.8.8, 1.1.1.1, and regional ISP DNS. This tool uses one public resolver path. Repeat tests from different networks locally when possible.
DNS hijacking detector helps when you have two hostnames to diff; poisoning needs answer equality checks our timing handler does not provide.
Relationship to DNS response time test
Identical backend action dns-response-time. DNS response time test targets performance optimization; poisoning checker targets security investigation language with explicit non-guarantee disclaimers.
Security questionnaires should cite limitations when referencing this page.
Operational steps when poison is suspected
Flush corporate resolver caches per runbook. Enable DNSSEC validation on endpoints. Rotate resolver credentials if managed service compromised. Snapshot current records with dns-history for evidence.
Open provider tickets with probes JSON and parallel dig captures from trusted laptops.
API automation
GET /ip-tools/api/extended?action=dns-response-time&domain=example.com during incident bridges. Alert on probe ERROR spikes — may warrant human investigation even if not automatic poison detection.
Do not auto-block traffic on timing alone.
Privacy and responsible use
Query domains you own or investigate with authorization. Read-only DNS timing — no exploit traffic.
Communicate limits to stakeholders to avoid overconfidence in negative results.
Important notes & limitations
- Does NOT inspect resolver cache contents or KSK trust anchors.
- Does not compare answers across multiple geographic resolvers.
- Single sample — not statistical poison detection.
- Cannot detect forged responses without multi vantage compares.
- Timing anomalies have many causes beyond poisoning.
Frequently Asked Questions
Yes. VSPIC offers this DNS poisoning checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It reports per-type response timing via dns-response-time. Definitive poison detection needs answer comparison across trusted resolvers and often DNSSEC validation.
dns-response-time with a domain parameter.
Timing anomalies can be one incident signal among many. This page gives fast structured probes while you run deeper multi-resolver tests.
DNSSEC decisions are policy-driven. Use DNSSEC checker for validation status — not latency from this page.
A, AAAA, MX, TXT, NS, and SOA.
Same backend. Amplification page emphasizes answer size hygiene; poisoning page emphasizes incident investigation framing and cache poison limitations.
Next step for your check
Continue with dns response time test on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
DNS Response Time Test
Measure resolver latency per record type — A, MX, TXT, NS, SOA
Use Free →DNSSEC Checker
Check DNSKEY and DS records — detect DNSSEC deployment on a zone
Use Free →DNS Hijacking Detector
DNS Hijacking Detector — free online tool
Use Free →DNS Amplification Vulnerability Test
DNS Amplification Vulnerability Test — free online tool
Use Free →DNS Lookup Tool — DNS Checker
Free DNS lookup tool and DNS checker — query A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain.
Use Free →Reverse DNS Lookup
Resolve IP addresses to hostnames via PTR records
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS