EDNS Checker — Extended DNS Record & Zone Capability Scan
Multi-type DNS zone scan including SRV and CAA — assess extended record visibility on public resolvers
How to Use This Tool
- Enter the domain whose extended DNS visibility you want to check.
- Hostname validation ensures a public DNS name format.
- lookupAllDnsRecords queries nine types including SRV and CAA.
- Successful extended types appear in byType and records arrays.
- summary flags mail, auth, and address targets for context.
- Review note — full EDNS0 UDP tests need dig; this scan confirms RR visibility.
About This Tool
EDNS0 (Extension Mechanisms for DNS) enables larger UDP payloads, client subnet options, and DNSSEC OK bits on the wire — but operators often discover EDNS problems when extended record types fail to resolve or answers truncate. VSPIC EDNS checker runs dns-history with lookupAllDnsRecords, sweeping A through CAA including SRV and CAA that require modern resolver paths, returning records, byType, summary, and queriedAt with a note that true EDNS0 buffer-size and DO bit testing requires dig +subnet or specialized probes beyond this snapshot.
Use results to confirm extended RR types resolve publicly — missing SRV when SIP depends on it, or absent CAA when certificate automation expects restrictions — before blaming EDNS truncation on authoritative hosts.
Common use cases
- •View all DNS records of a domain after migration
- •Confirm DNS records after domain changes
- •Test for DNS leaks when using a VPN
- •Debug email delivery with MX and TXT records
Why use VSPIC for ?
- SRV and CAA included in extended record sweep.
- Confirms public resolver returns modern RR types.
- byType shows which extended types answer versus empty.
- summary contextualizes zone beyond single-type checks.
- Free scan with queriedAt for change-window evidence.
- dns-history API for repeated EDNS-related monitoring.
What EDNS means for operators
EDNS0 adds an OPT pseudo-RR to DNS messages carrying larger payload sizes, DNSSEC OK, and optional client subnet data. Resolvers and authoritative servers that mishandle EDNS cause timeouts, truncated answers, or fallback to TCP.
Our EDNS checker does not manipulate OPT bits directly. It verifies that extended record types (SRV, CAA) and full multi-type answers return through a modern public resolver — a practical signal that the zone is reachable on contemporary DNS paths.
SRV and CAA as extended-type probes
SRV records power SIP, XMPP, and service discovery. CAA restricts certificate issuance. Both are common EDNS-era operational types. Empty byType.SRV or byType.CAA when you expect records means public path does not see them — check authoritative publish or parent delegation.
Presence of large TXT alongside SRV confirms resolver handled multi-answer responses without silent failure.
When to use dig for true EDNS tests
dig +dnssec +multi @resolver domain tests DO bit and DNSSEC readiness. dig +subnet simulates ECS. dig +bufsize=4096 probes UDP size handling. Use those when EDNS checker snapshot looks healthy yet clients still report SERVFAIL.
This page is the first pass — extended RR visibility — before deep EDNS wire debugging.
Truncation and TCP fallback signals
If byType returns partial types while authoritative panel shows full zone, truncation or lame delegation may exist. Compare against DNS packet analyzer TTL rows and DNS trace for NS issues.
Large TXT SPF chains stress UDP sizes — mail receivers retry with TCP; our JSON API path handles this server-side, so absence here is meaningful.
dns-history backend for EDNS checker
Action dns-history with lookupAllDnsRecords queries Google Public DNS JSON API per type. API uses HTTPS to Google — distinct from your stub resolver's EDNS behavior but validates global public visibility.
queriedAt documents scan instant for compliance evidence.
DNSSEC and EDNS relationship
DNSSEC relies on EDNS0 DO bit for authenticated data. This checker does not validate RRSIG chains — use dnssec-checker for that. Healthy extended type returns are prerequisite, not proof, of DNSSEC success.
Missing DNSKEY in snapshot is normal for most zones — only signed zones publish keys.
Corporate resolver compatibility
Legacy middleboxes strip EDNS and break large responses. Employees may fail while this public scan succeeds. Internal dig from office networks still required when EDNS checker passes but laptops fail.
Document EDNS pass here plus internal fail as middlebox ticket evidence.
API monitoring for extended records
GET /ip-tools/api/extended?action=dns-history&domain=example.com — alert when byType.SRV or byType.CAA disappears after zone edits.
Pair with DNS monitoring tool scheduled snapshots for drift on extended types.
Privacy and scope honesty
We honestly scope this as extended RR visibility scan, not wire-level EDNS0 tester. Set stakeholder expectations before compliance audits require formal EDNS buffer proofs.
Scan domains you operate or audit under authorization.
Important notes & limitations
- Does not send EDNS OPT pseudo-records or measure UDP buffer size.
- Cannot detect DO bit or DNSSEC chain validation here.
- Single resolver path — truncation behavior may vary by resolver.
- Not a replacement for dig +norecurse @authoritative tests.
- EDNS client subnet effects not simulated.
Frequently Asked Questions
Yes. VSPIC offers this EDNS checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It scans extended record type visibility via dns-history. Use dig +bufsize for buffer testing.
dns-history with a domain parameter.
They are modern operational types often involved in extended DNS deployments. Missing answers signal visibility problems worth investigating.
No. Use dnssec-checker. This page confirms multi-type public answers including extended RR classes.
Yes. Corporate filters may strip EDNS while public resolvers succeed. Test from affected networks separately.
Same dns-history backend. EDNS checker emphasizes SRV/CAA extended visibility; packet analyzer emphasizes TTL and RR field breakdown.
Next step for your check
Continue with dnssec checker on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
DNSSEC Checker
Check DNSKEY and DS records — detect DNSSEC deployment on a zone
Use Free →DNS Packet Analyzer
DNS Packet Analyzer — free online tool
Use Free →DNS Record History
Current DNS snapshot with change-tracking guidance
Use Free →DNS Lookup Tool — DNS Checker
Free DNS lookup tool and DNS checker — query A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain.
Use Free →Reverse DNS Lookup
Resolve IP addresses to hostnames via PTR records
Use Free →Hostname Lookup
Resolve a domain name to its hostname and IP addresses
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS