For years I kept reaching for the same handful of online tools when debugging email deliverability issues, checking DNS propagation, or diagnosing network problems. Most of the popular ones are fine but ad-heavy, paywalled above basic usage, or just showing their age. So I did what developers do: I built my own and put it at mrdns.com.
It's free, no account required, and covers a fairly wide range of DNS, network, and email tools. Here's what's in it and some of the more interesting technical bits along the way.
What's in the toolbox
DNS
DNS Lookup is the core feature - query any record type (A, AAAA, MX, TXT, NS, SOA, CNAME, PTR, CAA, SRV, TLSA, HTTPS, SVCB, MTA-STS, BIMI, and more) against authoritative resolvers. Results include country flag icons for A/AAAA records using GeoLite2.
DNS Propagation Checker queries 8 global resolvers simultaneously and shows whether your change has propagated. This one was fun to build - more on that below.
DNSSEC Checker walks the chain of trust: checks for DS records, validates DNSKEY digests, and verifies RRSIG records aren't expired.
Whois / RDAP looks up domain and IP registration info. It tries RDAP first (the modern structured replacement for whois) using IANA bootstrap files to find the authoritative server, and falls back to the classic whois binary if needed.
Network
Ping and Traceroute stream results in real-time using Server-Sent Events. Each traceroute hop gets city-level geolocation and is plotted on a Leaflet map.
What is My IP detects your IPv4 and IPv6 addresses separately - by pointing the browser at two different subdomains, one with only an A record and one with only an AAAA record. It's a clean technique that forces the browser down each protocol path without any JS tricks.
Blacklist / RBL Check tests an IP or domain against 15+ DNSBL blocklists in parallel. IPv6 addresses get the nibble-reversed treatment before the query.
SSL Certificate Checker connects directly with stream_socket_client, captures the full chain, and reports expiry, SANs, key type/bits, and SHA-256 fingerprint.
HTTP Headers follows redirects manually (up to 5 hops), shows each hop's status and headers, and flags missing security headers.
Port Checker does a TCP connect with a short timeout and grabs the first 512 bytes of banner if the port is open. Useful for quickly checking whether a service is actually listening.
Email tooling is where the site arguably has the most depth:
- Email Health Check - runs SPF and DMARC together and gives a combined grade
- SPF Checker - recursively expands includes and validates mechanisms
- DMARC Checker - parses and validates every tag
- DKIM Checker - looks up the public key, checks key size (warns below 2048 bits, errors below 1024)
- Email Header Analyzer - paste in raw headers and it reconstructs the relay chain with per-hop delays, authentication results (SPF/DKIM/DMARC), and spam scores
- MTA-STS Checker - validates the DNS record, fetches and parses the policy file, and cross-checks against MX records
- BIMI Checker - validates the DNS record, fetches the SVG logo for preview, and verifies the VMC certificate against known CAs
There's also an SPF Generator and DMARC Generator for building records from scratch with a live preview.
A few interesting implementation details
DNS Propagation: hybrid DoH + UDP
Not all public resolvers support application/dns-json (the DoH JSON API). Cloudflare, Google, Alibaba, NextDNS, and DNS.SB do. Quad9, OpenDNS, and AdGuard don't - at least not from my server. So the propagation checker runs the DoH resolvers in parallel via curl_multi, then queries Quad9/OpenDNS/AdGuard over plain UDP with NetDNS2. You get 8 resolver results, most of them arriving together.
Real-time ping and traceroute with SSE
Both tools use Server-Sent Events - the server opens a process with proc_open, reads output line by line, and streams data: <json>\n\n to the browser. Nginx needs X-Accel-Buffering: no to prevent it from buffering the response. The client uses EventSource and appends rows to a table as they arrive. Traceroute geo-locates each hop and rebuilds the map polyline after each update.
IPv4/IPv6 dual-stack detection
To separately detect both protocol addresses in the browser, I use two subdomains: ipv4.mrdns.com has only an A record, and ipv6.mrdns.com has only an AAAA record. The browser is forced onto the correct protocol purely by DNS - there's no JS protocol negotiation involved. Each returns a tiny JSON blob {"ip":"<remote_addr>"} directly from nginx.
RDAP over legacy whois
The Whois tool uses RDAP as the primary backend. It fetches the IANA bootstrap JSON files (which map IP CIDRs and TLDs to authoritative RDAP servers), caches them for 24 hours, and queries the right server directly. The parsed response gives you structured data - registrar, registrant, status, nameservers, dates - rather than a blob of text to regex apart. The raw whois fallback is there for the edge cases RDAP doesn't cover yet.
Stack
Nothing exotic - PHP 8.5, Bootstrap 5.3, vanilla JS with no framework. NetDNS2 for DNS resolution, GuzzleHTTP for outbound HTTP, and MaxMind GeoLite2 databases for geolocation. Deployed on nginx + PHP-FPM.
Try it
Everything is at mrdns.com - free, no sign-up. If something's broken or you have a tool you'd like to see added, let me know in the comments.
Top comments (0)