DnsQuery
Version 1.1.0 • macOS / iOS / iPadOS

Wire-level DNS inspector with DNSSEC validation. Query any resolver, watch the bytes, and walk the chain of trust from the IANA root all the way to your answer — on your Mac, iPhone, or iPad.

Free companion to DnsEditor

DnsQuery is a free debugging tool built by the team behind DnsEditor. Use it to answer the question every DNS operator asks at some point: does the signed answer my resolver just gave me actually verify, and if not, where exactly does it break?

DNSSEC • NSEC / NSEC3 • DoT • DoH • DoQ • Split-horizon • IPv6

Features

Built for engineers, sysadmins, and anyone who has ever stared at a SERVFAIL and wondered why.

Pick any resolver

Built-in presets for Cloudflare, Google, Quad9, OpenDNS, and AdGuard — IPv4 and IPv6. Your system resolver on macOS. Custom resolvers you define once and sync across devices.

Every transport worth having

UDP, TCP, DNS-over-TLS (853), DNS-over-HTTPS (443), and DNS-over-QUIC (853). Switch with one tap — useful when you want to see how your network treats each.

Flag-level control

Set RD (Recursion Desired), DO (DNSSEC OK), and CD (Checking Disabled) independently so you can see exactly what each bit changes in the response.

Wire bytes, colour-coded

Expand the raw-bytes view and every byte lights up by region: header, labels, compression pointers, TYPE/CLASS/TTL, RDATA. Legend right below.
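
Where those three bits sit on the wire, as an added Python sketch that is not DnsQuery's own code: RD and CD are header flag bits, while DO lives in the TTL field of the EDNS OPT record. The query ID, query name and UDP payload size are constructed sample values.

```python
import struct

RD, CD = 0x0100, 0x0010      # header flag bits (RFC 1035, RFC 4035)
DO = 0x8000                  # top bit of the low 16 bits of the OPT TTL (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, rd=True, do=True, cd=False, qid=0x1234):
    """Build a one-question query; an OPT record is always appended."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO+Z
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO if do else 0, 0)
    return header + question + opt

def regions(msg):
    """Split a query built above into the regions a hex view would tint."""
    end_q = 12
    while msg[end_q]:                 # walk labels (queries carry no pointers)
        end_q += 1 + msg[end_q]
    end_q += 1 + 4                    # root label + QTYPE + QCLASS
    return {"header": msg[:12], "question": msg[12:end_q], "opt": msg[end_q:]}

def decode_flags(msg):
    """Report RD/CD from the header and DO from the OPT TTL."""
    flags = struct.unpack("!H", msg[2:4])[0]
    ttl = struct.unpack("!I", regions(msg)["opt"][5:9])[0]
    return {"RD": bool(flags & RD), "CD": bool(flags & CD), "DO": bool(ttl & DO)}

if __name__ == "__main__":
    q = build_query("ivar.au.", 1, rd=True, do=True, cd=True)
    for region, data in regions(q).items():
        print(f"{region:9}{data.hex(' ')}")
    print(decode_flags(q))
```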

Full DNSSEC chain walk

Anchor on the IANA root KSK-2017 + KSK-2024, descend through every zone cut, match DS to DNSKEY, verify each RRSIG. Every step visible with its key tag and algorithm.
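
The "match DS to DNSKEY" step, sketched in Python as an added example (not DnsQuery's own code), including the case where the parent holds two DS records and only one key is served. The zone name and key bytes are constructed, only SHA-256 digests (type 2) are handled, and RRSIG verification is left out.

```python
import hashlib, struct

REVOKE, SEP, ZONE = 0x0080, 0x0001, 0x0100   # DNSKEY flag bits

def wire_name(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def match_ds(owner, ds_set, dnskeys):
    """Return key tags of DNSKEYs vouched for by at least one parent DS."""
    matched = []
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & ZONE or flags & REVOKE:
            continue                      # not a zone key, or revoked (RFC 5011)
        for tag, alg, dtype, digest in ds_set:
            if dtype != 2 or (tag, alg) != (key_tag(rdata), rdata[3]):
                continue                  # tag is only a hint; the digest decides
            if hashlib.sha256(wire_name(owner) + rdata).digest() == digest:
                matched.append(tag)
    return matched

# Constructed sample: external and internal KSKs, both with a DS in the parent.
ZONE_NAME = "zone.example."
EXTERNAL_KSK = dnskey_rdata(257, 13, bytes(range(64)))
INTERNAL_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))
PARENT_DS = [make_ds(ZONE_NAME, EXTERNAL_KSK), make_ds(ZONE_NAME, INTERNAL_KSK)]

if __name__ == "__main__":
    # The external view serves only the external KSK and the ZSK.
    print(match_ds(ZONE_NAME, PARENT_DS, [EXTERNAL_KSK, ZSK]))
```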

Denial-of-existence proofs

NSEC and NSEC3 proofs validated in full. NXDOMAIN gets the three-part closest-encloser + next-closer + wildcard proof; NODATA gets bitmap checks; signed-parent DS-absence gets downgrade-attack protection.

Split-horizon aware

When a zone publishes both internal and external KSKs with two DS records in the parent, validation succeeds for whichever view your chosen resolver sees — no manual key juggling.

Attack detection

Enforces RFC 6840 §5.11 algorithm-downgrade protection and RFC 5011 revoked-key rules. A stripped RRSIG or retired KSK turns the step red with a specific reason, not a generic pass.

CNAME chase

Follows CNAME chains up to 10 hops, re-running the full chain walk for each target zone. No more "chain stops at CNAME" dead-ends.

Extended DNS errors

RFC 8914 reasons (DNSSEC Bogus, Signature Expired, Filtered, Blocked, …) pulled out of the OPT record and shown prominently whenever the resolver tells you why it's unhappy.
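
How an RFC 8914 reason is carried in a response, as an added Python example that is not DnsQuery's own code: the parser walks to the OPT record and reads EDNS option 15. The SERVFAIL message, its query name and its extra text are constructed, and only the four info codes named above are given labels.

```python
import struct

EDE_NAMES = {6: "DNSSEC Bogus", 7: "Signature Expired", 15: "Blocked", 17: "Filtered"}

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2            # compression pointer ends the name
        if length == 0:
            return pos + 1
        pos += 1 + length

def extended_errors(msg):
    """Return [(info_code, reason, extra_text)] from the OPT record, if any."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4             # name + QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype != 41:                           # only OPT carries EDNS options
            continue
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == 15 and len(body) >= 2:     # option 15 = Extended DNS Error
                info = struct.unpack("!H", body[:2])[0]
                text = body[2:].decode("utf-8", "replace")
                found.append((info, EDE_NAMES.get(info, "unlisted"), text))
    return found

def sample_servfail():
    """Constructed SERVFAIL response carrying one EDE option (info code 6)."""
    text = b"no valid RRSIG"
    option = struct.pack("!HHH", 15, 2 + len(text), 6) + text
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, len(option)) + option
    question = b"\x05bogus\x07example\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1) + question + opt

if __name__ == "__main__":
    print(extended_errors(sample_servfail()))
```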

iCloud history + presets

The last 15 queries and every custom resolver you save sync across every device signed into the same Apple ID — via iCloud Key-Value storage. No accounts, no servers, no tracking.

Mac, iPhone, iPad

One universal app. Sidebar + detail split on Mac and iPad; tidy stack navigation on iPhone. All three share the same history.

A real DNSSEC walk

What you see when you query a signed name — every step cryptographically verified, not just taken on faith.

Root KSK matches IANA trust anchor
  Anchored via d.root-servers.net; matched key tag(s) 20326, 38696.
. DNSKEY (via KSK) verified
  Signed by key tag 20326 (RSASHA256).
au. DS (signed by .) verified
  Signed by key tag 54393 (RSASHA256).
DS matches DNSKEY for au.
  Matched key tag(s) 32902 out of 1 DS record(s) in parent.
au. DNSKEY (via KSK) verified
ivar.au. DS (signed by au.) verified
DS matches DNSKEY for ivar.au.
  Matched key tag(s) 57981 out of 2 DS record(s) in parent.
ivar.au. DNSKEY (via KSK) verified
  Signed by key tag 57981 (ECDSAP256SHA256).
No DS for sirius.ivar.au.
  Parent ivar.au. cryptographically proved no DS exists; chain stops here.
sirius.ivar.au. A verified
  Signed by key tag 17290 (ECDSAP256SHA256).

Secure — chain verified from IANA root to the answer

In use

A few shots from the iPhone and iPad versions.

[Screenshot: DnsQuery on iPad, a cloudflare.com A query with the DNSSEC validation chain starting to unfold]

Full DNSSEC chain on iPad

Querying cloudflare.com A through 1.1.1.1 — the validation panel walks from the IANA root trust anchor down through the ., com., and cloudflare.com. zones with every key tag and algorithm shown.

[Screenshot: colour-coded hex dump of the DNS query and response with legend below]

Colour-coded hex dump

Expand the Raw bytes disclosure and every byte of the query and response is tinted by region — header, labels, compression pointers, TYPE/CLASS/TTL, RDATA — with the legend right underneath.

[Screenshot: DnsQuery on iPhone showing an Insecure outcome for google.com because the zone isn't DNSSEC-signed]

Insecure delegation, detected

On iPhone: google.com A via 1.1.1.1. The chain walks cleanly to com., then reports Insecure — google.com has no DS in parent. That's not a failure; it's the correct DNSSEC semantics for an unsigned zone.

[Screenshot: DnsQuery on iPhone sidebar showing a list of recent queries with per-entry status icons]

History, synced over iCloud

Up to 15 recent queries with at-a-glance outcome icons: green seal for a usable answer, orange triangle for a DNSSEC-confirmed denial, red octagon for a failure or bogus chain. Synced across every Apple device signed into the same ID.

Who it's for

If you know what an RRSIG is, you're the target audience.

Operators mid-rollover

Debug a KSK rollover that stalled, verify the new DS landed, catch a parent/child mismatch before clients do.

Network engineers

Confirm a resolver behaves correctly on DoT/DoH/DoQ, compare what a public resolver sees versus your internal one, trace split-horizon surprises.

Security researchers

Observe NSEC3 opt-out ranges, check for algorithm-downgrade vulnerabilities, inspect wildcard synthesis proofs on real zones.

DNS-curious developers

Learn the protocol by watching it happen — the coloured hex dump and step-by-step chain walk make DNSSEC concrete instead of abstract.

From the makers of DnsEditor

DnsQuery is free. If you manage the zones you're querying, DnsEditor is the paid companion that handles the other half of DNSSEC: automated key policies, safe DS rollovers with registrar alerts, multi-provider zone editing (Cloudflare, Route 53, Google Cloud, BIND9), and a hidden-primary + secondary propagation pipeline via the dnseditd daemon.

Privacy

No analytics, no telemetry, no account required. Every query goes directly from your device to the resolver you chose — we never see it. History and custom resolvers live in your iCloud, not ours.