Product guide
Domain Explorer Guide
Domain Explorer scans a domain’s public DNS records live and summarizes what it finds into a weighted score, findings list, and graph view so you can review posture quickly without leaving the browser.
The short answer
Use Domain Explorer when you want a live, resolver-backed review of a domain’s public DNS posture. It checks the record set, groups findings into categories, and exposes the exact records behind the result so you can move from summary to evidence quickly.
Start here for domain-level DNS investigations, posture reviews, and quick validation of common record and delegation issues before you move into deeper infrastructure troubleshooting.
What the tool does
Domain Explorer resolves public DNS records for the submitted domain and analyzes them for security issues, misconfigurations, and best-practice violations. The interface is designed to keep the top-line answer simple while still preserving enough detail for technical review.
- Resolves the domain live instead of reading from a pasted zone file.
- Groups findings into categories so issues are easier to prioritize.
- Rolls those categories into a weighted numeric score and letter grade.
- Shows a graph view that maps names, record types, values, and optionally findings.
Scan modes
Choose a scan mode based on how much coverage you need and how much time you want to spend collecting signals.
| Mode | Coverage | When to use it |
|---|---|---|
| Standard | Full apex record set plus common derived names such as www and _dmarc | Use for most investigations and general support workflows. |
| Deep | Standard coverage plus certificate-transparency-assisted subdomain discovery, wildcard probing, and extended record types | Use when you need broader discovery and can tolerate the extra work. |
How scoring and grades work
The score runs from 0 to 100 and is a weighted average across six categories. The weighting is meant to keep higher-impact DNS issues from being drowned out by lower-risk observations. The values below reflect the active scoring model.
Category weights
| Category | Weight | What it represents |
|---|---|---|
| Loading… | ||
Letter grades
| Grade | Score range |
|---|---|
| Loading… | |
Severity deductions
Each failing check deducts points from its category score based on severity.
| Severity | Points deducted |
|---|---|
| Loading… | |
Category caps
Total deductions per category are capped so no single issue can erase the entire category score.
| Category | Maximum deduction |
|---|---|
| Loading… | |
Reading the graph
The Sankey graph visualizes the hierarchy of the domain’s DNS records from root, to names, to record types, to values. It is intended to make the structure of the live dataset visible at a glance instead of forcing you to inspect every row individually.
If you enable Show findings, the graph also connects failing checks to the records that triggered them. That view is most useful when you need to explain why the score changed or which specific records should be fixed first.
Privacy and resolver boundaries
Queries are resolved through Cloudflare and Google DNS-over-HTTPS resolvers. The support docs state that domain names and query results are not associated with your IP address, and that results may be cached server-side for up to 30 minutes to reduce resolver load and improve response times.
If you are checking a just-changed record, remember that short-lived caching can delay what you see. Re-run the scan after propagation time if the live result appears stale.
FAQ
Does the graph replace the findings list?
No. The graph is best for structure and traceability. The findings list remains the clearest place to review individual issues and their severity.
Where can I review the full technical scan pipeline?
For engineering and analyst workflows, use the Domain Explorer technical details reference.