DnsQuery
DNS queries with DNSSEC
Free
DNS query debugger with DNSSEC support
DnsQuery — inspect DNS, verify DNSSEC
DnsQuery is a wire-level DNS tool for engineers, sysadmins, and curious network nerds. Send a query to any resolver — public, private, or your router — and see the full response: parsed answer
sections, every flag, the raw bytes annotated by region, and an independent, end-to-end DNSSEC chain-of-trust walk that doesn't just take the resolver's word for it.
Query and inspect
- Hand-picked list of public resolvers (Cloudflare, Google, Quad9, OpenDNS, AdGuard) with IPv4 and IPv6 addresses, plus your configured system resolver on macOS, plus custom resolvers you
define yourself.
- Send over UDP, TCP, DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), or DNS-over-QUIC (DoQ).
- Control the individual query flags that matter: Recursion Desired (RD), DNSSEC OK (DO) for RRSIG / DNSKEY / NSEC records, and Checking Disabled (CD) to bypass upstream validation.
- 18+ record types including A, AAAA, MX, SRV, CAA, SSHFP, TLSA, DNSKEY, DS, RRSIG, NSEC, NSEC3.
- Color-coded hex dump of query and response bytes with a legend — see at a glance where the header, labels, compression pointers, and RDATA live.
- Extended DNS Errors (RFC 8914) surfaced prominently when the upstream resolver tells you why something failed.
Validate DNSSEC yourself
- Full chain-of-trust walk from the IANA root trust anchors (KSK-2017 and KSK-2024) down to your answer, step by step. Every DS match, DNSKEY verification, and RRSIG check is shown with the key
tag and algorithm.
- Handles positive answers, NXDOMAIN and NODATA via full RFC 5155 NSEC3 three-proofs (closest encloser + next closer + wildcard), CNAME chains, insecure delegations, and NSEC3 opt-out.
- Enforces RFC 6840 algorithm-downgrade protection and RFC 5011 key-revoke rules — won't silently accept a stripped-stronger-algo response.
- Split-horizon aware: when a zone publishes both internal and external KSKs with two DS records in the parent, validation succeeds for whichever view your chosen resolver sees, helping you
troubleshoot internal zones without fighting the tool.
- Clear verdict at the top: Secure, Insecure (unsigned delegation), Bogus (with the specific zone and failure reason), or Indeterminate.
Sync and share
- Query history and your custom resolver list sync across your Mac, iPad, and iPhone through iCloud Key-Value storage (signed into the same Apple ID). No servers, no accounts, no tracking.
Who it's for
If you know what an RRSIG is, you're the target audience. Use it to debug a DNSSEC rollover that went sideways, verify a new resolver's behaviour, inspect what a malicious DNS rebinding might
look like, or just satisfy curiosity about what actually travels over port 53.
Privacy
No analytics, no telemetry, no account required. All queries go directly from your device to the resolver you chose. History is stored in your own iCloud, not ours.
From the maker of DnsEditor
Ratings & Reviews
- This app has not received enough ratings or reviews to display an overview.
Added support for selecting system resolver for querying the same resolver as the rest of the OS uses
The developer, Ivar Hosteng, indicated that the app’s privacy practices may include handling of data as described below. For more information, see the developer’s privacy policy .
Data Not Collected
The developer does not collect any data from this app.
Accessibility
The developer has not yet indicated which accessibility features this app supports. Learn More
Information
- Size
- 5.9 MB
- Category
- Utilities
- Compatibility
Requires iOS 17.0 or later.
- iPhone
Requires iOS 17.0 or later. - iPad
Requires iPadOS 17.0 or later. - Mac
Requires macOS 14.0 or later. - Apple Vision
Requires visionOS 1.0 or later.
- iPhone
- Languages
- English
- Age Rating
4+
- 4+
- Provider
Ivar Hosteng
- Ivar Hosteng has not identified itself as a trader for this app. If you are a consumer in the European Economic Area, consumer rights do not apply to agreements between you and the provider.
- Copyright
- © Ivar Hosteng