Check DNS, Urls + Redirects, Certificates and Content of your Website


Info: Problems with 3.048.289 Letsencrypt certificates (378.325 accounts). They must be revoked (revocation starts 2020-03-04 20:00 UTC) - see Revoking certain certificates on March 4. Update 2020-03-07: Good news: Mass-revocation is canceled.

This tool: A check (SerialNumber) is added. Letsencrypt has published a list of critical SerialNumbers, this list is checked. See the part "9. Certificates". If there is a warning, renew that certificate and replace the current certificate.





1. IP-Addresses

HostTypeIP-Addressis auth.∑ Queries∑ Timeout
colnbase.design

Server failure
yes
4
0
www.colnbase.design
C
pixie.porkbun.com
yes
1
0

A
44.227.65.245
Portland/Oregon/United States (US) - Amazon.com, Inc.
Hostname: pixie.porkbun.com
yes



2. DNSSEC

Info: The Xml-split has triggered some hidden bugs. Now it looks ok.
If root or the top level zone isn't validated, it's buggy.
Both green and your domain is red -> it's your domain.

Zone (*)DNSSEC - Informations

Zone: (root)
(root)
1 DS RR published



Status: Valid because published



2 DNSKEY RR found



Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 8, KeyTag 33853, Flags 256



1 RRSIG RR to validate DNSKEY RR found



Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 01.04.2020, 00:00:00 +, Signature-Inception: 11.03.2020, 00:00:00 +, KeyTag 20326, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: design
design
2 DS RR in the parent zone found



1 RRSIG RR to validate DS RR found



Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 30.03.2020, 05:00:00 +, Signature-Inception: 17.03.2020, 04:00:00 +, KeyTag 33853, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 33853 used to validate the DS RRSet in the parent zone



3 DNSKEY RR found



Public Key with Algorithm 8, KeyTag 17966, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 8, KeyTag 28770, Flags 256



Public Key with Algorithm 8, KeyTag 45604, Flags 256



1 RRSIG RR to validate DNSKEY RR found



Algorithm: 8, 1 Labels, original TTL: 3600 sec, Signature-expiration: 31.03.2020, 22:49:11 +, Signature-Inception: 02.03.2020, 07:47:56 +, KeyTag 17966, Signer-Name: design



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 17966 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 17966, DigestType 1 and Digest "bLyuOwHYjd3d32AF8D2yWiw873g=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 17966, DigestType 2 and Digest "frSzDdn6Spf7TqSigK0Ghxco575fOHiESQQOCUtsG3Q=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: colnbase.design
colnbase.design
0 DS RR in the parent zone found



DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.Bitmap: NS, DS, RRSIG



0 DNSKEY RR found





Zone: www.colnbase.design
www.colnbase.design
0 DS RR in the parent zone found

Zone: (root)
(root)
1 DS RR published



Status: Valid because published



2 DNSKEY RR found



Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 8, KeyTag 33853, Flags 256



1 RRSIG RR to validate DNSKEY RR found



Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 01.04.2020, 00:00:00 +, Signature-Inception: 11.03.2020, 00:00:00 +, KeyTag 20326, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: com
com
1 DS RR in the parent zone found



1 RRSIG RR to validate DS RR found



Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 30.03.2020, 05:00:00 +, Signature-Inception: 17.03.2020, 04:00:00 +, KeyTag 33853, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 33853 used to validate the DS RRSet in the parent zone



2 DNSKEY RR found



Public Key with Algorithm 8, KeyTag 30909, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 8, KeyTag 56311, Flags 256



1 RRSIG RR to validate DNSKEY RR found



Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 31.03.2020, 18:24:21 +, Signature-Inception: 16.03.2020, 18:19:21 +, KeyTag 30909, Signer-Name: com



Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 31.03.2020, 18:24:21 +, Signature-Inception: 16.03.2020, 18:19:21 +, KeyTag 30909, Signer-Name: com



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 30909 used to validate the DNSKEY RRSet



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 30909 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 30909, DigestType 2 and Digest "4tPJFvbe6scylOgmj7WIUESoM/xUWViPSpGEz8QaV2Y=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: porkbun.com
porkbun.com
0 DS RR in the parent zone found



DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.Bitmap: NS, DS, RRSIG



0 DNSKEY RR found





Zone: pixie.porkbun.com
pixie.porkbun.com
0 DS RR in the parent zone found



0 DNSKEY RR found





3. Name Servers

DomainNameserverNS-IP
colnbase.design
  curitiba.porkbun.com / ip-172-31-2-194
54.149.143.189
Portland/Oregon/United States (US) - Amazon.com, Inc.


 
2600:1f14:35:3002:a3d9:9189:c51b:a79d
Portland/Oregon/United States (US) - Amazon.com, Inc.


  fortaleza.porkbun.com / ip-172-31-28-107
34.204.59.100
Ashburn/Virginia/United States (US) - Amazon.com, Inc.


 
2600:1f18:678f:4600:416:31fd:d6c9:5f13
Ashburn/Virginia/United States (US) - Amazon.com, Inc.


T  maceio.porkbun.com / ip-172-31-2-194
54.187.15.31
Portland/Oregon/United States (US) - Amazon.com, Inc.


 
2600:1f14:35:3002:92ed:24e2:a98d:dfb2
Portland/Oregon/United States (US) - Amazon.com, Inc.


  salvador.porkbun.com / ip-172-31-8-92
44.226.226.6
Portland/Oregon/United States (US) - Amazon.com, Inc.


 
2600:1f18:678f:4600:79ba:ec95:1bb3:5214
Ashburn/Virginia/United States (US) - Amazon.com, Inc.

design
  a.nic.design / NRDT-75SODK-AB8TIQ


  b.nic.design / FMCL-UEZCAO-YJSSPL


  c.nic.design / FMCL-UEZCAO-YJSSPL


  d.nic.design / NRDT-75SODK-AB8TIQ


pixie.porkbun.com
  ns-199.awsdns-24.com / 2d48f79e9daad54027f3eabd6f139bb0 -
205.251.192.199
Seattle/Washington/United States (US) - CenturyLink Communications, LLC


 
2600:9000:5300:c700::1
Seattle/Washington/United States (US) - Amazon.com

porkbun.com
  ns-1328.awsdns-38.org / 1b29eec228bf4b8881e88674b7952740 -


  ns-1982.awsdns-55.co.uk / da369b61976f44f749170702b4350392 -


  ns-199.awsdns-24.com / 2d48f79e9daad54027f3eabd6f139bb0 -


  ns-586.awsdns-09.net / b33157678086050c280887d0af1b9b24 -

com
  a.gtld-servers.net


  b.gtld-servers.net


  c.gtld-servers.net


  d.gtld-servers.net


  e.gtld-servers.net


  f.gtld-servers.net


  g.gtld-servers.net


  h.gtld-servers.net


  i.gtld-servers.net


  j.gtld-servers.net


  k.gtld-servers.net


  l.gtld-servers.net


  m.gtld-servers.net


4. SOA-Entries


Domain:design
Zone-Name:
Primary:ns0.centralnic.net
Mail:hostmaster.centralnic.net
Serial:262771
Refresh:900
Retry:1800
Expire:6048000
TTL:3600
num Entries:4


Domain:colnbase.design
Zone-Name:
Primary:maceio.porkbun.com
Mail:support.porkbun.com
Serial:1
Refresh:10800
Retry:3600
Expire:604800
TTL:3600
num Entries:8



Domain:com
Zone-Name:
Primary:a.gtld-servers.net
Mail:nstld.verisign-grs.com
Serial:1584446878
Refresh:1800
Retry:900
Expire:604800
TTL:86400
num Entries:12


Domain:com
Zone-Name:
Primary:a.gtld-servers.net
Mail:nstld.verisign-grs.com
Serial:1584446893
Refresh:1800
Retry:900
Expire:604800
TTL:86400
num Entries:1


Domain:porkbun.com
Zone-Name:
Primary:ns-199.awsdns-24.com
Mail:awsdns-hostmaster.amazon.com
Serial:1
Refresh:7200
Retry:900
Expire:1209600
TTL:86400
num Entries:4


Domain:pixie.porkbun.com
Zone-Name:
Primary:ns-199.awsdns-24.com
Mail:awsdns-hostmaster.amazon.com
Serial:1
Refresh:7200
Retry:900
Expire:1209600
TTL:86400
num Entries:2


5. Screenshots

No Screenshot listed, because no url-check with https + http status 200-299, 400-599 + not-ACME-check found.

6. Url-Checks


:

:
DomainnameHttp-StatusredirectSec.G
• http://www.colnbase.design/
44.227.65.245
307
http://colnbase.design
Html is minified: 109.09 %
0.424
D
Server: openresty
Date: Tue, 17 Mar 2020 12:09:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 168
Connection: close
Location: http://colnbase.design
X-Frame-Options: sameorigin

• http://colnbase.design

-1

0.047
R
NameResolutionFailure - The remote name could not be resolved: 'colnbase.design'

• https://www.colnbase.design/
44.227.65.245
-10

0.374
P
SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.

• http://www.colnbase.design/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
44.227.65.245
Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0
307
http://colnbase.design
Html is minified: 109.09 %
0.376
D
Visible Content: 307 Temporary Redirect openresty
Server: openresty
Date: Tue, 17 Mar 2020 12:09:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 168
Connection: close
Location: http://colnbase.design
X-Frame-Options: sameorigin

7. Comments


1. General Results, most used to calculate the result

Aname "colnbase.design" is domain, public suffix is "design", top-level-domain-type is "generic", tld-manager is "Top Level Design, LLC"
Agood: All ip addresses are public addresses
HSTS-Preload-Status: unknown. Domain never included in the Preload-list. Check https://hstspreload.org/ to learn some basics about the Google-Preload-List.
CError - no version with Http-Status 200
Dhttp://www.colnbase.design/ 44.227.65.245
307
http://colnbase.design
Wrong redirect one domain http to other domain http. First redirect to https without changing the domain, so no new dns query is required. So the server can send the HSTS header. That's fundamental using HSTS (Http Strict Transport Security). First step: Add correct redirects http ⇒ https. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop. Then recheck your domain, should be Grade C. There is the rule to select one https version as preferred version.
Dhttp://www.colnbase.design/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 44.227.65.245
307
http://colnbase.design
Wrong redirect one domain http to other domain http. First redirect to https without changing the domain, so no new dns query is required. So the server can send the HSTS header. That's fundamental using HSTS (Http Strict Transport Security). First step: Add correct redirects http ⇒ https. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop. Then recheck your domain, should be Grade C. There is the rule to select one https version as preferred version.
Hfatal error: No https - result with http-status 200, no encryption
Phttps://www.colnbase.design/ 44.227.65.245
-10

Error creating a TLS-Connection: IANA TLS Alert No. 40, handshake_failure. Receipt of a "handshake_failure" alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. SSL_ERROR_NO_CYPHER_OVERLAP (Mozilla) / ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome)
Rhttp://www.colnbase.design/ 44.227.65.245
307
http://colnbase.design
redirect to not existing domain
Rhttp://www.colnbase.design/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 44.227.65.245
307
http://colnbase.design
redirect to not existing domain
XFatal error: Nameserver doesn't support TCP connection: curitiba.porkbun.com / 54.149.143.189: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: curitiba.porkbun.com / 2600:1f14:35:3002:a3d9:9189:c51b:a79d: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: fortaleza.porkbun.com / 34.204.59.100: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: fortaleza.porkbun.com / 2600:1f18:678f:4600:416:31fd:d6c9:5f13: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: maceio.porkbun.com / 54.187.15.31: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: maceio.porkbun.com / 2600:1f14:35:3002:92ed:24e2:a98d:dfb2: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: salvador.porkbun.com / 44.226.226.6: ServerFailure
XFatal error: Nameserver doesn't support TCP connection: salvador.porkbun.com / 2600:1f18:678f:4600:79ba:ec95:1bb3:5214: ServerFailure

2. DNS- and NameServer - Checks

XNameserver Timeout checking Echo Capitalization: maceio.porkbun.com / 54.187.15.31
AGood: Nameserver supports EDNS with max. 512 Byte Udp payload, message is smaller: 8 good Nameserver
Nameserver doesn't pass all EDNS-Checks: maceio.porkbun.com / 54.187.15.31: OP100: ok. FLAGS: ok. V1: ok. V1OP100: ok. V1FLAGS: ok. DNSSEC: ok. V1DNSSEC: fatal timeout. NSID: ok (ip-172-31-2-194). COOKIE: ok. CLIENTSUBNET: ok.
AGood: All SOA have the same Serial Number
Agood: CAA entries found, creating certificate is limited: amazon.com is allowed to create wildcard-certificates
Agood: CAA entries found, creating certificate is limited: godaddy.com is allowed to create wildcard-certificates

3. Content- and Performance-critical Checks

Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
AInfo: No img element found, no alt attribute checked
AGood: Domainname is not on the "Specially Designated Nationals And Blocked Persons List" (SDN). That's an US-list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked and U.S. persons are generally prohibited from dealing with them. So if a domain name is on that list, it's impossible to create a Letsencrypt certificate with that domain name. Check the list manual - https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx
ADuration: 138116 milliseconds, 138.116 seconds


8. Connections

No connection informations found. Perhaps only http - connections.


9. Certificates

No certificate informations found. Perhaps only http - connections.


10. Last Certificates - Certificate Transparency Log Check

1. Source CertSpotter - active certificates (one check per day)

No CertSpotter - CT-Log entries found


2. Source crt.sh - old and new certificates, sometimes very slow - only certificates with "not after" > 2019 are listed

No CRT - CT-Log entries found


11. Html-Content - Entries

No Html-Content entries found. Only checked if https + status 200/401/403/404


12. Nameserver - IP-Adresses (alpha)

Required Root-climbing DNS-Queries to find ip addresses of all Name Servers:

No NameServer - IP address informations found. The feature is new (2020-05-07), so recheck this domain.


13. CAA - Entries

DomainnameflagNameValue∑ Queries∑ Timeout
www.colnbase.design



1
0
pixie.porkbun.com
0

no CAA entry found
1
0
colnbase.design
-2

Server failure - The name server was unable to process this query due to a problem with the name server
4
0
porkbun.com
9
issuewild
amazon.com
1
0

9
issuewild
godaddy.com
1
0
design
0

no CAA entry found
1
0
com
0

no CAA entry found
1
0


14. TXT - Entries

DomainnameTXT EntryStatus∑ Queries∑ Timeout
colnbase.design

Server failure - The name server was unable to process this query due to a problem with the name server
4
0
colnbase.design

Server failure - The name server was unable to process this query due to a problem with the name server
4
0
colnbase.design

Server failure - The name server was unable to process this query due to a problem with the name server
4
0
colnbase.design

Server failure - The name server was unable to process this query due to a problem with the name server
4
0
pixie.porkbun.com

ok
1
0
www.colnbase.design


1
0
_acme-challenge.colnbase.design


4
4
_acme-challenge.pixie.porkbun.com

missing entry or wrong length
1
0
_acme-challenge.www.colnbase.design


1
0
_acme-challenge.colnbase.design.colnbase.design


1
0
_acme-challenge.www.colnbase.design.colnbase.design


1
0
_acme-challenge.pixie.porkbun.com.pixie.porkbun.com

perhaps wrong
1
0
_acme-challenge.www.colnbase.design.www.colnbase.design


1
0


15. Portchecks

No Port checks



Permalink: https://check-your-website.server-daten.de/?i=39ed648a-095f-4633-bd8a-87769807d177


Last Result: https://check-your-website.server-daten.de/?q=colnbase.design - 2020-03-26 02:21:48


Do you like this page? Support this tool, add a link on your page:

<a href="https://check-your-website.server-daten.de/?q=colnbase.design" target="_blank">Check this Site: colnbase.design</a>