Check DNS, Urls + Redirects, Certificates and Content of your Website


Info: Problems with 3.048.289 Letsencrypt certificates (378.325 accounts). They must be revoked (revocation starts 2020-03-04 20:00 UTC) - see Revoking certain certificates on March 4. Update 2020-03-07: Good news: Mass-revocation is canceled.

This tool: A check (SerialNumber) is added. Letsencrypt has published a list of critical SerialNumbers, this list is checked. See the part "9. Certificates". If there is a warning, renew that certificate and replace the current certificate.




X

DNS-problem - authoritative Nameserver refused, not defined or timeout

Checked:
22.03.2020 14:39:09


Older results


1. IP-Addresses

HostTypeIP-Addressis auth.∑ Queries∑ Timeout
specko.duckdns.org
A
84.180.137.211
Mehlingen/Rheinland-Pfalz/Germany (DE) - Deutsche Telekom AG
Hostname: p54B489D3.dip0.t-ipconnect.de
yes
1
0

AAAA
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
Kaiserslautern/Rheinland-Pfalz/Germany (DE) - Deutsche Telekom AG

yes


www.specko.duckdns.org
A
84.180.137.211
Mehlingen/Rheinland-Pfalz/Germany (DE) - Deutsche Telekom AG
Hostname: p54B489D3.dip0.t-ipconnect.de
yes
1
0

AAAA
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
Kaiserslautern/Rheinland-Pfalz/Germany (DE) - Deutsche Telekom AG

yes



2. DNSSEC

Info: The Xml-split has triggered some hidden bugs. Now it looks ok.
If root or the top level zone isn't validated, it's buggy.
Both green and your domain is red -> it's your domain.

Zone (*)DNSSEC - Informations

Zone: (root)
(root)
1 DS RR published



Status: Valid because published



3 DNSKEY RR found



Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 8, KeyTag 33853, Flags 256



Public Key with Algorithm 8, KeyTag 48903, Flags 256



1 RRSIG RR to validate DNSKEY RR found



Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 11.04.2020, 00:00:00 +, Signature-Inception: 21.03.2020, 00:00:00 +, KeyTag 20326, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: org
org
2 DS RR in the parent zone found



1 RRSIG RR to validate DS RR found



Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 04.04.2020, 05:00:00 +, Signature-Inception: 22.03.2020, 04:00:00 +, KeyTag 33853, Signer-Name: (root)



Status: Good - Algorithmus 8 and DNSKEY with KeyTag 33853 used to validate the DS RRSet in the parent zone



4 DNSKEY RR found



Public Key with Algorithm 7, KeyTag 9795, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 7, KeyTag 17883, Flags 257 (SEP = Secure Entry Point)



Public Key with Algorithm 7, KeyTag 33209, Flags 256



Public Key with Algorithm 7, KeyTag 37022, Flags 256



3 RRSIG RR to validate DNSKEY RR found



Algorithm: 7, 1 Labels, original TTL: 900 sec, Signature-expiration: 07.04.2020, 15:28:16 +, Signature-Inception: 17.03.2020, 14:28:16 +, KeyTag 9795, Signer-Name: org



Algorithm: 7, 1 Labels, original TTL: 900 sec, Signature-expiration: 07.04.2020, 15:28:16 +, Signature-Inception: 17.03.2020, 14:28:16 +, KeyTag 17883, Signer-Name: org



Algorithm: 7, 1 Labels, original TTL: 900 sec, Signature-expiration: 07.04.2020, 15:28:16 +, Signature-Inception: 17.03.2020, 14:28:16 +, KeyTag 33209, Signer-Name: org



Status: Good - Algorithmus 7 and DNSKEY with KeyTag 9795 used to validate the DNSKEY RRSet



Status: Good - Algorithmus 7 and DNSKEY with KeyTag 17883 used to validate the DNSKEY RRSet



Status: Good - Algorithmus 7 and DNSKEY with KeyTag 33209 used to validate the DNSKEY RRSet



Status: Valid Chain of trust. Parent-DS with Algorithm 7, KeyTag 9795, DigestType 1 and Digest "Nk36s9ryVMq0d7VnWxB2bdqiSYI=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone



Status: Valid Chain of trust. Parent-DS with Algorithm 7, KeyTag 9795, DigestType 2 and Digest "OSKzG286TqkrGet7UhIPAx/Y4F/wsDuvz5+JG/5/+OU=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

Zone: duckdns.org
duckdns.org
0 DS RR in the parent zone found



DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.Bitmap: NS, DS, RRSIG



0 DNSKEY RR found





Zone: specko.duckdns.org
specko.duckdns.org
0 DS RR in the parent zone found



0 DNSKEY RR found





Zone: www.specko.duckdns.org
www.specko.duckdns.org
0 DS RR in the parent zone found


3. Name Servers

DomainNameserverNS-IP
www.specko.duckdns.org
U  ns1.duckdns.org


U  ns2.duckdns.org


U  ns3.duckdns.org

specko.duckdns.org
U  ns1.duckdns.org
54.187.92.222
Portland/Oregon/United States (US) - Amazon.com, Inc.


U  ns2.duckdns.org
54.191.117.119
Portland/Oregon/United States (US) - Amazon.com, Inc.


U  ns3.duckdns.org
52.26.169.94
Portland/Oregon/United States (US) - Amazon.com, Inc.

duckdns.org
U  ns1.duckdns.org


U  ns2.duckdns.org


U  ns3.duckdns.org

org
  a0.org.afilias-nst.info / ns000b.app21.ams2.afilias-nst.info


  a2.org.afilias-nst.info / 2.fra.pch


  b0.org.afilias-nst.org / ns000b.app8.ams2.afilias-nst.info


  b2.org.afilias-nst.org / 4.fra.pch


  c0.org.afilias-nst.info / app15.iad1.hosts.meta.redstone.afilias-nst.info-2


  d0.org.afilias-nst.org / ns000b.app6.ams2.afilias-nst.info


4. SOA-Entries


Domain:org
Zone-Name:
Primary:a0.org.afilias-nst.info
Mail:noc.afilias-nst.info
Serial:2013865691
Refresh:1800
Retry:900
Expire:604800
TTL:86400
num Entries:5


Domain:org
Zone-Name:
Primary:a0.org.afilias-nst.info
Mail:noc.afilias-nst.info
Serial:2013865692
Refresh:1800
Retry:900
Expire:604800
TTL:86400
num Entries:1


Domain:duckdns.org
Zone-Name:
Primary:ns1.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:duckdns.org
Zone-Name:
Primary:ns2.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:duckdns.org
Zone-Name:
Primary:ns3.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:specko.duckdns.org
Zone-Name:
Primary:ns1.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:specko.duckdns.org
Zone-Name:
Primary:ns2.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:specko.duckdns.org
Zone-Name:
Primary:ns3.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:www.specko.duckdns.org
Zone-Name:
Primary:ns1.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:www.specko.duckdns.org
Zone-Name:
Primary:ns2.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


Domain:www.specko.duckdns.org
Zone-Name:
Primary:ns3.duckdns.org
Mail:hostmaster.duckdns.org
Serial:2019170803
Refresh:6000
Retry:120
Expire:2419200
TTL:600
num Entries:1


5. Screenshots

Startaddress: https://www.specko.duckdns.org, address used: https://www.specko.duckdns.org/, Screenshot created 2020-03-22 14:43:27 +00:0 url is insecure, certificate invalid

Mobil (412px x 732px)

729 milliseconds

Screenshot mobile - https://www.specko.duckdns.org/
Mobil + Landscape (732px x 412px)

749 milliseconds

Screenshot mobile landscape - https://www.specko.duckdns.org/
Screen (1280px x 1680px)

7227 milliseconds

Screenshot Desktop - https://www.specko.duckdns.org/

Mobile- and other Chrome-Checks

widthheight
visual Viewport412732
content Size412732

Good: No horizontal scrollbar. Content-size width = visual Viewport width.

Chrome-Connection: secure. secure connection settings. The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM.

Chrome-Resources : secure. all served securely. All resources on this page are served securely.

6. Url-Checks


:

:
DomainnameHttp-StatusredirectSec.G
• http://specko.duckdns.org/
84.180.137.211
302
https://specko.duckdns.org/
Html is minified: 100.00 %
0.057
A
Date: Sun, 22 Mar 2020 13:41:47 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Location: https://specko.duckdns.org/
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

• http://www.specko.duckdns.org/
84.180.137.211
302
https://www.specko.duckdns.org/
Html is minified: 100.00 %
0.080
A
Date: Sun, 22 Mar 2020 13:41:47 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Location: https://www.specko.duckdns.org/
Content-Length: 215
Connection: close
Content-Type: text/html; charset=iso-8859-1

• http://specko.duckdns.org/
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.043
T
Timeout - The operation has timed out

• http://www.specko.duckdns.org/
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.037
T
Timeout - The operation has timed out

• https://specko.duckdns.org/
84.180.137.211
302
https://specko.duckdns.org/index.php/login
2.756
N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Date: Sun, 22 Mar 2020 13:42:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-MXFHVUdGcTFLREgvWWU1cEU1MGFkNmFYcnRjNytVaDhNZWpGSHJ1TWpoQT06anNYRlN4TEFYMzJJVG9OZWZ1MUpMc0w5NUx0VG15c3ZZdCtBYkpEKzF5Zz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Set-Cookie: oc0l54h6fc4e=utg72em60b8li25216l8naca9v; Path=/; Domain=specko.duckdns.org; HttpOnly; Secure,oc_sessionPassphrase=h4ioe9i%2FaJV14mSucTOH9CTavLAXzNLtr2jyjWl5MPoq6ftsnK1rjM0P3Srwy2LKVr%2B3igRIX2I%2F19vRTOQ2NFFSdUPcS4pifKYQlgdQzIBj9LGiOUKF074yxjb%2FEnjg; Path=/; Domain=specko.duckdns.org; HttpOnly; Secure,__Host-nc_sameSiteCookielax=true; Path=/; Domain=specko.duckdns.org; Expires=2101-01-01 00:59:59; HttpOnly; Secure,__Host-nc_sameSiteCookiestrict=true; Path=/; Domain=specko.duckdns.org; Expires=2101-01-01 00:59:59; HttpOnly; Secure
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Upgrade: h2,h2c
Connection: Upgrade, close
Location: https://specko.duckdns.org/index.php/login
Content-Length: 0
Content-Type: text/html; charset=UTF-8

• https://specko.duckdns.org/
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.016
T
Timeout - The operation has timed out

• https://www.specko.duckdns.org/
84.180.137.211
400

Html is minified: 106.88 %
2.610
N
Bad Request
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Date: Sun, 22 Mar 2020 13:42:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-T2dvQ0dDYk9OYVA1SFRkTFQwTVlKaTRHeTNQdlNJTUVVdVZwM08vQnlIVT06ZEU5VWRrcjRXcE9VU2dRQkEzUlFmSHBjaUJ1NkVMSjFONWNnaEpXUW5FUT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Set-Cookie: oc0l54h6fc4e=g9qtbpe8nq9hlmfhdqo4rrqucr; Path=/; Domain=www.specko.duckdns.org; HttpOnly; Secure,oc_sessionPassphrase=aBGUWWAcKchdWGMv3tV7EofKGgf8frAnV9AkMu%2BRXgYQMkkX5iaNVzt3hKcOyKwZwWiqm8teUWcLPajmBnAPugOTkv1ctVbedPj1B5ZR2VOhLqCnM8zjglOYmyhTG96Q; Path=/; Domain=www.specko.duckdns.org; HttpOnly; Secure,__Host-nc_sameSiteCookielax=true; Path=/; Domain=www.specko.duckdns.org; Expires=2101-01-01 00:59:59; HttpOnly; Secure,__Host-nc_sameSiteCookiestrict=true; Path=/; Domain=www.specko.duckdns.org; Expires=2101-01-01 00:59:59; HttpOnly; Secure
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Upgrade: h2,h2c
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

• https://www.specko.duckdns.org/
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.027
T
Timeout - The operation has timed out

• https://specko.duckdns.org/index.php/login

-14

10.037
T
Timeout - The operation has timed out

• http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
84.180.137.211
Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0
302
https://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Html is minified: 100.00 %
0.066
A
Visible Content: Found The document has moved here .
Date: Sun, 22 Mar 2020 13:42:33 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Location: https://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Content-Length: 280
Connection: close
Content-Type: text/html; charset=iso-8859-1

• http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
84.180.137.211
Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0
302
https://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Html is minified: 100.00 %
0.053
A
Visible Content: Found The document has moved here .
Date: Sun, 22 Mar 2020 13:42:33 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Location: https://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
Content-Length: 284
Connection: close
Content-Type: text/html; charset=iso-8859-1

• http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.007
T
Timeout - The operation has timed out
Visible Content:

• http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

10.034
T
Timeout - The operation has timed out
Visible Content:

• https://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

-14

10.023
T
Timeout - The operation has timed out
Visible Content:

• https://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

-14

10.023
T
Timeout - The operation has timed out
Visible Content:

7. Comments


1. General Results, most used to calculate the result

Aname "specko.duckdns.org" is domain, public suffix is "duckdns.org", top-level-domain-type is "generic", tld-manager is "Public Interest Registry (PIR)"
Agood: All ip addresses are public addresses
Agood: every cookie sent via https is marked as secure
Agood: every https has a Strict Transport Security Header
Agood: HSTS has includeSubdomains - directive
Agood: HSTS has preload directive
Warning: HSTS preload sent, but not in Preload-List. Never send a preload directive if you don't know what preload means. Check https://hstspreload.org/ to learn the basics about the Google-Preload list. If you send a preload directive, you should **immediately** add your domain to the HSTS preload list via https://hstspreload.org/ . If Google accepts the domain, so the status is "pending": Note that new entries are hardcoded into the Chrome source code and can take several months before they reach the stable version. So you will see this message some months. If you don't want that or if you don't understand "preload", but if you send a preload directive and if you have correct A-redirects, everybody can add your domain to that list. Then you may have problems, it's not easy to undo that. So if you don't want your domain preloaded, remove the preload directive.
HSTS-Preload-Status: unknown. Domain never included in the Preload-list. Check https://hstspreload.org/ to learn some basics about the Google-Preload-List.
Ahttp://specko.duckdns.org/ 84.180.137.211
302
https://specko.duckdns.org/
correct redirect http - https with the same domain name
Ahttp://www.specko.duckdns.org/ 84.180.137.211
302
https://www.specko.duckdns.org/
correct redirect http - https with the same domain name
Bwarning: HSTS max-age is too short - minimum 31536000 = 365 days required, 15768000 seconds = 182 days found
CError - no version with Http-Status 200
Hfatal error: No https - result with http-status 200, no encryption
Khttp://specko.duckdns.org/ 84.180.137.211, Status 302

http://specko.duckdns.org/ 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Khttp://www.specko.duckdns.org/ 84.180.137.211, Status 302

http://www.specko.duckdns.org/ 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Khttps://specko.duckdns.org/ 84.180.137.211, Status 302

https://specko.duckdns.org/ 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Khttps://www.specko.duckdns.org/ 84.180.137.211, Status 400

https://www.specko.duckdns.org/ 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Khttp://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.180.137.211, Status 302

http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Khttp://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.180.137.211, Status 302

http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14
configuration problem - different ip addresses with different status
Mhttps://www.specko.duckdns.org/ 84.180.137.211
400

Misconfiguration - main pages should never send http status 400 - 499
Nhttps://specko.duckdns.org/ 84.180.137.211
302
https://specko.duckdns.org/index.php/login
Error - Certificate isn't trusted, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Nhttps://www.specko.duckdns.org/ 84.180.137.211
400

Error - Certificate isn't trusted, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
XFatal error: Nameserver isn't defined or has timeout
XFatal error: Nameserver doesn't support TCP connection: ns1.duckdns.org: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 54.187.92.222:53
XFatal error: Nameserver doesn't support TCP connection: ns1.duckdns.org / 54.187.92.222: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 54.187.92.222:53
XFatal error: Nameserver doesn't support TCP connection: ns2.duckdns.org: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 54.191.117.119:53
XFatal error: Nameserver doesn't support TCP connection: ns2.duckdns.org / 54.191.117.119: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 54.191.117.119:53
XFatal error: Nameserver doesn't support TCP connection: ns3.duckdns.org: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 52.26.169.94:53
XFatal error: Nameserver doesn't support TCP connection: ns3.duckdns.org / 52.26.169.94: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 52.26.169.94:53

2. DNS- and NameServer - Checks

AGood: Consistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone. Ordered list of name servers: ns1.duckdns.org,ns2.duckdns.org,ns3.duckdns.org
AGood: Nameserver supports Echo Capitalization: 3 good Nameserver
AGood: Nameserver supports EDNS with max. 512 Byte Udp payload, message is smaller: 3 good Nameserver
Nameserver doesn't pass all EDNS-Checks: ns1.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns1.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns1.duckdns.org / 54.187.92.222: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns2.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns2.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns2.duckdns.org / 54.191.117.119: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns3.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns3.duckdns.org: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
Nameserver doesn't pass all EDNS-Checks: ns3.duckdns.org / 52.26.169.94: OP100: ok. FLAGS: ok. V1: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. V1OP100: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found, no OPT100 expected, no OPT100 found. V1FLAGS: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. DNSSEC: ok. V1DNSSEC: SOA NOT expected, but found, BADVER expected, NOERR found, Version 0 expectend and found. NSID: ok. COOKIE: ok. CLIENTSUBNET: ok.
AGood: All SOA have the same Serial Number
Warning: No CAA entry with issue/issuewild found, every CAA can create a certificate. Read https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization to learn some basics about the idea of CAA. Your name server must support such an entry. Not all dns providers support CAA entries.

3. Content- and Performance-critical Checks

http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6
-14

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
https://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
-14

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
https://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
-14

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14

http://specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.180.137.211, Status 302
Fatal: Check of /.well-known/acme-challenge/random-filename has different answers checking ipv6 / ipv4. Ipv6 doesn't have the expected result http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 validation may not work. Checking the validation file in /.well-known/acme-challenge Letsencrypt prefers ipv6. Two options: Remove your ipv6 / AAAA DNS entry or (better) fix your ipv6, so your webserver handles ipv6 correct. Perhaps add "Listen [::]:80". Don't use <VirtualHost ip-address:80>, switch to <VirtualHost *:80>. If you use IIS, check your bindings. Don't select a single ip address. Use this tool to check your raw ipv6 address. Add your domain name in the "Hostname" - field. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2003:c2:17ff:3a43:464e:6dff:fedc:6bf6, Status -14

http://www.specko.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.180.137.211, Status 302
Fatal: Check of /.well-known/acme-challenge/random-filename has different answers checking ipv6 / ipv4. Ipv6 doesn't have the expected result http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 validation may not work. Checking the validation file in /.well-known/acme-challenge Letsencrypt prefers ipv6. Two options: Remove your ipv6 / AAAA DNS entry or (better) fix your ipv6, so your webserver handles ipv6 correct. Perhaps add "Listen [::]:80". Don't use <VirtualHost ip-address:80>, switch to <VirtualHost *:80>. If you use IIS, check your bindings. Don't select a single ip address. Use this tool to check your raw ipv6 address. Add your domain name in the "Hostname" - field. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
AGood: All checked attribute values are enclosed in quotation marks (" or ').
AInfo: No img element found, no alt attribute checked
AGood: Domainname is not on the "Specially Designated Nationals And Blocked Persons List" (SDN). That's an US-list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked and U.S. persons are generally prohibited from dealing with them. So if a domain name is on that list, it's impossible to create a Letsencrypt certificate with that domain name. Check the list manual - https://www.treasury.gov/resource-center/sanctions/sdn-list/pages/default.aspx
http://specko.duckdns.org/ 84.180.137.211
302

Warning: HSTS header sent via http has no effect
http://www.specko.duckdns.org/ 84.180.137.211
302

Warning: HSTS header sent via http has no effect
ADuration: 262454 milliseconds, 262.454 seconds


8. Connections

DomainIPPortCert.ProtocolKeyExchangeStrengthCipherStrengthHashAlgorithmOCSP stapling
Domain/KeyExchangeIP/StrengthPort/CipherCert./StrengthProtocol/HashAlgorithmOCSP stapling
specko.duckdns.org
84.180.137.211
443
Certificate/chain invalid and wrong name
Tls12
ECDH Ephermal
255
Aes128
128
Sha256
error checking OCSP stapling
ok
specko.duckdns.org
84.180.137.211
443
Certificate/chain invalid and wrong name
Tls12

ECDH Ephermal
255
Aes128
128
Sha256
error checking OCSP stapling
ok
http/2 via ALPN supported 
Tls.1.2
Tls.1.1
Tls.1.0
http/2 via ALPN supported
Tls.1.2
Tls.1.1
Tls.1.0
Self signed certificate
1CN=localhost


www.specko.duckdns.org
84.180.137.211
443
Certificate/chain invalid and wrong name
Tls12
ECDH Ephermal
255
Aes128
128
Sha256
error checking OCSP stapling
ok

www.specko.duckdns.org
84.180.137.211
443
Certificate/chain invalid and wrong name
Tls12

ECDH Ephermal
255
Aes128
128
Sha256
error checking OCSP stapling
ok
http/2 via ALPN supported 
Tls.1.2
Tls.1.1
Tls.1.0
http/2 via ALPN supported
Tls.1.2
Tls.1.1
Tls.1.0
Self signed certificate
1CN=localhost


9. Certificates

1.
1.
CN=localhost
13.03.2020
11.03.2030
expires in 3572 days
localhost - 1 entry
1.
1.
CN=localhost
13.03.2020

11.03.2030
expires in 3572 days
localhost - 1 entry

KeyalgorithmRSA encryption (2048 bit)
Signatur:SHA256 With RSA-Encryption
Serial Number:6B1188764FDD1624FB1447F92F30F115E7A607FD
Thumbprint:2BCBD2500B4483F6E5F48BD4D31C3104D9F22917
SHA256 / Certificate:TuGGo8cSKdS3chCSXeeTxDFga1ZcR0druaBTY0UoTMI=
SHA256 hex / Cert (DANE * 0 1):e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256 hex / PublicKey (DANE * 1 1):
SHA256 hex / Subject Public Key Information (SPKI):706648323946b94a7802e9cd635fb551dc8030657a2a080fb67457954ad69896
SPKI checked via https://v1.pwnedkeys.com/spki-hash:Good: Key isn't compromised
OCSP - Url:
OCSP - must staple:no
Certificate Transparency:no

UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


10. Last Certificates - Certificate Transparency Log Check

1. Source CertSpotter - active certificates (one check per day)

No CertSpotter - CT-Log entries found


2. Source crt.sh - old and new certificates, sometimes very slow - only certificates with "not after" > 2019 are listed

No CRT - CT-Log entries found


11. Html-Content - Entries

No Html-Content entries found. Only checked if https + status 200/401/403/404


12. Nameserver - IP-Adresses (alpha)

Required Root-climbing DNS-Queries to find ip addresses of all Name Servers:

No NameServer - IP address informations found. The feature is new (2020-05-07), so recheck this domain.


13. CAA - Entries

DomainnameflagNameValue∑ Queries∑ Timeout
www.specko.duckdns.org



1
0
specko.duckdns.org



1
0
duckdns.org
0

no CAA entry found
1
0
org
0

no CAA entry found
1
0


14. TXT - Entries

DomainnameTXT EntryStatus∑ Queries∑ Timeout
specko.duckdns.org

ok
1
0
www.specko.duckdns.org

ok
1
0
_acme-challenge.specko.duckdns.org

missing entry or wrong length
1
0
_acme-challenge.www.specko.duckdns.org

missing entry or wrong length
1
0
_acme-challenge.specko.duckdns.org.specko.duckdns.org

perhaps wrong
1
0
_acme-challenge.www.specko.duckdns.org.specko.duckdns.org

perhaps wrong
1
0
_acme-challenge.www.specko.duckdns.org.www.specko.duckdns.org

perhaps wrong
1
0


15. Portchecks

No Port checks



Permalink: https://check-your-website.server-daten.de/?i=7da9a614-bdfe-4d10-a773-77a612824037


Last Result: https://check-your-website.server-daten.de/?q=specko.duckdns.org - 2020-03-22 14:39:09


Do you like this page? Support this tool, add a link on your page:

<a href="https://check-your-website.server-daten.de/?q=specko.duckdns.org" target="_blank">Check this Site: specko.duckdns.org</a>