This server answers DNS queries for gadget names under zone dnssrc.fibrecat.org. Each name returns a specific value (your IP, a counter, time, etc.). Copy and paste the dig commands below.
Use dig @dnssrc.fibrecat.org … to query this server directly, or use your normal resolver so it forwards to this server.
Your client's IP address. TXT is recommended so you always get the real address. Both A and AAAA records are returned for DNSSEC; if the packet came via IPv6, A is 0.0.0.0 (placeholder), and if via IPv4, AAAA is :: (placeholder). Alias: ip.dnssrc.fibrecat.org.
dig +short myip.dnssrc.fibrecat.org TXT
dig +short ip.dnssrc.fibrecat.org TXT
dig +short myip.dnssrc.fibrecat.org A
dig +short myip.dnssrc.fibrecat.org AAAA
Your client's source port (TXT). Alias: port.dnssrc.fibrecat.org.
dig +short myport.dnssrc.fibrecat.org TXT
dig +short port.dnssrc.fibrecat.org TXT
Your client's address and port (TXT, two strings). Alias: addr.dnssrc.fibrecat.org.
dig +short myaddr.dnssrc.fibrecat.org TXT
dig +short addr.dnssrc.fibrecat.org TXT
URL-like representation of how the client connected (TXT): doh://<ip4>:<port>, dot://[<ipv6>]:<port>, doq://, udp://, or tcp://.
dig +short connection.dnssrc.fibrecat.org TXT
dig +short myconnection.dnssrc.fibrecat.org TXT
Per-server incrementing counter (TXT).
dig +short counter.dnssrc.fibrecat.org TXT
Random value (A, AAAA, or TXT).
dig +short random.dnssrc.fibrecat.org A
dig +short random.dnssrc.fibrecat.org AAAA
dig +short random.dnssrc.fibrecat.org TXT
Transport used: UDP, TCP, DoT, DoH, or DoQ (TXT).
dig +short protocol.dnssrc.fibrecat.org TXT
Current time in milliseconds (TXT), with TTL = N seconds (0–86400). Example: timestamp-60, timestamp-0.
dig +short timestamp-60.dnssrc.fibrecat.org TXT
dig +short timestamp-0.dnssrc.fibrecat.org TXT
Current Unix time in seconds, with TTL = N (0–86400). Example: ttl-60, ttl-0.
dig +short ttl-60.dnssrc.fibrecat.org TXT
dig +short ttl-0.dnssrc.fibrecat.org TXT
EDNS options present on the request (TXT).
dig +short edns.dnssrc.fibrecat.org TXT
EDNS Client Subnet from the request (TXT).
dig +short edns-cs.dnssrc.fibrecat.org TXT
dig +short ecs.dnssrc.fibrecat.org TXT
EDNS Cookie (RFC 7873) from the request, echoed as TXT. Use +cookie with dig to send a cookie.
dig +short +cookie cookie.dnssrc.fibrecat.org TXT
Response wire size approximately N bytes (128–4096). Uses EDNS padding (TXT).
dig +short size-256.dnssrc.fibrecat.org TXT
Delay the response by N milliseconds, or by a random number of milliseconds between X and Y (inclusive). Useful for timeout and latency testing. Example: delay-500, delay-100-500.
dig +short delay-500.dnssrc.fibrecat.org TXT
dig +short delay-100-500.dnssrc.fibrecat.org TXT
QNAME minimization testing (RFC 7816). Query any name under *.qname-min.dnssrc.fibrecat.org (e.g. a.b.c.d.zzzzzzz.qname-min.dnssrc.fibrecat.org). The TXT response includes the QNAME received and the sequence of qnames the server saw from that resolver (oldest first), with the number of requests—e.g. qname-min.dnssrc.fibrecat.org, then zzzzzzz.qname-min.dnssrc.fibrecat.org, then d.zzzzzzz.qname-min.dnssrc.fibrecat.org. Because all names are in the same zone on this server, the full sequence is visible.
dig +short zzzzzzz.qname-min.dnssrc.fibrecat.org TXT
dig +short a.b.c.d.zzzzzzz.qname-min.dnssrc.fibrecat.org TXT
These names deliberately break DNSSEC so you can check that your resolver validates (you should get SERVFAIL or no answer when validation is on). All fail-case names live under dnssec-failed.dnssrc.fibrecat.org.
sig-fail.dnssec-failed.dnssrc.fibrecat.org — invalid RRSIG (corrupted signature)
rrsig-expired.dnssec-failed.dnssrc.fibrecat.org — RRSIG validity in the past (expired)
rrsig-future.dnssec-failed.dnssrc.fibrecat.org — RRSIG validity in the future (not yet valid)
nsec-missing.dnssec-failed.dnssrc.fibrecat.org — NODATA without NSEC
nsec-wrong-next.dnssec-failed.dnssrc.fibrecat.org — NSEC with wrong NextDomain (chain broken)
rrsig-wrong-alg.dnssec-failed.dnssrc.fibrecat.org — RRSIG claims wrong algorithm
rrsig-wrong-rrset.dnssec-failed.dnssrc.fibrecat.org — RRSIG signed over wrong RRset
rrsig-missing.dnssec-failed.dnssrc.fibrecat.org — RRset with no RRSIG
nsec3-instead.dnssec-failed.dnssrc.fibrecat.org — NSEC3 in response (zone is NSEC-only)
dig +short sig-fail.dnssec-failed.dnssrc.fibrecat.org A
dig +short rrsig-expired.dnssec-failed.dnssrc.fibrecat.org A
dig +short nsec-missing.dnssec-failed.dnssrc.fibrecat.org A
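An added example (not part of this page or the server's own tooling): a shell script that reads full dig output, not +short, for the fail-case names above and reports whether the resolver rejected the bogus data. Treating an empty NOERROR answer as inconclusive is an assumption made here, because +short cannot tell SERVFAIL from an empty answer; the function names and the sample header lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the project's.
ZONE="dnssec-failed.dnssrc.fibrecat.org"
# Fail-case labels listed on the page.
FAIL_NAMES="sig-fail rrsig-expired rrsig-future nsec-missing nsec-wrong-next
rrsig-wrong-alg rrsig-wrong-rrset rrsig-missing nsec3-instead"

# Read full dig output on stdin; print VALIDATING, NOT_VALIDATING or INCONCLUSIVE.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo VALIDATING ;;        # resolver rejected the bogus data
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then
                echo NOT_VALIDATING         # bogus record reached the client
            else
                echo INCONCLUSIVE           # assumption: empty NOERROR proves nothing
            fi ;;
        *) echo INCONCLUSIVE ;;             # timeout, REFUSED, or no header seen
    esac
}

# Constructed sample: the two header lines in the shape dig prints them.
sample_dig_output() {   # $1 = status, $2 = answer count
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242\n' "$1"
    printf ';; flags: qr rd ra; QUERY: 1, ANSWER: %s, AUTHORITY: 0, ADDITIONAL: 1\n' "$2"
}

# Live run (needs network and dig): $1 is an optional @resolver argument.
check_resolver() {
    for label in $FAIL_NAMES; do
        printf '%-20s ' "$label"
        dig ${1:+"$1"} "$label.$ZONE" A +time=3 +tries=1 | classify_dig_output
    done
}

if [ "${1:-}" = "--live" ]; then
    check_resolver "${2:-}"
else
    # Offline demonstration on the constructed samples.
    sample_dig_output SERVFAIL 0 | classify_dig_output
    sample_dig_output NOERROR 1 | classify_dig_output
fi
```

Run it with --live to query through your normal resolver; any NOT_VALIDATING line means that fail case was accepted.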
Port and transaction ID entropy check. The browser triggers DNS lookups; results show source port and ID randomness (GREAT/GOOD/POOR).
Open /entropy to run the check.
You need a modern dig (BIND 9.17+ for +https, BIND 9.19+ for +tls). Query directly at this server (@dnssrc.fibrecat.org), not via a recursive resolver.
DoT (port 853):
dig +tls @dnssrc.fibrecat.org myip.dnssrc.fibrecat.org A
dig +short +tls @dnssrc.fibrecat.org counter.dnssrc.fibrecat.org TXT
DoH (port 443, path /dns-query):
dig +https @dnssrc.fibrecat.org myip.dnssrc.fibrecat.org A
dig +short +https @dnssrc.fibrecat.org counter.dnssrc.fibrecat.org TXT
DoQ (port 8853): dig doesn't support DNS over QUIC. Use the doggo client (install: go install github.com/mr-karan/doggo/cmd/doggo@latest or brew install doggo). Query directly at this server:
doggo myip.dnssrc.fibrecat.org @quic://dnssrc.fibrecat.org:8853
doggo TXT counter.dnssrc.fibrecat.org @quic://dnssrc.fibrecat.org:8853 --short
Recursive–to–authority security: Today, stub→recursive and recursive→authority are often unencrypted. The DELEG (Extensible Delegation for DNS) internet draft aims to allow delegation records to carry server capabilities (e.g. DoT/DoH), so recursive resolvers can securely reach authoritative servers in the future.
Record a query for a token, then open the dashboard in a browser. Replace mytoken with any label.
dig +short mytoken.diag.dnssrc.fibrecat.org TXT
Then open https://diag.dnssrc.fibrecat.org/ to enter your token, or go directly to https://diag.dnssrc.fibrecat.org/<token> to view recorded queries for that token.