Sends small test packets to a server and measures how long they take to come back. Like shouting across a room and timing the echo. If packets don't come back — the server is unreachable or blocking ICMP. Packet loss % tells you how reliable the connection is.

Shows every router ("hop") your traffic passes through on the way to a server. Like tracking a parcel at each delivery stop. A * * * at a hop means that router isn't responding. If hops stop at your ISP — the ISP is the problem. traceroute on Linux/Mac, tracert on Windows.

The best of ping + traceroute combined. Shows every hop in real-time with live packet loss and latency stats. Much better for diagnosing intermittent issues than a one-time traceroute snapshot. Install on Linux/Mac with brew install mtr.

The standard DNS lookup tool. Asks a DNS server "what IP address does this domain point to?" and shows the full response. Much more detailed than nslookup. dig +trace follows the full DNS chain from root servers down — essential for debugging DNS delegation issues.

Simpler DNS lookup tool available on all platforms including Windows. Good for quick checks. You can also specify a DNS server to query — useful to test if a specific resolver (like Google's 8.8.8.8) sees the same records as your default one.

The most powerful command for testing HTTP/HTTPS. Makes actual web requests and shows you everything — headers, status codes, TLS certificates, redirects. -I fetches only headers. -v shows verbose output including the full TLS handshake. -L follows redirects.

Connects directly to a server's SSL/TLS port and shows you the full certificate chain, expiry dates, issuer, and negotiated cipher suite. Indispensable for debugging HTTPS issues, certificate mismatches, and expired certs without needing a browser.

Looks up domain registration information — who registered it, through which registrar, when it expires, and what nameservers it uses. Critical for checking if a domain has expired or been transferred to the wrong registrar.

Tests raw TCP port connectivity — does the port actually accept connections? If telnet example.com 443 connects, the port is open at the network level. If it hangs or refuses, there's a firewall or the service isn't running. nc -zv is the modern alternative.

Network port scanner. Scans a host to find which ports are open, closed, or filtered. Used to verify which services are exposed. Use responsibly — only scan servers you own or have permission to test.

Maps a domain name to an IPv4 address. The most fundamental DNS record. When you visit example.com, your browser first looks up its A record to find the IP address of the server to connect to.

Same as A record but for IPv6 addresses. IPv6 is the newer, longer address format (e.g. 2606:2800:220:1:248:1893:25c8:1946). Many sites have both A and AAAA records. If only AAAA exists and the user's network doesn't support IPv6, the site won't load.

An alias — points one domain name to another domain name (not an IP). Common with CDNs: www.example.com → example.cdn.net. The CDN then resolves to an IP. You can't have a CNAME on an apex/root domain (e.g. bare example.com) — only on subdomains.

Specifies which mail server handles email for the domain. Without correct MX records, email won't be delivered. The number before the hostname is priority — lower number = higher priority. Multiple MX records provide redundancy.

Nameserver records — specifies which DNS servers are authoritative for the domain. These are the servers that hold all other records. If NS records are wrong, nothing else works. Changing NS records (e.g. moving from GoDaddy DNS to Cloudflare) can take up to 48 hours to propagate.

Free-text records used for domain verification and email authentication. Common uses: SPF (email sending rules), DMARC (email policy), DKIM (email signing), Google/Microsoft domain ownership verification, and Cloudflare challenges.

The opposite of an A record — maps an IP address back to a hostname. Critical for email servers (receiving mail servers check PTR records to verify the sender). If a server's IP doesn't have a matching PTR record, emails sent from it are likely to be marked as spam.

Certificate Authority Authorization — specifies which Certificate Authorities are allowed to issue SSL certs for the domain. A security measure to prevent rogue CAs from issuing fake certificates. If no CAA record exists, any CA can issue a cert.

Sender Policy Framework — a TXT record that lists which servers are authorised to send email on behalf of your domain. Prevents spammers from forging your domain as the sender. If a server not listed in SPF sends email claiming to be from your domain, receiving servers can reject it.

Domain-based Message Authentication — tells receiving mail servers what to do with emails that fail SPF/DKIM checks. p=none = monitor only. p=quarantine = send to spam. p=reject = block completely. Without DMARC, your domain can easily be spoofed.

DomainKeys Identified Mail — adds a cryptographic signature to outgoing emails. The public key is stored in DNS. Receiving servers verify the signature to confirm the email genuinely came from your domain and wasn't tampered with in transit.

Every HTTP response has a 3-digit code:

2xx Success — 200 OK (all good)
3xx Redirect — 301 Permanent, 302 Temporary redirect
4xx Client error — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5xx Server error — 500 Internal Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout

SSL (now TLS) is the encryption layer behind HTTPS. When you visit https://, your browser and the server do a "TLS handshake" to establish an encrypted connection. A valid SSL certificate proves the server is who it claims to be. Expired or misconfigured certs cause browser warnings and connection failures.

Cross-Origin Resource Sharing — a browser security policy that restricts web pages from making requests to a different domain than the one that served the page. This is why the Run Checks tool can't read actual HTTP response codes — the browser blocks it. Not a network problem, just a browser restriction.

When you change a DNS record, it doesn't update everywhere instantly. Each DNS server caches records for the TTL (Time To Live) duration — often 5 minutes to 48 hours. During propagation, some users see the old IP and some see the new one depending on which DNS server they're using.

A unique number assigned to a network operator (ISP, cloud provider, CDN). AS13335 = Cloudflare, AS16509 = Amazon AWS, AS15169 = Google. When diagnosing routing issues, the ASN tells you exactly which company's network is involved. BGP routing problems often involve specific ASNs.

The routing protocol that connects the internet — it's how networks tell each other which IP addresses they own and how to reach them. BGP hijacking or route leaks can cause traffic to be misdirected to the wrong network, making sites unreachable or insecure.

A network of servers distributed globally that caches and serves content from the location closest to the user. Cloudflare, Fastly, Akamai, and AWS CloudFront are major CDNs. When a CDN is in front of your site, the IP you see in DNS belongs to the CDN, not your actual server.

DNS Security Extensions — adds cryptographic signatures to DNS records to prevent attackers from forging DNS responses (DNS spoofing/cache poisoning). The AD (Authenticated Data) flag in a DNS response means the records have been cryptographically verified. Not all domains use DNSSEC.

Real-time Blackhole List — databases of IP addresses known to send spam or malicious traffic. Mail servers check these to decide whether to accept or reject incoming email. Spamhaus, Barracuda, SORBS, SpamCop are the major ones. If your server IP is listed, email will be blocked or marked as spam.

Two meanings in networking: (1) DNS TTL — how many seconds a DNS record is cached before being re-queried. Lower TTL = faster DNS changes propagate. (2) Packet TTL — how many router hops a packet can traverse before being discarded. traceroute exploits this to map the route.

Latency = how long a round-trip takes (milliseconds). High latency = slow but working. Packet loss = percentage of packets that never arrive. Even 1% packet loss causes significant TCP performance degradation. Both are measured by ping and mtr. Loss at a hop in traceroute doesn't always mean a problem — some routers deprioritise ICMP.

Protocols for querying domain registration information. WHOIS is the older standard; RDAP is the modern JSON-based replacement. Both tell you: registrar, registration date, expiry date, nameservers, and domain status (e.g. clientTransferProhibited = domain is locked against transfer).

Checks DNS propagation from 20+ DNS servers worldwide simultaneously. If you changed a DNS record, this shows you which regions have picked up the new value and which still see the old one.

Deep SSL/TLS analysis tool. Grades your HTTPS configuration A–F and checks: certificate chain, expiry, cipher suites, HSTS, TLS version support, and known vulnerabilities. Free and authoritative — many security audits reference SSL Labs grades.

All-in-one diagnostic tool. Does DNS, MX, blacklist, SMTP, SPF, DKIM, and DMARC checks from one interface. The Domain Health report runs all checks at once and is a great starting point for email deliverability problems.

Hurricane Electric's BGP toolkit. Look up any IP or domain to see its BGP routing data, ASN, prefix, and network paths. Essential for diagnosing routing anomalies, BGP leaks, and understanding which upstream networks carry traffic to a host.

Searches the Certificate Transparency (CT) logs — a public record of every SSL certificate ever issued. Use it to find all subdomains that have had certs issued, verify a cert was correctly issued, check for rogue certificates issued for your domain, or confirm expiry dates.

Internet Archive's historical snapshots of websites. Useful for confirming whether a site was working yesterday before the issue started, recovering content from a site that's now down, or checking what a page looked like before a deployment.