DNS Response Integrity Calculator

Validate response flags, DNSSEC status, and record matches. Tune thresholds, weight factors, and export evidence. Strengthen trust in lookups across every network path today.

Input signals

Fill what you observed from your resolver, logs, or capture.
  • What your client intended to retrieve.
  • What the response actually contained.
  • Encrypted transport improves integrity on hostile paths.
  • Used only for your notes and exports.
  • Use resolver logs or the AD bit outcome.
  • AD indicates validated data by a validating resolver.
  • AA bit suggests direct authority; not a guarantee.
  • Non-success codes reduce integrity confidence.
  • Set to 0 if the answer section was empty.
  • Helps detect excessive staleness or churn.
  • Measured from client or resolver logs.
  • Larger responses can trigger truncation and fallbacks.
  • Truncation may indicate size pressure or retries.
  • Count of CNAME hops in the resolution path.
  • Set “No” if IP/target differs from baseline.
  • Unexpected glue/extra records can be suspicious.
  • High retries often correlate with instability.

Scoring controls

Use these to reflect your environment’s expectations. Defaults are sane for typical enterprise monitoring.

  • Below this, churn and manipulation risk increases.
  • Above this, staleness can hide unwanted changes.
  • Used for performance scoring only.
  • If “Yes”, weights auto-normalize to 100%.
  • Cryptographic + authority signals.
  • Record matching + answer coherence.
  • TTL compliance with your thresholds.
  • Latency and retries.
  • Encrypted versus plaintext transit.

Example dataset

Use these rows to understand how inputs influence the score. Replace them with your own observations.

Domain              Transport  DNSSEC         RCODE     TTL     Latency  Integrity  Notes
------------------  ---------  -------------  --------  ------  -------  ---------  -------------------------------------
example.com         DoH        Valid          NOERROR   3600    32ms     92         Validated, stable TTL, fast response.
login.example.net   UDP        Not Supported  NOERROR   60      120ms    63         Low TTL churn, plaintext transport.
cdn.example.org     TCP        Indeterminate  NOERROR   86400   85ms     74         Acceptable but validation unclear.
api.example.io      DoT        Valid          NOERROR   172800  48ms     83         High TTL can hide changes.
unknown.tld         UDP        Unknown        NXDOMAIN  0       210ms    41         Negative answer; verify the query.

Formula used

The calculator produces an overall integrity score from five dimensions. Each dimension is scored from 0 to 100, then combined using weights.

Overall integrity score
Overall = Σ( DimensionScoreᵢ × Weightᵢ ) ÷ Σ(Weightᵢ)

Authenticity (0–100)

  • DNSSEC validation is the primary contributor.
  • AD and AA bits improve confidence when present.
  • Non-success RCODE values reduce authenticity.
  • Truncation slightly reduces trust in large responses.

Consistency (0–100)

  • Penalizes mismatched record types and unexpected answers.
  • Long CNAME chains reduce the score per extra hop.
  • Empty answer sets score 0 for this dimension.

Freshness (0–100)

  • Scores 100 when TTL is within your min/max range.
  • Very low TTL is penalized for churn and manipulation exposure.
  • Very high TTL is penalized for staleness and delayed rollbacks.

Performance (0–100)

  • Latency above target reduces the score gradually.
  • Each retry subtracts additional points for instability.

Transport (0–100)

  • DoH/DoT score highest for integrity on hostile networks.
  • TCP scores higher than UDP due to reduced spoofing surface.
  • UDP scores lowest because it is easiest to spoof in transit.

How to use this calculator

  1. Collect DNS response signals from your resolver logs, client metrics, or packet capture.
  2. Enter the domain, record types, DNSSEC status, TTL, and response time.
  3. Set TTL and latency thresholds to match your environment and policy.
  4. Optionally enable custom weights to emphasize critical dimensions.
  5. Press Submit to view the report above the form.
  6. Download CSV or PDF to attach evidence to tickets and audits.

Integrity score bands and what they mean

The calculator outputs a 0–100 integrity score and assigns risk bands that map to operational urgency. Scores ≥85 are “Low” risk, 70–84 are “Moderate”, 50–69 are “High”, and <50 is “Critical”. Use these bands to triage incidents, prioritize investigations, and decide when to capture packets or pull resolver logs. Overall scoring blends five dimensions with default weights: Authenticity 30%, Consistency 25%, Freshness 15%, Performance 15%, and Transport 15%. If you enable custom weights, the tool normalizes your entries to 100% so comparisons remain consistent. This makes scores comparable across teams while still reflecting local policy and threat models. Export results to support audits, tickets, and postmortems.

Cryptographic and authority signals

Authenticity is weighted toward cryptographic proof. DNSSEC validation drives 70% of the authenticity subscore, with the authoritative-answer bit contributing 15% and the response code contributing 15%. If the AD flag is present, the DNSSEC signal is boosted by 10 points (capped at 100). Truncation applies an 8-point penalty because it can force fallbacks that attackers sometimes exploit.

Consistency indicators that detect tampering

Consistency checks whether the response matches what your client expects. A mismatched record type subtracts 40 points, but a CNAME-related mismatch subtracts 20 because CNAMEs are common in real deployments. Selecting “Matches expected answer: No” subtracts 40, and “Unexpected additional data: Yes” subtracts 15. Long CNAME chains increase exposure: after depth 2, each extra hop subtracts 10 points.

TTL and freshness policy tuning

Freshness uses your TTL minimum and maximum to detect churn or staleness. When TTL falls below the minimum, the score drops quickly, reflecting higher cache turnover and easier redirection attempts. When TTL exceeds the maximum, the score declines more gently, reflecting slower rollbacks and delayed change detection. Defaults of 300 seconds minimum and 86,400 seconds maximum fit many enterprise baselines.

Performance and transport hardening

Performance penalizes latency beyond your target at 0.5 points per millisecond and subtracts 5 points per retry, making repeated re-queries visible in the report. Transport hardening is scored separately: DoH/DoT score 100, TCP 75, and UDP 60. For sensitive domains, combine encrypted transport, validating resolvers, and tight baselines to keep integrity stable across networks.
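The scoring model described in the sections above, written out as an added Python example (this is not the calculator's own code). The weights, penalties, transport scores and risk bands are the page's; the numeric value of each DNSSEC state, the RCODE rule, the two freshness slopes and the 50 ms latency target are assumptions filling gaps the page leaves open, so its results differ slightly from the example dataset.

```python
# Reference scorer for the page's integrity model; page-stated numbers plus ASSUMED gap-fillers.
from dataclasses import dataclass
DEFAULT_WEIGHTS = {"authenticity": 30, "consistency": 25, "freshness": 15,
                   "performance": 15, "transport": 15}
# ASSUMED: numeric value for each DNSSEC validation state (the page gives none)
DNSSEC_SCORE = {"Valid": 100, "Indeterminate": 50, "Unknown": 40, "Not Supported": 30, "Bogus": 0}
TRANSPORT_SCORE = {"DoH": 100, "DoT": 100, "TCP": 75, "UDP": 60}   # from the page

@dataclass
class Observation:                               # one response as seen in logs or a capture
    dnssec: str                                  # key of DNSSEC_SCORE
    ad: bool; aa: bool; tc: bool                 # AD, AA and TC flags
    rcode: str; answer_count: int                # "NOERROR", "NXDOMAIN", ... and answer RRs
    type_mismatch: bool; cname_mismatch: bool    # wrong record type / explained by a CNAME
    matches_expected: bool; unexpected_extra: bool   # agrees with baseline / suspicious extra data
    cname_depth: int; ttl: int; latency_ms: float; retries: int
    transport: str                               # key of TRANSPORT_SCORE

def clamp(x): return max(0.0, min(100.0, x))

def authenticity(o):
    dnssec = clamp(DNSSEC_SCORE[o.dnssec] + (10 if o.ad else 0))  # AD boost, capped at 100
    rcode = 100 if o.rcode == "NOERROR" else 0   # ASSUMED: every non-success RCODE scores 0
    score = 0.7 * dnssec + 0.15 * (100 if o.aa else 0) + 0.15 * rcode
    return clamp(score - (8 if o.tc else 0))     # truncation penalty

def consistency(o):
    if o.answer_count == 0: return 0.0           # empty answer section scores 0
    s = 100.0 - (0 if not o.type_mismatch else 20 if o.cname_mismatch else 40)
    s -= 40 * (not o.matches_expected) + 15 * o.unexpected_extra
    return clamp(s - 10 * max(0, o.cname_depth - 2))   # each hop past depth 2

def freshness(o, ttl_min=300, ttl_max=86400):
    if o.ttl < ttl_min:                          # ASSUMED: proportional drop across the shortfall
        return clamp(100.0 * o.ttl / ttl_min)
    # ASSUMED gentler slope above the maximum: -10 points per extra multiple of ttl_max
    return clamp(100.0 - 10.0 * max(0.0, o.ttl / ttl_max - 1))

def performance(o, target_ms=50):                # ASSUMED default latency target of 50 ms
    return clamp(100.0 - 0.5 * max(0.0, o.latency_ms - target_ms) - 5.0 * o.retries)

def overall(o, weights=DEFAULT_WEIGHTS, ttl_min=300, ttl_max=86400, target_ms=50):
    dims = {"authenticity": authenticity(o), "consistency": consistency(o),
            "freshness": freshness(o, ttl_min, ttl_max), "performance": performance(o, target_ms),
            "transport": float(TRANSPORT_SCORE[o.transport])}
    total = sum(weights.values())                # dividing by the sum normalizes custom weights
    return round(sum(dims[k] * weights[k] for k in dims) / total, 1)

def band(score):                                 # risk bands from the page
    return "Low" if score >= 85 else "Moderate" if score >= 70 else "High" if score >= 50 else "Critical"
```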

FAQs

1) What inputs should I collect first?

Start with resolver output: DNSSEC validation state, AD/AA/TC flags, RCODE, answer section count, returned record type, and TTL. Add client-measured latency and retry count. For sensitive domains, keep a baseline of expected IPs or CNAME targets for comparison.

2) How do I choose minimum and maximum TTL?

Set the minimum to the shortest TTL you consider stable for caching (often 60–300s). Set the maximum to your change-detection window (often 24–48h). If you operate rapid failover, lower the maximum so unwanted changes surface sooner.

3) Why does UDP score lower than TCP or encrypted options?

Plain UDP is easier to spoof on-path and is more sensitive to fragmentation. TCP reduces spoofing and handles large responses without truncation. Encrypted transports add confidentiality and integrity against interception, making manipulation harder on untrusted networks.

4) What does “Bogus” DNSSEC mean here?

Bogus indicates validation failure for the response chain. Treat it as untrusted until you confirm the zone’s signatures, time, and resolver behavior. Check for key rollovers, clock drift, broken DS records, or interception that strips or alters DNSSEC data.

5) Can a high score guarantee the response is safe?

No. The score reflects the signals you provide and common integrity risks. Advanced attacks can evade simple checks, and misconfigured baselines can hide issues. Use the report as a triage aid, then confirm with authoritative queries, logs, and captures when needed.

6) How should I use exports in incident response?

Attach CSV exports to tickets to preserve inputs and scores. Use PDF reports for stakeholder updates and audits. Re-run the calculator after remediation to document improvement, and store reports alongside resolver logs and packet captures for a complete evidence set.
