Performance and Reliability Enhancements
Over the past few months, we’ve heard from DNS Check customers encountering increasingly complex DNS configurations. Modern domains often accumulate dozens of TXT records for email authentication, domain verification, and security tokens, creating responses that exceed traditional UDP limits and trigger complex fallback mechanisms. These scenarios were generating confusing error messages and, in some cases, false alerts when DNS servers didn’t handle large responses correctly.
We’re excited to announce significant performance and reliability enhancements that directly address these challenges. These improvements make DNS troubleshooting clearer, reduce false alerts, and ensure accurate monitoring of your critical DNS records, regardless of how complex your DNS configuration becomes.
Enhanced DNS Error Diagnostics
When DNS queries fail, the difference between a server error, a network timeout, and a connection refusal can determine whether you’re looking at a nameserver misconfiguration or a network connectivity issue. Previously, DNS Check grouped all DNS server communication errors under a single “ServFail” category, forcing you to investigate further to understand the root cause.
DNS Check now distinguishes between three distinct types of communication failures:
- General ServFail errors: Issues with the nameserver itself, such as internal server errors or misconfigurations. You’ll see these when the nameserver receives your query but can’t process it due to zone file errors or server-side issues.
- Query timeouts: When DNS Check’s connection to your chosen nameserver times out. This typically indicates network connectivity problems or an overloaded nameserver that can’t respond within the timeout window.
- Connection refused: When the nameserver actively refuses the connection request. This often means the nameserver isn’t accepting queries from DNS Check’s monitoring locations or isn’t running on the expected port.
This enhanced error categorization immediately points you toward the right troubleshooting approach. Instead of generic ServFail messages requiring additional investigation, you get specific diagnostic information that saves time and reduces confusion during DNS incidents.
Improved Support for Large TXT Records
Here’s a real-world example that illustrates why large TXT record support matters. When you query a domain with extensive verification and email authentication records, you might see something like this:
$ dig txt example.com
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.10.6 <<>> txt example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12832
;; flags: qr rd ra; QUERY: 1, ANSWER: 23, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN TXT
;; ANSWER SECTION:
example.com. 300 IN TXT "MS=ms70274184"
example.com. 300 IN TXT "google-site-verification=C7thfNeXVahkVhniiqTI1iSVnElKR_kBBtnEHkeGDlo"
example.com. 300 IN TXT "apple-domain-verification=DNnWJoArJobFJKhJ"
example.com. 300 IN TXT "facebook-domain-verification=h9mm6zopj6p2po54woa16m5bskm6oo"
example.com. 300 IN TXT "stripe-verification=5096d01ff2cf194285dd51cae18f24fa9c26dc928cebac3636d462b4c6925623"
[... 18 more verification records ...]
example.com. 300 IN TXT "v=spf1 ip4:199.15.212.0/22 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com -all"
;; Query time: 10 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; MSG SIZE rcvd: 1954
Notice two critical details: the “Truncated, retrying in TCP mode” message and the final response size of 1954 bytes. This response exceeds the DNS Flag Day recommended UDP buffer size of 1232 bytes, forcing the query to fall back from UDP to TCP - exactly the scenario illustrated in the diagram above.
DNS Check now handles these large TXT record scenarios more reliably through several key improvements:
- Enhanced EDNS handling: We’ve improved compatibility with nameservers that have incomplete implementations of RFC 6891 Extension Mechanisms for DNS (EDNS). Some DNS providers implement EDNS incompletely, causing issues when responses approach or exceed the advertised buffer size. DNS Check now adapts to these implementation quirks automatically.
- Improved TCP connection management: When UDP responses are truncated (as shown in the dig output above), DNS Check establishes a TCP connection to retrieve the complete response. We’ve enhanced our TCP connection handling to prevent premature disconnects that some nameservers exhibit, ensuring reliable retrieval of large responses.
- DNS Flag Day compliance: DNS Check now uses 1232-byte UDP buffers by default, following DNS Flag Day recommendations. This prevents IP fragmentation issues that can cause packet loss and monitoring failures.
This enhancement is particularly valuable for monitoring email authentication records like SPF records with multiple include statements, large DKIM public keys, and domains with extensive third-party service integrations that require domain verification records.
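The following Python example is added here for illustration and is not DNS Check's own code. It covers both the three failure categories described under Enhanced DNS Error Diagnostics and the truncation fallback described above: the query advertises a 1232-byte EDNS buffer, a response with the TC bit set is retried over TCP, and ServFail, timeout and connection refused are reported separately. The function names and the 2 s and 5 s timeouts are assumptions.

```python
import socket
import struct

EDNS_UDP_SIZE = 1232            # DNS Flag Day recommended UDP buffer size
TYPE_TXT, TYPE_OPT, RCODE_SERVFAIL = 16, 41, 2

def build_query(name, qtype=TYPE_TXT, qid=0x1234):  # fixed ID only to keep the example reproducible
    """Encode a query with an EDNS0 OPT record (RFC 6891) advertising 1232 bytes."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0)  # CLASS = buffer size
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_flags(msg):
    """Return (rcode, truncated) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0200)           # RCODE, TC bit

def udp_exchange(server, payload, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        s.send(payload)
        return s.recv(4096)

def tcp_exchange(server, payload, timeout):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(payload)) + payload)  # DNS over TCP: 2-byte length prefix
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:                                  # peer closed before the full message
                raise ConnectionError("premature TCP disconnect")
            buf += chunk
        return buf[2:2 + struct.unpack("!H", buf[:2])[0]]

def check(server, name, udp=udp_exchange, tcp=tcp_exchange):
    """Return (category, transport); category is ok, servfail, timeout or refused."""
    query, transport = build_query(name), "udp"
    try:
        rcode, truncated = parse_flags(udp(server, query, 2.0))  # 2 s: assumed UDP timeout
        if truncated:                                      # TC set: the answer did not fit in UDP
            transport = "tcp"
            rcode, truncated = parse_flags(tcp(server, query, 5.0))  # 5 s: assumed TCP timeout
    except (socket.timeout, ConnectionRefusedError) as exc:
        return ("timeout" if isinstance(exc, socket.timeout) else "refused"), transport
    return ("servfail" if rcode == RCODE_SERVFAIL else "ok"), transport
```

The `udp` and `tcp` parameters accept replacement transports, so the classification logic can be exercised against constructed responses without a live nameserver.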
Optimized Query Reliability
Reliability improvements often happen behind the scenes, but their impact on your monitoring experience is significant. We’ve fine-tuned timeout values and retry logic to strike a better balance between rapid issue detection and false positive prevention.
- Smarter timeout management: Different types of DNS queries require different timeout strategies. Large TXT record queries over TCP naturally take longer than simple A record lookups over UDP. DNS Check now adjusts timeout values based on query type and transport protocol, reducing false timeouts for legitimate slow responses while maintaining rapid detection of actual failures.
- Connection pooling enhancements: For users monitoring hundreds or thousands of DNS records, efficient connection management makes a substantial difference in query performance. We’ve optimized connection pooling to reuse TCP connections when appropriate, reducing the overhead of establishing new connections for each large record query.
- Intelligent retry strategies: When a query fails, the retry approach depends on the failure type. Network timeouts warrant different retry timing than server errors. DNS Check now implements failure-specific retry logic that improves success rates while avoiding unnecessary load on DNS servers.
These optimizations are particularly beneficial if you’re monitoring large numbers of DNS records or require frequent check intervals, but all users benefit from more reliable monitoring and fewer false alerts.
Streamlined Integrations
Reliable notifications depend on reliable integration partners. We’ve updated our integration offerings to focus on actively maintained, dependable notification channels:
- Removed discontinued services: Following Flowdock’s service discontinuation, we’ve removed this integration to prevent configuration confusion. If you were using Flowdock notifications, you’ll need to migrate to an alternative integration.
- Enhanced Basecamp support: The Basecamp integration now supports both Basecamp 3 and Basecamp 4. Existing Basecamp integrations continue working without modification.
All remaining integrations received strengthened error handling and more robust delivery mechanisms. These improvements reduce the likelihood of missed notifications during DNS incidents, when reliable alerting matters most.
API Performance Improvements
The DNS Check API has received significant architectural improvements that benefit both our web application and API users. We’ve streamlined the internal codebase, removing legacy dependencies while maintaining full backward compatibility.
- Faster response times: Database query optimizations and improved caching reduce API response latency, particularly for accounts monitoring large numbers of DNS records.
- Enhanced reliability: Better error handling and connection management improve API availability.
- Future-ready architecture: These changes establish a foundation for upcoming API enhancements, including expanded query capabilities and additional DNS record types.
If you’re building applications on DNS Check’s API, you’ll experience more consistent performance. The improved architecture also supports our roadmap for additional API features.
Looking Forward
These enhancements reflect our commitment to evolving DNS Check alongside the changing DNS landscape. As organizations adopt more cloud services, improve email security, and integrate additional third-party tools, DNS configurations grow increasingly complex. DNS Check’s improvements ensure reliable monitoring regardless of this complexity.
The enhanced error diagnostics provide clearer troubleshooting guidance when issues occur. The improved large TXT record support handles modern DNS configurations that previous generations of DNS monitoring tools struggled with. The optimized query reliability reduces false alerts that can desensitize teams to real DNS problems.
Whether you’re monitoring a handful of critical records for a small business or managing DNS infrastructure for a large enterprise, these improvements ensure you receive accurate, actionable alerts when DNS issues arise and clear information to resolve them efficiently.
Ready to experience these improvements? Sign up for a free DNS Check account and start monitoring your DNS records today. Existing customers immediately benefit from these enhancements: no configuration changes required.