sysadmintools

Methodology

This page documents what each tool on the Site actually does, what data it pulls from, and the limits you should keep in mind before trusting its output. If a tool is wrong, stale, or based on a stub, we say so here.

Tool results should be treated as one signal among several. When you're debugging a production issue, cross-check with a second source before making a change that affects users.

General principles

DNS Lookup (/dns)

Forwards the requested record type (A, AAAA, MX, TXT, NS, CNAME, SOA, PTR) to a public DNS resolver using the operating system's dig binary via child_process. The Site does not run its own authoritative DNS server and does not maintain its own recursive cache — you're seeing what the configured public resolver returns at the moment of the query.

Data source: the system-configured recursive DNS resolver on the server (typically Cloudflare 1.1.1.1 / Quad9 9.9.9.9 in production). DNSSEC validation is enabled where the upstream supports it.

Refresh cadence: each query is live. No caching across requests.

Known limitations: recursive resolvers cache negative responses per RFC 2308; a recently-deleted record may still appear in the response with a low TTL. If you need authoritative confirmation, query the authoritative name server directly (dig @ns1.example.com example.com A).

What Is My IP (/my-ip)

Detects your public IPv4 and IPv6 address from the request'sX-Forwarded-For and request socket, then forwards the IP to ip-api.com for geolocation (city, region, country, ISP, ASN). The detected IP, the lookup response, and the request log line are returned to your browser and are not stored.

Data source: ip-api.com free tier (rate-limited to 45 requests per minute per source IP). For higher volume, consider self-hosting an equivalent lookup.

Known limitations: accuracy of geolocation is provider-dependent and may place you in the wrong metro area by tens of kilometers. ISP and ASN data are generally accurate at the organizational level. Reverse DNS (PTR) is queried separately and may fail if your ISP does not publish one.

Subnet Calculator (/subnet)

Pure client-side JavaScript. Given a CIDR (e.g. 10.0.0.0/16 or 2001:db8::/48), it returns the network address, broadcast (IPv4 only), usable host range, wildcard mask, total host count, and a printable bitmask. Runs entirely in your browser; nothing is sent to the server.

Known limitations: IPv6 does not have a broadcast address, and the calculator does not synthesize one. The /31 and /32 (and /127, /128) edge cases are handled per RFC 3021.

WHOIS Lookup (/whois)

Sends the domain to a server-side WHOIS client which walks the referral chain from the appropriate registrar (e.g. Verisign for .com) to the sponsoring registrar. We do not maintain our own WHOIS server.

Data source:the live WHOIS service for the TLD's registry. Where RDAP is available and the TLD's registry supports it, we prefer RDAP — it returns structured JSON rather than free-text, which means the result is presented in a table rather than raw prose.

Known limitations:many registrars redact registrant contact data for GDPR / ICANN Temp Spec reasons. Expect to see "REDACTED FOR PRIVACY" in place of registrant name, email, and phone for any personal-name registration.

TLS / SSL Checker (/tls)

Opens a TLS connection to the requested host:443 (or arbitrary port), captures the negotiated certificate chain, and reports:

Data source: the live TLS handshake against the target host. The chain validation uses the CA bundle shipped with the container, which is updated periodically by the base image rebuild process.

Known limitations: we cannot see what a real user in production sees if your stack uses a custom CA, an outbound proxy, or client-certificate authentication — the check emulates a generic client. We also do not enumerate multiple SNI candidates; if the host runs SNI multiplexing (one IP, many certs) we only return the cert served on the default SNI.

HTTP Headers Inspector (/headers)

Issues an HTTP/1.1 GET to the target URL and returns the response headers, status line, and (where reasonable) redirect chain. The raw User-Agent we send is documented on the page so you can predict how a target reacts.

Known limitations: the request does not execute JavaScript, so headers set client-side at runtime (e.g. via fetch with custom headers) will not appear here. The 10-second request timeout may be too short for very slow targets.

Open Port Reference (/ports)

A static, curatable reference of well-known port assignments, common services, and the security implication of each. Each entry is cross-referenced to the IANA Service Name and Transport Protocol Registry. The reference is reviewed manually before publication; ports not in our list return a "not in reference" result rather than a fabricated one.

The local-probe feature (/api/local-ports) issues a single short TCP connect attempt from your browser against a loopback or RFC1918 target you specify. It is intentionally scoped to private IP ranges — it will not, and cannot, scan arbitrary internet hosts from your machine.

DMARC / SPF / DKIM (/dmarc)

Resolves the apex domain and walks its DNS records for the record types used by email authentication: _dmarc.example.com TXT for DMARC policy, example.com TXT for SPF (the v=spf1 record), and the common DKIM selectors (google, selector1, selector2, k1, default, cm) via <selector>._domainkey.example.com TXT.

Known limitations:the DKIM selector list is heuristic. If your organization uses a non-standard selector, the tool will report it as "not configured" even when it is. Inspect the zone manually if you have access.

DNS Propagation Checker (/propagation)

Issues the same DNS query from multiple public resolvers (one per major cloud region) and reports the response from each. Comparison across providers is a practical signal of whether a record has propagated, or whether one provider is returning stale cached data.

Data source: public DNS resolvers operated by third parties (Cloudflare, Google, Quad9, OpenDNS). The list of resolvers is documented inline on the tool page.

Site Security Audit (/audit)

Combines several of the tools above into a single read-only security check: certificate validity, DNS record hygiene, email authentication (DMARC/SPF/DKIM), presence of security.txt, and the response headers for common security-relevant fields (HSTS, X-Content-Type-Options, Referrer-Policy, CSP). Each sub-check is graded independently; the site-level grade is the weighted average.

Known limitations:the grader weights are opinionated and biased toward Internet-facing production services. An internal tool that opens port 22 to the world without HSTS will receive a poor grade even if that's appropriate for its context. Treat the grade as "check the report", not "you failed."

CVE feed (/cve)

Aggregates the CISA Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD) feed on a rolling 24-hour window. The list shows currently-active CVEs with severity from CVSS v3.1 (NVD) or the KEV classification (CISA), plus vendor and product mentions where those fields are populated.

Refresh cadence: every 30 minutes via cron. The list is regenerated server-side, not in the browser.

Known limitations: we surface CVEs that the upstream feeds publish; we do not perform CVSS scoring ourselves, we do not generate our own advisories, and we do not maintain vendor-specific watchlists. For production triage, confirm against the vendor advisory directly.

Blog (/blog)

Long-form, nerdy, opinionated explainers of the kinds of things sysadmins actually do at 2am when something is on fire. Posts are written by a human (occasionally drafted with AI and then revised and edited). We publish roughly once a fortnight.

What this page is not

This page is not a privacy policy (that's here) or a terms-of-service document (that's here). It is also not a guarantee. We document what each tool does today, with the known limitations we're aware of. If you find an inaccuracy, please open an issue.