# DNS, SSL, Redirect & URL — Manual

> Full feature reference: DNS records, SSL certificates and headers, redirect chains, the URL parser, slug and SPF generators — with all operating limits.

Source: https://www.jpkc.com/db/en/tools/dns-ssl-redirect-url/manual/


This manual describes all five tabs in full: what they query, how to read the results, and what technical limits apply. The tool's interface is in English, so the tab and button labels are quoted in their original spelling.

## Architecture and limits up front

Three tabs (DNS, SSL / Security, Redirect) pull data from the network and therefore run through the JPKCom servers; the other two tabs (URL, which includes the slug generator, and SPF) compute entirely in the browser.

- **DNS fetch:** a server-side PHP endpoint resolves the records with `dns_get_record()` and returns JSON.
- **SSL and Redirect fetch:** a server-side cURL **proxy** (`p.php`) fetches the target; the tool analyzes the raw data in your browser.
- **Authentication:** before each server request, the JavaScript obtains a fresh token via `p-api.php`. The token rotates daily, is valid within a **5-minute window**, and is referer-checked. These endpoints are **not a public API**; they only work from within the tool.
- **SSRF protection:** private, loopback, link-local, reserved, and CGNAT addresses (RFC 1918, 127/8, 169.254/16, 100.64/10, IPv6 `fc00::/7`, `fe80::/10`, `::1`) are blocked — for the DNS reverse lookup, the SSL/redirect fetch, and on **every redirect hop again**. Only `http`/`https` are allowed.
- **Limits:** at most **10 redirect hops** (loops are detected), a **15 s** timeout per fetch, maximum URL length **3072 characters**, domain length **253 characters**. A **client-side throttle** allows only about **1 request per second**; in expert mode (see below) it is lifted.
- **Privacy:** the checked domain sees the JPKCom server, not your IP.
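
The address ranges in the SSRF bullet above can be expressed as a single classifier. This is an added example, not the tool's server-side code; the function names are hypothetical, and treating IPv4-mapped IPv6 (`::ffff:a.b.c.d`) and unparseable input as blocked is an assumption that goes beyond the list on this page.

```javascript
// Ranges named in the manual: RFC 1918, loopback, link-local, CGNAT.
const V4_BLOCKED = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
                    ["127.0.0.0", 8], ["169.254.0.0", 16], ["100.64.0.0", 10]];

function v4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function v4IntBlocked(n) {
  return V4_BLOCKED.some(([base, bits]) => {
    const size = 2 ** (32 - bits);                 // addresses per block
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Expand an IPv6 literal (optional "::" and dotted IPv4 tail) to eight 16-bit groups.
function v6Groups(ip) {
  let s = ip.toLowerCase();
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) {
    const n = v4ToInt(m[2]);
    if (n === null) return null;
    s = m[1] + Math.floor(n / 65536).toString(16) + ":" + (n % 65536).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  if (groups.length !== 8 || groups.some(g => !/^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

function isBlockedAddress(ip) {
  const n = v4ToInt(ip);
  if (n !== null) return v4IntBlocked(n);
  const g = v6Groups(ip);
  if (g === null) return true;                                       // fail closed: not an IP literal
  if ((g[0] & 0xfe00) === 0xfc00) return true;                       // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                       // fe80::/10 link-local
  if (g.slice(0, 7).every(x => x === 0) && g[7] === 1) return true;  // ::1 loopback
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff)          // ::ffff:a.b.c.d (assumption)
    return v4IntBlocked(g[6] * 65536 + g[7]);
  return false;
}
```

The check has to run on the address the fetch actually connects to, which is why the manual applies it again on every redirect hop.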

### Expert Mode (optional)

The tool supports an optional **Expert Mode** via a self-hosted local proxy (`LocalProxy` on `http://127.0.0.1:<port>`). When active, **SSL** and **Redirect** fetch their data through that local proxy instead of the JPKCom server, and the client-side throttle is lifted. Setup is advanced and not needed for normal use; the DNS tab does not use the local proxy.

## DNS — query DNS records

In the **DNS** tab you enter a domain (e.g. `example.com`) or an IP address and pick the record type on the right. **Lookup** queries exactly that type; **Check All** queries the most important types at once.

### Single lookup

The dropdown offers **A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR, NAPTR, ANY**. The result contains the records found with all their fields (e.g. `pri` and `target` for MX; `mname`, `rname`, `serial`, `refresh`, `retry`, `expire`, `minimum-ttl` for SOA), the number of hits, and a timestamp.

### Check All — comprehensive lookup

**Check All** queries A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, and CAA in turn and adds four extra checks when they find something:

- **www (A)** — the A record of the `www.` subdomain.
- **DMARC (TXT)** — the TXT record at `_dmarc.<domain>`.
- **DKIM (TXT)** — the record at `default._domainkey.<domain>`, but only if it actually starts with `v=DKIM`.
- **Wildcard (A)** — checks whether a random subdomain resolves; if so, the entry is shown as `*.<domain>` (a hint at a wildcard DNS record).

For IP addresses, **Check All** is disabled (record types apply to domains only).

### Reverse lookup (PTR) and IDN

Enter an **IP address** in the domain field and the tool automatically switches the record type to **PTR** and builds the reverse address (`…in-addr.arpa` for IPv4, `…ip6.arpa` for IPv6). Reverse lookups work **only for publicly routable IPs** — private, loopback, and reserved ranges are rejected. **Internationalized domains** (umlauts and the like) are converted to Punycode before the query; the result shows both the Unicode and the Punycode form.

### Output: JSON or zone view

By default the result appears as **JSON** in a read-only CodeMirror editor. **Zone** switches to a BIND-style zone file (aligned columns: name, TTL, class, type, data). Use **Copy** (JSON or zone), **JSON** (save as file), and **Save Zone** to keep the result.

## SSL / Security — certificate and headers

In the **SSL / Security** tab you enter a domain (`https://` is prepended) and click **Check SSL**. The server fetches the page and returns the raw data; the tool builds several cards from it:

- **Connection** — URL, the final URL after any redirect, IP address, HTTP status code, and protocol version (HTTP/1.0, /1.1, /2, or /3).
- **Certificate** — common name, organization (if present), issuer, **Valid From** and **Valid Until** with days remaining (green, yellow at ≤ 30 days, red when expired), **Signature** (signature algorithm), **Public Key** (key algorithm), and the verification result (`OK` or a specific error such as "Certificate has expired", "Self-signed certificate", "Hostname mismatch").
- **Subject Alternative Names** — all DNS names and IP SANs stored in the certificate, as a list.
- **Certificate Chain** — the chain from the server certificate through intermediate CA(s) to the root CA, each with subject and issuer.
- **Security Headers** — nine headers are checked: `Strict-Transport-Security`, `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `X-XSS-Protection`, `Referrer-Policy`, `Permissions-Policy`, `Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy`. A counter badge shows "present/total" (green from 6, yellow from 3, otherwise red). Present headers are additionally **validated for content** — for example HSTS for `max-age` ≥ 1 year and `includeSubDomains`/`preload`, CSP for `unsafe-inline`/`unsafe-eval`/HTTP sources, `X-Content-Type-Options` for `nosniff` — and tagged with an OK, warning, or error badge. Missing headers get a short note on what they would protect against.
- **Timing** — DNS Lookup, TCP Connect, SSL Handshake, Pretransfer, Start Transfer, and Total.
- **Server** — Server, X-Powered-By, Via, X-Cache, Cf-Ray, X-Served-By, and Content-Type headers where present.
- **Raw Headers** — the complete raw response headers, collapsible.

If the connection fails, an error alert with the cURL error code and description appears instead of the cards; SSL-specific errors are marked as such. **Copy JSON** / **Save JSON** keep the result. The SSL fetch runs with a **15 s** timeout.
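
The content checks described for the **Security Headers** card can be reproduced over a raw header block. This is an added example, not the tool's own code: the function names, the issue wording, and the constructed sample response are assumptions, and only the three headers whose rules the manual spells out are validated.

```javascript
const CHECKED = ["strict-transport-security", "content-security-policy", "x-frame-options",
  "x-content-type-options", "x-xss-protection", "referrer-policy", "permissions-policy",
  "cross-origin-opener-policy", "cross-origin-resource-policy"];
const YEAR = 31536000; // 365 days in seconds

function parseRawHeaders(raw) {
  const map = Object.create(null);            // no prototype keys to collide with header names
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");              // the status line has no colon and is skipped
    if (i > 0) map[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return map;
}

function auditHeaders(raw) {
  const h = parseRawHeaders(raw);
  const present = CHECKED.filter(name => name in h);
  const issues = {};
  const hsts = h["strict-transport-security"];
  if (hsts !== undefined) {
    const m = /max-age=(\d+)/i.exec(hsts);
    issues.hsts = [
      (!m || Number(m[1]) < YEAR) && "max-age below 1 year",
      !/includeSubDomains/i.test(hsts) && "includeSubDomains missing",
      !/preload/i.test(hsts) && "preload missing",
    ].filter(Boolean);
  }
  const csp = h["content-security-policy"];
  if (csp !== undefined) {
    issues.csp = [
      /'unsafe-inline'/i.test(csp) && "'unsafe-inline' allowed",
      /'unsafe-eval'/i.test(csp) && "'unsafe-eval' allowed",
      /(^|\s)http:/i.test(csp) && "plain-HTTP source",
    ].filter(Boolean);
  }
  const xcto = h["x-content-type-options"];
  if (xcto !== undefined) issues.xcto = xcto.toLowerCase() === "nosniff" ? [] : ["value is not nosniff"];
  // Badge thresholds from the manual: green from 6, yellow from 3, otherwise red.
  const badge = present.length >= 6 ? "green" : present.length >= 3 ? "yellow" : "red";
  return { present: present.length, total: CHECKED.length, badge, issues };
}

// Constructed sample response headers (not captured from a real site).
const SAMPLE_RAW = ["HTTP/2 200",
  "strict-transport-security: max-age=15552000",
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' http://cdn.example",
  "x-content-type-options: nosniff",
  "referrer-policy: strict-origin-when-cross-origin"].join("\r\n");
```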

## Redirect — trace the redirect chain

In the **Redirect** tab you enter a URL and click **Trace Redirects**. The server follows the chain **hop by hop** (it does not auto-follow `Location`, but steps through each one), up to **10 hops**. Per hop you see:

- the **hop number** and that stop's URL,
- the **status code** (colored by 2xx/3xx/4xx/5xx),
- an **HTTPS or HTTP badge**,
- the **IP address**, the **timing**, and the **Server** header,
- for HTTPS hops, the certificate name (`certCN`) with days remaining,
- the **raw headers** of that hop (collapsible).

Relative `Location` redirects are resolved to absolute URLs. If an already visited URL is targeted again, the tool stops with **"Redirect loop detected"**. A hop pointing to a private/internal address is rejected as **"Blocked redirect target"**. The last hop (no longer a 3xx) is marked as the endpoint. **Copy JSON** / **Save JSON** keep the whole chain.
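
The hop-by-hop logic described above, modelled offline as an added example (not the tool's proxy code). The `SAMPLE` table, its hosts and IPs are constructed, `isBlockedIp` is a simplified stand-in for the full private-range check, and the `"hop limit reached"` and `"fetch failed"` labels are hypothetical; the two quoted messages come from this page.

```javascript
// Constructed sample data standing in for the network: URL -> resolved IP + response.
const SAMPLE = {
  "http://shop.example/":      { ip: "203.0.113.10", status: 301, location: "https://shop.example/" },
  "https://shop.example/":     { ip: "203.0.113.10", status: 302, location: "/en/" },
  "https://shop.example/en/":  { ip: "203.0.113.10", status: 200 },
  "https://loop.example/a":    { ip: "203.0.113.20", status: 302, location: "/b" },
  "https://loop.example/b":    { ip: "203.0.113.20", status: 302, location: "/a" },
  "https://open.example/go":   { ip: "203.0.113.30", status: 302, location: "https://intranet.example/" },
  "https://intranet.example/": { ip: "10.0.0.5", status: 200 },
};
// Simplified stand-in for the full private-range check (assumption, not the tool's code).
const isBlockedIp = ip => /^(10\.|127\.|192\.168\.|169\.254\.)/.test(ip);

function traceRedirects(startUrl, lookup, blocked = isBlockedIp, maxHops = 10) {
  const hops = [];
  const seen = new Set();
  let url = new URL(startUrl).href;
  for (;;) {
    if (!["http:", "https:"].includes(new URL(url).protocol))
      return { hops, result: "Blocked redirect target" };      // only http/https are allowed
    if (seen.has(url)) return { hops, result: "Redirect loop detected" };
    const res = lookup(url);
    if (!res) return { hops, result: "fetch failed" };
    // Re-check the resolved address on every hop, not just for the first URL.
    if (blocked(res.ip)) return { hops, result: "Blocked redirect target" };
    seen.add(url);
    hops.push({ hop: hops.length + 1, url, status: res.status, ip: res.ip });
    const redirecting = res.status >= 300 && res.status < 400 && res.location;
    if (!redirecting) return { hops, result: "endpoint" };     // last hop, no longer a 3xx
    if (hops.length >= maxHops) return { hops, result: "hop limit reached" };
    url = new URL(res.location, url).href;                     // resolves relative Location values
  }
}
```

`https://intranet.example/` is rejected because of the address it resolves to, not because of its name, so a public-looking hostname cannot carry the fetch onto an internal network.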

## URL — parser and slug generator

This tab works **entirely in the browser**, with no server fetch.

### URL parser

With **Parse URL** the tool breaks an address into its parts via the JavaScript URL API: `href`, `protocol`, `hostname` (plus `hostname (Unicode)` for IDN), `port` (or "(default)"), `pathname`, `search`, `hash`, `origin`, `host`, `username`, and `password` (masked as `***`). If a protocol is missing, `https://` is added. Below, a table lists all **query parameters** as key/value pairs, and an encoding block shows the address rendered with `encodeURI` and `decodeURIComponent`. All fields are editable; **Copy JSON** copies the structure.

### URL slug generator

The **URL Slug Generator** turns arbitrary text into a URL-safe slug live (as you type). It handles German umlauts (ä→ae, ö→oe, ü→ue, ß→ss), decomposes accented characters via Unicode normalization (é→e, ñ→n …), replaces all other special characters with the **separator** (`-` or `_`), collapses repeated separators, and trims them at the edges. A character count sits below; **Copy** copies the slug.

## SPF — build an SPF TXT record

The **SPF** tab generates a valid `v=spf1` record live — also entirely client-side. You configure the form on the left, and the record updates instantly on the right.

- **All Policy** (catch-all): `-all` (Fail, recommended for production), `~all` (SoftFail, default, for testing), `?all` (Neutral), `+all` (Pass — explicitly not recommended), or "None" (omit). A hint below the select explains the chosen policy.
- **Own Mail Servers** — checkboxes for `a` (the domain's A record sends mail) and `mx` (the MX servers send mail; on by default).
- **Mail Providers** — 16 one-click presets: Google, Microsoft 365, Amazon SES, SendGrid, Mailchimp, Postmark, Brevo, Mailgun, Zoho, HubSpot, Salesforce, Mailjet, SparkPost, Klaviyo, Fastmail, and Proton Mail. Each preset adds its `include:` mechanism.
- **Custom include:** and **IP Addresses** — your own `include:` lines plus any number of `ip4:`/`ip6:` entries.
- **Advanced** — a `redirect=` (points the policy at another domain; replaces the all-policy) and a free field for additional, space-separated mechanisms.

On the right, a stats row shows two live values: **DNS lookups** (`x/10`, yellow from 8, red above 10) and **Length** (characters, yellow from 300, red above 450). `ip4:`/`ip6:` cost no lookups; everything else costs one each. The generator warns at more than **10 DNS lookups**, above **450 characters**, at `+all`, and at the `redirect=` plus all-policy conflict. A **DNS Entry** card summarizes how to publish the record (type `TXT`, host `@`, the value, TTL `3600`). **Copy** copies the record; **Verify DNS** jumps to the DNS tab and sets the type there to `TXT`, so you can look up your published record directly.
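
The four warnings listed above can be checked against any finished record. This is an added example, not the generator's code: `spfStats` and the warning wording are hypothetical, and the lookup count follows RFC 7208 section 4.6.4 (`include`, `a`, `mx`, `ptr`, `exists` and `redirect=` each cost one query; `ip4`, `ip6` and `all` cost none).

```javascript
// Terms that trigger a DNS query under RFC 7208 section 4.6.4.
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);

function spfStats(record) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== "v=spf1") throw new Error("not an SPF record");
  let lookups = 0, allQualifier = null, hasRedirect = false;
  for (const term of terms) {
    const q = /^[+\-~?]/.test(term) ? term[0] : "+";      // a missing qualifier means "+"
    const name = term.replace(/^[+\-~?]/, "").split(/[:=\/]/)[0].toLowerCase();
    if (LOOKUP_TERMS.has(name)) lookups++;
    if (name === "all") allQualifier = q;
    if (name === "redirect") hasRedirect = true;
  }
  const warnings = [];
  if (lookups > 10) warnings.push("more than 10 DNS lookups");
  if (record.length > 450) warnings.push("longer than 450 characters");
  if (allQualifier === "+") warnings.push("+all lets any host pass");
  if (hasRedirect && allQualifier !== null) warnings.push("redirect= combined with an all policy");
  return { lookups, length: record.length, warnings };
}

// Constructed sample records (hosts and networks are placeholders).
const GOOD_RECORD = "v=spf1 mx include:_spf.mail-a.example ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all";
const BAD_RECORD = "v=spf1 " +
  Array.from({ length: 11 }, (_, i) => `include:s${i}.example`).join(" ") +
  " redirect=_spf.other.example +all";
```

A bare `all` with no qualifier is reported the same way as `+all`, because SPF treats a missing qualifier as Pass.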

## Operating limits — at a glance

- **Privacy:** fetches run through the JPKCom server; the target does not see your IP.
- **SSRF / private-IP protection:** private, local, reserved, and CGNAT addresses are blocked (DNS reverse, SSL, every redirect hop); only `http`/`https`.
- **Limits:** max. 10 redirect hops, 15 s timeout per fetch, URL ≤ 3072 characters, domain ≤ 253 characters.
- **Throttle:** client-side ~1 server request per second (off in expert mode).
- **Token:** daily-rotating, 5-minute window, referer-checked — not a public API.
- **Usable without the server:** URL parser, slug generator, and SPF generator compute entirely in the browser.

For the big picture and the audiences, see the [overview](https://www.jpkc.com/db/en/tools/dns-ssl-redirect-url/). Concrete workflows are in the [examples](https://www.jpkc.com/db/en/tools/dns-ssl-redirect-url/examples/), tricks in the [tips & tricks](https://www.jpkc.com/db/en/tools/dns-ssl-redirect-url/tips/). You can try everything right in the [tool](https://www.jpkc.com/tools/dns-ssl-redirect-url/).

