DNS, SSL, Redirect & URL — Manual

Full feature reference: DNS records, SSL certificates and headers, redirect chains, the URL parser, slug and SPF generators — with all operating limits.

This manual describes all five tabs in full: what they query, how to read the results, and what technical limits apply. The tool's interface is in English, so the tab and button labels are quoted in their original spelling.

Architecture and limits up front

Three tabs (DNS, SSL / Security, Redirect) pull data from the network and therefore run through the JPKCom servers; the other two (URL, which includes the slug generator, and SPF) compute entirely in the browser.

  • DNS fetch: a server-side PHP endpoint resolves the records with dns_get_record() and returns JSON.
  • SSL and Redirect fetch: a server-side cURL proxy (p.php) fetches the target; the tool analyzes the raw data in your browser.
  • Authentication: before each server request, the JavaScript obtains a fresh, daily-rotating token via p-api.php (valid within a 5-minute window) that is referer-checked. These endpoints are not a public API — they only work from within the tool.
  • SSRF protection: private, loopback, link-local, reserved, and CGNAT addresses (RFC 1918, 127/8, 169.254/16, 100.64/10, IPv6 fc00::/7, fe80::/10, ::1) are blocked — for the DNS reverse lookup, the SSL/redirect fetch, and on every redirect hop again. Only http/https are allowed.
  • Limits: at most 10 redirect hops (loops are detected), a 15 s timeout per fetch, maximum URL length 3072 characters, domain length 253 characters. A client-side throttle allows only about 1 request per second; in expert mode (see below) it is lifted.
  • Privacy: the checked domain sees the JPKCom server, not your IP.

Expert Mode (optional)

The tool supports an optional Expert Mode via a self-hosted local proxy (LocalProxy on http://127.0.0.1:<port>). When active, SSL and Redirect fetch their data through that local proxy instead of the JPKCom server, and the client-side throttle is lifted. Setup is advanced and not needed for normal use; the DNS tab does not use the local proxy.

DNS — query DNS records

In the DNS tab you enter a domain (e.g. example.com) or an IP address and pick the record type on the right. Lookup queries exactly that type; Check All queries the most important types at once.

Single lookup

The dropdown offers A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR, NAPTR, ANY. The result contains the records found with all their fields (e.g. pri and target for MX; mname, rname, serial, refresh, retry, expire, minimum-ttl for SOA), the number of hits, and a timestamp.

Check All — comprehensive lookup

Check All queries A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, and CAA in turn and adds four extra checks, each listed only when it finds something:

  • www (A) — the A record of the www. subdomain.
  • DMARC (TXT) — the TXT record at _dmarc.<domain>.
  • DKIM (TXT) — the record at default._domainkey.<domain>, but only if it actually starts with v=DKIM.
  • Wildcard (A) — checks whether a random subdomain resolves; if so, the entry is shown as *.<domain> (a hint at a wildcard DNS record).

For IP addresses, Check All is disabled (record types apply to domains only).

Reverse lookup (PTR) and IDN

Enter an IP address in the domain field and the tool automatically switches the record type to PTR and builds the reverse address (…in-addr.arpa for IPv4, …ip6.arpa for IPv6). Reverse lookups work only for publicly routable IPs — private, loopback, and reserved ranges are rejected. Internationalized domains (umlauts and the like) are converted to Punycode before the query; the result shows both the Unicode and the Punycode form.

Output: JSON or zone view

By default the result appears as JSON in a read-only CodeMirror editor. Zone switches to a BIND-style zone file (aligned columns: name, TTL, class, type, data). Use Copy (JSON or zone), JSON (save as file), and Save Zone to keep the result.

SSL / Security — certificate and headers

In the SSL / Security tab you enter a domain (https:// is prepended) and click Check SSL. The server fetches the page and returns the raw data; the tool builds several cards from it:

  • Connection — URL, the final URL after any redirect, IP address, HTTP status code, and protocol version (HTTP/1.0, /1.1, /2, or /3).
  • Certificate — common name, organization (if present), issuer, Valid From and Valid Until with days remaining (green, yellow at ≤ 30 days, red when expired), Signature (signature algorithm), Public Key (key algorithm), and the verification result (OK or a specific error such as "Certificate has expired", "Self-signed certificate", "Hostname mismatch").
  • Subject Alternative Names — all DNS names and IP SANs stored in the certificate, as a list.
  • Certificate Chain — the chain from the server certificate through intermediate CA(s) to the root CA, each with subject and issuer.
  • Security Headers — nine headers are checked: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy. A counter badge shows "present/total" (green from 6, yellow from 3, otherwise red). Present headers are additionally validated for content — for example HSTS for max-age ≥ 1 year and includeSubDomains/preload, CSP for unsafe-inline/unsafe-eval/HTTP sources, X-Content-Type-Options for nosniff — and tagged with an OK, warning, or error badge. Missing headers get a short note on what they would protect against.
  • Timing — DNS Lookup, TCP Connect, SSL Handshake, Pretransfer, Start Transfer, and Total.
  • Server — Server, X-Powered-By, Via, X-Cache, Cf-Ray, X-Served-By, and Content-Type headers where present.
  • Raw Headers — the complete raw response headers, collapsible.

If the connection fails, an error alert with the cURL error code and description appears instead of the cards; SSL-specific errors are marked as such. Copy JSON / Save JSON keep the result. The SSL fetch runs with a 15 s timeout.
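
The Security Headers card described above can be reproduced over a raw header block as follows. This is an added example, not the tool's own code: the function names, the sample response, and the choice of "warning" versus "error" for each finding are assumptions; the nine header names and the badge thresholds are the ones listed above.

```javascript
// Added example; the severity chosen for each finding is an assumption.
const CHECKED = ['strict-transport-security', 'content-security-policy',
  'x-frame-options', 'x-content-type-options', 'x-xss-protection', 'referrer-policy',
  'permissions-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy'];
const ONE_YEAR = 31536000;                       // seconds

function parseRawHeaders(raw) {
  const map = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');                 // the status line has no colon and is skipped
    if (i > 0) map[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return map;
}

function gradeHeaders(raw) {
  const h = parseRawHeaders(raw), findings = {};
  for (const name of CHECKED) findings[name] = name in h ? 'ok' : 'missing';

  const hsts = h['strict-transport-security'];
  if (hsts !== undefined) {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
    if (!m) findings['strict-transport-security'] = 'error';
    else if (Number(m[1]) < ONE_YEAR || !/includeSubDomains/i.test(hsts))
      findings['strict-transport-security'] = 'warning';
  }
  const csp = h['content-security-policy'];
  if (csp !== undefined && /'unsafe-inline'|'unsafe-eval'|(^|\s)http:/i.test(csp))
    findings['content-security-policy'] = 'warning';
  const xcto = h['x-content-type-options'];
  if (xcto !== undefined && xcto.toLowerCase() !== 'nosniff')
    findings['x-content-type-options'] = 'error';

  const present = CHECKED.filter(name => name in h).length;
  const badge = present >= 6 ? 'green' : present >= 3 ? 'yellow' : 'red';
  return { present, total: CHECKED.length, badge, findings };
}

// Constructed sample response: four of nine headers, weak HSTS and CSP.
const SAMPLE = ['HTTP/2 200',
  'Strict-Transport-Security: max-age=86400',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options: nosniff',
  'Referrer-Policy: no-referrer'].join('\r\n');
```
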

Redirect — trace the redirect chain

In the Redirect tab you enter a URL and click Trace Redirects. The server follows the chain hop by hop (it does not auto-follow Location, but steps through each one), up to 10 hops. Per hop you see:

  • the hop number and that stop's URL,
  • the status code (colored by 2xx/3xx/4xx/5xx),
  • an HTTPS or HTTP badge,
  • the IP address, the timing, and the Server header,
  • for HTTPS hops, the certificate name (certCN) with days remaining,
  • the raw headers of that hop (collapsible).

Relative Location redirects are resolved to absolute URLs. If an already visited URL is targeted again, the tool stops with "Redirect loop detected". A hop pointing to a private/internal address is rejected as "Blocked redirect target". The last hop (no longer a 3xx) is marked as the endpoint. Copy JSON / Save JSON keep the whole chain.
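
The hop-by-hop trace described here, together with the SSRF block list from "Architecture and limits up front", can be sketched as follows. This is an added example, not the tool's server code: the DNS and RESPONSES tables are constructed stand-ins for real lookups and fetches, and all function names plus the "Blocked scheme" and "Too many redirects" messages are assumptions.

```javascript
// Added example. RESPONSES and DNS are constructed data standing in for real fetches.
const MAX_HOPS = 10;
const V4_BLOCKED = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['100.64.0.0', 10]];
const v4ToInt = ip => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

// Covers only the ranges the manual names; a production check must first
// normalize the address (expanded or IPv4-mapped IPv6 forms).
function isBlockedIp(ip) {
  if (ip.includes(':')) {                        // IPv6: test the first hextet
    if (ip === '::1') return true;
    const first = parseInt(ip.split(':')[0] || '0', 16);
    return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
  }
  const n = v4ToInt(ip);
  return V4_BLOCKED.some(([net, bits]) => {
    const size = 2 ** (32 - bits);               // addresses per block
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}
const DNS = { 'example.com': '198.51.100.10', 'loop.example': '203.0.113.7',
  'hop.example': '203.0.113.8', 'internal.example': '10.0.0.5' };
const RESPONSES = {
  'http://example.com/': { status: 301, location: 'https://example.com/' },
  'https://example.com/': { status: 302, location: '/home' },
  'https://example.com/home': { status: 200 },
  'http://loop.example/a': { status: 302, location: '/b' },
  'http://loop.example/b': { status: 302, location: '/a' },
  'http://hop.example/': { status: 302, location: 'http://internal.example/' },
};

function traceRedirects(startUrl) {
  const hops = [], seen = new Set();
  let url = new URL(startUrl).href;
  while (hops.length < MAX_HOPS) {
    const u = new URL(url);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return { hops, error: 'Blocked scheme' };
    const host = u.hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
    const ip = DNS[host] || host;                      // IP literals map to themselves
    if (isBlockedIp(ip)) return { hops, error: 'Blocked redirect target' };
    if (seen.has(url)) return { hops, error: 'Redirect loop detected' };
    seen.add(url);
    const res = RESPONSES[url] || { status: 404 };
    hops.push({ url, ip, status: res.status });
    if (res.status < 300 || res.status > 399 || !res.location) return { hops, endpoint: url };
    url = new URL(res.location, url).href;             // resolve relative Location
  }
  return { hops, error: 'Too many redirects' };
}
```

The address check runs on the resolved IP of every hop, so a public hostname that redirects to a name resolving into 10.0.0.0/8 is stopped even though no private address appears in the URL itself.
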

URL — parser and slug generator

This tab works entirely in the browser, with no server fetch.

URL parser

With Parse URL the tool breaks an address into its parts via the JavaScript URL API: href, protocol, hostname (plus hostname (Unicode) for IDN), port (or "(default)"), pathname, search, hash, origin, host, username, and password (masked as ***). If a protocol is missing, https:// is added. Below, a table lists all query parameters as key/value pairs, and an encoding block shows the address rendered with encodeURI and decodeURIComponent. All fields are editable; Copy JSON copies the structure.

URL slug generator

The URL Slug Generator turns arbitrary text into a URL-safe slug live (as you type). It handles German umlauts (ä→ae, ö→oe, ü→ue, ß→ss), decomposes accented characters via Unicode normalization (é→e, ñ→n …), replaces all other special characters with the separator (- or _), collapses repeated separators, and trims them at the edges. A character count sits below; Copy copies the slug.

SPF — build an SPF TXT record

The SPF tab generates a valid v=spf1 record live — also entirely client-side. You configure the form on the left, and the record updates instantly on the right.

  • All Policy (catch-all): -all (Fail, recommended for production), ~all (SoftFail, default, for testing), ?all (Neutral), +all (Pass — explicitly not recommended), or "None" (omit). A hint below the select explains the chosen policy.
  • Own Mail Servers — checkboxes for a (the domain's A record sends mail) and mx (the MX servers send mail; on by default).
  • Mail Providers — 16 one-click presets: Google, Microsoft 365, Amazon SES, SendGrid, Mailchimp, Postmark, Brevo, Mailgun, Zoho, HubSpot, Salesforce, Mailjet, SparkPost, Klaviyo, Fastmail, and Proton Mail. Each preset adds its include: mechanism.
  • Custom include: and IP Addresses — your own include: lines plus any number of ip4:/ip6: entries.
  • Advanced — a redirect= (points the policy at another domain; replaces the all-policy) and a free field for additional, space-separated mechanisms.

On the right, a stats row shows two live values: DNS lookups (x/10, yellow from 8, red above 10) and Length (characters, yellow from 300, red above 450). ip4:/ip6: cost no lookups; everything else costs one each. The generator warns at more than 10 DNS lookups, above 450 characters, at +all, and at the redirect= plus all-policy conflict. A DNS Entry card summarizes how to publish the record (type TXT, host @, the value, TTL 3600). Copy copies the record; Verify DNS jumps to the DNS tab and sets the type there to TXT, so you can look up your published record directly.
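
The stats row and warnings can be recomputed for any existing record, for example one copied out of the DNS tab. This is an added example, not the generator's own code: function names and sample records are constructed, and the lookup counting follows RFC 7208 section 4.6.4 (include, a, mx, ptr, exists and redirect= count; ip4, ip6 and all do not), which is assumed to match the tool.

```javascript
// Added example. Lookup counting follows RFC 7208 section 4.6.4 (an assumption
// about the tool): include, a, mx, ptr, exists and redirect= cost one lookup each.
const LOOKUP_MECH = /^[+\-~?]?(include|a|mx|ptr|exists)(?=[:\/]|$)/i;
const level = (value, yellowFrom, redAbove) =>
  value > redAbove ? 'red' : value >= yellowFrom ? 'yellow' : 'green';

function lintSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== 'v=spf1') throw new Error('not an SPF record');
  let lookups = 0, all = null, redirect = false;
  for (const term of terms) {
    if (/^redirect=/i.test(term)) { redirect = true; lookups++; }
    else if (LOOKUP_MECH.test(term)) lookups++;
    // A bare "all" has the default qualifier "+".
    else if (/^[+\-~?]?all$/i.test(term)) all = /^[\-~?]/.test(term) ? term[0] : '+';
  }
  const length = record.trim().length, warnings = [];
  if (lookups > 10) warnings.push('more than 10 DNS lookups');
  if (length > 450) warnings.push('record longer than 450 characters');
  if (all === '+') warnings.push('+all lets any host pass');
  if (redirect && all) warnings.push('redirect= conflicts with an all policy');
  return { lookups, lookupLevel: level(lookups, 8, 10), length,
    lengthLevel: level(length, 300, 450), all, warnings };
}

// Constructed sample records (.example domains are placeholders).
const GOOD = 'v=spf1 mx include:spf.mail-a.example ip4:203.0.113.0/24 ip6:2001:db8::/32 -all';
const BAD = 'v=spf1 a mx '
  + Array.from({ length: 9 }, (_, i) => `include:spf${i}.example`).join(' ')
  + ' redirect=spf.other.example +all';
```
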

Operating limits — at a glance

  • Privacy: fetches run through the JPKCom server; the target does not see your IP.
  • SSRF / private-IP protection: private, local, reserved, and CGNAT addresses are blocked (DNS reverse, SSL, every redirect hop); only http/https.
  • Limits: max. 10 redirect hops, 15 s timeout per fetch, URL ≤ 3072 characters, domain ≤ 253 characters.
  • Throttle: client-side ~1 server request per second (off in expert mode).
  • Token: daily-rotating, 5-minute window, referer-checked — not a public API.
  • Usable without the server: URL parser, slug generator, and SPF generator compute entirely in the browser.

For the big picture and the audiences, see the overview. Concrete workflows are in the examples, tricks in the tips & tricks. You can try everything right in the tool.