Nameserver Health Monitor

Authoritative DNS works only as well as its slowest, least-responsive nameserver. This check queries each nameserver listed in the zone's NS records directly, times the response, and compares SOA serials to detect drift between authoritatives.

What we check

We start by fetching the NS records for the zone, then for each nameserver:

  • Resolve the hostname to an IP, preferring an A record and falling back to AAAA.
  • Send a SOA query for the zone directly to that IP.
  • Time the round-trip in milliseconds.
  • Parse the SOA serial from the response.

The check then compares the serial number returned by every responding nameserver. They should match — when they don't, one or more authoritatives are out of sync.

Why it matters

If one of four nameservers is dead, only resolvers that happened to query the other three will see the zone — and DNS resolvers cache aggressively, so the failure can be invisible to most observers while breaking some users. Serial drift means a recent change made it to some nameservers but not others, producing the classic "it works for me" debugging trap.

Latency matters too: a nameserver that takes 1.5 seconds to answer adds that latency to every cold lookup that lands on it.

Status outcomes

Good

Every nameserver answered, all SOA serials match, and every response came back in under one second.

Warning

Every nameserver answered correctly but at least one response took longer than one second.

Bad

A nameserver failed to resolve to an IP, didn't return a SOA, or returned an unparseable SOA — or the SOA serials disagree across the responding nameservers (zone is out of sync).

Unknown

The zone returned no NS records (a delegation problem upstream).
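The probe described under "What we check" and the status mapping above, as an added example written for this page (not the monitor's own code): it sends a raw UDP SOA query to each nameserver's IP, times the round trip, parses the serial out of the wire-format response, and maps the results onto Good / Warning / Bad / Unknown with the one-second boundary. It assumes the caller already has the zone's NS list (fetching the NS records, the check's first step, is not shown), uses only the Python standard library, and the function `constructed_soa_response` builds a sample answer packet (constructed data with placeholder names `ns1` and `hostmaster`, not a real capture) so the parser and classifier can be exercised offline.

```python
import socket
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

LATENCY_WARN_MS = 1000.0   # the page's one-second boundary between Good and Warning
SOA_TYPE, IN_CLASS = 6, 1

@dataclass
class ProbeResult:
    nameserver: str
    ip: Optional[str]
    serial: Optional[int]
    latency_ms: Optional[float]
    error: Optional[str] = None

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header, QNAME, QTYPE=SOA, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", SOA_TYPE, IN_CLASS)

def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length

def parse_soa_serial(msg: bytes) -> Optional[int]:
    """Extract the SOA serial from a response; None if absent, truncated or RCODE != 0."""
    try:
        _txid, flags, qdcount, ancount, nscount, _ar = struct.unpack(">HHHHHH", msg[:12])
        if flags & 0x000F:             # non-zero RCODE (NXDOMAIN, REFUSED, ...)
            return None
        offset = 12
        for _ in range(qdcount):
            offset = _skip_name(msg, offset) + 4          # QTYPE + QCLASS
        for _ in range(ancount + nscount):                # answer, then authority section
            offset = _skip_name(msg, offset)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
            offset += 10
            if rtype == SOA_TYPE:
                p = _skip_name(msg, offset)               # MNAME
                p = _skip_name(msg, p)                    # RNAME
                return struct.unpack(">I", msg[p:p + 4])[0]
            offset += rdlen
    except (IndexError, struct.error):
        pass                                              # malformed or truncated packet
    return None

def resolve_ip(host: str) -> Optional[str]:
    """Prefer an A record and fall back to AAAA, as the check does."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            return socket.getaddrinfo(host, 53, family, socket.SOCK_DGRAM)[0][4][0]
        except socket.gaierror:
            continue
    return None

def probe_nameserver(zone: str, nameserver: str, timeout: float = 3.0) -> ProbeResult:
    """One NS: resolve it, send the SOA query straight to it, time it, parse the serial."""
    ip = resolve_ip(nameserver)
    if ip is None:
        return ProbeResult(nameserver, None, None, None, "could not resolve to an IP")
    query = build_soa_query(zone)
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(query, (ip, 53))
            response, _ = sock.recvfrom(4096)
        except OSError as exc:
            return ProbeResult(nameserver, ip, None, None, f"no response: {exc}")
        latency_ms = (time.perf_counter() - start) * 1000.0
    if response[:2] != query[:2]:      # answer must carry our transaction ID
        return ProbeResult(nameserver, ip, None, latency_ms, "transaction ID mismatch")
    serial = parse_soa_serial(response)
    if serial is None:
        return ProbeResult(nameserver, ip, None, latency_ms, "no parseable SOA in response")
    return ProbeResult(nameserver, ip, serial, latency_ms)

def classify(results: List[ProbeResult]) -> str:
    """Map probe results onto the page's Good / Warning / Bad / Unknown outcomes."""
    if not results:
        return "Unknown"                                  # zone had no NS records
    if any(r.error for r in results):
        return "Bad"
    if len({r.serial for r in results}) > 1:
        return "Bad"                                      # serial drift between authoritatives
    if any(r.latency_ms > LATENCY_WARN_MS for r in results):
        return "Warning"
    return "Good"

def constructed_soa_response(zone: str, serial: int) -> bytes:
    """Sample authoritative SOA answer for tests (constructed data, not a real capture)."""
    ptr = b"\xc0\x0c"                                     # pointer back to the QNAME
    rdata = (b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr
             + struct.pack(">IIIII", serial, 7200, 900, 1209600, 86400))
    return (struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + build_soa_query(zone)[12:]
            + ptr + struct.pack(">HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata)
```

To run it against a live zone, call `probe_nameserver(zone, ns)` for each name in the zone's NS set and pass the list to `classify`. Two limits worth knowing: the example reads one UDP datagram and does not retry over TCP when the TC bit is set, and the latency figure includes the A/AAAA resolution only indirectly (the timer starts after `resolve_ip`), which matches the page's definition of timing the SOA round trip itself.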

How to fix

For an unresponsive nameserver: check whether the host is reachable, whether the DNS service is running, and whether firewall rules are dropping queries. If the nameserver is no longer in service, remove it from the zone's NS records and update the parent delegation.

For serial drift: identify which nameserver has the older serial and trigger a zone transfer or push. Persistent drift usually points to a broken NOTIFY/AXFR setup or a nameserver that fell behind during a deploy.

Latency above a second isn't fatal but is worth investigating — it usually means the nameserver is overloaded, geographically distant from our prober, or routing through a degraded path.
