Clean, ad-free sysadmin tools — DNS, email authentication, TLS, certificates, whois, network, and everyday utilities. Pure HTML/CSS/JS on the frontend with a handful of Cloudflare Pages Functions for the lookups that need a server. No logs. No tracking. No ads.
Live: https://sysadminstuff.net
- Lookup — A, AAAA, MX, TXT, NS, CNAME, SOA, PTR, SRV, or ALL, via Cloudflare DNS-over-HTTPS. IP input auto-switches to reverse (PTR).
- Propagation — the same record across several diverse public resolvers (Cloudflare, Google, Quad9, DNS.SB, AliDNS, NextDNS), with a consistency verdict. Runs via a Pages Function because most resolvers don't expose a browser-usable (JSON + CORS) DoH API.
- SPF — parsed mechanisms with plain-English explanations and a policy summary.
- DMARC — every tag explained, policy badge (NONE / QUARANTINE / REJECT), report addresses.
- DKIM — look up any selector, key type and bit length, testing-mode warning.
- MX — priority-ordered hosts with resolved IPs and PTR records.
- Header Analyzer — paste raw headers to trace the routing path, per-hop delays, and SPF/DKIM/DMARC results. Runs entirely in your browser.
- Blacklist — checks an IP against 15 DNS blacklists.
- HTTP Headers — all response headers plus a 7-point security-header scorecard.
- Redirects — the full redirect chain, hop by hop, with status codes.
- TLS Grade — protocol/cipher probe and an A–F grade.
- ASN Lookup — ASN or IP details and announced prefixes (bgpview.io).
- Subnet Calculator — network/broadcast/mask/range/host-count. 100% in-browser.
- Geo — approximate IP geolocation (ip-api.com).
- Reverse DNS — PTR lookup with forward-confirmation.
- Certificate history via crt.sh — validity badge, SANs, issuer, expiry countdown.
- RDAP-based whois for domains and IPs.
- Base64, URL Encode, JWT Decoder — nothing you type leaves your browser.
sysadminstuff.net does not log, store, or track queries. No analytics. No cookies. No ads. The utility tools (JWT decoder, Base64, URL encode, subnet calculator) run entirely in your browser and never transmit data. See PRIVACY.md for full details.
The only external asset loaded by the page is the JetBrains Mono font from Google Fonts. To eliminate even that request, download the font, drop the .woff2 files under css/fonts/, replace the Google Fonts <link> tags in index.html/privacy.html with a local @font-face block in css/style.css, and you have a fully self-contained site.
- Cloudflare DNS-over-HTTPS — DNS lookups & blacklist queries
- crt.sh — certificate transparency logs
- RDAP via rdap.org / ARIN — whois data
- ip-api.com — IP geolocation
- bgpview.io — ASN / prefix data
- DNS blacklists: Spamhaus, SpamCop, Barracuda, SORBS, UCEPROTECT, Mailspike, SpamRats, and others
The static files and the Pages Functions run together under Wrangler:
npx wrangler pages dev .Then open the printed local URL. No npm install is required for the frontend — it is plain JS.
A dependency-free smoke-test suite lives in tests/:
# Pure-logic unit tests (no network, runs in plain Node):
node tests/smoke.mjs
# End-to-end checks against a running `wrangler pages dev` instance:
npx wrangler pages dev . & # in one terminal
node tests/e2e.mjs # in another (defaults to http://localhost:8788)node tests/smoke.mjs exits non-zero on any failure, so it is safe to wire into CI. See tests/README.md.
Hosting is effectively free: static files are unlimited on Pages, and the Functions run on the Workers free tier — a hard 100,000 requests/day cap that fails closed (the API tools return errors past the limit; they never bill you). Stay on the free plan and there is no surprise-bill scenario.
The real concern is abuse of the API endpoints (/api/headers fetches URLs, /api/tls opens sockets, /api/propagation and /api/rbl fan out). Two defenses:
-
Code-level (already in the repo):
functions/_middleware.jsrestricts/api/*to read methods and rejects oversized URLs. It's stateless, so it's free and always on. -
Rate limiting (set this up once, free): In the Cloudflare dashboard for the zone → Security → WAF → Rate limiting rules → Create rule:
- If incoming requests match:
URI Pathcontains/api/ - Rate:
20requests per10seconds, counting by client IP - Action: Block (or Managed Challenge) for
60seconds
The free plan includes one rate-limiting rule — this is a good use of it. Adjust the numbers to taste; 20/10s is generous for a human but stops a script hammering your quota.
- If incoming requests match:
- Push this repo to GitHub.
- Cloudflare Pages dashboard → Create project → connect the GitHub repo.
- Build settings: no build command, output directory
/. - Add the custom domain
sysadminstuff.net(already on Cloudflare — DNS auto-configures). - Functions in
functions/deploy automatically. - Every push to
mainauto-deploys both the static files and the functions.
index.html privacy.html wrangler.toml
css/style.css
js/ core.js app.js dns.js email.js web.js network.js cert.js whois.js utils.js
lib/ parse.mjs
functions/ _middleware.js api/ whois.js rbl.js tls.js headers.js asn.js propagation.js
tests/ smoke.mjs e2e.mjs README.md
Issues and PRs welcome. Guidelines:
- No build step and no frontend dependencies — keep it plain HTML/CSS/JS.
- Never log user input in a Pages Function (query params, URLs, IPs). See the no-logging rules in PRIVACY.md.
- No analytics, telemetry, cookies, or third-party scripts (beyond the optional Google Font).
- Add or update a smoke test for anything you change.
Apache-2.0 with the Commons Clause — see LICENSE.
This is source-available, not OSI "open source". You may use, modify, and self-host it freely (including internally at a company). What you may not do is Sell it — that includes hosting it as a paid product or service, or selling support whose value derives substantially from this software. Everything else Apache-2.0 permits.