
Check-Host: every network diagnostic in one tool

Ten tools in one: IP info with RIPE WHOIS and ASN, ping, traceroute, MTR, HTTP status, TCP port check with banner, DNS lookup, SSL certificate inspection, SMTP banner test and WHOIS. Fast, free, no signup. All tests from the KernelHost node in Frankfurt. Private IPs are automatically rejected to prevent abuse.


What can Check-Host do?

Check-Host bundles ten classic network diagnostics in one interface; every test runs from the KernelHost node in Frankfurt.

  • IP info: reverse DNS, RIPE WHOIS owner, ASN, BGP route, inetnum block, netname, abuse contact and country.
  • Ping: 4 ICMP echo packets, average response time and packet loss.
  • Traceroute: hop-by-hop UDP traceroute, up to 20 hops, latency per hop.
  • MTR: combines ping and traceroute over multiple probes per hop, surfacing packet loss on unstable routes.
  • HTTP: status code, response time, final URL after redirects, response headers and target server IP.
  • Port check: TCP connect to any port plus optional banner grab (SSH, SMTP, FTP, IMAP, POP3 etc.).
  • DNS lookup: A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR, SRV, DS, DNSKEY, TLSA and ANY via the Cloudflare resolver 1.1.1.1.
  • SSL check: full TLS certificate inspection: subject, issuer, SAN, validity, days remaining, cipher, protocol and SHA fingerprints.
  • SMTP test: connect to MX host, read greeting banner and EHLO capabilities, without actually sending mail.
  • WHOIS: RIPE WHOIS for IP addresses, ASNs or hostnames, exclusively against whois.ripe.net.

Ping vs traceroute vs MTR

The three connectivity tools measure different aspects of the path to the target.

  • Ping operates at Layer 3 (ICMP) and answers two questions: is the host reachable at all, and how fast does it respond? Some hosting providers filter ICMP, in which case a port check or UDP traceroute is the better option.
  • Traceroute sends packets with increasing TTL and collects responses from intermediate hops, visualizing the exact path and where problems occur.
  • MTR runs ping plus traceroute continuously in parallel; ideal for catching intermittent packet loss on individual hops because it averages over many probes.

Typical diagnosis flow: first DNS lookup (does the name exist?), then ping (is the host up?), if there are issues use traceroute or MTR (where is the packet lost?), then port check (is the service running?), then HTTP or SSL (is the application responding?).

WHOIS and ASN lookup explained

Behind every public IP there is a network operator. Two paths get you there:

  • WHOIS is the text-based information service from the Regional Internet Registries. We query only whois.ripe.net (RIPE, the registry for Europe), which is standard internet infrastructure. RIPE returns OrgName, address, abuse contact and the CIDR of the assigned block.
  • ASN (Autonomous System Number) identifies the network in global BGP routing. An ASN can hold hundreds of prefixes, so the ASN entry is often more precise than the leased sub-block.

Practical example: an IP from Hetzner formally belongs to the Hetzner ASN (AS24940) but may be delegated to a reseller whose name then shows up in WHOIS. Both pieces together give the full picture.

Understanding the SSL/TLS certificate check

The SSL tab opens a real TLS connection to the target host and gives you all relevant certificate data plus the cipher configuration.

  • Subject and SAN: the Common Name plus Subject Alternative Names list every hostname the certificate is valid for (often multiple domains plus wildcards).
  • Issuer and chain: who issued the certificate (e.g. Let's Encrypt, DigiCert) and how many intermediate certificates the chain contains. A complete chain is mandatory for mobile browsers.
  • Validity: start and end dates plus days remaining. We show a yellow warning at 30 days and a red warning at 14 days because cron-based renewal needs action in that window.
  • Cipher and protocol: the negotiated TLS version (1.2 or 1.3) plus the cipher suite (e.g. TLS_AES_256_GCM_SHA384) reveal whether the server supports modern crypto.

Privacy

Check-Host runs in a container in Frankfurt. No requests are logged, no tracking cookies are set and no third-party scripts are loaded apart from the hCaptcha bot protection.

  • All tests (ping, traceroute, MTR, DNS, WHOIS, HTTP, SSL, SMTP) run directly from the server in Frankfurt. There is no third-party geo API anymore.
  • WHOIS queries go exclusively to whois.ripe.net (standard internet infrastructure).
  • DNS queries go directly to Cloudflare 1.1.1.1.
  • Private and reserved IP ranges are blocked across all modes (protection against Server-Side Request Forgery).

Frequently Asked Questions

What exactly does Check-Host check?

Ten modes in one tool: IP info (PTR, RIPE WHOIS, ASN, country), ping, traceroute, MTR, HTTP status, TCP port check with banner grab, DNS lookup (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR, SRV, DS, DNSKEY, TLSA, ANY), SSL certificate inspection, SMTP banner test and RIPE WHOIS for IPs, ASNs or hostnames. All tests run from the KernelHost node in Frankfurt FRA01.

What is the difference between ping, traceroute and MTR?

Ping sends four ICMP echo packets and measures round-trip time, telling you whether the host is up and how fast it responds. Traceroute shows every hop on the path with its latency. MTR combines both: it continuously pings every hop, exposing packet loss and unstable hops, ideal for diagnosing routing issues.

What is an ASN?

An Autonomous System Number identifies a network in global BGP routing. Every major provider has at least one ASN, e.g. AS3320 for Deutsche Telekom or AS197540 for KernelHost. The ASN tells you which network an IP actually belongs to, regardless of the DNS name.

Where does the WHOIS data come from?

We query whois.ripe.net exclusively from the server in Frankfurt. RIPE is the Regional Internet Registry for Europe and standard internet infrastructure. If an IP lies outside the RIPE region (ARIN, APNIC, LACNIC, AFRINIC), we let you know without contacting any third-party WHOIS server.

What do HTTP status codes 200, 301, 404 and 5xx mean?

200 (OK): everything is fine, the server responded. 301/302: redirect to another URL. 404 (Not Found): the resource does not exist. 401/403: authentication missing or not allowed. 5xx: server error, the server hit an internal error or is overloaded. The HTTP mode follows up to three redirects and shows you the final status.

What does the SSL tab check exactly?

The SSL tab opens a real TLS connection to the target host (with proper SNI), reads the server certificate plus the entire chain and shows: subject, issuer, subject alternative names (SAN), validity period, days remaining, signature algorithm, serial number, cipher suite, TLS protocol version and SHA1/SHA256 fingerprints. Verification against the system trust store is also performed.
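The following is an added example, not KernelHost's code: a Python sketch of the check described above, with a verified TLS connection using SNI and a summary that applies the 30-day and 14-day thresholds from the validity bullet earlier on this page. The function names, the inclusive threshold bounds, the "expired" level and the sample certificate are assumptions of the example.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return (cert dict, protocol, cipher name)."""
    ctx = ssl.create_default_context()   # system trust store, hostname check enabled
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate is checked against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]

def summarize(cert, now=None):
    """Reduce a getpeercert() dict to subject, issuer, SANs and expiry status."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    # 30/14-day thresholds are from the page; inclusive bounds and the
    # "expired" level are this example's assumptions.
    if days_left < 0:
        level = "expired"
    elif days_left <= 14:
        level = "red"
    elif days_left <= 30:
        level = "yellow"
    else:
        level = "ok"
    def name(field):
        # subject/issuer are tuples of RDNs, each a tuple of (key, value) pairs
        return {k: v for rdn in cert.get(field, ()) for k, v in rdn}
    return {
        "subject_cn": name("subject").get("commonName"),
        "issuer_o": name("issuer").get("organizationName"),
        "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": days_left,
        "level": level,
    }

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example CA"),)),
    "notAfter": "Jan 31 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jan 11 00:00:00 2030 GMT")
    print(summarize(SAMPLE_CERT, now=now))
```

With the default context, `fetch_cert` raises `ssl.SSLCertVerificationError` for an untrusted chain or a hostname mismatch, so a failed verification surfaces as an error rather than as a certificate summary.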

Can I check private IPs (e.g. 192.168.1.1)?

No. For security reasons the tool blocks all private, reserved and loopback addresses (RFC 1918, CGNAT, link-local, loopback, multicast). If we accepted those ranges, an attacker could scan internal networks of the KernelHost container (Server-Side Request Forgery). Local tests need to be run from your own machine.
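One way such a target check can be written, as an added example that is not KernelHost's code: every address a name resolves to is tested against the blocked ranges, IPv4-mapped IPv6 is unwrapped first, and the probe connects to the validated IPs rather than re-resolving the name. The range list, function names and the fake resolver data are assumptions of the example.

```python
import ipaddress
import socket

# Ranges the page names (RFC 1918, CGNAT, link-local, loopback, multicast) plus
# reserved/unspecified space. The exact list is this example's assumption.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_blocked(addr):
    """True if addr (string) falls in any blocked range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past the v4 list.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)

def system_resolver(host):
    """Resolve host to a sorted list of unique A/AAAA address strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def validate_target(target, resolver=system_resolver):
    """Return the addresses a probe may connect to, or raise ValueError."""
    try:
        addrs = [str(ipaddress.ip_address(target))]   # input is an IP literal
    except ValueError:
        addrs = resolver(target)                      # input is a hostname
    if not addrs:
        raise ValueError("target does not resolve")
    # Reject if ANY record is internal: a name with one public and one private
    # record would otherwise pass or fail depending on which one is picked.
    for a in addrs:
        if is_blocked(a):
            raise ValueError(f"blocked address {a} for {target}")
    return addrs   # connect to these IPs; re-resolving later allows DNS rebinding

# Constructed sample data: a fake resolver so the demo runs offline.
SAMPLE_DNS = {"public.example": ["1.1.1.1"], "mixed.example": ["1.1.1.1", "10.0.0.5"]}

if __name__ == "__main__":
    for t in ("1.1.1.1", "192.168.1.1", "::ffff:127.0.0.1", "public.example", "mixed.example"):
        try:
            print(t, "->", validate_target(t, resolver=lambda h: SAMPLE_DNS.get(h, [])))
        except ValueError as e:
            print(t, "-> rejected:", e)
```

For HTTP mode the same validation has to be repeated on every redirect hop, since a public URL can redirect to an internal address.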

Are my inputs stored?

No. There is no logging of your queries, no tracking cookies and no third-party scripts (other than hCaptcha, which is integrated in a GDPR-compliant way). All tests (ping, traceroute, MTR, DNS, WHOIS, HTTP, SSL, SMTP) run directly from the server in Frankfurt to the target. We do not contact any third-party API for geo data or anything else.
