🗄 A · AAAA · MX · TXT · CNAME · NS · SOA · CAA · SRV · PTR

DNS Lookup Tool

Free DNS record lookup tool. Query any DNS record type for any domain instantly. Check A, AAAA, MX, TXT, CNAME, NS, SOA, CAA, SRV, and PTR records using encrypted DNS over HTTPS via Cloudflare and Google.

✓ 10 record types✓ DNS over HTTPS✓ TTL display✓ Cloudflare + Google DoH✓ No signup

DNS Record Lookup

Try:

Record types to query

🔍

Enter a domain above and click Look Up to query its DNS records

What this tool does

Free DNS lookup tool. Query and inspect DNS records for any domain online

This DNS lookup tool lets you query any of the ten major DNS record types for any domain name. Instantly, in your browser, with no software to install. It uses DNS over HTTPS (DoH) to send encrypted queries to Cloudflare's global resolver (cloudflare-dns.com) with automatic fallback to Google's (dns.google), ensuring both privacy and reliability. Unlike traditional DNS tools that use plaintext UDP port 53, DoH prevents network observers from seeing the domains you're looking up.

DNS (Domain Name System), defined in RFC 1034 and RFC 1035, is the internet's distributed directory service. It translates human-readable domain names into IP addresses and configuration data that computers use to communicate. Every record has a TTL (Time To Live) value in seconds controlling how long it is cached by resolvers. Lowering TTL before making DNS changes speeds up propagation; restoring it afterward reduces nameserver query load. This tool displays TTL for every returned record so you always know exactly how fresh the cached data is.

Multi-type batch querying is the most practical feature for email and infrastructure debugging. Select A + MX + TXT + NS in a single lookup to check web hosting, mail routing, SPF records, and nameserver delegation simultaneously. The same checks you would run sequentially using dig or nslookup, done in one click. Common use cases include: verifying MX records after setting up email, confirming TXT records for SPF or DMARC configuration, checking whether a CNAME alias is resolving correctly, and diagnosing why a domain isn't resolving as expected after a DNS change.

All 10 DNS record types explained

IPv4 Address

Maps a domain to a 32-bit IPv4 address. The most fundamental DNS record. Every website serving IPv4 traffic needs one.

AAAA

IPv6 Address

Maps a domain to a 128-bit IPv6 address. Essential for modern dual-stack networks and future-proofing your infrastructure.

Mail Exchange

Specifies which mail servers handle email for the domain. Lower priority number = tried first. Supports automatic failover with multiple MX records.

TXT

Text / SPF / DKIM

Stores arbitrary text. Used for SPF (authorised senders), DKIM (signing keys), DMARC (policy), and domain ownership verification.

CNAME

Canonical Name

Aliases one domain to another. The browser resolves the target domain's A/AAAA records. Cannot be used at the root domain.

Name Server

Delegates a domain zone to authoritative name servers. Set by your domain registrar and controls where DNS records are managed.

SOA

Start of Authority

Zone metadata: primary NS, admin email, serial number, and refresh/retry/expire intervals. Every DNS zone must have exactly one SOA.

CAA

CA Authorisation

Restricts which Certificate Authorities can issue SSL/TLS certificates for the domain, preventing fraudulent certificate issuance.

SRV

Service Record

Defines server location for specific services (VoIP, XMPP, etc.) with priority, weight, port, and target host.

PTR

Pointer / rDNS

Reverse DNS. Maps an IP address back to a hostname. Used by mail servers for anti-spam checks and network diagnostics.

Why it matters

Why DNS lookups matter: debugging infrastructure, verifying email, and auditing security

DNS is the silent infrastructure behind every internet-connected service. When it works correctly it is completely invisible. When it does not, websites fail to load, email is not delivered, APIs cannot connect, and TLS certificates cannot be issued. Because DNS failures often produce generic error messages rather than specific DNS diagnostics, they are among the hardest infrastructure problems to identify without a dedicated lookup tool. A single lookup here frequently surfaces a missing record, a stale cached value, or a misconfiguration that would otherwise take hours to find.

For email, DNS configuration is the primary determinant of whether messages reach the inbox or the spam folder. The Email Health Checker audits five DNS factors simultaneously with a scored grade, but when you need to inspect the raw record values directly, the exact SPF include chain, the exact DMARC tags, whether a specific DKIM selector key is published, this tool gives you that granularity. Querying TXT records at your root domain reveals the SPF record. Querying TXT at _dmarc.yourdomain.com shows DMARC policy. Querying TXT at selector._domainkey.yourdomain.com shows the DKIM public key. All three in one batch lookup takes under two seconds.

For security teams, DNS records are a primary source of passive reconnaissance data and an active attack surface. CAA records restrict which Certificate Authorities can issue TLS certificates for your domain. A critical control against fraudulent certificate issuance. NS records reveal which DNS provider hosts a domain, which is relevant for DNS hijacking risk assessments. TXT records often accumulate over years, with legacy ownership verification strings, deprecated service configurations, and old SPF includes that are no longer valid. A full TXT record audit with this tool frequently surfaces entries that need to be cleaned up to reduce attack surface and clarify the domain's current configuration.

For DevOps and infrastructure teams, DNS lookups are part of every deployment and migration verification checklist. After pointing a CNAME to a new CDN endpoint, querying this tool confirms what Cloudflare's and Google's resolvers currently return. Which reflects what most internet users see. After migrating email providers, querying MX and TXT together confirms the old provider's MX records are gone and the new SPF include: is in place. The TTL values displayed tell you how long each record will remain cached globally, so you can calculate the remaining propagation window for each change.

Troubleshooting

Common DNS investigation tasks: what to query and how to read the results

Most DNS debugging tasks follow one of a small number of patterns. Here is what to query and how to interpret what you find.

Email not being received. Checking MX records

Query MX for the recipient domain. An empty result means the domain has no MX records and cannot receive email. Messages will hard-bounce with a permanent failure. If MX records are present, verify they point to your provider's expected servers (ASPMX for Google Workspace, mail.protection.outlook.com for Microsoft 365). Use the MX Record Lookup for provider detection, priority analysis, and redundancy checking.

💡 Also query TXT to check the SPF record. Ensure all your sending services are listed as authorised senders.

Checking SPF, DKIM, or DMARC publication

Query TXT for your root domain (SPF. Starts v=spf1). Query TXT for _dmarc.yourdomain.com (DMARC. Starts v=DMARC1). Query TXT for selector._domainkey.yourdomain.com replacing 'selector' with your DKIM selector name such as 'google' for Google Workspace or 'selector1' for Microsoft 365 (DKIM. Contains p= public key). For detailed analysis of each record, use the SPF Record Checker, DMARC Analyzer, and DKIM Analyzer respectively.

💡 Not sure of your DKIM selector? View the DKIM-Signature header of any sent email from that domain. The s= tag contains the selector name.

DNS change not showing up. Checking propagation

Query the record type you changed. If the old value appears, the TTL has not yet expired at Cloudflare's or Google's resolvers. Note the TTL displayed. This is the maximum remaining wait. If the new value appears here but not in your browser, your local ISP resolver is still serving the cached old value and will update after its own cached TTL expires.

💡 This tool queries from Cloudflare's and Google's global resolver network. If the new value appears here, most internet users worldwide will see it within minutes.

Domain returns NXDOMAIN. Diagnosing non-existent names

NXDOMAIN means the queried name has no DNS records of any type. Check for typos. If the domain should exist, query the parent domain's NS records to identify the authoritative nameservers, then verify the record is published there. A common cause: a subdomain was added in one DNS control panel but the domain's NS records still point to a different provider where the record does not exist.

💡 NXDOMAIN differs from an empty answer. Empty means the domain exists but has no records of the queried type. NXDOMAIN means no records of any type at all.

Auditing TXT records for security and cleanup

Query TXT for the domain and review every entry. Look for: old service verification strings from providers no longer in use, SPF include: mechanisms pointing to services no longer sending email (each wastes a lookup against the 10-lookup RFC 7208 limit), and any sensitive information inadvertently published. Stale TXT records are surprisingly common on domains that have been managed for several years.

💡 Use the SPF Flattening Tool if your SPF record has too many include: mechanisms approaching the 10-lookup limit.

Examples

Real DNS records explained: what each type looks like in practice

These examples show what each DNS record type looks like and what the value means when you look it up.

A Recordexample.com. Maps domain to IPv4 address

Query: example.com (A) Result: 93.184.216.34 TTL: 3600 seconds Host: IANA / Example Domain

An A record is the most basic DNS record, pointing a domain to an IPv4 address. When you type a URL in your browser the first DNS lookup it performs is an A record query. The TTL of 3600 seconds means resolvers cache this result for one hour before re-querying the authoritative nameserver.

MX Recordgmail.com. Routes email to Google mail servers

Query: gmail.com (MX) Result: 10 alt1.gmail-smtp-in.l.google.com 20 alt2.gmail-smtp-in.l.google.com 30 alt3.gmail-smtp-in.l.google.com Note: Lower priority number = higher preference

MX records tell sending servers where to deliver email for a domain. Multiple records with different priority values provide failover. If the primary server (priority 10) is unreachable, the sender tries priority 20, then 30. All major mail providers publish multiple MX records for redundancy and reliability.

TXT Recordexample.com. SPF policy defines authorised senders

Query: example.com (TXT) Result: v=spf1 include:_spf.google.com include:sendgrid.net ~all Type: SPF (Sender Policy Framework)

TXT records are used for email authentication (SPF, DKIM, DMARC), domain ownership verification, and third-party service configuration. This SPF record authorises Google and SendGrid to send email on behalf of the domain. The ~all softfail means all other senders should be treated with suspicion by receiving servers.

CNAME Recordwww.example.com. Alias pointing to root domain

Query: www.example.com (CNAME) Result: example.com TTL: 300 seconds Note: Resolver then looks up A record for example.com

A CNAME creates an alias from one hostname to another. Here www.example.com resolves by first following the CNAME to example.com, then looking up its A record. CNAMEs cannot be placed at the root domain itself. Only on subdomains like www, mail, or ftp.

NXDOMAINnonexistent.example.com. Name does not exist in DNS

Query: nonexistent-subdomain.example.com (A) Result: NXDOMAIN (Non-Existent Domain) Code: 3 Meaning: No DNS record of any type at this name

NXDOMAIN means the queried name does not exist in DNS at all. For email senders, NXDOMAIN on an MX lookup means the domain cannot receive email and any message sent will hard-bounce immediately. For websites it means the subdomain has not been configured in DNS.

FAQ

DNS lookup questions and answers

Answers to the most common questions about DNS records, TTL, DNS over HTTPS, propagation, NXDOMAIN, DNSSEC, and how DNS relates to email authentication.

What is a DNS lookup?

A DNS lookup queries the Domain Name System to translate a human-readable domain name into the IP addresses and configuration data that computers use to connect and communicate. Every time you visit a website, send an email, or use an online service, your device performs DNS lookups automatically. The Domain Name System is defined in RFC 1034 and RFC 1035. This tool lets you perform those lookups manually so you can inspect, troubleshoot, and verify any domain's DNS configuration. Querying up to all 10 major record types simultaneously in a single batch.

What are MX records used for?

MX (Mail Exchange) records tell the internet which mail servers handle email for a domain. When someone sends an email to user@example.com, their sending mail server performs a DNS MX lookup for example.com to find the correct delivery destination. Lower priority numbers are preferred. Priority 10 is tried before priority 20. Multiple MX records with different priorities provide failover redundancy: if the primary server is unreachable, the sender automatically tries the next-lowest priority. Use the MX Record Lookup tool for a dedicated MX analysis including provider identification and redundancy checking.

What is a TXT record used for?

TXT records store arbitrary text data associated with a domain. They are used for SPF (Sender Policy Framework. Specifying which mail servers are authorised to send email for the domain), DKIM (publishing cryptographic public keys for email message signing), DMARC (defining email authentication enforcement policy), and domain ownership verification for services like Google Search Console, GitHub, and Microsoft 365. TXT records can also hold general configuration data for third-party services. When querying a domain's TXT records, you will often see multiple entries. One for SPF (starting v=spf1), one or more DKIM keys (at selector._domainkey subdomains), and a DMARC record (at _dmarc.yourdomain.com).

What does TTL mean in a DNS record?

TTL (Time To Live) is the number of seconds a DNS record should be cached by resolvers before they re-query the authoritative nameserver for a fresh value. A TTL of 300 means resolvers cache the answer for 5 minutes. A TTL of 86400 means they cache it for 24 hours. Lower TTLs allow faster propagation of DNS changes. If you change an A record with a TTL of 300, the change is visible globally within about 5 minutes. Higher TTLs reduce DNS query volume on your nameservers, which is useful for stable records that rarely change. Best practice: set TTLs to 3600 (1 hour) normally, reduce to 300 (5 minutes) 24-48 hours before a planned DNS change, then restore to 3600 after the change propagates.

What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) sends DNS queries encrypted over the HTTPS protocol instead of plaintext UDP port 53. Traditional DNS queries are visible to your ISP, network administrator, and any observer on the same network. They can see every domain you look up even if the pages themselves are HTTPS. DoH prevents this by tunnelling DNS inside TLS-encrypted HTTPS. This tool uses Cloudflare's public DoH resolver (cloudflare-dns.com) as primary and Google's (dns.google) as automatic fallback. DoH also improves query reliability on networks with restricted or unreliable UDP port 53.

What is a CNAME record?

A CNAME (Canonical Name) record creates an alias from one domain name to another. For example, www.example.com might CNAME to example.com, meaning the browser resolves example.com's A or AAAA records to find the IP. CNAME records cannot coexist with other record types at the same name (with the exception of DNSSEC-related records), which is why they cannot be used at the root domain (apex). A root domain needs MX, TXT, and other records. Many modern DNS providers support CNAME-like records at the apex through proprietary ALIAS or ANAME record types that flatten the CNAME at query time.

What is a CAA record?

CAA (Certificate Authority Authorisation) records let domain owners specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. Without CAA records, any trusted CA can issue a certificate for any domain. With CAA records, only the listed CAs may issue. Preventing fraudulent or mistaken certificate issuance by unauthorised CAs. For example: 0 issue 'letsencrypt.org' means only Let's Encrypt can issue certificates. 0 issuewild 'sectigo.com' means only Sectigo can issue wildcard certificates. CAA records are checked by CAs before issuing, not by browsers.

What is a PTR record?

PTR (Pointer) records are the reverse of A records. They map an IP address back to a hostname, stored in the special in-addr.arpa DNS zone. Reverse DNS is used by mail servers as one of their anti-spam checks: when a server connects to deliver email, the receiving server looks up the PTR record of the connecting IP to verify it has a meaningful hostname, and ideally that the hostname forward-confirms back to the same IP (FCrDNS). IPs without PTR records are negatively scored or rejected by many spam filters. PTR records are managed by the IP address owner (hosting provider or ISP), not by the domain owner. Use the Reverse DNS Lookup tool for a dedicated PTR record lookup.

Why might my DNS changes not show up immediately?

DNS changes propagate based on each record's TTL value. If your old record had a TTL of 86400 (24 hours), resolvers worldwide that cached it will not re-query until that TTL expires. Meaning they serve the old value for up to 24 hours after you make the change. This tool queries Cloudflare's and Google's resolvers, which typically reflect changes quickly once the TTL expires. To speed up future changes, lower the TTL of your records to 300 seconds 24-48 hours before making changes, confirm the new TTL is live and cached everywhere, make the change, then restore the TTL to a higher value once propagation is confirmed.

What is the difference between an NS record and a SOA record?

NS (Name Server) records specify which servers are authoritative for a domain's DNS zone. The servers that hold the actual DNS records. SOA (Start of Authority) records contain zone metadata: the primary nameserver, the administrator email address, a serial number (incremented on each update), and timing parameters (refresh, retry, expire intervals) that control how secondary nameservers synchronise with the primary. Every DNS zone must have exactly one SOA record and at least two NS records. Changing your NS records at your registrar is what delegates a domain to a new DNS provider.

What is DNS propagation and how long does it take?

DNS propagation is the process by which a DNS change made at an authoritative nameserver spreads to resolvers worldwide. When you update a DNS record, the authoritative server has the new value immediately, but cached copies at ISP resolvers and other caching nameservers will continue serving the old value until their cached TTL expires. Full global propagation can take anywhere from a few minutes (for records with short TTLs) to 48 hours (for records with long TTLs or resolvers that do not honour TTL correctly). This tool shows you the current value at Cloudflare's and Google's resolvers. If you see the new value here, most of the world will see it within minutes.

What is the difference between authoritative DNS and recursive DNS?

Authoritative DNS servers hold the actual DNS records for a domain. When you publish a DNS record at Cloudflare, Route 53, or Namecheap, those providers operate the authoritative nameservers for your zone. Recursive (or caching) DNS resolvers are what your computer and applications query. They look up the answer by asking authoritative nameservers and then cache the response for the TTL period. This tool queries recursive resolvers (Cloudflare's 1.1.1.1 and Google's 8.8.8.8) which reflect what most internet users see, including any cached values. Your DNS provider's dashboard shows the authoritative value which may differ from what recursive resolvers are currently serving if a change was recent.

What is DNSSEC and why is it important?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that the data they receive has not been tampered with in transit. Without DNSSEC, a malicious actor with access to network traffic could inject false DNS responses directing users to fraudulent servers. An attack called DNS spoofing or cache poisoning. DNSSEC chains of trust from the root zone down through TLDs to individual domains, with each level signing the next. When DNSSEC is enabled on a domain, the DS and RRSIG records in the DNS zone are the cryptographic proof. Major DNS providers including Cloudflare, AWS Route 53, and Google Cloud DNS support DNSSEC configuration.

What is the difference between this DNS lookup tool and nslookup or dig?

nslookup and dig are command-line tools that perform DNS queries from your local machine using your system's configured DNS resolver. They require terminal access and command-line knowledge. This tool performs DNS queries directly from your browser using Cloudflare's DoH API. No software installation, no command line, and it queries Cloudflare's global resolver network rather than your local system resolver, giving you a view of what most internet users see rather than what your ISP's resolver specifically returns. The practical results are usually identical, but this tool is faster to use, accessible from any device, and queries from a neutral, globally-distributed vantage point.

How do I check if my email DNS is configured correctly?

For a complete email DNS health check, query these record types: TXT at your root domain (look for v=spf1 at the beginning, this is your SPF record), TXT at _dmarc.yourdomain.com (look for v=DMARC1, this is your DMARC record), MX at your root domain (verifies inbound mail routing), and TXT at selector._domainkey.yourdomain.com where 'selector' is your DKIM selector name (look for p= containing the public key). For a faster all-in-one check with scored results, use the Email Health Checker which runs all five checks, MX, SPF, DMARC, DKIM, and disposable domain detection, simultaneously with an A-F grade.

What does NXDOMAIN mean in a DNS lookup result?

NXDOMAIN (Non-Existent Domain) is the DNS response code returned when the queried domain name does not exist in DNS at all. It means no DNS records of any type exist at that name. This is different from receiving an empty answer (where the domain exists but has no records of the queried type). Common causes of NXDOMAIN: a typo in the domain name, a subdomain that has not been created in DNS, a domain that has expired and been removed from the registry, or a record that was deleted. For email senders, NXDOMAIN on an MX lookup means the recipient domain cannot receive email and any message sent will result in an immediate hard bounce.

Related Email & DNS Tools

MX Record Lookup MX Priority Optimizer Reverse DNS Lookup Email Health Checker Email Privacy Auditor DMARC Checker DMARC Analyzer SPF Record Checker SPF Flattening Tool DKIM Analyzer Email Header Analyser All Tools

Need a disposable email address?Generate a free, instant throwaway. Zero signup, zero trace.

Get Free Temp Mail ->