DNS Lookup Tool
Query DNS records for any domain. Check A, AAAA, MX, TXT, NS, CNAME, SOA records and email security (SPF, DKIM, DMARC).
Quick:
Querying DNS records...
What is DNS and How Does a DNS Lookup Work?
DNS (Domain Name System) is the internet's distributed directory service — it translates human-readable domain names like example.com into IP addresses that computers use to communicate. Every time you visit a website, send an email, or connect to a service, DNS lookups happen in the background to resolve names to addresses.
A DNS lookup works through a chain of queries: your device asks a recursive resolver (usually your ISP or Google/Cloudflare DNS), which in turn queries root nameservers, then TLD nameservers (.com, .net), and finally the authoritative nameserver for the domain — which returns the actual record.
How to Use This Tool
- Enter a domain name (e.g.,
example.com) in the input field. - Select the record type you want to query, or choose ALL to see everything.
- Click Lookup.
- Results show the record values and TTL (Time To Live).
DNS Record Types Explained
- A — Maps a domain to an IPv4 address. The most fundamental record type.
- AAAA — Maps a domain to an IPv6 address (four A's = 4× the bits).
- CNAME — Canonical Name. Alias pointing one domain to another. Cannot coexist with other records at the zone apex.
- MX — Mail Exchange. Specifies which servers handle email for the domain, with priority values.
- TXT — Free-form text. Used for SPF (email authentication), DKIM public keys, domain verification, and DMARC policies.
- NS — Nameserver. Delegates authority for a zone to specific nameservers.
- SOA — Start of Authority. Contains zone metadata: primary nameserver, admin email, serial number, and cache timings.
- PTR — Pointer. Reverse DNS — maps an IP address back to a domain name.
- SRV — Service record. Specifies hostname and port for specific services (used by SIP, XMPP, Minecraft servers).
- CAA — Certification Authority Authorization. Restricts which CAs can issue TLS certificates for a domain.
Frequently Asked Questions
TTL (Time To Live) is the number of seconds a DNS record can be cached by resolvers before they must re-query the authoritative nameserver. A TTL of 3600 means records are cached for 1 hour. Lower TTL (60–300 seconds) allows faster propagation when you change records but increases DNS query load. Higher TTL (86400 = 24 hours) reduces load but means changes take longer to propagate globally. Best practice: lower your TTL 24–48 hours before planned DNS changes, then increase it again afterward.
DNS propagation delay is caused by caching at multiple levels: your OS DNS cache, your router's cache, your ISP's recursive resolver cache, and CDN edge caches. Each caches records until the TTL expires. Propagation "up to 48 hours" refers to worst-case scenarios where records were cached with high TTLs. With modern low-TTL records, changes typically propagate globally within minutes to a few hours.
An A record maps a name directly to an IP address:
example.com → 93.184.216.34. A CNAME maps a name to another name: www.example.com → example.com. CNAMEs require an additional lookup to resolve the target name. You cannot use a CNAME at a zone apex (bare domain like example.com) — only at subdomains. For apex domains pointing to load balancers or CDNs, use ALIAS or ANAME records (provider-specific flattening).SPF is a TXT record starting with
v=spf1 at your root domain. DKIM is a TXT record at selector._domainkey.yourdomain.com. DMARC is a TXT record at _dmarc.yourdomain.com. Use this DNS Lookup tool to query TXT records for your domain and verify these records exist. For full email authentication testing, tools like mail-tester.com and MXToolbox validate the full chain.DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that records haven't been tampered with (DNS cache poisoning attacks). It doesn't encrypt DNS traffic — for that, use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). DNSSEC is recommended for domains, especially high-value ones, but requires both your domain registrar and DNS hosting provider to support it. Misconfigured DNSSEC can make your domain unreachable, so test carefully before deploying.