WebToolsPlanet
developer Tools

DNS Lookup Tool

Query A, AAAA, MX, TXT, CNAME, NS, and SOA DNS records globally using Cloudflare DoH — for email, SSL, and domain debugging.

Last updated: March 25, 2026

This tool sends data to our server for processing. Data is not stored and is deleted immediately after your result is returned.

Find this tool useful? Support the project to keep it free!

Buy me a coffee

What is DNS Lookup Tool?

The Domain Name System (DNS) is the internet's distributed phonebook — it translates human-readable domain names (google.com) into IP addresses (172.217.16.206) and stores a wide range of configuration records that govern how email, web traffic, and other services for a domain work. Every domain has multiple DNS record types stored at its authoritative nameservers, and any computer on the internet can query these records using the DNS protocol.

This tool queries DNS records via Cloudflare's DNS-over-HTTPS (DoH) API (1.1.1.1) — providing fast, globally consistent results without caching delays from your local ISP resolver. Key record types: **A** records map a domain to IPv4 addresses (where the website is hosted). **AAAA** maps to IPv6. **MX** records define mail servers for receiving email. **TXT** records store arbitrary text — critical for email authentication (SPF, DKIM, DMARC) and domain ownership verification. **CNAME** records are domain aliases pointing one domain to another. **NS** records identify the authoritative nameservers for the domain.

How to Use DNS Lookup Tool

1

Enter a valid domain name (e.g., `github.com`, `mail.google.com`, or a subdomain like `api.example.com`)

2

Select the DNS record type to query from the dropdown: A, AAAA, MX, TXT, CNAME, NS, SOA, or ALL

3

The results table displays each record's value, TTL (time-to-live in seconds), and priority (for MX records)

4

Click the "Copy" icon next to any record value to copy it to your clipboard

5

For email troubleshooting, query TXT records and look for records starting with "v=spf1" (SPF), "v=DKIM1" (DKIM), or "v=DMARC1" (DMARC)

Common Use Cases

  • Verifying SPF records are correctly set up after adding a new email sending service (SendGrid, Mailchimp, Postmark)
  • Checking if a DNS migration (new hosting provider) has propagated by comparing old vs. new A record IP addresses
  • Troubleshooting email deliverability by looking up SPF, DKIM, and DMARC TXT records for your domain
  • Verifying SSL certificate domain ownership challenge — checking for TXT record added during Let's Encrypt or Certbot validation
  • Confirming a CNAME redirect is working correctly after setting up a custom domain for a GitHub Pages or Netlify site
  • Checking NS records to identify which DNS provider controls a domain (Cloudflare, Route 53, Namecheap, GoDaddy)
  • Inspecting MX record priorities to understand which mail server receives email first (lower priority = higher precedence)
  • Looking up SOA records to find the domain's primary nameserver and the serial number that indicates when zone data was last updated

Example Input and Output

Querying all email-related DNS records for a domain (SPF, DKIM, DMARC):

Domain: example.com (querying TXT records)
Domain: example.com
Record type: TXT
DNS records returned
TXT Records for example.com:

1. "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
   TTL: 3600s
   → SPF record: authorized sending servers for email

2. "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
   TTL: 3600s
   → DMARC policy: quarantine failing emails, send reports

3. "google-site-verification=abc123def456..."
   TTL: 3600s
   → Domain ownership proof for Google Search Console

MX Records for example.com:
  Priority 10: aspmx.l.google.com (Google Workspace primary)
  Priority 20: alt1.aspmx.l.google.com (backup)

Privacy Note (Server-Side DNS Query)

DNS lookups require a server-side query to Cloudflare's DoH API (browsers cannot make raw DNS protocol requests directly). The domain name you query is sent to Cloudflare's 1.1.1.1 resolver. Cloudflare's privacy policy states they do not store queried domain names beyond 24 hours and do not sell query data.

Debugging Email Deliverability

The most common email deliverability problems found via DNS: (1) SPF includes too many lookup mechanisms (>10 DNS lookups = "permerror"). (2) DKIM selector name doesn't match the d= and s= values the sending service specified. (3) DMARC "p=none" with no rua= report address — you're collecting no data. (4) Multiple conflicting SPF records (only one "v=spf1" TXT record is allowed per domain). Query TXT records here and compare against your email provider's configuration docs.

DNS-over-HTTPS Privacy

Traditional DNS queries are sent over UDP in plaintext — your ISP can see every domain you look up. DNS-over-HTTPS (DoH) encrypts DNS queries inside HTTPS traffic. Modern browsers (Chrome, Firefox, Edge) support DoH natively. You can configure your browser to use Cloudflare DoH (1.1.1.1/dns-query) or Google DoH (8.8.8.8/dns-query) for private DNS resolution at the browser level.

Frequently Asked Questions

What is the difference between an A record and a CNAME record?
An A record maps a hostname directly to an IPv4 address: example.com → 93.184.216.34. A CNAME (Canonical Name) record maps a hostname to another hostname, not an IP: www.example.com → example.com. The resolver then fetches the A record for example.com. Use A records for apex domains (example.com itself) and CNAME records for subdomains. Important: you cannot create a CNAME at the DNS zone apex (root domain) — some DNS providers offer a proprietary "ANAME" or "ALIAS" record to solve this.
How do SPF, DKIM, and DMARC records affect email delivery?
SPF (Sender Policy Framework): a TXT record listing which mail servers are authorized to send email for your domain. Format: v=spf1 include:sendgrid.net ~all. DKIM (DomainKeys Identified Mail): a public key stored as a TXT record that allows receivers to verify that email headers were not tampered with in transit. DMARC (Domain-based Message Authentication, Reporting & Conformance): a TXT record telling receivers what to do when SPF or DKIM checks fail (none/quarantine/reject) and where to send reports. All three together dramatically improve email deliverability and prevent spoofing.
What does TTL mean and how does it affect DNS changes?
TTL (Time-To-Live) is the number of seconds that DNS resolvers (and ISPs' DNS caches) are allowed to cache a record before re-querying. A TTL of 3600 means resolvers cache the record for 1 hour. When you change a DNS record, old caches serve the old value until their TTL expires. To reduce propagation time before a planned DNS change: lower the TTL to 300 (5 minutes) 24-48 hours before the change, make the change, then raise TTL again afterward.
How long does DNS propagation take globally?
DNS propagation is not instantaneous — it depends on each resolver's cached TTL for the record. With a 3600s TTL, full global propagation takes up to 48 hours in the worst case (some embedded devices have longer caches). With a 300s TTL, propagation completes in 5–15 minutes globally. Cloudflare's DoH resolver (1.1.1.1), which this tool uses, fetches from the authoritative nameserver if the cache has expired — so results here are more current than your ISP's potentially stale cache.
What does the MX record priority number mean?
Lower MX priority number = higher precedence (the opposite of what "priority" might imply). When another mail server sends email to your domain, it queries your MX records and attempts delivery to the server with the lowest priority number first. If that server is unavailable, it tries the next-lowest number. Example: Priority 10 is tried before Priority 20. Google Workspace primary MX (aspmx.l.google.com) has priority 1; backup servers have higher numbers (5, 10, 15).
Can I use this tool to check if DNS has propagated to Cloudflare?
Yes. This tool uses Cloudflare's 1.1.1.1 DNS-over-HTTPS API as its resolver — querying this tool shows you what Cloudflare currently returns for the record, which reflects whether propagation has reached Cloudflare's global network. Since Cloudflare's resolver refreshes frequently, a result matching your new DNS value is a reliable indicator of global propagation. For a comprehensive multi-region propagation check, use whatsmydns.net which queries multiple resolvers worldwide simultaneously.

How This Tool Works

The domain and record type are sent to Cloudflare's public DNS-over-HTTPS endpoint: https://cloudflare-dns.com/dns-query?name={domain}&type={type} with Accept: application/dns-json headers. Cloudflare queries its global anycast resolver network and returns a JSON response with the Answer array containing record values, TTLs, and metadata. The response is parsed and displayed in the results table. For MX records, the priority field is extracted from the data field prefix.

Technical Stack

Cloudflare DoH API (1.1.1.1)DNS-over-HTTPS JSON formatFetch API (server-side)RFC 1035 DNS record formats

Related Tools

JWT Decoder
Decode and inspect JSON Web Tokens (JWT) without validation.
Cron Expression Generator
Build and decode cron schedule expressions visually — get human-readable descriptions and next run times.
HTTP Status Code Reference
Searchable reference for all HTTP status codes — with meaning, common causes, and fix recommendations.
User Agent Parser
Decode any User-Agent string — identify browser, engine, OS, device type, and bot classification.
SQL Formatter
Format and beautify SQL queries.
Unix Timestamp Converter
Convert Unix epoch timestamps to human-readable dates and vice versa — with timezone support.