DNS Record Lookup
Query any DNS record type for any domain — A, AAAA, MX, TXT, NS, CNAME, and more. Client-side queries via Cloudflare's edge network. No signup required.
What Are DNS Records?
DNS (Domain Name System) records are instructions stored in authoritative name servers that map domain names to IP addresses, mail servers, and other services. Defined in RFC 1035, DNS is the backbone of internet infrastructure — every website visit, email delivery, and API call begins with a DNS lookup.
This tool queries 14 DNS record types directly via Cloudflare's DNS-over-HTTPS resolver. All queries run in your browser — no data is sent to our servers, and results typically arrive in under 100 milliseconds.
DNS Record Types Reference
| Type | RFC | Purpose |
|---|---|---|
| A | 1035 | Maps a domain to an IPv4 address. |
| AAAA | 3596 | Maps a domain to an IPv6 address. |
| CNAME | 1035 | Creates an alias pointing to another domain name. |
| MX | 1035 | Specifies mail servers responsible for receiving email. Includes a priority value — lower numbers are tried first. |
| NS | 1035 | Delegates a domain to specific authoritative name servers. |
| TXT | 1035 | Stores arbitrary text. Used for SPF, DMARC, DKIM, and domain verification. |
| SOA | 1035 | Start of Authority — identifies the primary name server, admin contact, and zone timing parameters. |
| SRV | 2782 | Locates servers for specific services (e.g., SIP, XMPP, LDAP) with priority, weight, and port. |
| CAA | 8659 | Specifies which Certificate Authorities are allowed to issue certificates for the domain. |
| PTR | 1035 | Reverse DNS — maps an IP address back to a hostname. Used for email sender verification. |
| DS | 4034 | DNSSEC Delegation Signer — establishes chain of trust between parent and child zones. |
| DNSKEY | 4034 | DNSSEC public key — used to verify DNS record signatures. |
| TLSA | 6698 | Associates a TLS certificate with a domain for DANE authentication. |
| HTTPS | 9460 | Service Binding — provides connection parameters like ALPN protocols and IP hints for HTTPS. |
How DNS Lookups Work
When you enter a domain in this tool, your browser sends a DNS-over-HTTPS (DoH) request to Cloudflare's 1.1.1.1 resolver. The resolver queries the authoritative name server for the domain and returns the records. DoH encrypts the query over HTTPS, preventing eavesdropping on your DNS traffic.
Each DNS record has a TTL (Time To Live) value that tells resolvers how long to cache the result. When you update a DNS record, the old value may persist in caches until the TTL expires. Use the auto-refresh toggle above to monitor changes as they propagate through Cloudflare's cache.
What Is DNSSEC?
DNSSEC (DNS Security Extensions, RFC 4034) adds cryptographic signatures to DNS records, preventing spoofing and cache poisoning attacks. When the "DNSSEC" badge appears green in results above, it means Cloudflare's resolver validated the chain of trust from the root zone to the domain's authoritative server — the records have not been tampered with.
How to Use This Tool
Enter a domain name and click "Lookup." Select a record type from the tab bar, or choose "ALL" to query every type at once. For reverse DNS, select the PTR tab and enter an IPv4 or IPv6 address. Use the auto-refresh toggle (30s or 60s) to watch for DNS changes in real time. Every query result URL is shareable — copy the address bar to send someone a direct link.
FAQ
How do I do a DNS lookup?
Enter a domain name in the input field above and click "Lookup." Select the record type you want to check using the tab bar, or choose "ALL" to query every record type at once. Results appear in under 100 milliseconds. For reverse DNS lookups, select the PTR tab and enter an IP address.
What does a DNS lookup do?
A DNS lookup queries a domain's authoritative name server to retrieve the records configured for that domain. These records determine where website traffic is routed (A/AAAA), which mail servers receive email (MX), which certificate authorities can issue certificates (CAA), and how email authentication protocols like SPF and DMARC are configured (TXT).
Is DNS lookup secure?
This tool uses DNS-over-HTTPS (DoH), which encrypts your DNS query over HTTPS. Traditional DNS sends queries in plaintext. DoH prevents network observers from seeing which domains you're looking up. The DNSSEC badge indicates whether the domain's records are cryptographically signed.
How to check DNS records for a domain?
Enter the domain name above and select the record type tab. For email authentication records, check TXT records and look for SPF, DMARC, and DKIM entries. For a complete audit, use the "ALL" tab or our Domain Health Check tool.
What is reverse DNS lookup?
Reverse DNS maps an IP address back to a hostname using PTR records. It's the opposite of a forward lookup (A/AAAA records). Email servers use reverse DNS to verify that a sending server's IP matches its claimed hostname — a failed reverse DNS check is a common cause of email deliverability problems.
What is DNSSEC and why does it matter?
DNSSEC adds digital signatures to DNS records, creating a chain of trust from the root zone. Without DNSSEC, an attacker could intercept DNS queries and return forged records (DNS spoofing). DNSSEC prevents this by letting resolvers verify that records haven't been modified. When this tool shows "DNSSEC Validated," the records are cryptographically authenticated.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free