DNS Lookup
Query DNS records for any domain (A/AAAA/MX/TXT/NS/CNAME/SOA) via DoH. Runs locally in your browser for privacy.
Enter a domain, choose a record type, and click Query
What is a DNS lookup?
DNS (Domain Name System) is the internet's phonebook, translating human-readable domains like example.com into the IP addresses machines use to communicate. A DNS lookup asks a DNS server for a specific record under a domain: an A record returns an IPv4 address, an MX record returns the mail servers that receive email, and a TXT record is commonly used for SPF/DKIM and domain ownership verification. This tool performs the lookup directly in your browser using the DoH (DNS over HTTPS) protocol. The request travels from your browser straight to a public DNS resolver and never passes through our servers, so what you query and the results stay local, protecting your privacy.
How to use
Steps
- Enter the domain to query, for example example.com
- Select the record type to query (e.g. A, MX, TXT) from the dropdown
- Optional: switch the DoH provider (Cloudflare, Google, or AliDNS)
- Click the Query button or press Enter
- Read the name, type, TTL, and value in the result table
Notes
- TTL (time to live) is in seconds and indicates how long a resolver caches the record; a smaller value means changes propagate faster.
- A status of NXDOMAIN means the domain does not exist; NOERROR with no answer records usually means that record type is not configured.
- An MX value looks like "10 mail.example.com" — the leading number is the priority, lower is preferred.
- TXT records can be long and contain quotes, which is normal; they are commonly used for SPF, DKIM, DMARC, and domain verification.
Technical principle
DNS queries traditionally run over UDP on port 53: the client sends a DNS message containing the query name and type to its configured recursive resolver, which then queries the root, top-level, and authoritative servers in turn and returns the answer. The message format, defined in RFC 1035, is compact binary, and browsers cannot send or receive raw UDP 53 due to security restrictions, so web-based DNS tools typically need a backend proxy.
DoH (DNS over HTTPS), defined in RFC 8484, wraps DNS messages in HTTPS requests over port 443. It supports two payload forms: the binary wireformat (application/dns-message) and a JSON form (application/dns-json, provided by Google outside RFC 8484 and also supported by Cloudflare). This tool uses the JSON form: the browser sends a GET request with an `Accept: application/dns-json` header to `https://cloudflare-dns.com/dns-query?name=example.com&type=A` and receives structured JSON directly, with no backend required.
Key fields in the returned JSON: `Status` is the DNS RCODE (0=NOERROR; 3=NXDOMAIN, meaning the domain does not exist; 2=SERVFAIL, a server failure); each entry in the `Answer` array contains `name` (record name), `type` (a numeric record-type code such as 1=A, 28=AAAA, 15=MX, 16=TXT, 2=NS, 6=SOA, 5=CNAME), `TTL` (cache time to live in seconds), and `data` (the record value). Authoritative data may also appear in the `Authority` (SOA, NS) and `Additional` sections.
The core value of DoH is privacy and tamper resistance: DNS queries are encrypted by HTTPS, so a man-in-the-middle cannot snoop on or tamper with the query content the way they could with plaintext UDP 53, nor easily single out DNS traffic for hijacking by its port number. This is exactly what lets this tool run entirely in the browser: traffic goes straight to the DoH provider, through no intermediary server.
- Traditional DNS: RFC 1035, UDP/TCP port 53, binary messages; browsers cannot send/receive it directly and need a backend proxy.
- DoH: RFC 8484, DNS wrapped in HTTPS over port 443, encrypts query content, resists snooping and hijacking.
- JSON DoH: requests carry `Accept: application/dns-json` and return structured JSON; supported by both Cloudflare and Google with open CORS, so browsers can call them directly.
- RCODE: 0=NOERROR, 2=SERVFAIL, 3=NXDOMAIN (domain does not exist), 5=REFUSED.
- Record type codes: 1=A, 28=AAAA, 5=CNAME, 15=MX, 16=TXT, 2=NS, 6=SOA, 33=SRV, 257=CAA.
- TTL is the cache time to live in seconds; a recursive resolver returns the cached result until the TTL expires, then re-queries the authoritative server.
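The request and response handling described above, as an added example (not this tool's own code). The endpoint URL, `Accept` header, and code tables come from the page; the function names are hypothetical and the sample responses are constructed, not captured from a live resolver.

```javascript
// RCODE and record-type tables as listed on the page.
const RCODES = { 0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED" };
const TYPES = { 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
                28: "AAAA", 33: "SRV", 257: "CAA" };

// Build the GET request for the Cloudflare JSON endpoint named on the page.
function buildDohRequest(name, type) {
  const url = new URL("https://cloudflare-dns.com/dns-query");
  url.searchParams.set("name", name);   // searchParams URL-encodes user input
  url.searchParams.set("type", type);
  return { url: url.toString(), headers: { Accept: "application/dns-json" } };
}

// Turn a JSON DoH response into an outcome a result table can display.
function interpretDohResponse(json) {
  const status = RCODES[json.Status] ?? `RCODE ${json.Status}`;
  const records = (json.Answer ?? []).map((rr) => {
    const rec = { name: rr.name, type: TYPES[rr.type] ?? `TYPE${rr.type}`,
                  ttl: rr.TTL, data: rr.data };
    if (rr.type === 15) {                // MX data is "<priority> <host>"
      const [prio, host] = rr.data.split(/\s+/);
      Object.assign(rec, { priority: Number(prio), host });
    }
    return rec;
  });
  records.sort((a, b) => (a.priority ?? 0) - (b.priority ?? 0)); // lowest MX first
  let outcome = "ANSWER";
  if (json.Status === 3) outcome = "NXDOMAIN";        // name does not exist
  else if (json.Status !== 0) outcome = "ERROR";      // SERVFAIL, REFUSED, ...
  else if (records.length === 0) outcome = "NODATA";  // name exists, type absent
  const soa = (json.Authority ?? []).find((rr) => rr.type === 6);
  return { status, outcome, records, negativeSoa: soa ? soa.data : null };
}

// The network call itself; defined for completeness, not executed here.
async function dohQuery(name, type) {
  const { url, headers } = buildDohRequest(name, type);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`DoH HTTP ${res.status}`);
  return interpretDohResponse(await res.json());
}

// Constructed sample responses.
const SAMPLE_MX = { Status: 0, Answer: [
  { name: "gmail.com", type: 15, TTL: 3600, data: "10 alt1.gmail-smtp-in.l.google.com." },
  { name: "gmail.com", type: 15, TTL: 3600, data: "5 gmail-smtp-in.l.google.com." } ] };
const SAMPLE_NODATA = { Status: 0, Authority: [
  { name: "example.com", type: 6, TTL: 3600,
    data: "ns.example.com. admin.example.com. 1 7200 3600 1209600 3600" } ] };
```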
Examples
Query the A record of example.com
Domain: example.com
Type: A
Status: NOERROR
Answer:
example.com. 300 A 93.184.216.34
# TTL 300s: this IPv4 record will be cached for 5 minutes.
Query the MX record of gmail.com
Domain: gmail.com
Type: MX
Status: NOERROR
Answer:
gmail.com. 3600 MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 MX 10 alt1.gmail-smtp-in.l.google.com.
# The leading number is the priority, lower is preferred; mail is delivered to the priority-5 server first.
Query the TXT record of example.com (SPF)
Domain: example.com
Type: TXT
Status: NOERROR
Answer:
example.com. 3600 TXT "v=spf1 -all"
# This SPF policy means the domain sends no mail and all sources are rejected.
Query a non-existent domain (NXDOMAIN)
Domain: this-domain-does-not-exist-12345.com
Type: A
Status: NXDOMAIN
Answer: (none)
# Status=3 means the domain does not exist in DNS, not a server failure.
FAQ
Does a DNS lookup compromise my privacy?
No. The request goes straight from your browser to the DoH provider you choose (Cloudflare, Google, or AliDNS), fully encrypted over HTTPS and never through our servers — we cannot see what you query. This is actually safer than a traditional plaintext UDP 53 query.
Why do different providers sometimes return different results?
DNS results are cached at each resolver level according to TTL. Different providers have different cache states and refresh timings, so during the propagation window after a record change one provider may return the old value while another returns the new one. Results converge once the old record's TTL expires.
What does NOERROR with no answer records mean?
It means the domain exists and the query succeeded, but the domain has no record of the type you queried. For example, an empty MX result usually means the domain does not receive email. The Authority section typically returns an SOA record as the basis for negative caching.
What does the TTL value affect?
TTL (seconds) determines how long a resolver caches the record. A larger TTL means faster global resolution and lower server load, but slower propagation of changes; a smaller TTL means changes take effect quickly but queries happen more often. TTL is often lowered before a planned DNS change.
Is reverse DNS (IP to domain) supported?
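Yes. To query a PTR record, enter the IP address in reverse format: write the IPv4 octets in reverse order and append .in-addr.arpa, so 8.8.8.8 becomes 8.8.8.8.in-addr.arpa (all four octets are the same, so the reversal is not visible in this case). IPv6 uses the ip6.arpa suffix, with the address's hexadecimal digits written in reverse order. The returned PTR record is the domain name the IP resolves to.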
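Building the reverse-lookup name for a PTR query, as an added example (not this tool's own code). The function names are hypothetical; the IPv6 branch expands `::` and reverses the 32 hexadecimal digits, and does not handle IPv4-mapped forms such as `::ffff:192.0.2.1`.

```javascript
// IPv4: reverse the four octets and append .in-addr.arpa
function ipv4ToArpa(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  return octets.map(Number).reverse().join(".") + ".in-addr.arpa";
}

// IPv6: expand to 32 hex digits, reverse them, dot-separate, append .ip6.arpa
function ipv6ToArpa(ip) {
  const halves = ip.toLowerCase().split("::");
  if (halves.length > 2) throw new Error(`more than one "::" in ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // Without "::" all 8 groups must be present; with it, at least one is elided.
  if (halves.length === 1 ? missing !== 0 : missing < 1) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const zeros = Array(halves.length === 2 ? missing : 0).fill("0");
  const groups = [...head, ...zeros, ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const digits = groups.map((g) => g.padStart(4, "0")).join("");
  return digits.split("").reverse().join(".") + ".ip6.arpa";
}

// Pick the right form from the address family.
function reverseName(ip) {
  return ip.includes(":") ? ipv6ToArpa(ip) : ipv4ToArpa(ip);
}
```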
Why does opening the DoH URL directly in the browser return 400?
Cloudflare's JSON DoH endpoint requires an Accept: application/dns-json header. The address bar sends an HTML Accept header by default, so it returns 400. This is expected; calling it via fetch with a custom header works normally.
Can I query any top-level domain?
Yes. As long as the domain is registered in DNS and has the relevant records configured — including generic TLDs (.com, .org), country-code TLDs (.cn, .jp, .de), and new gTLDs — the DoH provider will resolve it recursively and return the result.