What is a DNS lookup?

A DNS lookup queries the Domain Name System to retrieve records associated with a domain name. Different record types store different information: A records map domains to IPv4 addresses, AAAA records map to IPv6 addresses, MX records identify mail servers, TXT records store text data like SPF and DKIM policies, and NS records identify the authoritative name servers for the domain.

What do the DNS record types mean?

A records map a domain to an IPv4 address (e.g. 93.184.216.34). AAAA records map to IPv6 addresses. CNAME records alias one domain to another (e.g. www.example.com → example.com). MX records specify mail servers with priority values. TXT records store arbitrary text — commonly used for SPF email authentication, DKIM keys, and domain ownership verification. NS records list the authoritative name servers for the domain. SOA (Start of Authority) records contain zone metadata including the primary name server, responsible email, and serial number.

TTL (Time to Live) is the number of seconds a DNS record can be cached by resolvers before they must re-query the authoritative server. A TTL of 300 means the record can be cached for 5 minutes. Short TTLs (60–300s) allow faster propagation of changes but increase DNS query volume. Long TTLs (3600s–86400s) reduce DNS load but mean changes take longer to propagate globally.

Is my query data private?

Your queries go directly from your browser to Cloudflare's public DNS-over-HTTPS API (1.1.1.1). No query data passes through our servers. Cloudflare's privacy policy governs how they handle DoH queries — they state they do not sell or use query data for advertising. The domain names you look up are visible to Cloudflare as the DNS resolver.

DNS Lookup Tool Online — Query A, MX, TXT, NS Records

You just pointed your domain to a new server and need to verify the DNS change propagated. nslookup and dig work from the terminal, but you’re on a machine without them installed, or you want to quickly check from Cloudflare’s resolver specifically (not your ISP’s cached result). You need the A record, MX record, and TXT record for SPF — right now, in a browser tab.

Why This Tool (Not the DNS Record Generator)

PureDevTools has a DNS Record Lookup & Generator for building DNS zone files. This tool is for querying — it hits Cloudflare’s DNS-over-HTTPS API directly from your browser to look up A, AAAA, CNAME, MX, TXT, NS, and SOA records for any domain. No server round-trip through our infrastructure; the query goes straight from your browser to 1.1.1.1.

What Is DNS?

The Domain Name System (DNS) is the internet’s distributed phone book. When you type a domain name like example.com into a browser, your computer sends a DNS query to resolve that name into one or more IP addresses. DNS records store all kinds of information about a domain — mail server locations, IPv4 and IPv6 addresses, text-based authentication policies, and zone configuration metadata.

This tool queries DNS records directly from your browser using Cloudflare’s public DNS-over-HTTPS (DoH) API at 1.1.1.1. No query data passes through our servers — the lookup goes straight from your browser to Cloudflare.

DNS Record Types Explained

A Record — IPv4 Address

The most fundamental record type. An A record (Address record) maps a domain name to a 32-bit IPv4 address.

example.com.  3600  IN  A  93.184.216.34

A single domain can have multiple A records for load balancing. Round-robin DNS distributes requests across all listed addresses.

AAAA Record — IPv6 Address

The AAAA record maps a domain to a 128-bit IPv6 address. IPv6 is the modern successor to IPv4, providing a vastly larger address space.

example.com.  3600  IN  AAAA  2606:2800:21f:cb07:6820:80da:af6b:8b2c

Most modern servers and ISPs support both A and AAAA records (dual-stack). If both exist, clients typically prefer IPv6.

CNAME Record — Canonical Name (Alias)

A CNAME record creates an alias from one domain name to another. The aliased domain’s A/AAAA records are then used for resolution.

www.example.com.  300  IN  CNAME  example.com.

Important rules:

A CNAME cannot coexist with other record types at the same name (except DNSSEC records)
CNAME chains are allowed but add latency (each hop requires a new query)
The root/apex zone (example.com) cannot use a CNAME — use A/AAAA or an ALIAS/ANAME record instead

MX Record — Mail Exchanger

MX records identify the mail servers that accept email for a domain. Each record has a priority (lower = higher priority).

example.com.  3600  IN  MX  10 mail.example.com.
example.com.  3600  IN  MX  20 mail2.example.com.

When sending email to user@example.com, the sending server queries MX records and tries the lowest-priority server first. Multiple MX records provide redundancy.

TXT Record — Text Data

TXT records store arbitrary text strings. They are used for many purposes:

Purpose	Example value
SPF (sender policy)	`v=spf1 include:_spf.google.com ~all`
DKIM (email signing)	`v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...`
DMARC (email policy)	`v=DMARC1; p=reject; rua=mailto:dmarc@example.com`
Domain verification	`google-site-verification=ABC123...`
ACME challenges	`_acme-challenge.example.com → <token>`

NS Record — Name Servers

NS records list the authoritative name servers for a domain — the servers that hold the official DNS records for that zone.

example.com.  172800  IN  NS  a.iana-servers.net.
example.com.  172800  IN  NS  b.iana-servers.net.

Every domain must have at least two NS records for redundancy. NS records at the parent zone (.com) must match those in the domain’s own zone (delegation consistency).

SOA Record — Start of Authority

The SOA record contains administrative information about the DNS zone. Every domain has exactly one SOA record.

Field	Purpose
Primary NS	The master name server for the zone
Responsible email	Admin email (with `@` replaced by `.`)
Serial	Version number — secondary servers sync when this changes
Refresh	How often secondary servers check for updates
Retry	How long to wait before retrying a failed refresh
Expire	How long secondary servers serve zone data without a refresh
Minimum TTL	Default TTL for negative responses (NXDOMAIN caching)

What Is DNS-over-HTTPS (DoH)?

Traditional DNS queries are sent as unencrypted UDP packets on port 53, visible to anyone on the network path. DNS-over-HTTPS (DoH) wraps DNS queries inside HTTPS requests, providing:

Encryption: Queries cannot be read by ISPs, network admins, or eavesdroppers
Integrity: Responses cannot be tampered with
Privacy: Your DNS queries look like normal HTTPS traffic

Public DoH providers:

Provider	Endpoint	Notes
Cloudflare	`https://1.1.1.1/dns-query`	Privacy-focused, no query logging for ads
Google	`https://8.8.8.8/dns-query`	High availability, global anycast
Quad9	`https://9.9.9.9/dns-query`	Malware-blocking resolver

This tool uses Cloudflare’s DoH JSON API. Queries are made entirely in your browser.

Understanding TTL (Time to Live)

Every DNS record includes a TTL value in seconds — how long resolvers are permitted to cache the record before re-querying the authoritative server.

TTL	Display	When to use
30–60s	30s / 1m	During active DNS migration — changes propagate quickly
300s	5m	Typical for dynamic records (CDN, load balancers)
3600s	1h	Standard for most A/AAAA records
86400s	1d	Stable records like NS and MX
604800s	7d	Very stable records (rarely changed)

DNS propagation refers to the time it takes for a record change to reach all resolvers globally. With a TTL of 3600s, old caches can persist for up to one hour after you change a record. To minimize propagation time, lower the TTL well before a planned change.

Common DNS Debugging Scenarios

Cannot reach a website:

Look up A records — is there an IP address?
Try pinging the IP directly — if it works, DNS is the issue
Check if the NS records point to the correct name servers
Verify the SOA serial number matches between primary and secondary servers

Email delivery problems:

Check MX records — are mail servers listed?
Verify priority values (lower = higher priority)
Check TXT records for SPF — missing SPF causes spam rejections
Look for DKIM keys in TXT records (usually at default._domainkey.example.com)
Check _dmarc.example.com TXT record for DMARC policy

SSL certificate issuance (Let’s Encrypt ACME): DNS-01 challenges require a TXT record at _acme-challenge.<domain> with a specific token value. Look this up to verify the challenge token is correctly published before your CA checks it.

Subdomain not resolving: Check if there’s an A record for the subdomain, or a CNAME pointing to the parent. Remember that CNAME records at the apex (example.com) are not valid — use an A record there.

Frequently Asked Questions

How long does DNS propagation take? DNS propagation depends on the TTL of the old record. If the old record had a 1-hour TTL, some resolvers may serve the old value for up to 1 hour after you make a change. Global propagation with a 300s TTL typically completes within 5–10 minutes. With a 24-hour TTL, propagation can take up to 24 hours. Always lower TTLs well before planned changes.

What is DNSSEC? DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with. DNSSEC protects against cache poisoning attacks. This tool queries raw DNS records including DNSSEC signatures, though it does not validate them.

Why do I see different results from different DNS resolvers? DNS resolvers cache records for their TTL duration. If you recently changed a record, different resolvers may still serve the old cached value. Additionally, some resolvers filter or block certain domains (malware-blocking resolvers, parental controls). Using multiple resolvers is a good way to diagnose propagation issues.

What is a wildcard DNS record? A wildcard record (e.g. *.example.com) matches any subdomain that doesn’t have a more specific record. For example, *.example.com with an A record means anything.example.com resolves to that IP, unless a more specific record exists. Wildcards appear with an asterisk in the record name.

Why does my CNAME not work at the root domain? The DNS standard (RFC 1912) prohibits CNAME records at the zone apex because other record types (like SOA and NS) must exist there, and CNAMEs cannot coexist with other records. Some DNS providers offer a proprietary extension called ALIAS, ANAME, or CNAME flattening that works around this limitation by resolving the CNAME target and returning its A records directly.

DNS Lookup