DNS Recon Summary
Authorized-use note: only enumerate domains/hosts you own or have explicit permission to test. This tool can generate many DNS lookups.

Introduction:

Domain Name System records are the public signposts that tell devices where a site, email, or service lives and how to reach it reliably. When something breaks, a Domain Name System record lookup for a domain can reveal whether the name points to the right place or if it drifts between answers.

You provide a domain name, a host name, or a numeric address and the page returns an inventory of published records along with timing and summary counts. It also highlights common configuration gaps, so you can spot missing mail policies or unexpected redirects without digging through separate lookups.

For example, if messages are bouncing you can confirm which mail exchangers are listed, whether sender policy text is present, and whether related host names resolve to addresses. Results should be treated as a snapshot because caching and resolver choice can change what you see from minute to minute. A clean looking record set still does not prove that the service behind it is reachable or correctly configured.

Choose this when you want a broad picture across many record types rather than checking one type at a time. For the clearest comparisons, run the same target twice with the same settings, then repeat after you publish a change and watch how time to live values settle.

If your target list includes internal names, treat them as sensitive and avoid sharing outputs widely. Only enumerate domains you own or have permission to assess.

Technical Details:

The Domain Name System (DNS) answers questions like “what address should this name use” by returning resource records grouped into sections such as Answer, Authority, and Additional. Each record includes a Time To Live (TTL) value in seconds, which is a caching hint that influences how quickly changes show up.

This enumerator sends DNS over HTTPS (DoH) queries to a selected resolver and collects response codes, flags, counts per section, and the elapsed query time in milliseconds. From those raw responses it builds a single record inventory and computes summaries such as unique names, unique values, records per type, and TTL and timing statistics.

Several record types are parsed into human friendly fields to make patterns easier to spot, including Start Of Authority (SOA), Mail Exchanger (MX), Service (SRV), Certification Authority Authorization (CAA), Naming Authority Pointer (NAPTR), and Service Binding (SVCB) and HTTPS service records. Optional checks also look for common email authentication records such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), Mail Transfer Agent Strict Transport Security (MTA-STS), TLS Reporting (TLS-RPT), and DomainKeys Identified Mail (DKIM) selectors.

Interpret results as a point in time rather than a guarantee. Different resolvers and caches can surface different answers, wildcard DNS can make many names appear to exist, and some records describe intent but do not prove that a service is reachable.

Core processing pipeline

  1. Read the first non blank line and normalize URLs, emails, and host and port inputs to a hostname.
  2. Convert Unicode hostnames to ASCII for internationalized names before queries.
  3. If the target is an IP address, build the PTR reverse lookup name and query only PTR.
  4. Assemble record types from the core set and optional service, DNSSEC, and security families.
  5. Query each record type over DoH and measure per query time in milliseconds.
  6. Flatten Answer, Authority, and Additional sections into a single inventory.
  7. Normalize values by removing TXT quotes and trailing dots where records allow them.
  8. Optionally query email policy TXT names and DKIM selectors and summarize findings.
  9. Optionally discover subdomains from certificate logs and a wordlist, then resolve A, AAAA, and CNAME.
  10. Optionally resolve related targets referenced by NS, MX, SRV, SVCB, HTTPS, CNAME, and SOA.
  11. Optionally test a random subdomain for wildcard answers and reverse resolve IPs to PTR.
  12. Compute statistics, checks, parsed details, and structured JSON for exporting.
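Steps 1 to 3 of the pipeline, sketched as an added example (not the tool's own code). The function names are hypothetical, the inputs are constructed, and rejecting malformed IPv6 outright instead of emitting a bad PTR name is a choice made here.

```javascript
// Added example: input normalization and PTR name construction (steps 1-3).
const CORE_TYPES = ['A', 'AAAA', 'CNAME', 'MX', 'NS', 'SOA', 'TXT', 'CAA'];

// Expand an IPv6 literal to eight 4-digit groups, or null if it is malformed.
// Zone identifiers (%eth0) and embedded IPv4 tails are not handled and yield null.
function expandIPv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) return null;                    // more than one "::"
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const fill = 8 - head.length - tail.length;
  if (parts.length === 1 ? fill !== 0 : fill < 1) return null;
  const zeros = Array(parts.length === 2 ? fill : 0).fill('0');
  const groups = [...head, ...zeros, ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map(g => g.padStart(4, '0').toLowerCase());
}

// Build the reverse lookup name: in-addr.arpa for IPv4, ip6.arpa for IPv6.
function ptrName(ip) {
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    return octets.every(n => n <= 255) ? octets.reverse().join('.') + '.in-addr.arpa' : null;
  }
  if (!ip.includes(':')) return null;
  const groups = expandIPv6(ip);
  return groups ? groups.join('').split('').reverse().join('.') + '.ip6.arpa' : null;
}

function normalizeTarget(raw) {
  // Step 1: only the first non-blank line is used.
  let s = (String(raw).split(/\r?\n/).find(line => line.trim()) || '').trim();
  if (!s) return null;
  s = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');        // URL scheme
  s = s.split(/[\/?#]/)[0];                             // path, query, fragment
  if (s.includes('@')) s = s.slice(s.lastIndexOf('@') + 1); // email or userinfo
  const bracketed = s.match(/^\[([^\]]+)\](?::\d+)?$/); // [v6] or [v6]:port
  if (bracketed) s = bracketed[1];
  else if (/^[^:]+:\d+$/.test(s)) s = s.replace(/:\d+$/, ''); // single colon + digits
  s = s.replace(/\.$/, '').toLowerCase();

  // Step 3: an IP target is queried for PTR only.
  const ptr = ptrName(s);
  if (ptr) return { kind: 'ip', host: s, queryName: ptr, types: ['PTR'] };
  if (s.includes(':')) return null;                     // IPv6-like but unparseable

  // Step 2: Unicode to ASCII using the URL parser's IDNA handling.
  let ascii;
  try { ascii = new URL('http://' + s).hostname; } catch { return null; }
  if (!ascii || ascii.length > 253) return null;
  return { kind: 'name', host: ascii, queryName: ascii, types: CORE_TYPES };
}

for (const sample of ['https://Example.com:8443/login', 'alice@mail.example.org',
                      '192.0.2.10', '[2001:db8::1]:443', '2001:db8::1::2']) {
  console.log(sample, '->', JSON.stringify(normalizeTarget(sample)));
}
```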

Core calculations

$$\mathrm{TTL}_{avg} = \frac{\mathrm{TTL}_1 + \mathrm{TTL}_2 + \dots + \mathrm{TTL}_N}{N} \qquad \mathrm{ms}_{avg} = \frac{\mathrm{ms}_1 + \mathrm{ms}_2 + \dots + \mathrm{ms}_M}{M}$$

Symbols used in DNS statistics

| Symbol | Meaning | Unit or datatype | Source |
|---|---|---|---|
| TTL | Per record Time To Live value. | seconds | Derived from DNS answers |
| N | Number of records with a numeric TTL. | integer | Derived |
| ms | Per query elapsed time measured around a DoH request. | milliseconds | Derived from timing |
| M | Number of queries with a measured elapsed time. | integer | Derived |
| RCODE | DNS response code mapped to a label. | integer or text | Derived from responses |
| AD | Authenticated Data flag reported by the resolver. | boolean | Derived from responses |
| DO | DNSSEC OK bit requested on DoH queries. | boolean | Input, with an automatic override |
| CD | Checking Disabled bit requested on DoH queries. | boolean | Input |

Interpretation aids

Response code labels

| Code | Label | Meaning |
|---|---|---|
| 0 | NOERROR | The resolver returned an answer set, which may still be empty. |
| 1 | FORMERR | The query was malformed for the resolver. |
| 2 | SERVFAIL | The resolver failed while trying to answer. |
| 3 | NXDOMAIN | The name does not exist in DNS. |
| 4 | NOTIMP | The resolver does not implement the requested operation. |
| 5 | REFUSED | The resolver refused the query, often due to policy. |

Check status meanings

| Status | Interpretation | Action cue |
|---|---|---|
| PASS | The record pattern was found as expected. | Use it as a baseline for later runs. |
| WARN | A risky condition was detected, such as wildcard answers or missing AD responses. | Double check with another resolver and confirm intent. |
| FAIL | The expected record pattern was not found. | Verify the zone contents and confirm propagation. |
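The averages and response code labels above, applied to a handful of JSON-format DoH response bodies. This is an added example, not the tool's own code: the function names are hypothetical and every response is constructed. It also separates an empty NOERROR answer from NXDOMAIN.

```javascript
// Added example: flatten DoH JSON responses, normalize values, compute averages.
const RCODES = ['NOERROR', 'FORMERR', 'SERVFAIL', 'NXDOMAIN', 'NOTIMP', 'REFUSED'];
const TYPES = { 1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 15: 'MX', 16: 'TXT', 28: 'AAAA' };
const NAME_TYPES = new Set(['NS', 'CNAME', 'MX', 'SOA', 'PTR']);

// Constructed sample data (documentation address ranges and example.com only).
const SOA = { name: 'example.com.', type: 6, TTL: 900,
  data: 'ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 900' };
const RESPONSES = [
  { qtype: 'A', ms: 21, body: { Status: 0, AD: false, Answer: [
    { name: 'example.com.', type: 1, TTL: 300, data: '192.0.2.10' },
    { name: 'example.com.', type: 1, TTL: 300, data: '192.0.2.11' }] } },
  { qtype: 'MX', ms: 35, body: { Status: 0, AD: false, Answer: [
    { name: 'example.com.', type: 15, TTL: 3600, data: '10 mail.example.com.' }] } },
  { qtype: 'AAAA', ms: 18, body: { Status: 0, AD: false, Authority: [SOA] } },
  { qtype: 'TXT', ms: 26, body: { Status: 0, AD: false, Answer: [
    { name: 'example.com.', type: 16, TTL: 300, data: '"v=spf1 -all"' }] } },
  // Random-label probe under the same zone: the name does not exist.
  { qtype: 'A', ms: 20, body: { Status: 3, AD: false, Authority: [SOA] } },
];

function normalizeData(type, data) {
  if (type === 'TXT') return data.replace(/^"(.*)"$/, '$1');   // drop outer quotes
  return NAME_TYPES.has(type) ? data.replace(/\.$/, '') : data; // drop trailing dot
}

// One inventory across Answer, Authority and Additional, tagged by section.
function flatten(responses) {
  const inventory = [];
  for (const { body } of responses) {
    for (const section of ['Answer', 'Authority', 'Additional']) {
      for (const rr of body[section] || []) {
        const type = TYPES[rr.type] || `TYPE${rr.type}`;
        inventory.push({ section, type, name: rr.name.replace(/\.$/, ''),
          ttl: Number.isFinite(rr.TTL) ? rr.TTL : null, data: normalizeData(type, rr.data) });
      }
    }
  }
  return inventory;
}

// NOERROR with no answers means the name exists but has no record of that type.
function outcome(body) {
  if (body.Status === 3) return 'name does not exist';
  if (body.Status !== 0) return 'error';
  return (body.Answer || []).length ? 'answered' : 'empty answer';
}

const mean = xs => (xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : null);

function summarize(responses) {
  const inventory = flatten(responses);
  const queries = responses.map(({ qtype, ms, body }) => ({
    qtype, ms, rcode: RCODES[body.Status] || `RCODE${body.Status}`,
    ad: body.AD === true, outcome: outcome(body) }));
  return {
    inventory, queries,
    ttlAvg: mean(inventory.map(r => r.ttl).filter(Number.isFinite)), // N numeric TTLs
    msAvg: mean(queries.map(q => q.ms).filter(Number.isFinite)),     // M timed queries
  };
}

const summary = summarize(RESPONSES);
console.log(summary.queries, summary.ttlAvg.toFixed(2), summary.msAvg.toFixed(1));
```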

Variables and parameters

User configurable parameters

| Parameter | Meaning | Unit or datatype | Typical range | Sensitivity | Notes |
|---|---|---|---|---|---|
| target | Domain, hostname, or IP address to query. | text | Valid DNS name or IP | High | Only the first non blank line is processed. |
| resolver | DNS over HTTPS provider selection. | enum | auto, cloudflare, google | Medium | Auto tries Cloudflare then Google. |
| timeout_ms | Abort a request after this many milliseconds. | ms | 0 and up | Medium | 0 means no extra timeout beyond network defaults. |
| do_flag | Request DNSSEC records using the DO bit. | boolean | true or false | Low | Forced on automatically when DNSSEC record queries are enabled. |
| cd_flag | Disable DNSSEC checking using the CD bit. | boolean | true or false | Low | Useful for debugging validation failures. |
| include_services | Query service related record types at the apex name. | boolean | true or false | Low | Adds SRV, NAPTR, SVCB, and HTTPS. |
| include_dnssec | Query DNSSEC related record types. | boolean | true or false | Low | Adds DNSKEY, DS, RRSIG, NSEC, and NSEC3. |
| include_security | Query security related record types. | boolean | true or false | Low | Adds TLSA, SSHFP, and OPENPGPKEY. |
| include_email | Check common email authentication and reporting TXT records. | boolean | true or false | Medium | Also supports optional DKIM selector checks. |
| discover_ct | Discover subdomains using Certificate Transparency sources. | boolean | true or false | Medium | Queries external discovery services when enabled. |
| discover_wordlist | Probe a wordlist of common subdomains. | boolean | true or false | Medium | Generates candidate names from a configurable list. |
| max_discovery | Cap how many discovered hostnames are resolved. | integer | 0 and up | High | 0 removes the local cap, but discovery sources still have limits. |
| resolve_targets | Resolve hostnames referenced by other records. | boolean | true or false | Medium | Looks at NS, MX, SRV, SVCB, HTTPS, CNAME, and SOA targets. |
| wildcard_check | Test a random subdomain for wildcard answers. | boolean | true or false | Medium | Uses a random label and queries A, AAAA, and CNAME. |
| reverse_ptr | Reverse resolve unique A and AAAA addresses to PTR. | boolean | true or false | Medium | Builds in-addr.arpa or ip6.arpa names and queries PTR. |
| reverse_ptr_limit | Cap how many IPs are reverse resolved. | integer | 0 and up | Medium | 0 means no limit. |

Constants and built in lists

Built in constants that shape lookups

| Constant | Value | Unit | Source | Notes |
|---|---|---|---|---|
| CORE_TYPES | 8 | types | Constant | A, AAAA, CNAME, MX, NS, SOA, TXT, CAA. |
| SERVICE_TYPES | 4 | types | Constant | SRV, NAPTR, SVCB, HTTPS. |
| SECURITY_TYPES | 3 | types | Constant | TLSA, SSHFP, OPENPGPKEY. |
| DNSSEC_TYPES | 5 | types | Constant | DNSKEY, DS, RRSIG, NSEC, NSEC3. |
| DEFAULT_HOST_PROBES | 60 | labels | Constant | Common host labels used for wordlist discovery and optional probes. |
| DEFAULT_SRV_PROBES | 18 | labels | Constant | Common SRV service labels such as _sip._tcp and _submission._tcp. |
| resolve concurrency | 6 | workers | Constant | Used for resolving discovered hosts, target hosts, and PTR lookups. |
| CT page cap | 10 | pages | Constant | Maximum pages fetched when paginating a certificate log source. |

Units, precision, and rounding

  • Query duration is measured with a high resolution clock and rounded to the nearest millisecond.
  • TTL averages are displayed with two decimals, and average query time is displayed with one decimal in the overview.
  • Non finite numeric inputs, such as empty or invalid numbers, fall back to safe defaults.
  • TXT values are displayed with quotes removed, and many name like values have trailing dots stripped.

Validation and bounds

Input validation rules and bounds

| Field | Type | Min | Max | Step or pattern | Error text | Placeholder |
|---|---|---|---|---|---|---|
| Target | text | 1 | 253 | Domain or hostname, underscores allowed, or IPv4 or IPv6 | Enter a domain, hostname, or IP address. Enter a valid domain or hostname. | example.com or 8.8.8.8 |
| Resolver | enum | - | - | auto, cloudflare, google | - | auto |
| Timeout | number | 0 | - | Step 100 | - | 3500 |
| Max discovered hosts | number | 0 | - | Step 10 | - | 200 |
| Max PTR lookups | number | 0 | - | Step 10 | - | 60 |
| DKIM selectors | text | 0 | - | Comma or space separated tokens | - | default, selector1 |
| Wordlist and hostnames | text | 0 | - | Comma or newline separated labels or full hostnames | - | www, mail, api |
| SRV list | text | 0 | - | Comma or newline separated service labels | - | _sip._tcp, _submission._tcp |

I/O formats and normalization

Supported inputs and outputs

| Input | Accepted families | Output | Encoding and precision | Rounding |
|---|---|---|---|---|
| Target text | Domain, hostname, IPv4, IPv6, URL, email, host and port | Normalized hostname or PTR name | Unicode converted to ASCII when possible | Not applicable |
| DNS answers | Answer, Authority, Additional sections | Record inventory and parsed details | TXT quotes removed, many names trimmed of trailing dots | Not applicable |
| Timing metrics | Per query elapsed time | Total, min, max, average query time | Milliseconds, numeric | Per query times are rounded to integers |
| Exports | Tables and a structured payload | Clipboard copies and downloadable files | Pretty printed JSON uses two space indentation | Displayed TTL averages use two decimals |

Networking and storage behavior

  • DoH lookups are sent to the selected public resolver provider, with an auto mode that tries Cloudflare then Google.
  • Certificate discovery can call a Cert Spotter API and crt.sh, and may route requests through an auxiliary CORS proxy when needed.
  • Requests can be aborted by a configurable timeout, and a cancel action prevents stale results from being displayed.
  • No local or session storage writes are used in this package, and results stay in memory unless you export them.

Performance and complexity

Most work is network bound. The base request count is the number of queried record types, which is 8 core types plus any enabled families, and each discovered or referenced hostname adds three lookups for A, AAAA, and CNAME.

  • Email checks add 4 TXT queries plus one TXT query per DKIM selector.
  • Wildcard detection adds 3 queries against a random name.
  • Reverse PTR adds 1 query per unique IP, capped by the configured limit.
  • Host probes add 3 queries per wordlist item, and SRV probes add 1 query per service label.

Diagnostics and determinism

Identical inputs can yield different outputs across time because caches expire, certificate logs update, and wildcard tests use a random label. Within a single run, a sequence guard prevents late responses from overwriting a newer run after you cancel or restart.

Security considerations

  • Use targets you own or are authorized to assess, since discovery and probing generate real DNS traffic.
  • Heads-up: wildcard DNS can make wordlist discovery appear successful even when hosts do not exist.
  • TXT records can contain sensitive policy details, so treat exports as potentially confidential.
  • Public resolvers and discovery sources may log queries, so avoid pasting secrets into the target field.
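
One way to apply the wildcard caveat when reviewing discovery output, as an added example (not the tool's own code). The function name, verdict labels and sample answers are constructed for illustration.

```javascript
// Added example: compare each discovered host's answers with the answers a
// random-label probe received, so wildcard matches are not read as real hosts.

// Canonical form of an answer set: case, trailing dots and order do not matter.
const answerKey = (type, answers) =>
  type + '|' + [...new Set(answers.map(a => a.toLowerCase().replace(/\.$/, '')))].sort().join(',');

function classifyDiscovered(wildcardProbe, discovered) {
  // Any answer for a random label means the zone synthesizes records.
  const wildcardKeys = new Set(
    wildcardProbe.filter(p => p.answers.length).map(p => answerKey(p.type, p.answers)));
  const wildcard = wildcardKeys.size > 0;

  const rows = discovered.map(h => {
    const resolved = h.results.filter(r => r.answers.length);
    if (!resolved.length) {
      return { host: h.host, verdict: 'unresolved', note: 'no A, AAAA or CNAME answer' };
    }
    // Exact matching misses wildcards that rotate answers between queries.
    const matches = wildcard &&
      resolved.every(r => wildcardKeys.has(answerKey(r.type, r.answers)));
    return matches
      ? { host: h.host, verdict: 'wildcard-match',
          note: `same answers as random label (sources: ${h.sources.join(', ')})` }
      : { host: h.host, verdict: 'resolved', note: 'answers differ from wildcard probe' };
  });
  return { status: wildcard ? 'WARN' : 'PASS', rows };
}

// Constructed sample: probe of a random label, then four candidate hosts.
const PROBE = [
  { type: 'A', answers: ['203.0.113.50'] },
  { type: 'AAAA', answers: [] },
  { type: 'CNAME', answers: [] },
];
const DISCOVERED = [
  { host: 'www.example.com', sources: ['wordlist'],
    results: [{ type: 'A', answers: ['203.0.113.50'] }] },
  { host: 'api.example.com', sources: ['ct', 'wordlist'],
    results: [{ type: 'A', answers: ['198.51.100.7'] }] },
  { host: 'mail.example.com', sources: ['ct'],
    results: [{ type: 'A', answers: ['203.0.113.50'] }, { type: 'CNAME', answers: [] }] },
  { host: 'vpn.example.com', sources: ['wordlist'],
    results: [{ type: 'A', answers: [] }] },
];

console.log(classifyDiscovered(PROBE, DISCOVERED));
```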

Assumptions and limitations

  • The tool is designed for public DNS visibility through the selected resolver, not private split horizon views.
  • Only the first non blank line of the target input is processed, and extra lines are ignored.
  • Hostnames are validated with relaxed rules that allow underscores for service labels.
  • When the target is an IP address, the tool only performs PTR lookups and skips other types.
  • TXT records are returned as separate strings and are not concatenated into a single logical value.
  • Discovery through certificate sources is best effort and may miss new or unissued subdomains.
  • A max discovery value of 0 removes the local cap, but discovery sources still have page and count limits.
  • Target resolution follows hostnames referenced by specific record types and does not chase every embedded name.
  • Average values summarize what was returned and do not predict future resolver performance.
  • Exports mirror the current view and do not include hidden context beyond the collected responses.

Edge cases and error sources

  • Internationalized domain names are converted to ASCII, and different Unicode spellings can map to the same name.
  • Trailing dots are trimmed from names, which can hide the difference between relative and absolute forms.
  • Inputs like email addresses are reduced to the domain portion after the at sign.
  • Host and port parsing only strips a port when there is a single colon and trailing digits.
  • Bracketed IPv6 forms are supported, but unusual zone identifiers can fail PTR conversion.
  • IPv6 expansion depends on canonical hextet parsing, and malformed compression can yield an invalid PTR name.
  • Resolvers can return empty Answer sections with NOERROR, which is not the same as NXDOMAIN.
  • Timeouts and network blockers can produce NO RESPONSE for one resolver but not the other.
  • Long TLSA and SSHFP fingerprints are shortened in summaries for readability.
  • Some record types rely on token splitting, so unexpected whitespace can affect parsed fields.
  • Wildcards and parking services can cause many unrelated names to resolve to the same answers.
  • Cancellation stops result display but may not stop in flight network requests already sent.

Standards and conventions

Record meanings and flags follow common IETF DNS conventions, while email policy checks follow widely used SPF, DMARC, DKIM, MTA-STS, and TLS-RPT conventions.

Privacy and compliance

Requests are made from the browser to the chosen resolver and optional discovery sources, results are not written to local storage by this package, and use should be limited to authorized targets.

Step by Step Guide:

Domain record enumeration is easiest when you start with the core name, then expand outward to related hosts and policies until the picture matches what you intended.

  1. Enter a Target domain, hostname, or IP address, then run the enumeration.
  2. If results look inconsistent, switch the Resolver and compare response codes and TTL.
  3. Adjust Timeout if your network is slow or the resolver is rate limiting.
  4. Enable service, DNSSEC, or security record families when you need a wider footprint.
  5. Keep email checks enabled when diagnosing mail delivery or spoofing controls, and add DKIM selectors if you know them.
  6. Enable discovery and set a reasonable max discovered hosts when you want a quick subdomain sweep.
  7. Turn on related target resolution to see where name servers, mail exchangers, and service targets point.
  8. Use Wildcard detection before trusting discovery results, and enable reverse PTR when you need hostname context for IPs.

  • Run the same target twice to separate transient cache effects from real changes.
  • If wildcard answers are detected, treat wordlist and certificate discoveries as hints, not proof.
  • When debugging mail, focus on MX and the policy TXT names before deep record families.
  • Use a small max discovery cap first, then expand only if you need more coverage.

Pro tip: keep one known good baseline run and compare future changes against it before chasing noise.

FAQ:

Is my data stored?

The page sends your target to the selected public resolver and, if enabled, certificate discovery sources. The package does not write to local storage, and results remain in memory unless you export them.

How accurate are results?

Results reflect what one resolver answered at one moment. Caches, resolver policy, and wildcard DNS can change what appears, so compare multiple runs and switch resolvers before concluding a record is missing.

What inputs are accepted?

You can paste a domain, hostname, IPv4, IPv6, URL, email address, or host and port string. Only the first non blank line is processed, and the tool normalizes the input to a hostname before querying.

Can it run offline?

No. Enumeration depends on live DNS over HTTPS queries and optional discovery calls, so you need network access to the configured endpoints.

If your network blocks public resolvers, choose another network or use a permitted resolver.

What does WARN mean?

WARN indicates a condition worth double checking, such as wildcard answers or missing AD flags. It is a prompt to verify intent and confirm with a second resolver, not an automatic failure.

How do I check DMARC?

Keep email checks enabled and review the DMARC finding. The tool queries the TXT name _dmarc.<domain>, looks for v=DMARC1, and extracts the policy value if present.
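
A sketch of the email checks as an added example (not the tool's own code): four policy TXT names plus one per DKIM selector, graded PASS, WARN or FAIL. The zone data is constructed, and warning on duplicate records, a DMARC policy other than quarantine or reject, and an empty DKIM key are grading choices made here.

```javascript
// Added example: grade email authentication TXT records for one domain.
const versionTag = tag => new RegExp(`^v=${tag}(\\s|;|$)`, 'i');
const CHECKS = [
  { label: 'SPF', name: d => d, match: versionTag('spf1') },
  { label: 'DMARC', name: d => `_dmarc.${d}`, match: versionTag('DMARC1') },
  { label: 'MTA-STS', name: d => `_mta-sts.${d}`, match: versionTag('STSv1') },
  { label: 'TLS-RPT', name: d => `_smtp._tls.${d}`, match: versionTag('TLSRPTv1') },
];
// v=DKIM1 is optional in DKIM key records, so match on the p= tag instead.
const dkimCheck = sel => ({ label: `DKIM ${sel}`,
  name: d => `${sel}._domainkey.${d}`, match: /(^|;)\s*p=/i });

// "k=v; k=v" tag lists, as used by DMARC and DKIM.
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// lookupTxt(name) must return an array of TXT strings (empty when none exist).
function emailChecks(domain, selectors, lookupTxt) {
  return [...CHECKS, ...selectors.map(dkimCheck)].map(c => {
    const name = c.name(domain);
    const hits = lookupTxt(name).map(t => t.replace(/^"|"$/g, '')).filter(t => c.match.test(t));
    const row = { label: c.label, name, status: 'PASS', note: hits[0] || '' };
    if (hits.length === 0) return { ...row, status: 'FAIL', note: 'no matching TXT record' };
    if (hits.length > 1) return { ...row, status: 'WARN', note: `${hits.length} matching records` };
    const tags = parseTags(hits[0]);
    if (c.label === 'DMARC') {
      row.note = `p=${tags.p || 'missing'}`;
      if (!/^(quarantine|reject)$/i.test(tags.p || '')) row.status = 'WARN';
    }
    if (c.label.startsWith('DKIM') && tags.p === '') {
      row.status = 'WARN';
      row.note = 'empty p= (revoked key)';
    }
    return row;
  });
}

// Constructed zone contents standing in for DoH TXT answers.
const ZONE = {
  'example.com': ['"v=spf1 include:_spf.example.net -all"', '"site-verification=constructed"'],
  '_dmarc.example.com': ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
  '_smtp._tls.example.com': ['"v=TLSRPTv1; rua=mailto:tls@example.com"'],
  'selector1._domainkey.example.com': ['"v=DKIM1; k=rsa; p="'],
};
const lookupTxt = name => ZONE[name] || [];

console.table(emailChecks('example.com', ['default', 'selector1'], lookupTxt));
```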

Is there any licensing gate?

The app does not include a purchase flow or license key prompt. Redistribution and reuse depend on the license terms that came with the package you received.

Troubleshooting:

  • If you see NO RESPONSE, try switching the resolver or increasing the timeout.
  • If subdomain discovery shows nothing, enable certificate discovery and wordlist discovery, then rerun.
  • If discovery finds many hosts that all resolve the same way, check whether wildcard detection was triggered.
  • If email checks show missing records, confirm you are querying the correct organizational domain rather than a subdomain.
  • If reverse PTR returns no hostnames, the IP may not have PTR records published.
  • If parsed details look odd, inspect the raw record inventory for unexpected spacing or quoting.

Advanced Tips:

  • Tip: Start with core types, then enable DNSSEC only when you need validation clues.
  • Tip: Use related target resolution to spot external dependencies outside the target domain.
  • Tip: Keep a low max discovery value for quick triage and raise it only when the baseline looks clean.
  • Tip: Add known DKIM selectors from your mail platform to avoid guessing and reduce noise.
  • Tip: When SERVFAIL appears, rerun after a short wait to separate transient upstream failures from a persistent issue.
  • Tip: Treat PTR names as hints and corroborate them with forward lookups if you use them for access rules.

Glossary:

DNS
Domain Name System, maps names to records used by clients.
DoH
DNS over HTTPS, DNS queries sent via HTTPS requests.
TTL
Time To Live, seconds a resolver may cache an answer.
RCODE
Response code, indicates success, failure, or non existence.
PTR
Pointer record used for reverse mapping an IP to a name.
DNSSEC
DNS Security Extensions, signatures that protect record integrity.
AD and CD
Authenticated Data and Checking Disabled flags related to DNSSEC validation.
Wildcard DNS
A zone behavior where many names resolve even if not defined.
CT
Certificate Transparency, public logs that can reveal issued names.
SPF and DMARC
Email authentication policies published as TXT records.