DNS Record Lookup

{{ summaryStatusBadge.label }} {{ singleRecords.length }} record{{ singleRecords.length === 1 ? '' : 's' }} Manual lookup {{ summaryResolverBadge }} {{ summaryTypeBadge }} DNSSEC AD DNSSEC AD: off {{ do_flagBool ? 'DNSSEC DO requested' : 'DNSSEC DO off' }} A {{ singleResult.derived.a_count }} AAAA {{ singleResult.derived.aaaa_count }} MX {{ singleResult.derived.mx_count }}

Domain or IP:

Enter one domain, hostname, URL host, IPv4, or IPv6; use PTR in record types for IP reverse lookups.

Preset:

Choose Custom before editing the comma-separated type list by hand.

Record types:

Comma or space separated: A AAAA CNAME TXT MX NS SOA CAA SRV PTR HTTPS SVCB.

Ignored {{ singleExtraLinesNotice }} extra line(s). This tool processes only the first non‑blank line.

Resolver:

Auto tries Google first, then Cloudflare if the response is unusable.

DNSSEC DO bit:

Switch on when you need DNSSEC material alongside ordinary answers.

DNSSEC CD bit:

Use only while isolating DNSSEC validation errors.

Timeout:

Set 0 for browser defaults, or about 1500-5000 ms for strict troubleshooting.

Type	Name	TTL	Data	Copy
{{ r.type }}	{{ r.name }}	{{ r.ttl }}	{{ r.data }}
No DNS records returned Try another record type, resolver, or target if you expected an answer.

Field	Value	Copy
{{ row.k }}	{{ row.vs.join('; ') }}
No field breakdown available Run a successful lookup to populate derived DNS fields.

No record data to visualize yet.

TTL information is unavailable for the current lookup.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

When a domain change looks half-finished, DNS is usually the first place to check because it decides which addresses, mail servers, aliases, name servers, certificate rules, service hints, and text policies a resolver can see for a name. A browser may only show that a site failed, but DNS records can show whether the name still points at the old host, lacks an IPv6 record, follows an alias chain, returns no data for the requested type, or still carries a long cache lifetime.

DNS is not one large file that everyone reads at the same moment. The system is distributed across authoritative name servers and recursive resolvers. Authoritative servers hold zone data for a domain. Recursive resolvers answer user queries, cache responses, and may validate DNSSEC signatures before handing an answer back. That extra resolver step is why two people can check the same name a few minutes apart and see different TTL values or different answers during a migration.

Common DNS troubleshooting questions and useful record types
Situation	Records that usually matter	What the answer can reveal
Website cutover	`A`, `AAAA`, `CNAME`, `HTTPS`, `SVCB`	Address changes, alias targets, IPv6 coverage, and modern service hints.
Email routing or authentication	`MX`, `TXT`, `SRV`, `NS`, `SOA`	Mail exchanger priority, SPF-style text policy, service records, and zone authority clues.
Certificate issuance or security checks	`CAA`, `TLSA`, `SSHFP`, `DS`, `DNSKEY`	Certificate authority limits, service fingerprints, delegation signer records, and DNSSEC material.
IP ownership clues	`PTR`	Reverse DNS names derived from IPv4 or IPv6 addresses.

The record type matters as much as the name. Asking for A records does not prove that mail is configured, and asking for MX records does not prove that the website is pointed correctly. A name can have no answer for one type while still answering normally for another type. That distinction is important when a blank result is easy to mistake for a dead domain or a completed migration.

Diagram showing a DNS question passing through a recursive resolver, record-type choice, no-data path, and answer rows with TTL data.

TTL, short for Time to Live, is one of the most practical fields in a lookup. It is measured in seconds and tells caches how long an answer may be reused before it should be refreshed. A low TTL can help planned changes settle faster, while a high TTL can keep old answers visible even after the authoritative zone has been updated.

A resolver snapshot is evidence, not final proof. It does not show every public resolver, every regional cache, or the authoritative zone file itself. Negative answers can also be cached, DNSSEC validation can change whether an answer is accepted, and DNS-over-HTTPS JSON fields can differ between providers. Treat a lookup as a focused diagnostic view, then compare resolvers or authoritative tools when the decision is high impact.

How to Use This Tool:

Use one target and one clear record-type plan per lookup. The page processes the first non-blank line, reports ignored extra lines, and turns URL input into the host name before asking the selected public resolver.

Enter a domain, hostname, URL host, IPv4 address, or IPv6 address in Domain or IP. For IP addresses, choose a PTR lookup because ordinary address records do not apply to reverse DNS.
Public resolvers cannot reliably see private split-horizon names. Use an internal resolver for private hostnames or VPN-only zones.
Pick a Preset that matches the problem. General covers common web, mail, name-server, and policy records. Web, Email, Security, and DNSSEC narrow the query list for a specific investigation.
Choose Custom before editing Record types by hand. Type names may be comma- or space-separated, repeated entries are collapsed, and unsupported punctuation is removed from each token.
Open Advanced when the resolver view matters. Google and Cloudflare query that provider directly, while Auto tries Google first and falls back to Cloudflare if the first response is unusable.
Auto is a recovery path, not a propagation test across many resolvers.
Turn on DNSSEC DO bit when you want DNSSEC-related records returned where available. Use DNSSEC CD bit only when comparing normal validation with a checking-disabled query.
DNSSEC CD bit can help isolate validation behavior, but it does not repair a signed zone or prove an application is secure.
Set Timeout only when you need a strict troubleshooting window. A value of 0 uses the browser's normal request behavior; values around 1500 to 5000 ms can fail faster during outage triage.
Read DNS Records Overview first, then use Field Breakdown, Raw DoH Responses, Record Type Breakdown, TTL Distribution, and JSON when you need audit detail or exportable evidence.

If the result says no records were returned, check the target spelling, confirm that the requested type belongs to that kind of target, and compare the other resolver before changing live DNS.

Interpreting Results:

The record table is the main evidence. Each row gives the record type, owner name, TTL, and data value returned for one requested type. The summary badges and charts help scan the shape of the answer, but the row data is what should go into change notes, incident tickets, or resolver comparisons.

How to interpret key DNS lookup result fields
Result item	What it means	Common misread
`TTL`	Seconds the answer may remain cached before refresh.	A low TTL does not force every cache to refresh instantly.
`DNSSEC AD`	The selected resolver marked at least one returned response as authenticated.	It is resolver evidence, not a complete independent DNSSEC audit.
No answers	The selected resolver returned no answer rows for the requested type list.	The domain may still exist and answer for a different type.
Record type chart	Counts returned rows by DNS record type.	A taller bar does not mean a record type is more important.
TTL chart	Shows average, minimum, and maximum TTL by returned type.	The chart ignores types with no finite TTL-bearing rows.

Resolver differences are normal during changes and failures. One resolver may still have an older cached answer, another may have refreshed more recently, and DNSSEC validation behavior can change whether a response is accepted. Compare the owner name, record type, TTL, and data value before treating a difference as a configuration error.

The raw DNS-over-HTTPS response is useful when you need provider fields such as response status, question details, authority records, or DNSSEC flags. For most operational comparisons, the normalized records table is easier to share because it removes provider JSON noise and keeps the answer rows together.

Technical Details:

A DNS query asks for one resource record type at one owner name. Recursive resolvers may answer from cache, contact authoritative name servers, follow aliases, validate DNSSEC material, or return a negative response such as name error or no data. DNS-over-HTTPS changes the transport to HTTPS, but the underlying DNS question still depends on the name, type, resolver cache, and validation state.

Record data is type-specific. An A response carries IPv4 addresses, AAAA carries IPv6 addresses, MX carries mail exchangers with preference values, NS names authoritative name servers, and TXT can hold policy or verification text. Security-oriented records such as CAA, TLSA, SSHFP, DS, and DNSKEY answer different questions, so they should not be read as substitutes for one another.

Lookup Path

The lookup target is reduced to one name or address before queries are sent. URL schemes and paths are ignored for DNS purposes, internationalized hostnames are converted to ASCII form when the browser can do so, and domain labels are checked for common length and hyphen rules. Each requested type becomes its own public DNS-over-HTTPS request.

DNS lookup target handling rules
Input kind	Name queried	Useful record path	Limit to remember
Domain or hostname	Cleaned host name, with ASCII conversion where supported	Any requested type in the type list	A pasted URL path does not affect DNS.
IPv4 address	Octets reversed below `in-addr.arpa`	`PTR`	Default web or mail record sets are skipped for IP input.
IPv6 address	Expanded hexadecimal nibbles reversed below `ip6.arpa`	`PTR`	Abbreviated IPv6 notation must expand cleanly before the reverse name can be formed.

Record Type and DNSSEC Controls

Record type tokens are uppercased, deduplicated, and sent separately. If the type list is empty, the lookup falls back to the general record set. The DNSSEC DO bit asks for DNSSEC data where available, while the CD bit asks the resolver not to perform validation for that query. The AD bit appears in a response when the resolver reports authenticated data.

DNSSEC and resolver controls used by the lookup
Control or flag	DNS meaning	Operational use
`Resolver`	Chooses the recursive resolver view.	Compare Google and Cloudflare when cache age, policy, or validation behavior may differ.
`DO`	Signals that DNSSEC records are desired.	Use for DS, DNSKEY, RRSIG, NSEC, or NSEC3 evidence checks.
`CD`	Requests checking-disabled handling.	Use sparingly to isolate validation failures against the normal resolver answer.
`AD`	Reports authenticated data from the resolver.	Treat it as the resolver's validation signal, not browser-side cryptographic proof.

TTL Statistics

TTL charts are computed only from returned answer rows that have finite, non-negative TTL values. Record-count bars count rows by type. The TTL chart groups rows by type and computes minimum, maximum, and average seconds.

averageTTL = \frac{\sum_{i = 1}^{n} {TTL}_{i}}{n}

The average TTL is useful for comparing returned groups, but minimum and maximum often matter more during migrations. A single long-TTL record can keep stale answers alive even when other records refresh quickly.

Privacy and Accuracy Notes:

Lookup requests are made by your browser to the selected public DNS-over-HTTPS resolver. The resolver receives the target name or reverse lookup name, requested record type, DNSSEC flags, and normal request metadata associated with the HTTPS request. Use an internal resolver or local diagnostic command for private hostnames, split-horizon zones, or sensitive investigation targets.

A single public resolver view does not prove global DNS propagation.
Cached positive and negative answers can remain visible until their cache rules expire.
Provider JSON formats are convenient for diagnostics, but behavior can differ between providers.
DNSSEC flags identify resolver behavior and returned metadata; they do not audit registrar settings, web certificates, mail security, or application configuration.
Short timeouts can turn slow valid responses into lookup failures, so compare with a longer timeout before concluding that DNS is broken.

Worked Examples:

A website migration for www.example.com should start with the Web preset. If the table returns a CNAME target plus new A or AAAA addresses, check whether the owner name and data match the migration plan. A high maximum TTL in the TTL chart means some caches may keep older answers longer than expected.

An email delivery issue for example.com should use the Email preset. Read MX records first because they identify the mail route. Then inspect TXT rows for policy records and SOA or NS rows for zone clues. Existing TXT records do not prove that mail routing exists if no MX rows are returned.

A reverse DNS check for 8.8.8.8 should use Custom with PTR. The lookup asks the reverse name under in-addr.arpa and returns any PTR owner and hostname data the resolver sees. If no answer appears, compare a second resolver before assuming the address has no reverse DNS.

A DNSSEC investigation for a signed zone should use the DNSSEC preset with the DO bit on, then repeat with the CD bit only if validation behavior needs comparison. Differences between those two checks can help separate missing DNSSEC material from a validation failure at the resolver.

FAQ:

Why does a valid domain return no records?

The domain may not have the requested record type, the resolver may have cached a negative answer, or the type may not fit the target. Try a narrower preset, compare the other resolver, and check spelling before changing DNS.

Why does an IP address need PTR?

Address records point names to IP addresses. Reverse DNS starts from an IP-derived name and asks for PTR, so the default domain record set is not the right question for an IP target.

Does DNSSEC AD mean the domain is fully secure?

No. AD means the selected resolver reported authenticated DNS data for the response. It does not inspect certificates, mail policy, registrar locks, hosting security, or application behavior.

Why do Google and Cloudflare show different answers?

Resolvers can differ because of cache age, refresh timing, validation decisions, filtering policy, or provider JSON behavior. Compare the actual rows and TTL values before deciding which difference matters.

Can this check private internal DNS names?

Not reliably. The lookup uses public DNS-over-HTTPS resolvers, so private split-horizon names should be tested from a network and resolver that can see the internal zone.

Glossary:

Authoritative name server: A name server that holds zone data for a domain or delegated zone.
Recursive resolver: A resolver that answers client queries by using cache, referrals, and authoritative name servers.
TTL: Time to Live, the number of seconds a DNS answer may be reused from cache.
PTR: A reverse DNS record type used to map an IP-derived reverse name to a hostname.
DNS-over-HTTPS: A way to send DNS queries and receive DNS responses over HTTPS.
AD bit: Authenticated Data, a response flag indicating that the resolver reports DNSSEC-authenticated data.
CD bit: Checking Disabled, a query flag asking the resolver not to apply DNSSEC validation for the response.
DO bit: DNSSEC OK, a query signal asking for DNSSEC records where they are available.

References:

Domain Names - Implementation and Specification, RFC Editor, November 1987.
Negative Caching of DNS Queries, RFC Editor, March 1998.
Protocol Modifications for the DNS Security Extensions, RFC Editor, March 2005.
DNS Queries over HTTPS, RFC Editor, October 2018.
DNS-over-HTTPS, Google for Developers.
Using JSON, Cloudflare Docs.
How to query DNS records in Windows, simplified.guide.
How to add a DNS record in cPanel, simplified.guide.