Trace CNAME Alias Chain

CNAME Alias Chain

Current inputs differ from the last completed trace. Re-run before trusting the on-screen alias path.

Hostname:

Enter one hostname or URL, e.g. www.example.com or https://www.example.com/path.

Terminal record type:

Choose A/AAAA for web reachability, MX for mail, or TXT/CAA for validation checks.

Resolver lens:

Use Auto for the first healthy resolver, or pin Cloudflare, Google, or DNS.SB.

Compare resolvers:

Turn on for cutovers; leave off when one primary resolver view is enough.

Hop budget:

Choose 2-12 hops; raise only when long provider chains are expected.

Expected canonical suffix:

Optional suffix such as cloudfront.net or akamaiedge.net; omit the leading dot.

Timeout:

Choose 2500-9000 ms; use longer values when comparing resolvers on slow networks.

Auto-run:

Enable only for prefilled URLs; manual entry still requires Trace Chain.

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Hop	Owner	CNAME target	TTL	Note	Copy
{{ row.hop }}	{{ row.owner }}	{{ row.target }}	{{ row.ttl }}	{{ row.note }}
No CNAME hops visible The selected hostname answered directly or did not expose a public CNAME chain from this resolver view.

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Resolver	Outcome	Hops	Landing	Terminal read	TTL span	Comparison	Copy
{{ row.resolver }}	{{ row.outcome }}	{{ row.hops }}	{{ row.landing }}	{{ row.terminal }}	{{ row.ttl }}	{{ row.comparison }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A hostname can look simple in a control panel while public DNS is taking a longer route. The name people type may be only an alias, and the useful answer may live several CNAME hops away on a CDN, hosting platform, verification service, or mail provider. When that route changes, the first question is not always whether the website or application is broken. It is often whether recursive resolvers are still following the old alias path.

CNAME records separate the name being queried from the canonical name that DNS should follow next. That distinction matters because ordinary service records normally belong at the final owner reached by the alias path. A web check usually cares about A or AAAA records, a mail check may care about MX, a vendor proof often uses TXT, and certificate authority policy uses CAA. Looking only at the first CNAME can miss the name that actually has to publish the terminal record.

Alias owner: The hostname being queried, for example shop.example.com.
Canonical name: The target name named by the CNAME record, often a provider-owned hostname.
Terminal RRset: The final group of same-type DNS records read after visible CNAME hops stop.

The confusing cases usually appear during cutovers, provider migrations, and domain verification. A control panel can show the intended record while a public resolver still has the previous answer cached. Another resolver may already land on the new provider, and a third may return no terminal TXT or A record because a negative answer is cached. Those differences can look like service failure even when the right next step is to wait for the relevant TTL before changing more DNS.

Common situations where CNAME chain evidence matters
Situation	What the alias path can clarify	What still needs a separate check
CDN or host migration	Whether the final canonical name ends at the expected provider.	HTTP routing, TLS certificates, and application health.
SaaS domain verification	Whether the alias lands where the vendor expects and exposes the chosen TXT or CAA answer.	Vendor account state and verification polling delays.
Mail routing change	Whether the queried name answers directly or reaches an MX-capable terminal owner.	Mailbox acceptance, SPF, DKIM, DMARC, and SMTP behavior.
Apex or proxied hostname	Whether public DNS shows a literal CNAME path or direct terminal records.	Provider flattening, ALIAS-style synthesis, or proxy settings.

DNS alias path from requested name through CNAME hops, canonical landing, terminal records, and resolver comparison.

Alias-chain evidence is strongest when it is kept in its lane. It can show where public resolvers send a hostname, whether the path settles, and whether the selected terminal RRset is visible. It cannot prove that HTTPS is configured correctly, that SMTP will accept mail, or that a SaaS vendor has finished its account-side verification.

How to Use This Tool:

Start with the hostname people or systems actually use, then choose the terminal record type that matches the service question you need to answer.

Enter one value in Hostname. A full URL is fine, but only the hostname is traced. If several lines are pasted, the page keeps the first hostname and reports that the rest were ignored.
Choose Terminal record type from the service you are testing. Use A or AAAA for web reachability, MX for mail routing, TXT for verification text, and CAA for certificate authority policy.
Open Advanced when resolver choice affects the decision. Resolver lens on Auto tries the built-in public resolvers in order until one answers without a transport failure; pin Cloudflare, Google, or DNS.SB when you need that exact view.
Keep Compare resolvers enabled for DNS cutovers, cache questions, and incident checks. Disable it when one public resolver answer is enough and you want a shorter read.
Use Hop budget to stop loops and unexpectedly deep chains. The visible choices run from 2 to 12 hops; raise the limit only when long provider indirection is expected.
Add Expected canonical suffix when the provider told you where the alias should land, such as cloudfront.net or akamaiedge.net. Omit the leading dot so the suffix comparison can match the final canonical name.
Press Trace Chain. Read CNAME Route Read for the summary, CNAME Hop Ledger for each alias step, Terminal RRset Read for the final records, and Resolver Comparison when public resolver views diverge.

If an empty-hostname error appears, enter a hostname or URL before tracing. If the stale-input warning appears after you change a field, run the trace again before trusting copied values or exported data.

Interpreting Results:

Read Outcome, Canonical landing, Terminal read, and Resolver drift together. Route Complete with terminal answers means the primary public resolver reached a final owner and found the selected RRset. Terminal Missing means the alias path settled, but the final owner did not return that record type from the selected view.

Direct Answer is not automatically wrong. Apex flattening, ALIAS-style records, proxying, or provider synthesis can return terminal records without exposing a literal public CNAME path.
Loop Detected means the alias path pointed back to a name already visited, so resolution cannot settle on one canonical landing from that resolver view.
Hop Budget Exceeded means another visible CNAME remained after the configured limit. Raise the budget only after confirming that the extra provider indirection is expected.
Suffix result is a DNS-name comparison. A match does not prove HTTPS, SMTP, certificate issuance, or vendor verification will succeed.
Resolver drift points to a public-view difference: outcome drift changes the status, alias drift changes the path, and terminal drift changes the final answer set.

A false-confidence mistake is treating one green DNS result as service health. Use TTL span, Negative-cache hint, and any resolver drift before making another DNS edit, then follow with the service-specific check for HTTP, TLS, SMTP, or the vendor account.

Technical Details:

A CNAME resource record makes one DNS owner name an alias for a canonical name. Resolution then restarts at that canonical name. DNS specifications also keep CNAME use separate from ordinary data at the same owner name, which is why a terminal A, AAAA, MX, TXT, or CAA read belongs after visible alias hops stop.

Recursive resolver evidence is cache-bound. Positive answers carry TTL values in seconds, and negative answers such as NXDOMAIN or no data can also be cached when SOA authority data gives a usable lifetime. During a migration, the same hostname can produce different public answers until older cache entries expire.

Rule Core:

The alias walk follows direct CNAME answers for the current owner, stops when no direct CNAME remains, and then reads the selected terminal RRset. The path is bounded so a loop or unexpectedly deep chain returns a useful stopping reason instead of running without a clear end.

CNAME alias trace rule sequence
Rule	DNS condition	Resulting outcome
Normalize owner name	The first hostname is extracted from a hostname or URL, lowercased, and stripped of a trailing dot.	One public DNS owner name is traced.
Follow visible CNAMEs	The current owner returns one or more direct CNAME answers for that exact owner.	The first direct target becomes the next hop in CNAME Hop Ledger.
Stop on repeated target	A target has already appeared in the path.	Loop Detected, and terminal lookup is skipped.
Stop on hop budget	The configured limit is reached while another direct CNAME remains visible.	Hop Budget Exceeded, and terminal lookup is skipped.
Read terminal RRset	No more direct CNAME is visible within the limit.	The final owner is queried for A, AAAA, MX, TXT, or CAA.
Compare public views	Compared resolvers differ on outcome, alias path, or terminal answer signature.	Outcome drift, Alias drift, or Terminal drift appears in Resolver Comparison.

The terminal record type changes the meaning of the same alias path. A web migration usually needs A or AAAA answers at the landing name. A mail-routing check needs MX answers. Provider validation often needs TXT. CAA answers affect which certificate authorities may issue certificates for the name. A complete alias path with no matching terminal RRset can mean the wrong terminal type was selected, the final owner has not published that RRset, or a public resolver has cached a negative answer.

Trace outputs and interpretation fields
Output field	Meaning	Useful check
Canonical landing	The final owner name reached after visible CNAME hops stop.	Compare it with the provider hostname or suffix you expected.
Terminal read	The count or status of the selected terminal RRset at the final owner.	Confirm that the record type matches the service being tested.
TTL span	The minimum-to-maximum TTL range surfaced from visible hops and terminal answers.	Use the larger relevant TTL as a cautious retry window.
Negative-cache hint	An SOA-derived estimate for how long a missing name or missing RRset may stay cached.	Retry after that interval before assuming a new DNS edit failed.
Suffix result	A string check against the final canonical name.	Treat a mismatch as DNS evidence, then verify provider instructions and service behavior.

Public DNS-over-HTTPS views are useful for seeing what recursive resolvers return, but they are not authoritative zone audits. JSON-shaped resolver responses are provider-specific, so production investigations should pair public recursive evidence with authoritative DNS checks and the service-specific test that proves the hostname actually works.

Privacy Notes:

The hostname and selected DNS record type are sent to the chosen public recursive resolver services so they can answer the lookup.

Do not test private internal names if disclosing the hostname to public resolvers would be a problem.
When a full URL is entered, the trace uses the hostname. Paths, fragments, and query strings are not needed for CNAME resolution.
Resolver comparison sends the same DNS question to multiple public resolver views, which can be useful during a cutover but broader than a single lookup.

Worked Examples:

CDN Cutover Landing Check

A migration checks www.store.example, selects A as the terminal type, and sets edge.examplecdn.net as the expected suffix. CNAME Hop Ledger shows two hops, Canonical landing ends with the expected suffix, and Terminal read reports two A answers. That is useful DNS evidence for the cutover, followed by a separate HTTPS and certificate test.

Apex Name With Direct Answers

A check for example.org returns Direct Answer, four A records, and no rows in CNAME Hop Ledger. That can be normal when a DNS provider flattens an apex name. Compare the returned addresses and TTL span with the provider instructions instead of trying to force a literal CNAME at the apex.

Verification TXT Missing After Alias Resolution

A SaaS setup checks verify.customer.example with terminal type TXT. The alias walk reaches a vendor-owned name, but Terminal read reports no TXT answers and Negative-cache hint shows 300 seconds. Waiting for that interval before retrying is more useful than changing unrelated CNAME settings immediately.

Rollback With Resolver Drift

A CDN hostname expects cloudfront.net, but Suffix result says Did not match and Canonical landing still ends in an old provider domain. If Resolver Comparison also shows Alias drift, the public views have not converged yet; compare the hop TTLs before deciding whether the rollback failed.

Hop Budget Boundary

A deep enterprise chain is tested with a two-hop budget, and the summary shows Depth cap. Terminal lookup is skipped because another direct CNAME remained visible. Raising Hop budget to 4 or 6 makes sense only if that extra provider indirection is expected.

FAQ:

Why does a hostname answer directly when I expected a CNAME?

The public resolver may be seeing flattened, proxied, ALIAS-style, or direct records. Check Terminal RRset Read and the provider instructions before treating Direct Answer as an error.

Which terminal record type should I choose?

Choose the RRset that matches the service decision: A or AAAA for web addresses, MX for mail routing, TXT for verification text, and CAA for certificate authority policy.

What does resolver drift mean?

Resolver drift means at least one compared public resolver returned a different outcome, alias chain, or terminal answer than the primary result. During cutovers, wait for the visible TTLs or check the authoritative zone before making another edit.

Why did terminal lookup get skipped?

Terminal lookup is skipped when the alias path loops or the configured hop budget is exceeded. Read CNAME Hop Ledger to find the repeated target or the final visible hop before raising the limit.

Why does the page say the result is stale?

The visible inputs no longer match the completed trace. Press Trace Chain again so CNAME Route Read, Terminal RRset Read, and Resolver Comparison reflect the current fields.

Can this prove the website or mail service works?

No. It checks public DNS evidence for the selected hostname and terminal RRset. Follow with an HTTP, TLS, SMTP, or provider verification test for the actual service.

Glossary:

CNAME: A DNS resource record that makes one owner name an alias for another canonical name.
Alias owner: The queried DNS name that holds the CNAME record.
Canonical name: The target name named by a CNAME record and followed next during resolution.
RRset: A set of DNS records with the same owner name, class, and type.
Terminal RRset: The selected record set queried after no more direct CNAME hop is visible.
TTL: The time in seconds that a resolver may cache an answer before it should refresh it.
Negative-cache hint: An SOA-based estimate for how long a missing name or missing RRset may remain cached.
Resolver drift: A difference between public recursive resolver views for the same hostname and terminal record type.

References:

RFC 1034: Domain Names - Concepts and Facilities, IETF, November 1987.
RFC 2181: Clarifications to the DNS Specification, IETF, July 1997.
RFC 2308: Negative Caching of DNS Queries (DNS NCACHE), IETF, March 1998.
RFC 8484: DNS Queries over HTTPS (DoH), IETF, October 2018.
Using JSON, Cloudflare Docs, May 5, 2026.
JSON API for DNS over HTTPS (DoH), Google Public DNS.