DNS Record Lookup
Query A, AAAA, CNAME, MX, TXT, NS, SOA, CAA and SRV records for any domain using Cloudflare's DNS-over-HTTPS API. No dig command or terminal needed — results in under a second.
This tool uses Cloudflare's 1.1.1.1 DNS-over-HTTPS API to query records. Results reflect what Cloudflare's resolver sees; because of propagation times, recent changes may not be visible everywhere yet. TTL values are in seconds.
What is a DNS Lookup Tool?
A DNS lookup tool queries the Domain Name System to retrieve the records associated with a domain — A records that point to IPv4 addresses, MX records that route email, TXT records used for domain ownership verification and email authentication, and more. For DevOps and SRE engineers, being able to inspect DNS records instantly from a browser is essential when debugging deployment failures, verifying SSL certificate domain ownership, and troubleshooting email deliverability.
DNS is often called the phone book of the internet, but its operational implications go far beyond simple name resolution. TXT records carry SPF and DKIM policies that determine whether your outbound email is accepted or marked as spam. CAA records control which certificate authorities are permitted to issue TLS certificates for your domain. NS records determine which authoritative servers a registrar delegates to. Understanding and verifying these records is a core SRE skill when managing production infrastructure at any scale.
When to Use This Tool
- Deployment verification: After updating a DNS record — such as pointing an A record to a new load balancer IP — confirm that the change is visible from the public internet before cutting over traffic.
- SSL certificate debugging: Verify that a CNAME or TXT record required by your CA for domain-validated (DV) certificate issuance has propagated correctly before triggering certificate issuance.
- Email deliverability checks: Inspect SPF TXT records and DMARC TXT records to ensure they are correctly configured and not inadvertently blocking your outbound mail.
- Nameserver delegation verification: Confirm that NS records reflect the correct authoritative nameservers after transferring a domain between registrars or migrating DNS hosting.
How It Works
This tool sends DNS queries using Cloudflare's DNS-over-HTTPS (DoH) API at 1.1.1.1/dns-query. DoH wraps the DNS query inside an HTTPS request, which means the lookup is encrypted in transit and not visible to network intermediaries. The response contains the resource records from the authoritative nameservers for the queried domain, along with the TTL (Time to Live) for each record. Because the queries go through Cloudflare's globally distributed resolver, results represent the public DNS view rather than any cached or split-horizon view specific to your local network.
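The lookup described above, paired with the SPF and DMARC checks listed under "When to Use This Tool", as an added example that is not this tool's own code. It assumes Cloudflare's JSON form of the DoH API (name/type query parameters with an application/dns-json Accept header); the finding labels and the example.test sample responses are constructed for illustration.

```javascript
// Added example: query TXT records over DoH and flag weak SPF/DMARC settings.
const DOH = "https://1.1.1.1/dns-query"; // endpoint named on this page
const TXT = 16; // DNS type number for TXT records

function dohUrl(name, type) {
  return `${DOH}?name=${encodeURIComponent(name)}&type=${encodeURIComponent(type)}`;
}

// Live lookup (needs network access); defined for use, not called below.
async function lookup(name, type) {
  const res = await fetch(dohUrl(name, type), { headers: { accept: "application/dns-json" } });
  if (!res.ok) throw new Error(`DoH request failed: HTTP ${res.status}`);
  return res.json();
}

// TXT data arrives as one or more quoted chunks; strip the quotes and join them.
function txtValues(resp) {
  return (resp.Answer || []).filter(r => r.type === TXT).map(r => {
    const chunks = r.data.match(/"(?:[^"\\]|\\.)*"/g);
    return chunks ? chunks.map(c => c.slice(1, -1)).join("") : r.data;
  });
}

// Findings for the TXT answers of <domain> and _dmarc.<domain>.
function auditMail(domainResp, dmarcResp) {
  const findings = [];
  const spf = txtValues(domainResp).filter(t => /^v=spf1(\s|$)/i.test(t));
  if (spf.length === 0) findings.push("spf-missing");
  if (spf.length > 1) findings.push("spf-multiple"); // RFC 7208: evaluates to permerror
  // "+all" (or bare "all") authorises every sender on the internet.
  if (spf.some(s => s.split(/\s+/).some(t => /^\+?all$/i.test(t)))) findings.push("spf-pass-all");
  const dmarc = txtValues(dmarcResp).filter(t => /^v=DMARC1\s*;/i.test(t));
  const p = dmarc.length === 1 ? /(?:^|;)\s*p\s*=\s*(\w+)/i.exec(dmarc[0]) : null;
  if (dmarc.length !== 1) findings.push(dmarc.length ? "dmarc-multiple" : "dmarc-missing");
  else if (!p) findings.push("dmarc-no-policy");
  else if (p[1].toLowerCase() === "none") findings.push("dmarc-p-none"); // monitor only
  return findings;
}

// Constructed sample responses (not real lookups).
const sampleDomain = { Status: 0, Answer: [
  { name: "example.test", type: TXT, TTL: 300, data: '"v=spf1 include:_spf.example.net +all"' },
  { name: "example.test", type: TXT, TTL: 300, data: '"v=spf1 ip4:192.0.2." "10 -all"' },
] };
const sampleDmarc = { Status: 0, Answer: [
  { name: "_dmarc.example.test", type: TXT, TTL: 300, data: '"v=DMARC1; p=none"' },
] };
console.log(auditMail(sampleDomain, sampleDmarc));
```

For a live check, pass the results of `lookup(domain, "TXT")` and `lookup("_dmarc." + domain, "TXT")` to `auditMail`.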
Frequently Asked Questions
Which DNS server does this tool use?
This tool queries Cloudflare's DNS-over-HTTPS (DoH) service at 1.1.1.1. DoH encrypts the DNS query inside an HTTPS connection, ensuring your lookups are not visible to network intermediaries such as ISPs or corporate proxies. Results reflect the global public DNS view as seen by Cloudflare's anycast resolver network, which covers over 300 data centres worldwide. This makes it reliable for verifying whether a DNS change has propagated globally, rather than just on your local resolver.
What DNS record types can I look up?
The tool supports A (IPv4 address), AAAA (IPv6 address), CNAME (canonical name alias), MX (mail exchanger, with priority), TXT (free-form text — used for SPF, DKIM, Google Search Console verification, and others), NS (authoritative nameservers), SOA (Start of Authority, containing zone serial and refresh timings), and CAA (Certification Authority Authorization, restricting which CAs can issue certificates for the domain). These cover the full set of records that DevOps and infrastructure teams interact with on a daily basis.
How long does DNS propagation take after changing records?
Propagation time is determined by the TTL (Time to Live) value set on the record being changed — a record with a 300-second TTL will be expired and re-fetched by resolvers within 5 minutes, while one with an 86400-second (24-hour) TTL can take up to a day to propagate fully across the internet. The best practice before a major DNS change such as a domain migration or load balancer cutover is to lower the TTL to 300 seconds at least 48 hours in advance, giving existing caches time to expire. Once you've made the change and confirmed it's working, you can raise the TTL back to a higher value to reduce resolver load. Note that some resolvers ignore TTL values and cache for longer than specified.