DNS Lookup

Full domain intelligence — all DNS records, email authentication analysis, provider detection, and health scoring in one place.

What is a DNS lookup?

The Domain Name System (DNS) is the internet's address book — it translates human-readable domain names like example.com into the IP addresses, mail server addresses, and configuration records that make email delivery, websites, and security policies work.

A DNS lookup queries authoritative nameservers to retrieve all the records published for a domain. For IT administrators, MSPs, and security professionals, understanding a domain's full DNS configuration is essential for troubleshooting email delivery, verifying security posture, identifying infrastructure providers, and detecting misconfigurations before they cause outages.

This tool goes beyond a simple dig/nslookup wrapper. It retrieves all record types, parses SPF/DMARC policies, discovers DKIM selectors, detects DNS and email providers, and calculates a domain health score — answering "what can you tell me about this domain?" rather than just showing raw records.

Understanding DNS record types

Each DNS record type serves a specific purpose. Here are the records this tool checks and what each one means.

| Record | Purpose | Example | Security role |
|--------|---------|---------|---------------|
| A | Maps domain to IPv4 address | 104.21.45.67 | Origin server identity |
| AAAA | Maps domain to IPv6 address | 2606:4700::6815 | IPv6 connectivity |
| MX | Mail server for inbound email | 10 mail.example.com | Email routing |
| TXT | Text data (SPF, DKIM, verification) | v=spf1 … -all | Email authentication |
| NS | Authoritative nameservers | ns1.cloudflare.com | DNS delegation |
| CNAME | Alias pointing to another hostname | www → example.com | CDN / load balancing |
| SOA | Zone authority metadata | Serial, TTL values | Zone management |
| CAA | Permitted certificate authorities | 0 issue "letsencrypt.org" | Certificate security |

How DNS affects email security

Three DNS-based standards — SPF, DKIM, and DMARC — work together to authenticate email and protect domains from spoofing and phishing. All three are published as DNS records.

SPF — Sender Policy Framework

Published as a TXT record, SPF lists which mail servers are authorised to send email for a domain. When a receiving server gets a message, it checks the sending IP against the SPF record. SPF has a hard limit of 10 DNS lookups — exceeding this causes a PermError that may result in mail rejection.

DKIM — DomainKeys Identified Mail

DKIM uses asymmetric cryptography to sign outgoing emails. The public key is published as a DNS TXT record at selector._domainkey.domain. Receivers verify the signature to confirm the email wasn't modified in transit.

DMARC — Policy and Reporting

Published at _dmarc.domain, DMARC tells receiving servers what to do with messages that fail SPF or DKIM:

  • p=none — monitor only, no filtering
  • p=quarantine — send failing mail to spam
  • p=reject — block failing mail entirely

DMARC also enables aggregate reporting (rua) so domain owners can see which servers are sending email as their domain — critical for detecting phishing campaigns.

Common DNS misconfigurations

Email authentication problems

  • No SPF record — any server can send email claiming to be from your domain
  • SPF +all — permits every server on the internet, defeating the purpose of SPF entirely
  • SPF lookup limit exceeded — more than 10 DNS lookups causes PermError and mail rejection
  • No DMARC record — spoofed email is delivered with no enforcement
  • DMARC p=none — monitoring only, no active protection against spoofing
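
The five checks listed above, as an added example (not this tool's own code): a Python audit that runs offline over constructed TXT data, with every domain name hypothetical. It follows include and redirect targets so the lookup count reflects nested records, not just the top-level one.

```python
# Added example. ZONE is constructed sample TXT data; every name is hypothetical.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "open.example": ["v=spf1 +all"],
    "_dmarc.open.example": ["v=DMARC1; p=none"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.heavy.example" for i in range(11)) + " ~all"],
}
# Eleven include targets push heavy.example past the limit of 10 lookups.
ZONE.update({f"s{i}.heavy.example": [f"v=spf1 ip4:198.51.100.{i} -all"] for i in range(11)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_record(zone, name):  # first TXT string that is an SPF record, else None
    return next((t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]), None)

def count_lookups(zone, name, seen=None):
    """Count DNS-querying SPF terms, following include/redirect targets."""
    seen = set() if seen is None else seen
    if name in seen:  # a loop; real evaluators treat this as PermError
        return 0
    seen.add(name)
    total = 0
    for term in (spf_record(zone, name) or "").lower().split()[1:]:
        key, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if key.split("/")[0] in LOOKUP_TERMS:  # "a/24" and "mx/24" still query DNS
            total += 1
            if key in ("include", "redirect") and target:
                total += count_lookups(zone, target, seen)
    return total

def audit(zone, domain):
    """Return the misconfiguration labels from the list above that apply."""
    findings = []
    spf = spf_record(zone, domain)
    if spf is None:
        findings.append("no-spf")
    else:
        if {"+all", "all"} & set(spf.lower().split()):  # bare "all" defaults to "+"
            findings.append("spf-plus-all")
        if count_lookups(zone, domain) > 10:
            findings.append("spf-lookup-limit")
    dmarc = [t for t in zone.get("_dmarc." + domain, []) if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no-dmarc")
    else:
        tags = dict(p.strip().split("=", 1) for p in dmarc[0].lower().split(";") if "=" in p)
        if tags.get("p") == "none":
            findings.append("dmarc-p-none")
    return findings
```

To run the same checks against live data, populate the zone dictionary from real TXT lookups for the domain, its `_dmarc` name, and each include or redirect target.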

Infrastructure and certificate warnings

  • No CAA record — any certificate authority can issue certificates for your domain, enabling potential certificate misissuance
  • Single nameserver — no redundancy; if the nameserver fails, the entire domain becomes unreachable
  • No AAAA record — IPv6 users cannot reach your website directly
  • DNSSEC not enabled — DNS responses are not cryptographically signed, leaving the domain vulnerable to cache poisoning
  • High TTL before a migration — resolvers cache the old record for too long during DNS changes

Frequently asked questions

What is a DNS lookup?

A DNS lookup queries the Domain Name System to retrieve records associated with a domain. DNS records map domain names to IP addresses, mail servers, and configuration data. This tool retrieves all common DNS record types and analyzes them for security and configuration issues.

What is an A record?

An A record maps a domain name to an IPv4 address (e.g. 104.21.45.67). When a browser looks up a domain, it uses the A record to find the IP address of the web server. CDN services like Cloudflare proxy traffic through their own IP ranges, hiding the origin server.

What is an MX record?

An MX (Mail Exchanger) record tells sending mail servers which servers to deliver email to for a domain. The priority number in an MX record determines order — lower numbers are tried first. Multiple MX records provide redundancy so email delivery continues if one server is down.

What is a TXT record used for?

TXT records store arbitrary text data and serve many purposes: SPF for email authentication, DMARC policy publication, DKIM key publishing, domain ownership verification for Google Search Console and other services, and multi-string data for various security tools. A domain can have multiple TXT records.

What is a CAA record?

A CAA (Certification Authority Authorization) record specifies which certificate authorities are allowed to issue SSL/TLS certificates for a domain. For example, 0 issue "letsencrypt.org" means only Let's Encrypt can issue certificates. Without a CAA record, any CA can issue, which increases the risk of fraudulent certificate issuance.

What is SPF?

SPF (Sender Policy Framework) is a TXT DNS record that authorises which mail servers can send email as your domain. If a sending server's IP isn't in the SPF record, the receiving server can reject or mark the message as suspicious. SPF has a hard limit of 10 DNS lookups — exceeding this causes a PermError that may result in legitimate email being rejected.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) publishes a policy at _dmarc.yourdomain.com that tells receiving servers what to do with email that fails SPF or DKIM: monitor (p=none), send to spam (p=quarantine), or reject (p=reject). DMARC also enables reports so you can see who is sending email as your domain.

Why do many domains use Cloudflare?

Cloudflare provides DNS hosting, DDoS protection, a global CDN, and web application firewall services. Domains using Cloudflare nameservers (ns1.cloudflare.com, ns2.cloudflare.com) benefit from fast DNS propagation and optional IP proxying that hides the origin server. Cloudflare is detectable by its specific IP ranges and nameserver hostnames.

What is a nameserver?

A nameserver (NS record) is the DNS server that holds and answers queries for a domain. When you register a domain, you point it to authoritative nameservers that store all the DNS records. Common providers include Cloudflare (ns1.cloudflare.com), Amazon Route 53 (awsdns-*.com), and Azure DNS (azure-dns.com). Having at least two nameservers provides redundancy.

How long does DNS propagation take?

Propagation time equals the TTL of the record being changed. If the old record had a TTL of 3600 (one hour), resolvers that cached it will serve the old value for up to one hour. To reduce propagation time, lower your TTL to 300 seconds at least 24 hours before making the change, then raise it again afterward. Nameserver changes at the registrar level can take 24–48 hours regardless of TTL.