Every time you type a URL into a browser, an invisible chain of lookups happens in milliseconds — translating a human-readable domain name like example.com into a machine-readable IP address like 93.184.216.34. This system is the Domain Name System (DNS), and understanding it is non-negotiable for web developers, DevOps engineers and sysadmins. A DNS lookup tool lets you query this system directly, bypassing your OS cache and browser cache, to see the live state of any domain's DNS records.
Whether you're debugging why your newly deployed site isn't resolving, verifying that your MX records are correctly pointing to your email provider, or checking SPF/DKIM TXT records for email deliverability — a DNS lookup tool is your go-to diagnostic weapon. This guide covers everything from how DNS resolution actually works, to reading record outputs, understanding propagation delays, diagnosing common issues and hardening your setup with DNSSEC and DNS-over-HTTPS.
Run a DNS Lookup Now
Query A, AAAA, MX, CNAME, TXT and all DNS record types for any domain. Free, no login required, real-time results from multiple global resolvers.
What is DNS and How Does Domain Name Resolution Work?
DNS is a globally distributed, hierarchical database. When your computer needs to resolve api.github.com, it goes through a multi-step process called recursive resolution:
The DNS Resolution Chain
- Local cache check — Your OS checks its local DNS cache first. On Linux, run
resolvectl statistics; on Windows,ipconfig /displaydns. - Recursive resolver — If not cached, the query goes to your configured resolver (e.g.,
8.8.8.8for Google,1.1.1.1for Cloudflare). - Root nameservers — The resolver asks one of 13 root nameserver clusters (a.root-servers.net through m.root-servers.net) which TLD nameserver handles
.com. - TLD nameservers — The
.comTLD nameserver returns the authoritative nameservers forgithub.com. - Authoritative nameserver — The authoritative nameserver returns the actual record (e.g., the A record for
api.github.com).
# Trace the full resolution path with dig
dig +trace api.github.com A
# Example output excerpt:
# . 82893 IN NS a.root-servers.net.
# com. 172800 IN NS a.gtld-servers.net.
# github.com. 172800 IN NS ns1.p16.dynect.net.
# api.github.com. 60 IN A 140.82.112.6
DNS Query Types
- Recursive query — Sent by your client to the resolver. "Give me the final answer."
- Iterative query — Used between resolvers and authoritative servers. "Give me the best answer you have or a referral."
- Non-recursive query — The resolver already has the answer cached.
# Query with specific nameserver (bypass local resolver)
dig @8.8.8.8 github.com A
# Check what nameserver your system uses
cat /etc/resolv.conf # Linux/macOS
# nameserver 192.168.1.1
# Windows equivalent
ipconfig /all | findstr "DNS Servers"
DNS Record Types Explained: A, AAAA, MX, CNAME, TXT, NS, SOA
DNS records are the individual entries stored in a zone file. Each type has a specific purpose. Knowing them prevents hours of misconfiguration debugging.
| Record Type | Full Name | Purpose | Example Value | Common Use Cases |
|---|---|---|---|---|
| A | Address | Maps domain to IPv4 | 93.184.216.34 |
Web servers, API endpoints |
| AAAA | IPv6 Address | Maps domain to IPv6 | 2606:2800:220:1:248:1893:25c8:1946 |
Dual-stack sites, CDN IPv6 |
| CNAME | Canonical Name | Alias to another domain | myapp.vercel.app. |
CDN, subdomains, SaaS |
| MX | Mail Exchange | Email routing with priority | 10 mail.example.com. |
Email delivery, Google Workspace |
| TXT | Text | Arbitrary text, verification | v=spf1 include:_spf.google.com ~all |
SPF, DKIM, DMARC, site verify |
| NS | Name Server | Authoritative nameservers | ns1.cloudflare.com. |
Domain delegation |
| SOA | Start of Authority | Zone metadata | Serial, refresh, retry intervals | Zone transfers, serial tracking |
| PTR | Pointer | Reverse DNS (IP to domain) | mail.example.com. |
Email reputation, spam filters |
| SRV | Service | Service location with port/priority | 10 5 5060 sip.example.com. |
SIP, XMPP, game servers |
| CAA | Certification Authority Authorization | Which CAs can issue SSL certs | 0 issue "letsencrypt.org" |
SSL security policy |
Real Record Examples from Zone Files
; A records
example.com. 3600 IN A 93.184.216.34
www.example.com. 3600 IN A 93.184.216.34
; AAAA record
example.com. 3600 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
; CNAME — note: trailing dot is mandatory in zone files
blog.example.com. 3600 IN CNAME myapp.vercel.app.
; MX records with priorities
example.com. 3600 IN MX 1 aspmx.l.google.com.
example.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
example.com. 3600 IN MX 10 alt2.aspmx.l.google.com.
; TXT — SPF record
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
; TXT — DMARC record
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
; NS records
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
; SOA record
example.com. 3600 IN SOA ns1.cloudflare.com. dns.cloudflare.com. (
2026031901 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (7 days)
3600 ) ; minimum TTL
example.com CANNOT be a CNAME — only subdomains like www.example.com can. Use ALIAS/ANAME records or Cloudflare's "CNAME flattening" for apex domains.
How to Read DNS Lookup Results: TTL, Priority and Response Codes
A raw DNS response contains more information than most tools surface by default. Here's how to interpret every field.
Anatomy of a dig Response
$ dig github.com A
; <<>> DiG 9.18.0 <<>> github.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;github.com. IN A
;; ANSWER SECTION:
github.com. 60 IN A 140.82.114.4
;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Mar 19 10:00:00 UTC 2026
;; MSG SIZE rcvd: 55
Field-by-Field Breakdown
| Field | Value in Example | What it Means |
|---|---|---|
| status | NOERROR | Query succeeded. Other codes: NXDOMAIN (domain doesn't exist), SERVFAIL (server error), REFUSED (query refused) |
| flags: qr | present | This is a Query Response (not a question) |
| flags: rd | present | Recursion Desired — client asked for full resolution |
| flags: ra | present | Recursion Available — server supports recursion |
| flags: aa | absent | Authoritative Answer — only present when querying the authoritative nameserver directly |
| TTL | 60 | Time To Live in seconds. After 60s, cached copies expire and must be re-fetched. |
| Class | IN | Internet class. Almost always IN. Others (CH, HS) are legacy. |
DNS Response Codes (RCODEs)
| RCODE | Name | Meaning | Common Cause |
|---|---|---|---|
| 0 | NOERROR | Success | — |
| 1 | FORMERR | Format error | Malformed query |
| 2 | SERVFAIL | Server failure | Nameserver misconfiguration, DNSSEC failure |
| 3 | NXDOMAIN | Non-existent domain | Domain not registered, typo in domain name |
| 4 | NOTIMP | Not implemented | Query type not supported by server |
| 5 | REFUSED | Query refused | Access control policy, rate limiting |
Understanding TTL Strategy
# Low TTL = faster propagation but more DNS queries (cost + latency)
# Typical values:
# 60 — Active change in progress (lower before migrations)
# 300 — Dynamic or frequently-changed records
# 3600 — Standard web records
# 86400 — Stable NS, MX records
# 604800 — SOA expire (7 days)
# Check TTL and watch it count down:
watch -n 10 "dig +nocmd +noall +answer github.com A"
DNS Propagation: Why Changes Take Time and How to Check Status
When you change a DNS record, the new value doesn't instantly appear everywhere. Each resolver around the world has cached the old value and will keep serving it until that cache expires — this is DNS propagation, and it can take anywhere from minutes to 48 hours.
The Propagation Math
Old TTL on your A record: 3600 seconds (1 hour)
Time zero: You change 203.0.113.10 → 198.51.100.20 at your registrar.
T+0 — Authoritative nameserver has new record (immediate).
T+0 — Resolvers that query NOW get the new value.
T+60m — All resolvers that queried in the last hour expire their cache.
T+60m — Effective propagation complete (for TTL=3600).
With TTL=86400 (24h default), worst case is 24–48h.
How to Pre-Reduce Propagation Time
Lower TTL 24–48 hours before making changes:
# Step 1: 48h before migration, lower TTL to 300s (5 min)
# (Do this in your DNS provider's dashboard)
# Step 2: Verify the low TTL has propagated
dig +nocmd +noall +answer example.com A
# example.com. 300 IN A 203.0.113.10
# Step 3: Make your DNS change
# Step 4: Wait 5 minutes
# Step 5: After confirmed working, raise TTL back to 3600+
Checking Propagation Across Global Resolvers
# Query multiple public resolvers manually:
for resolver in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222 64.6.64.6; do
echo -n "$resolver: "
dig @$resolver +short example.com A
done
# Output during propagation:
# 8.8.8.8: 203.0.113.10 (old - cached)
# 1.1.1.1: 198.51.100.20 (new - already updated)
# 9.9.9.9: 198.51.100.20 (new)
# 208.67.222.222: 203.0.113.10 (old - cached)
# 64.6.64.6: 198.51.100.20 (new)
Common DNS Issues and How to Diagnose Them
Most DNS problems fall into a handful of categories. Here's a systematic diagnostic playbook.
Issue 1: NXDOMAIN — Domain Not Found
dig example-newsite.com A
# status: NXDOMAIN
# Diagnose:
# 1. Check domain registration
whois example-newsite.com | grep -E "Expir|Status|Name Server"
# 2. Check if nameservers are set
dig example-newsite.com NS
# If NXDOMAIN here too, domain isn't registered or NS not set.
# 3. Verify with registrar's authoritative server directly
dig @a.iana-servers.net example-newsite.com A
Issue 2: SERVFAIL — Server Failure
dig example.com A
# status: SERVFAIL
# Common causes:
# - DNSSEC validation failure (most common in 2026)
# - Nameserver misconfiguration
# - Zone file syntax error
# Test without DNSSEC validation:
dig +cd example.com A # +cd = checking disabled
# If this succeeds, DNSSEC is broken.
# Check DNSSEC chain:
dig +dnssec example.com A
dig example.com DNSKEY
dig example.com DS
Issue 3: Wrong IP / Cached Old Record
# Flush local DNS cache:
# macOS
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
# Linux (systemd-resolved)
sudo resolvectl flush-caches
# Windows
ipconfig /flushdns
# Then verify:
dig +short example.com A # Should show new IP
Issue 4: Email Delivery Problems (MX/SPF/DKIM)
# Check MX records
dig example.com MX
# 10 aspmx.l.google.com.
# Verify SPF record
dig example.com TXT | grep "spf"
# "v=spf1 include:_spf.google.com ~all"
# Verify DKIM (selector depends on your email provider)
dig google._domainkey.example.com TXT
# "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
# Verify DMARC
dig _dmarc.example.com TXT
# "v=DMARC1; p=reject; rua=mailto:reports@example.com"
Issue 5: CNAME Chain / Loop
# CNAME chains slow resolution. Maximum recommended depth: 3
dig +trace www.example.com CNAME
# Detect loops — this will hang or timeout:
# A CNAME → B CNAME → A (loop!)
# Fix: resolve CNAME chain manually and check for circularity
dig +short www.example.com CNAME # Get first target
dig +short [target] CNAME # Follow chain
DNS Security: DNSSEC, DNS over HTTPS (DoH) and DNS Hijacking
DNS was designed in the 1980s without security in mind. Modern DNS security layers address three attack vectors: cache poisoning, man-in-the-middle interception, and DNS hijacking.
DNSSEC — Cryptographic Integrity
DNSSEC adds digital signatures to DNS records. Resolvers can verify that records haven't been tampered with in transit.
# Check if a domain has DNSSEC enabled
dig +dnssec example.com A
# Look for RRSIG record in the additional section
# RRSIG A 13 2 3600 20260419000000 20260319000000 34505 example.com. [signature]
# Check DS record at parent zone (proves chain of trust)
dig example.com DS
# Verify DNSSEC chain with online tools:
# https://dnsviz.net/d/example.com/dnssec/
# Check DNSKEY (zone signing key)
dig example.com DNSKEY
# 257 3 13 [key-data] ← KSK (Key Signing Key)
# 256 3 13 [key-data] ← ZSK (Zone Signing Key)
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries travel in plaintext on UDP port 53. DoH encrypts queries inside HTTPS; DoT uses TLS on port 853.
# Query Cloudflare's DoH endpoint directly with curl
curl -s "https://cloudflare-dns.com/dns-query?name=github.com&type=A" -H "accept: application/dns-json" | jq '.Answer[]'
# Output:
# {
# "name": "github.com.",
# "type": 1,
# "TTL": 60,
# "data": "140.82.114.4"
# }
# Configure systemd-resolved to use DoT (Linux)
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
DNSOverTLS=yes
DNS Hijacking Attack Vectors
| Attack Type | How It Works | Defense |
|---|---|---|
| Cache Poisoning | Attacker injects false records into a resolver's cache | DNSSEC, QNAME minimisation, randomised source ports |
| Registrar Hijacking | Attacker gains control of domain registrar account | Registrar lock, 2FA, registry lock for high-value domains |
| BGP Hijacking | Attacker announces more-specific routes to intercept traffic | RPKI, monitoring (BGPmon), anycast DNS |
| ISP Interception | ISP redirects NXDOMAIN responses to their own search page | DoH/DoT bypasses ISP resolver entirely |
| Malware DNS Changer | Malware changes system's DNS server to attacker-controlled server | DoH at browser level, network monitoring |
When to Use DNS Lookup: Developer Workflows and Sysadmin Use Cases
A DNS lookup tool isn't just for troubleshooting — it's a core part of deployment verification, security auditing and infrastructure planning.
Developer Deployment Checklist
# Before deploying a new domain/subdomain:
# 1. Verify A record points to correct server
dig +short api.myapp.com A
# Expected: 198.51.100.42
# 2. Confirm TLS cert can be issued (check CAA)
dig myapp.com CAA
# 0 issue "letsencrypt.org" ← Only Let's Encrypt can issue certs
# 3. Verify CDN CNAME is set correctly
dig +short static.myapp.com CNAME
# myapp.azureedge.net.
# 4. Check email infrastructure
dig myapp.com MX
dig myapp.com TXT # SPF, DKIM, DMARC
# 5. Confirm HTTPS redirects work (check both A and AAAA for dual-stack)
dig +short myapp.com AAAA
Sysadmin Use Cases
- Post-migration validation — Confirm all records updated after server move
- Reverse DNS for email reputation —
dig -x 198.51.100.42confirms PTR record matches your mail server hostname - Monitoring nameserver health — Query each NS directly to ensure all are returning consistent answers
- Subdomain enumeration (authorized) — Use DNS zone transfer attempts or tooling like
subfinderduring security audits - Cloud infrastructure verification — Confirm AWS Route53/Cloudflare records match Terraform-defined state
# Check all 4 nameservers return the same answer (consistency check)
for ns in ns1.cloudflare.com ns2.cloudflare.com ns3.cloudflare.com ns4.cloudflare.com; do
echo -n "$ns: "
dig @$ns +short example.com A
done
# Reverse DNS lookup
dig -x 140.82.114.4 +short
# lb-140-82-114-4-fra.github.com.
# Zone transfer attempt (legitimate on your own zones)
dig @ns1.example.com example.com AXFR
# SOA serial check across nameservers (should match)
for ns in ns1 ns2; do
dig @$ns.example.com example.com SOA +short | awk '{print "$ns:", $3}'
done
Automation and CI/CD Integration
#!/bin/bash
# DNS health check script for CI/CD pipeline
DOMAIN="api.myapp.com"
EXPECTED_IP="198.51.100.42"
ACTUAL_IP=$(dig +short $DOMAIN A | head -1)
if [ "$ACTUAL_IP" = "$EXPECTED_IP" ]; then
echo "✓ DNS OK: $DOMAIN → $ACTUAL_IP"
exit 0
else
echo "✗ DNS MISMATCH: expected $EXPECTED_IP, got $ACTUAL_IP"
exit 1
fi
How to Use the Tool (Step by Step)
- 1
Enter a domain name
Type any domain (e.g., github.com or api.stripe.com) into the DNS Lookup tool input field. You can include subdomains.
- 2
Select the record type
Choose from A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV or ALL. Select ALL to see every record type in a single lookup.
- 3
Choose a DNS resolver (optional)
Optionally override the default resolver. Use 8.8.8.8 (Google), 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) to bypass your local cache.
- 4
Run the lookup
Click 'Lookup' and the tool queries DNS in real time. Results appear within 1–3 seconds showing record values, TTL and response status.
- 5
Interpret the results
Review each record's value, TTL (seconds until cache expiry) and class (should be IN). Check the status code — NOERROR means success; NXDOMAIN means the record doesn't exist.
- 6
Compare across resolvers
Run the same lookup against different resolvers to check for propagation inconsistencies — if answers differ, your change is still propagating.
Frequently Asked Questions
How long does DNS propagation take in 2026?+−
Propagation time equals the TTL of the old record at the time you make the change. If your old A record had a TTL of 3600 (1 hour), full propagation takes up to 1 hour. With a TTL of 86400 (24 hours), it can take 24–48 hours. Best practice: lower TTL to 300 seconds 24–48 hours before any planned DNS change.
What is the difference between A record and CNAME record?+−
An A record maps a domain directly to an IPv4 address (e.g., example.com → 93.184.216.34). A CNAME record creates an alias pointing to another domain name (e.g., www.example.com → example.com). CNAME records add one extra DNS lookup but let you point multiple subdomains to the same target and update them all by changing one A record. You cannot use a CNAME at the zone apex (root domain).
Why does my DNS lookup show a different IP than what nslookup shows?+−
Different tools use different resolvers and may have different cached values. dig and nslookup can be configured to query different servers. Your OS resolver may have a cached old value. Use `dig @8.8.8.8` to bypass your local cache and query Google's resolver directly for a ground-truth answer.
What does TTL 0 mean in a DNS record?+−
A TTL of 0 means the record should not be cached at all — every query must go to the authoritative nameserver. This is extremely rare in practice because it creates massive load on authoritative servers and increases latency for every user. It's sometimes used for failover scenarios where you need instant switching.
Can I use DNS lookup to check email configuration?+−
Yes — query MX records to see email routing, TXT records for SPF (v=spf1...) and DMARC (_dmarc.example.com TXT), and the DKIM selector TXT record (e.g., google._domainkey.example.com TXT). Correct SPF, DKIM and DMARC records are essential for email deliverability and preventing spoofing.
What is DNSSEC and do I need it?+−
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify the records haven't been tampered with. For most websites, it provides meaningful protection against cache poisoning attacks. Major TLDs (.com, .net, .org) support DNSSEC. If your registrar and DNS provider both support it, enabling DNSSEC is recommended for any production domain, especially for financial, healthcare or government sites.
Run a DNS Lookup Now
Query A, AAAA, MX, CNAME, TXT and all DNS record types for any domain. Free, no login required, real-time results from multiple global resolvers.
Open DNS Lookup ToolRelated Guides
URL Encode & Decode — What It Is, How It Works & When to Use It
Developer guide to URL encoding: percent-encoding, query strings, and common pitfalls
JSON Formatter Guide
A complete developer reference for JSON syntax, common errors, formatting options, and how to validate JSON in any language or tool.
Regex Tester — Test Regular Expressions Online Free (2026)
Test and debug regex patterns with real-time matching, syntax highlighting, and cheat sheet. Free, browser-based.