DNS Lookup Tool

This DNS lookup tool queries DNS records for any domain directly from your browser using Cloudflare's DNS-over-HTTPS endpoint. Inspect A, AAAA, CNAME, MX, TXT, NS, SOA, and CAA records without installing dig or nslookup. Every query runs client-side, so your lookups never touch our servers; they travel encrypted to Cloudflare's 1.1.1.1 public resolver and back. Useful for debugging propagation issues, verifying SPF/DKIM/DMARC records, checking mail routing, auditing CAA policies, and confirming nameserver delegation during domain migrations or DNS provider switches.

Last updated: March 2026
Privacy note: Queries are sent from your browser directly to Cloudflare's public DNS-over-HTTPS resolver (1.1.1.1 / cloudflare-dns.com). Nothing is logged by this site. See Cloudflare's resolver privacy policy for their logging practices.

Frequently Asked Questions

What is a DNS lookup?
A DNS lookup queries the Domain Name System to translate a human-readable hostname (like example.com) into machine-readable metadata — most commonly IP addresses for an A (IPv4) or AAAA (IPv6) record, but also mail servers (MX), text metadata (TXT — used for SPF, DKIM, DMARC, domain verification), authoritative name servers (NS), or certificate authority policy (CAA). Every time you load a web page, send an email, or open an app, a chain of DNS lookups happens behind the scenes before a single byte of application data is exchanged.
How does this DNS lookup tool work?
The tool is 100% client-side JavaScript. When you click Lookup, your browser issues a fetch() request to https://cloudflare-dns.com/dns-query?name=DOMAIN&type=TYPE with the Accept: application/dns-json header. Cloudflare responds with a standard DoH JSON payload, which we parse to build the results table. Because the request goes straight from your browser to Cloudflare over HTTPS, neither this site nor any intermediate network can see the domain you looked up. Cloudflare, as the resolver, does see the query.
What DNS record types can I query?
Eight core types are supported: A (IPv4 address), AAAA (IPv6 address), CNAME (canonical alias — points one name at another), MX (mail exchanger with priority), TXT (free-form text, often used for SPF, DKIM, DMARC, site verification, and domain ownership proofs), NS (authoritative name servers for the zone), SOA (start of authority, containing serial and timing data), and CAA (which CAs are allowed to issue TLS certificates). These cover essentially every day-to-day DNS troubleshooting need.
Why are my DNS changes not showing up?
DNS is aggressively cached at every layer — your OS stub resolver, your ISP's recursive resolver, and every public resolver in between. Each cached answer has a TTL (time-to-live) measured in seconds. After editing a record at your registrar, propagation typically takes anywhere from a few minutes to several hours, occasionally up to 48 hours for records with long TTLs (86400 = 24 h is common). Lower the TTL a day or two before a planned migration so changes go live faster. This tool always queries Cloudflare's live cache, which usually updates quickly after authoritative changes.
What is DNS-over-HTTPS (DoH)?
DNS-over-HTTPS (DoH, defined in RFC 8484) encrypts DNS queries over a standard HTTPS connection instead of the traditional plaintext UDP port 53. This prevents ISPs, coffee-shop Wi-Fi, or on-path attackers from seeing or tampering with which domains you resolve. Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) all operate DoH endpoints. Browsers like Firefox and Chrome can be configured to use DoH for all lookups. This tool uses Cloudflare's because it returns a clean JSON response format that parses nicely in-browser.
How do I read MX, TXT, and SOA record answers?
MX records look like 10 mail.example.com. — the number is the preference (lower = higher priority). TXT records are arbitrary strings shown in quotes; SPF records start with v=spf1, DMARC with v=DMARC1, and DKIM with v=DKIM1. SOA records contain seven fields: primary NS, admin email (with . in place of @), serial number, refresh, retry, expire, and minimum TTL. The serial number typically increments on every zone edit — useful for confirming a DNS change has been pushed.
What does an NXDOMAIN response mean?
NXDOMAIN ("non-existent domain") is DNS response code 3, signaling that the queried name definitely does not exist in the zone. It's distinct from an empty answer (code 0 with no records) — NXDOMAIN means the name itself has no entries of any type. Common causes: the domain is unregistered, you have a typo, or the authoritative nameservers genuinely don't list it. Also check for the CD (checking disabled) or AD (authenticated data) flags if you're debugging DNSSEC.
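
The parsing steps described in the answers above (the DoH JSON request, reading MX and SOA data, and telling NXDOMAIN apart from an empty answer) can be sketched as follows. This is an added example, not the tool's own code: the function names and sample payloads are constructed for illustration, and the JSON field names (Status, AD, Answer, name, type, TTL, data) are those of the DoH JSON response format.

```javascript
// Added example. Function and sample names are illustrative, not the tool's code.
const RCODES = { 0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED" };
const TYPE_NAMES = { 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA", 257: "CAA" };

// Split the type-specific "data" string into named fields for MX and SOA.
function parseData(type, data) {
  const f = data.trim().split(/\s+/);
  if (type === 15) return { preference: Number(f[0]), exchange: f[1] };
  if (type === 6) {
    const [mname, rname, ...timers] = f;
    const [serial, refresh, retry, expire, minimum] = timers.map(Number);
    // The first unescaped "." in the admin field stands in for "@".
    const email = rname.replace(/(?<!\\)\./, "@").replace(/\\\./g, ".").replace(/\.$/, "");
    return { mname, email, serial, refresh, retry, expire, minimum };
  }
  return { value: data };
}

function interpretDoh(json) {
  const records = (json.Answer ?? []).map((r) => ({
    name: r.name, type: TYPE_NAMES[r.type] ?? `TYPE${r.type}`, ttl: r.TTL,
    ...parseData(r.type, r.data),
  }));
  // Status 3: the name does not exist. Status 0 with no Answer: the name
  // exists but has no record of the requested type (an empty answer, NODATA).
  let outcome = RCODES[json.Status] ?? `RCODE${json.Status}`;
  if (json.Status === 0) outcome = records.length ? "ANSWER" : "NODATA";
  return { outcome, dnssecValidated: json.AD === true, records };
}

// Live query as the FAQ describes it; not called here so the block runs offline.
async function lookup(name, type) {
  const qs = new URLSearchParams({ name, type });
  const res = await fetch(`https://cloudflare-dns.com/dns-query?${qs}`,
    { headers: { Accept: "application/dns-json" } });
  if (!res.ok) throw new Error(`DoH HTTP ${res.status}`);
  return interpretDoh(await res.json());
}

// Constructed sample payloads (not captured from a real resolver).
const SAMPLE_MX = { Status: 0, AD: false, Answer: [
  { name: "example.com", type: 15, TTL: 300, data: "10 mail.example.com." }] };
const SAMPLE_SOA = { Status: 0, AD: true, Answer: [{ name: "example.com", type: 6, TTL: 3600,
  data: "ns1.example.com. john\\.doe.example.com. 2026030101 7200 3600 1209600 300" }] };
const SAMPLE_NODATA = { Status: 0, AD: false };
const SAMPLE_NXDOMAIN = { Status: 3, AD: false };

console.log(interpretDoh(SAMPLE_SOA).records[0], interpretDoh(SAMPLE_NXDOMAIN).outcome);
```

Comparing the SOA serial returned here before and after a zone edit is a quick way to confirm that the change has reached the resolver.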