DNS Lookup

Every record type in one scroll, with SPF / DMARC / CAA / DNSSEC health checks

Look up A, AAAA, MX, TXT, NS, CNAME, SOA, and CAA records for any domain in a single query. Each record type comes with a plain-language explanation, TTL, and DNSSEC validation status. The health-check summary auto-flags common misconfigurations — multiple SPF records (a silent break), missing CAA, weak SPF terminators, DKIM selector hints, DMARC reminders. Filter to any subset of types using the chips, or hit ?types=CNAME in the URL for direct linking. Runs in your browser against Cloudflare DNS-over-HTTPS — no logs.

Try these

Click any example to run the lookup with that exact configuration.

google.com: Full lookup, every type

Default behavior — all 8 record types in parallel. Shows MX with multiple priority levels, a long SPF chain, several verification TXT records, and CAA locking down certificate issuance.

_dmarc.google.com: DMARC enforcement

DMARC records live at _dmarc.<domain>, not the apex. This is how you check whether a domain publishes DMARC and at what enforcement (p=none monitors only, p=quarantine sends to spam, p=reject blocks).

DKIM lives at <selector>._domainkey.<domain>. Selectors are vendor-specific — google for Google Workspace, k1 for Mailchimp, selector1 / selector2 for Microsoft 365. This is how you verify a published DKIM key.

Single record type via the types URL parameter. Useful when you only need to verify a specific record after a config change. Double-clicking a chip in the form does the same thing.

A + AAAA filter. Useful for IP allowlist verification before a firewall change. Note that both Cloudflare and Google's anycast addresses return whichever edge POP is closest to the resolver.

.invalid is reserved by RFC 2606 and never resolves. Triggers the NXDOMAIN path with a deep-link to the Domain Inspector for registration check.

What DNS records do (in 200 words)

Every domain has a set of DNS records that tell the internet what to do with it. A and AAAA records point the domain at a server's IPv4 and IPv6 addresses, respectively. MX records say where to deliver mail. NS records list the authoritative nameservers that hold the zone. CNAME records alias one name to another. SOA is the zone's metadata. CAA restricts which Certificate Authorities can issue SSL certs. TXT is a catch-all used by anti-spoofing protocols (SPF, DMARC, DKIM), service verification (Google, Microsoft, Facebook), and ad-hoc metadata.

Each record has a TTL (Time-to-Live) — how long resolvers can cache it before re-checking. Low TTL means changes propagate fast (minutes); high TTL means slow (hours to a day). Lower the TTL before a planned change.

Email auth in one glance

  • SPF (TXT at the apex starting with v=spf1) — lists which servers may send mail as you. Should end in ~all (soft fail) or -all (hard fail). Only one SPF record per domain.
  • DKIM (TXT at <selector>._domainkey.example.com) — public key for signing outbound mail.
  • DMARC (TXT at _dmarc.example.com) — policy for receivers when SPF/DKIM fails. Start at p=none for monitoring, escalate to p=reject.

The health-check card flags SPF / DMARC issues automatically.
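One way to implement the SPF and DMARC checks listed above, as an added example (not this tool's own code). The finding names, `sampleZone` and its records are constructed for illustration, and TXT values are assumed to be already unquoted.

```javascript
function checkSpf(apexTxt) {
  const spf = apexTxt.filter((t) => /^v=spf1(\s|$)/i.test(t));
  if (spf.length === 0) return ["spf-missing"];
  const findings = [];
  // RFC 7208: more than one v=spf1 record makes receivers return permerror.
  if (spf.length > 1) findings.push("spf-multiple");
  for (const rec of spf) {
    const terms = rec.trim().split(/\s+/).slice(1);
    const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
    const hasRedirect = terms.some((t) => /^redirect=/i.test(t));
    if (!all) {
      // Without "all" or redirect=, unmatched senders get a neutral result.
      if (!hasRedirect) findings.push("spf-no-terminator");
    } else if (/^\+?all$/i.test(all)) {
      findings.push("spf-pass-all"); // "+all" or bare "all" authorizes everyone
    } else if (all.startsWith("?")) {
      findings.push("spf-neutral-all");
    }
  }
  return findings;
}

function checkDmarc(dmarcTxt) {
  const recs = dmarcTxt.filter((t) => /^v\s*=\s*DMARC1\s*(;|$)/.test(t));
  if (recs.length === 0) return ["dmarc-missing"];
  if (recs.length > 1) return ["dmarc-multiple"]; // receivers skip DMARC entirely
  const tags = {};
  for (const part of recs[0].split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  const p = (tags.p || "").toLowerCase();
  if (!["none", "quarantine", "reject"].includes(p)) return ["dmarc-invalid-policy"];
  return p === "none" ? ["dmarc-monitor-only"] : [];
}

// Constructed sample: TXT at example.com (apex) and at _dmarc.example.com.
const sampleZone = {
  apex: [
    "google-site-verification=constructed-token",
    "v=spf1 include:_spf.example.net ~all",
    "v=spf1 ip4:192.0.2.10 +all",
  ],
  dmarc: ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
};

function healthCheck(zone) {
  return [...checkSpf(zone.apex), ...checkDmarc(zone.dmarc)];
}
```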

DNSSEC and CAA

DNSSEC signs DNS responses cryptographically so a validating resolver can verify that they came from the zone's legitimate source and were not altered in transit. If your registrar and DNS host both support it, enabling DNSSEC is one click and protects against cache-poisoning attacks.

CAA records lock down which Certificate Authorities can issue SSL certs for your domain. Without a CAA record, ANY public CA can issue a cert in your name. A simple CAA 0 issue "letsencrypt.org" blocks all others.
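How a CA decides whether a CAA record set permits issuance, as an added example (not this tool's code) that follows the RFC 8659 lookup: it climbs from the requested name toward the root and uses the first CAA set it finds, with issuewild taking over for wildcard requests. The zone data and CA names are constructed, and the critical flag and CNAME handling are left out.

```javascript
// Constructed zone data: owner name -> CAA records.
const caaZone = new Map([
  ["example.com", [{ flags: 0, tag: "issue", value: "letsencrypt.org" }]],
  ["shop.example.com", [
    { flags: 0, tag: "issue", value: "ca.example.net" },
    { flags: 0, tag: "issuewild", value: ";" }, // ";" alone means no CA at all
  ]],
]);
const lookupCaa = (name) => caaZone.get(name) || [];

// Walk from the name toward the root; the first non-empty CAA set wins.
function relevantCaaSet(name, lookup) {
  const labels = name.toLowerCase().replace(/^\*\./, "").replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const owner = labels.slice(i).join(".");
    const set = lookup(owner);
    if (set.length > 0) return { owner, set };
  }
  return { owner: null, set: [] };
}

function caMayIssue(name, caDomain, lookup) {
  const { set } = relevantCaaSet(name, lookup);
  if (set.length === 0) return true; // no CAA anywhere: any CA may issue
  const byTag = (tag) => set.filter((r) => r.tag.toLowerCase() === tag);
  const issuewild = byTag("issuewild");
  // Wildcard requests use issuewild when present, otherwise fall back to issue.
  const rules = name.startsWith("*.") && issuewild.length ? issuewild : byTag("issue");
  if (rules.length === 0) return true; // set holds no rule for this request type
  // The CA identifier is the part before any ";"-separated parameters.
  return rules.some(
    (r) => r.value.split(";")[0].trim().toLowerCase() === caDomain.toLowerCase()
  );
}
```

A subdomain with its own CAA set does not inherit the parent's: in the sample, `letsencrypt.org` may issue for `www.example.com` but not for anything under `shop.example.com`.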

Why a record might look wrong

  • Anycast services (Cloudflare, Fastly, Google) return different IPs depending on which edge POP answered. That's normal.
  • TTL caching — a recent DNS change may not appear until the old record's TTL expires at every resolver in the chain.
  • Geographic differences — some sites use DNS-based geo-routing. Your view of an MX record may differ from someone in another country.
  • Subdomain shadowing: www.example.com and example.com often have entirely different records.

How to use this tool

  • Mass migration audit — paste the new domain after the cutover, compare against expected records.
  • Email deliverability triage — your DMARC reports are noisy? Look at the TXT records here; the health summary will surface SPF / CAA / DNSSEC issues.
  • Phishing investigation — paste a suspicious domain. Mismatched MX, no SPF, no DMARC, and a fresh registration are all red flags (combine with the Domain Inspector for the registration angle).
  • Certificate issuance debugging — your CA refusing to issue? Check CAA. A wrong CAA record is the #1 reason Let's Encrypt refuses to issue after a correct DNS-01 challenge.

How this tool handles your data

Every DNS query goes from your browser directly to Cloudflare's DNS-over-HTTPS endpoint at cloudflare-dns.com/dns-query. Our server is not in the path — we don't see, log, or store the domains you look up. Cloudflare's public DNS resolver commits in its privacy policy to not log client IPs in association with queries.
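The shape of such a query and how its answer can be read, as an added example (not this tool's source): it builds the request URL for Cloudflare's JSON interface (sent with the header `accept: application/dns-json`) and interprets the `Status`, `AD` and `Answer` fields. The sample responses are constructed so the block runs offline.

```javascript
const TYPE = { A: 1, NS: 2, CNAME: 5, SOA: 6, MX: 15, TXT: 16, AAAA: 28, CAA: 257 };
const RCODE = { 2: "SERVFAIL", 3: "NXDOMAIN" };

function dohUrl(name, type) {
  const u = new URL("https://cloudflare-dns.com/dns-query");
  u.searchParams.set("name", name);
  u.searchParams.set("type", type);
  return u.toString();
}

// TXT data arrives as one or more quoted chunks ("part one" "part two");
// the record's value is the chunks concatenated with nothing in between.
function joinTxt(data) {
  const chunks = data.match(/"((?:[^"\\]|\\.)*)"/g);
  if (!chunks) return data;
  return chunks.map((c) => c.slice(1, -1).replace(/\\(["\\])/g, "$1")).join("");
}

function summarize(resp, type) {
  const dnssec = resp.AD === true; // AD is set only when the resolver validated
  if (resp.Status !== 0) {
    return { state: RCODE[resp.Status] || "RCODE_" + resp.Status, dnssec, records: [] };
  }
  const records = (resp.Answer || [])
    .filter((a) => a.type === TYPE[type]) // skip CNAMEs followed on the way
    .map((a) => ({ ttl: a.TTL, value: type === "TXT" ? joinTxt(a.data) : a.data }));
  return { state: records.length ? "OK" : "NODATA", dnssec, records };
}

// Constructed responses (not captured from a live resolver).
const sampleTxt = {
  Status: 0,
  AD: true,
  Answer: [{
    name: "example.com", type: 16, TTL: 300,
    data: '"v=spf1 include:_spf.example.net " "ip4:192.0.2.0/24 -all"',
  }],
};
const sampleNx = { Status: 3, AD: false };
```

An SPF record split across chunks has to be joined before it is checked; testing the raw `data` string would miss the terminator in the second chunk.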

If you also need WHOIS / RDAP for a domain, use Domain Inspector. For IP-side investigation, use IP Address Lookup. The three tools together cover the full "what is this domain doing on the internet" question.

Frequently Asked Questions

DNS record types, TTL, DNSSEC, SPF / DMARC / DKIM gotchas, CAA, why a change might not propagate, and how this tool handles your data.