Query any domain for A, AAAA, MX, NS, TXT, CNAME, SOA, PTR, CAA and SRV records instantly. Powered by Google DNS over HTTPS. No signup, no install.
DNS Record Lookup
Enter a domain to begin
Type any domain name or IP address above. Select ALL to fetch every record type at once.
DNS Record Type Reference
Every DNS record type this tool can query, what it stores, its typical TTL, and the most common use case for each.
| Type | Full Name | What It Stores | Typical TTL | Primary Use Case |
|---|---|---|---|---|
| A | Address | IPv4 address (32-bit) | 300 to 3600 s | Maps hostname to IPv4. First record to check for website connectivity. |
| AAAA | IPv6 Address | IPv6 address (128-bit) | 300 to 3600 s | Maps hostname to IPv6. Required for dual-stack modern hosting. |
| MX | Mail Exchange | Mail server hostname + priority | 3600 to 86400 s | Routes email to the correct mail server. Lower priority value = higher preference. |
| NS | Name Server | Authoritative name server hostname | 86400 to 172800 s | Delegates a domain to its authoritative DNS servers. Rarely changes. |
| TXT | Text | Arbitrary text strings | 300 to 3600 s | SPF, DKIM, DMARC, domain ownership verification, BIMI, Google Search Console. |
| CNAME | Canonical Name | Alias pointing to another hostname | 300 to 3600 s | Subdomains (www, blog, shop) aliased to a main domain or CDN hostname. |
| SOA | Start of Authority | Zone master NS, contact email, serial, timers | 3600 to 86400 s | Defines authoritative info for a DNS zone. Contains refresh and retry intervals. |
| PTR | Pointer | Hostname mapped from an IP address | 3600 s | Reverse DNS lookup. Used by mail servers to verify sender IP legitimacy. |
| CAA | Certification Authority Authorization | Permitted SSL/TLS certificate issuers | 3600 to 86400 s | Restricts which CAs can issue SSL certificates for a domain. Security record. |
| SRV | Service | Service host, port, priority, weight | 300 to 3600 s | Locates services like SIP, XMPP, Microsoft 365, and game servers. |
How DNS Lookup Works
When you type a domain name into this tool, it sends a DNS over HTTPS (DoH) query directly from your browser to dns.google/resolve. Google's authoritative resolver queries the domain's name servers and returns the records. The full round trip from your browser to Google DNS typically takes under 100 ms.
The DNS Resolution Chain
Every DNS lookup follows the same chain: browser cache, operating system resolver, recursive resolver (ISP or public like 8.8.8.8), root name servers (.com / .net / .org zone), TLD name servers, authoritative name servers, and finally the zone file where records live.
DNS Propagation Explained
When you change a DNS record, the old record stays cached at every resolver worldwide until its TTL expires. A TTL of 3600 seconds (one hour) means resolvers worldwide can serve the old record for up to one hour after your change. To speed propagation before a planned change, lower the TTL to 300 seconds 24 to 48 hours in advance. Restore the TTL after the change stabilises.
TTL Strategy by Record Type
| Record | Stable TTL | Pre-migration TTL | Reason |
|---|---|---|---|
| A | 3600 s (1 hr) | 300 s (5 min) | Website traffic: lower TTL before host migration |
| MX | 3600 s | 300 s | Email: short window avoids mail loss during migration |
| NS | 172800 s (2 d) | 86400 s (1 d) | NS changes propagate slowly by design |
| TXT | 3600 s | 300 s | SPF/DKIM: low TTL allows rapid correction |
| CNAME | 3600 s | 300 s | CDN changes: short TTL for fast failover |
| SOA | 86400 s | 3600 s | Rarely needs manual change |
DNSSEC: DNS Security Extensions
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify responses were not tampered with in transit. This tool checks whether a domain's responses carry valid DNSSEC signatures (the AD flag in the DNS response). Domains without DNSSEC are still functional but are vulnerable to cache poisoning attacks.
Google DNS vs Cloudflare DNS
| Feature | Google DNS (8.8.8.8) | Cloudflare DNS (1.1.1.1) |
|---|---|---|
| DoH API endpoint | dns.google/resolve | cloudflare-dns.com/dns-query |
| Average global latency | ~14 ms | ~11 ms |
| DNSSEC validation | Yes | Yes |
| Privacy policy (query logging) | 48-hour logs, anonymised | 24-hour logs, no IP sold |
| Malware filtering option | 8.8.8.8 / 8.8.4.4 | 1.1.1.2 / 1.0.0.2 |
How This Tool Compares
Most online DNS lookup tools query one record type at a time, return a plain text list with no context, and have no export or propagation checking. Here is how this tool fills those gaps.
| Feature | Typical competitors | This tool |
|---|---|---|
| Record types | 3 to 5 types | 10 types (A, AAAA, MX, NS, TXT, CNAME, SOA, PTR, CAA, SRV) |
| All records in one query | No, one at a time | Yes, ALL mode fetches all 10 types at once |
| Bulk lookup | No | Yes, unlimited domains, table output |
| Propagation checker | Separate tool or missing | Built-in, 12 global resolvers |
| DNSSEC validation | No | Yes, AD flag check per query |
| TTL display | Raw seconds only | TTL bar + human-readable (e.g. 1 hr 12 min) |
| Reverse PTR lookup | Separate tool | Enter any IP, auto-converts to PTR format |
| Raw JSON view | No | Full Google DNS response, syntax-highlighted |
| Export | No | JSON download, CSV download, Copy All |
| Analysis tab | No | Email config check, SPF/DKIM/DMARC detection |
| Resolver choice | Fixed resolver | Google DNS or Cloudflare DNS selectable |
| Shareable URL | No | ?domain= param, auto-lookups on load |
Frequently Asked Questions
A DNS lookup queries the Domain Name System to translate a human-readable domain name like example.com into the IP addresses, mail servers, name servers, and other records that computers use to route internet traffic correctly. Without DNS, every website URL would need to be an IP address like 93.184.216.34.
DNS propagation typically takes between 1 and 48 hours after a record change, depending on the TTL value set on the old record and how quickly upstream resolvers refresh their cache. A TTL of 3600 seconds means resolvers can serve the old record for up to one hour. Lower your TTL to 300 seconds 24 to 48 hours before a planned change to speed up propagation.
For email delivery problems, check MX records first to confirm mail server routing. Then check TXT records for SPF (v=spf1...), DKIM (_domainkey subdomain), and DMARC (_dmarc subdomain). A missing or misconfigured SPF record causes legitimate emails to land in spam folders. A missing PTR record on your sending IP is another common cause of delivery failures.
An A record maps a domain directly to an IPv4 address. A CNAME record maps a domain to another domain name (an alias), which then resolves to an IP. You cannot use a CNAME on a bare domain (apex or naked domain) because of the DNS standard. Use an A record for the root domain and CNAME records for subdomains like www, blog, or shop.
No. Queries are sent directly from your browser to Google DNS (dns.google) or Cloudflare DNS (cloudflare-dns.com) over HTTPS. No query data passes through WritoryBuzz servers. Google DNS logs queries for up to 48 hours in anonymised form per their privacy policy. Cloudflare logs for up to 24 hours without selling data.
A CAA (Certification Authority Authorization) record tells the world which Certificate Authorities are allowed to issue SSL/TLS certificates for your domain. For example, adding "0 issue letsencrypt.org" restricts certificate issuance to Let's Encrypt only. This reduces the risk of a rogue CA issuing a fraudulent certificate for your domain.
DNSSEC adds digital signatures to DNS records using public-key cryptography. When a resolver receives a signed response, it verifies the signature against published public keys in the DNS chain. This prevents cache poisoning attacks where an attacker injects fake DNS responses to redirect traffic. DNSSEC is configured at your domain registrar and requires support from your DNS hosting provider.