ToolBelt

DNS Lookup

Resolve A, AAAA, MX, TXT, NS, CNAME and SOA records via DNS-over-HTTPS.

Open tool

Overview

The DNS lookup tool resolves the standard record types — A, AAAA, MX, TXT, NS, CNAME, and SOA — for any hostname using DNS-over-HTTPS. Type a domain, pick a record type, and the answer arrives in seconds with TTL values, authoritative source, and the raw response intact. No dig install, no SSH session, no network admin access required.

Web developers verifying a deployment, sysadmins debugging mail delivery, and security analysts checking SPF or DKIM records all need a fast DNS resolver online. Long-tail keywords covered: look up MX record for a domain, check TXT records over HTTPS, and verify CNAME points to the right host.

How it works

DNS-over-HTTPS (DoH) is defined in RFC 8484. Instead of sending a UDP query on port 53, the client wraps the same DNS message in an HTTPS request to a resolver like Cloudflare's 1.1.1.1 or Google's 8.8.8.8. The response is the standard DNS wire format encoded as JSON or binary, and the resolver does the heavy lifting of walking the DNS tree on your behalf.

DoH gives two practical wins for a browser-side tool. It works even when corporate networks block UDP 53, and it returns a structured JSON answer that is easy to parse. The trade-off is that you see what the public resolver sees — not necessarily what your local network sees — which is usually what you want when debugging anyway.

Examples

  • A example.com → returns the IPv4 address (or addresses, for round-robin DNS).
  • MX gmail.com → the priority-ordered list of mail exchangers.
  • TXT _dmarc.example.com → the DMARC record published for the domain.
  • NS example.com → the authoritative nameservers, useful for verifying a delegation.

FAQ

Why does the answer differ from dig on my laptop?

Your local resolver may use a different upstream or have a cached answer. DoH always asks a public resolver, so the response reflects authoritative DNS as that resolver sees it.

How accurate is the TTL?

The TTL returned is the remaining lifetime in the resolver's cache, not the original TTL set by the authoritative server. To see the true value, query the authoritative server directly (use the NS answer to find it).

Can I look up DNSSEC signatures?

Standard DoH queries return the same data as plain DNS by default. The response indicates whether the resolver validated DNSSEC for you; the raw RRSIG records are out of scope for this tool.

Why is CNAME returning the target's A record?

When you query an A record on a CNAME-aliased name, the resolver follows the chain and returns the final A record. Query the CNAME type explicitly to see the alias itself.

Try DNS Lookup

An unhandled error has occurred. Reload ×