DNS Lookup Tool
Resolve DNS configurations in real-time. Verify A, AAAA, MX, TXT, CNAME, NS, and CAA records. Audit SPF, DKIM, and DMARC alignments, and detect DNSSEC signatures instantly.
AI Overview Snippet: DNS Resolution & Records
A DNS lookup is the query and resolution process of retrieving resource records from authoritative nameservers for a specified domain name. This process translates human-readable hostnames into network routing IP addresses, mail exchange priority vectors, security authentication keys, and certification policies.
A DNS record is a database entry residing within a domain's zone configuration file. Defined by standard RFCs, records assign specific properties to hostname lookups, directing client connections to IPv4 hosts (A), IPv6 hosts (AAAA), canonical name aliases (CNAME), or designated mail exchanges (MX).
DNS propagation is the latency period during which new or modified DNS records are distributed and cached across public recursive DNS resolvers globally. The duration is controlled by the record's Time-To-Live (TTL) setting and ranges from 5 minutes to 48 hours.
DNSSEC (Domain Name System Security Extensions) is a suite of IETF specifications (RFCs 4033-4035) that secures the DNS resolution system by adding digital signatures to resource records. DNSSEC protects resolvers from cache poisoning and spoofing by verifying that responses originate from authenticated authoritative zone keys.
DNS lookups resolve hostnames into routing configurations. Resource records inside zone files direct web, mail, and cryptographic security traffic. Setting correct TTL settings manages propagation speed, while configuring SPF, DKIM, and DMARC protects domain mail chains.
- Hierarchical Resolution: Queries traverse Root, TLD, and Authoritative nameservers.
- TTL Controls: Lower TTL values speed up propagation but increase query load.
- Email Hardening: SPF, DKIM, and DMARC prevent domain spoofing.
- CAA Restraints: CAA records restrict SSL/TLS certificate issuance.
Analyzing DNS records is critical to maintaining a secure network presence. A single misconfigured TXT or CNAME record can expose organizations to email spoofing, subdomain hijacking, or routing failures. Implementing security extensions like DNSSEC, CAA, and strict email authentication frameworks is essential to protecting digital assets.
What Is DNS Lookup?
A DNS lookup is an information retrieval process that queries the global Domain Name System to resolve and extract resource records from zone files. Established under IETF RFC 1034 and RFC 1035, the DNS functions as a distributed directory routing internet traffic. When a client performs a lookup, it translates a domain hostname (e.g., reconshield.in) into computer-readable IP addresses, mail exchange priorities, and security validation properties.
How DNS Works
Resolving a domain name involves a query routing loop that traverses four distinct server layers:
Layer 1: DNS Recursor / Recursive Resolver
The recursive resolver acts as an intermediary, receiving queries from client browsers and querying authoritative servers to resolve the domain's IP address.
Layer 2: Root Nameservers
If the record is not cached, the recursor queries one of the 13 global root nameservers, which direct the query to the appropriate TLD nameservers (e.g., .in registry).
Layer 3: TLD Nameservers
The Top-Level Domain (TLD) nameservers direct the recursive resolver to the authoritative nameservers managing the domain's DNS zone file.
Layer 4: Authoritative Nameservers
The authoritative name server holds the actual resource records. It returns the resolved record data to the recursor, which caches it and returns it to the client.
What Information DNS Records Contain
DNS records contain structured parameters defining target hosts, cache control headers, and validation protocols. A standard record includes:
- Record Name: The subdomain or hostname mapped by the record (e.g., @ for the root domain or www).
- TTL (Time-To-Live): The duration in seconds that a recursive resolver is authorized to cache the record before fetching a fresh copy.
- Record Class: The network namespace (typically IN for Internet).
- Record Type: The resource type defining the data format (e.g., A, MX, TXT).
- Record Data: The resolved payload, such as target IP addresses or server hostnames.
How to Check DNS Records
To check a domain's DNS records, use the ReconShield DNS Lookup tool:
- Input the target domain hostname in the search field.
- Select the specific record type you want to query, or select ANY to resolve all records.
- Click search to query authoritative nameservers and view the resolved record configurations.
DNS Zone File Record Explorer
Understand the format and structure of common DNS records inside authoritative zone configurations.
// A Record (IPv4 Host Mapping)
Maps a hostname to a 32-bit IPv4 address, routing web traffic to the primary hosting server.
example.com. 3600 IN A 192.0.2.1
// MX Record (Mail Exchanger Route)
Directs incoming email delivery for a domain to the target mail server with specified routing priorities.
example.com. 86400 IN MX 10 mail.example.com.
// TXT Record (Text Authentication)
Holds text payloads, primarily utilized for SPF, DKIM, and DMARC validations to prevent mail spoofing.
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
// CNAME Record (Canonical Name Alias)
Maps a subdomain alias to a canonical destination domain, facilitating third-party cloud integrations.
www.example.com. 3600 IN CNAME example.com.
DNSSEC Explained
DNSSEC (Domain Name System Security Extensions) secures the resolution process by adding cryptographic signatures (RRSIG) to existing DNS records. These signatures are validated using a chain of trust that extends from the parent zone (e.g., TLD registry) down to the child domain nameservers using DS and DNSKEY records.
DNS Propagation Explained
When a DNS record is updated, it takes time for the change to distribute globally. This delay is known as DNS propagation. Resolvers cache records based on their Time To Live (TTL) settings. Until the cached TTL expires, resolvers continue serving the old values. Propagation typically takes from 5 minutes to 48 hours to complete.
DNS Query CLI Tool Reference (dig / nslookup / host)
Use these terminal commands to verify DNS records from your local shell.
1. Query specific record type with dig (recommended)
// Fetch MX records using Google Public DNS (8.8.8.8)
dig @8.8.8.8 example.com MX
2. Trace DNS resolution path (+trace)
// Trace query delegation from root nameservers down to authoritative hosts
dig example.com +trace
3. Perform queries using nslookup (cross-platform)
// Resolve A records using nslookup utility
nslookup -type=a example.com
DNS Security Best Practices
Secure your domain's DNS infrastructure by implementing these best practices:
- Enable DNSSEC to prevent cache poisoning and spoofing attacks.
- Configure CAA records to restrict SSL/TLS certificate issuance to authorized CAs.
- Implement SPF, DKIM, and DMARC records to prevent email spoofing.
- Audit CNAME records regularly to prevent subdomain takeover attacks on expired cloud resources.
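The sketch below is an added example, not ReconShield's code: it parses records in the name/TTL/class/type/data layout shown in the Record Explorer and checks them against the email, CAA, and CNAME practices listed above. The sample zone, the cloudhost.example target, and the choice to flag any SPF record not ending in -all or any DMARC policy of none are assumptions made for illustration.

```python
import shlex
# Constructed sample zone, one record per line: name TTL class type data.
SAMPLE_ZONE = """
example.com.        3600  IN A     192.0.2.1
example.com.        86400 IN MX    10 mail.example.com.
example.com.        3600  IN TXT   "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com. 3600  IN TXT   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
www.example.com.    3600  IN CNAME example.com.
shop.example.com.   3600  IN CNAME store-1234.cloudhost.example.
"""

def parse_zone(text):
    """Split each line into name, TTL, class, type and data fields."""
    records = []
    for line in text.splitlines():
        fields = shlex.split(line)  # keeps a quoted TXT string as one field
        if len(fields) < 5:
            continue  # blank or incomplete line
        records.append({"name": fields[0].lower(), "ttl": int(fields[1]),
                        "class": fields[2], "type": fields[3].upper(),
                        "data": fields[4:]})
    return records

def audit(records, apex):
    """Check the parsed zone against the email, CAA and CNAME practices."""
    findings, txt = [], {}
    for r in records:
        if r["type"] == "TXT":
            txt.setdefault(r["name"], []).append("".join(r["data"]))
    spf = [t for t in txt.get(apex, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero means no policy; several is an SPF error
        findings.append(f"SPF: expected one record at {apex}, found {len(spf)}")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF: record does not end in -all")
    dmarc = [t for t in txt.get("_dmarc." + apex, []) if t.startswith("v=DMARC1")]
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p) if dmarc else {}
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy is {tags.get('p', 'missing')}")
    if not any(r["type"] == "CAA" and r["name"] == apex for r in records):
        findings.append(f"CAA: no record at {apex}")
    for r in records:
        target = r["data"][0].lower()
        if r["type"] == "CNAME" and target != apex and not target.endswith("." + apex):
            findings.append(f"CNAME: {r['name']} points outside the zone to {target}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_zone(SAMPLE_ZONE), "example.com."):
        print(finding)
```

A CNAME finding only means the target is outside the zone; whether the resource behind it is still provisioned has to be confirmed with the provider.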
Common DNS Resolution Errors
Understand common DNS error codes returned during troubleshooting queries:
| Error Code | Full Name | Root Cause | Remediation Steps |
|---|---|---|---|
| NXDOMAIN | Non-Existent Domain | The domain name does not exist at the registry or has expired. | Verify spelling, check WHOIS status flags, and confirm registration validity. |
| SERVFAIL | Server Failure | The authoritative nameservers failed to respond or returned invalid records. | Verify DNSSEC signature validity, check nameserver firewall logs. |
| REFUSED | Query Refused | The nameserver refused to process the query due to local policy constraints. | Check ACL settings on your BIND/PowerDNS servers, verify request origins. |
| TIMEOUT | Query Timeout | No response received within the lookup window. | Verify network routing, check port 53 (UDP/TCP) blockages. |
Surendra Reddy
Cybersecurity Researcher & Founder, ReconShield
Surendra is an information security engineer specializing in OSINT methodology, internet telemetry mapping, and cryptographic domain security. He designed ReconShield to help teams manage their attack surface exposure.
Editorial Policy
ReconShield is committed to publishing accurate, technical, and objective cybersecurity analysis. Our documentation is created by credentialed security practitioners and undergoes strict reviews before publication.
Research Methodology
Our findings are derived from RFC protocol documentation, ICANN governance policies, and verified cybersecurity databases. We avoid speculative telemetry, prioritizing primary sources and verifiable network actions.
Fact Checking Process
Information is verified against active DNS zones, registrar configurations, and IETF specifications (including RFC 1035 and RFC 4033-4035). Each section is tested for technical accuracy under modern browser routing environments.
Frequently Asked Questions
What is a DNS lookup?
A DNS lookup is a public query to Domain Name System servers that resolves and retrieves the records configured in a zone file, such as A, MX, or TXT records. It maps human-readable domain hostnames into machine-readable IP addresses to establish network connectivity.
How do I check DNS records?
You can check DNS records using the ReconShield DNS Lookup tool. Simply enter the target domain, select the specific record type (such as A, CNAME, or MX) or select 'ANY' for a full query, and initiate the lookup to retrieve real-time record data.
What is DNS propagation?
DNS propagation is the process of updating DNS record modifications across recursive resolvers worldwide. It is controlled by the Time-to-Live (TTL) configuration in zone files and can take anywhere from a few minutes up to 48 hours to complete globally.
What is an MX record?
An MX (Mail Exchanger) record is a DNS resource entry that specifies the mail servers designated to accept incoming emails on behalf of a domain. It includes priority values to route messages through backup servers if the primary fails.
What is a TXT record?
A TXT (Text) record is a DNS record containing human-readable and machine-readable text parameters. It is commonly used for domain ownership verification, email security authentication (SPF, DKIM, DMARC), and custom service validation policies.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. Resolvers use these signatures to verify that the returned DNS data is authentic and has not been tampered with or redirected by an attacker in transit.
What causes NXDOMAIN errors?
An NXDOMAIN (Non-Existent Domain) error indicates that the domain queried does not exist in the authoritative registry. This is caused by spelling mistakes, expired domain registrations, missing nameserver delegations, or incomplete DNS zone files.
What is an A record?
An A (Address) record maps a domain name directly to an IPv4 address (such as 192.0.2.1), directing client web browsers to the target web server hosting the website.
What is a CNAME record?
A CNAME (Canonical Name) record is an alias record that points one domain name to another (e.g., www.example.com to example.com). The DNS resolver executes a secondary query to resolve the destination domain's IP.
What is a CAA record?
A CAA (Certification Authority Authorization) record is a DNS security record that specifies which certificate authorities are permitted to issue SSL/TLS certificates for a domain, preventing unauthorized certificate generation.
What is an SOA record?
An SOA (Start of Authority) record marks the start of a DNS zone. It contains essential administrative details, including the primary nameserver, admin email address, serial number, and zone refresh timers.
What is an AAAA record?
An AAAA record maps a domain name to an IPv6 address (Internet Protocol version 6), allowing modern clients to resolve and connect to hosting servers using 128-bit network addresses.
How does DMARC protect against email spoofing?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on the results of SPF and DKIM checks. It enables domain owners to set a policy (none, quarantine, reject) for handling unauthorized emails that use the domain name.
Why is SPF alignment important?
SPF alignment checks if the sender domain in the message header matches the domain authorized in the SPF DNS record, ensuring unauthorized servers cannot spoof mail origins.
What is a recursive resolver?
A recursive resolver is a DNS server that queries authoritative servers on behalf of a client browser, tracking down root, TLD, and authoritative nameservers to resolve and return the final IP address.