Free DNS Lookup Tool
See every public DNS record for any domain — A, AAAA, CNAME, MX, NS, TXT, SOA, CAA — in a single query. Useful for diagnosing email problems, verifying DNS migrations, and confirming that recent changes have propagated. Built by Datastrive, a Chicago managed IT and cybersecurity provider.
- All record types in one query
- Smart TXT classification (SPF, DMARC, DKIM)
- Click any value to copy
What each record type does
DNS is the layer that turns human-readable names like example.com into the addresses, mail servers, and trust statements your software actually uses. Each record type does one specific job.
IPv4 address
Maps a hostname to an IPv4 address. The bedrock record — if your A record is wrong, nothing else works.
IPv6 address
The IPv6 equivalent of A. Increasingly important as ISPs and cloud providers default to dual-stack.
Canonical name
An alias from one hostname to another. Cannot exist at the apex of a domain (use ALIAS/ANAME at most providers for that).
Mail exchange
Where email for this domain should be delivered, with priority values for ranking among multiple servers.
Name servers
The authoritative DNS servers for this domain. Changing these is what “moving DNS providers” actually means.
Text records
Free-form strings used for SPF, DMARC, DKIM, and dozens of domain-verification protocols (Google, Microsoft, Stripe, etc.).
Start of authority
Zone metadata: primary nameserver, contact email, serial number, and refresh timing for secondary servers.
Certificate authority auth
Restricts which Certificate Authorities are allowed to issue SSL certs for this domain. A small but powerful security control.
DNS best practices for businesses
DNS is one of those layers that’s invisible when it works and catastrophic when it doesn’t. The basics aren’t difficult; they’re just easy to skip until you’ve had your first 2 AM outage caused by a misconfigured TTL.
- Use a real DNS provider, not your registrar’s free DNS: Move authoritative DNS to Cloudflare, AWS Route 53, NS1, or DNSimple. The “free DNS included” service from a registrar like GoDaddy or Namecheap is fine for personal sites but slower, has weaker DDoS protection, and limits your record types. Better DNS is one of the cheapest reliability upgrades you can buy (usually free).
- Set TTLs intentionally, not by accident: Default TTLs are often 1 hour or more. Before making a change, lower the TTL on the affected record to 300 (5 minutes) the day before. After the change is verified, raise it back. This gives you a fast rollback without leaving short TTLs everywhere (which slightly increases query load and costs).
- Add CAA records to lock down certificate issuance: A CAA record like 0 issue "letsencrypt.org" tells every CA in the world that only Let’s Encrypt may issue certs for your domain. If an attacker tries to obtain a cert from a different CA (including via a domain-validation hijack), the CA must refuse. CAA is one of the highest-leverage security controls almost nobody uses.
- Use at least two diverse nameservers: Per RFC 2182, your domain should have multiple authoritative nameservers in different network locations. Modern DNS providers handle this for you (Cloudflare gives you two, AWS Route 53 gives you four). Avoid running both on the same provider’s single region or, worse, on infrastructure you control yourself.
- Document every record’s purpose: For each non-obvious record (especially TXT records and CNAMEs to third parties), note who owns it and what would break if it were removed. Without documentation, “let’s clean up old records” inevitably breaks something six months later when nobody remembers what the random TXT record was for.
- Monitor for unexpected changes: Set up DNS monitoring with a service like DNSCheck, Constellix, or even a simple cron job that alerts you when records change unexpectedly. Most domain hijacks show up first as DNS changes; if you catch them in minutes, you can intervene before customer email or web traffic is rerouted.
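How a CA is expected to read the CAA record from the list above, as an added example that is not Datastrive's code. It applies the RFC 8659 evaluation rules to an RRset that is assumed to have been located for the name already; `ca.example` and the sample RRsets are constructed.

```python
# Added example (not Datastrive's code): decide whether a CA may issue,
# given the CAA RRset already found for the name (RFC 8659 rules).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Split presentation format: <flags> <tag> "<value>"."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def issuer_domain(value):
    """Issuer domain is the part before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(rrset, ca_domain, wildcard=False):
    records = [parse_caa(r) for r in rrset]
    # Critical bit (128) set on a tag the CA does not understand: refuse.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue/issuewild property, so nothing is restricted
    return ca_domain.lower() in {issuer_domain(v) for v in relevant}

# Constructed RRsets; "ca.example" is a hypothetical second CA.
PAGE_RECORD = ['0 issue "letsencrypt.org"']
NO_WILDCARDS = ['0 issue "letsencrypt.org"', '0 issuewild ";"']

def demo():
    return {
        "named CA": caa_permits(PAGE_RECORD, "letsencrypt.org"),
        "other CA": caa_permits(PAGE_RECORD, "ca.example"),
        "no CAA at all": caa_permits([], "ca.example"),
        "wildcard blocked": caa_permits(NO_WILDCARDS, "letsencrypt.org", wildcard=True),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'may issue' if allowed else 'must refuse'}")
```

The "no CAA at all" case is the reason the record matters: with an empty RRset, every CA is permitted to issue.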
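The "simple cron job" from the monitoring item, sketched as an added example that is not Datastrive's code. It compares a saved baseline with a fresh snapshot in `dig +noall +answer` layout; the zone data is constructed, and treating A/AAAA/CNAME/MX/NS changes as the urgent tier is an assumption of this sketch.

```python
# Added example (not Datastrive's code): diff two DNS snapshots the way a
# cron-driven monitor would. Lines follow `dig +noall +answer` layout:
# name TTL class type rdata.
HOSTNAME_TYPES = {"NS", "MX", "CNAME"}                # rdata is case-insensitive
REROUTING_TYPES = {"A", "AAAA", "CNAME", "MX", "NS"}  # assumption: urgent tier

def parse_snapshot(text):
    """Return {(name, type, rdata)}. TTL is dropped: resolvers count it
    down, so it differs between runs even when nothing was changed."""
    records = set()
    for line in text.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) != 5 or parts[0].startswith(";"):
            continue  # blank line, comment, or malformed row
        name, _ttl, _cls, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype in HOSTNAME_TYPES:
            rdata = " ".join(rdata.lower().split())
        records.add((name.lower(), rtype, rdata))
    return records

def diff_snapshots(baseline, current):
    old, new = parse_snapshot(baseline), parse_snapshot(current)
    changes = [("removed", *r) for r in old - new]
    changes += [("added", *r) for r in new - old]
    return sorted(changes, key=lambda c: (c[1], c[2], c[0], c[3]))

def rerouting_changes(changes):
    """Changes that can move web or mail traffic; alert on these first."""
    return [c for c in changes if c[2] in REROUTING_TYPES]

# Constructed snapshots of a hypothetical zone (documentation addresses).
BASELINE = """\
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN NS ns1.dns-host.example.
example.com. 3600 IN TXT "v=spf1 mx -all"
"""
CURRENT = """\
example.com. 212 IN A 192.0.2.10
example.com. 300 IN MX 10 mx.relay.example.
example.com. 3600 IN NS NS1.DNS-Host.example.
example.com. 3600 IN TXT "v=spf1 mx -all"
example.com. 300 IN TXT "constructed-verification-token"
"""

if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, CURRENT):
        print(*change)
```

The TTL countdown on the A record and the case change on the NS target produce no alert; the swapped MX target does.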
Frequently asked questions
What’s a DNS record?
A DNS record is a single piece of information stored at a domain name — an IP address, a mail server hostname, a string of text, etc. When your computer needs to find example.com, it asks a DNS resolver, which walks the DNS hierarchy until it finds the authoritative nameservers for that domain and reads the relevant records.
The record types in this tool are the most common ones; there are about 50 defined record types in total, but most domains only use a handful.
Why do some records have weird names like _dmarc or _domainkey?
Names starting with an underscore are reserved for protocol-specific records that don’t represent actual hosts. _dmarc.yourdomain.com is where the DMARC policy lives. selector1._domainkey.yourdomain.com is where the DKIM public key lives. _acme-challenge.yourdomain.com is used by Let’s Encrypt for validation.
These names are never typed by humans — they’re queried programmatically by mail servers, ACME clients, and security tools. The underscore prefix prevents collisions with real subdomain names.
What’s TTL and why does it matter?
TTL (Time To Live) is how long, in seconds, a DNS resolver is allowed to cache a record before re-querying. A TTL of 3600 means resolvers may serve cached answers for up to an hour. Lower TTLs mean faster propagation of changes; higher TTLs mean less query load and slightly faster lookups.
Practical guidance: lower TTLs (300 = 5 minutes) before any planned change so you can verify and roll back quickly. Raise back to 3600 or higher (up to a day) after the change has stabilized.
How long does a DNS change take to propagate?
Best case: as fast as the TTL on the old record. If the record’s TTL was 300, expect most resolvers to pick up the change within 5 minutes. If the TTL was 86400, plan for up to a day.
“DNS propagation” sites that show different answers from different resolvers around the world are showing exactly this caching behavior — not actual replication delay. The authoritative servers update instantly; what takes time is each resolver’s cache expiring.
Why doesn’t CNAME work at the apex of my domain?
RFC 1034 says a name with a CNAME record cannot also have other records of any other type. The apex of a domain (e.g., example.com) must have NS records and SOA records, so it can’t also have a CNAME — that would violate the spec.
To work around this, most modern DNS providers offer a non-standard record called ALIAS, ANAME, or CNAME flattening. The provider performs the CNAME resolution at query time and returns the resulting A/AAAA records, working around the apex restriction. Cloudflare, Route 53, DNSimple, and others support this.
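The RFC 1034 rule above as a zone lint, useful when verifying a migration; this is an added example, not Datastrive's code. It generalizes beyond the apex to any owner name, the record list is constructed, and skipping RRSIG/NSEC (which DNSSEC allows beside a CNAME) is the only exception it models.

```python
# Added example (not Datastrive's code): flag owner names that hold a CNAME
# together with other record types, which RFC 1034 forbids.
from collections import defaultdict

DNSSEC_EXEMPT = {"RRSIG", "NSEC"}  # may legitimately sit beside a CNAME

def cname_conflicts(records):
    """records: iterable of (owner, type) pairs.
    Returns {owner: sorted conflicting types} for each offending name."""
    types_by_owner = defaultdict(set)
    for owner, rtype in records:
        types_by_owner[owner.lower().rstrip(".")].add(rtype.upper())
    conflicts = {}
    for owner, types in types_by_owner.items():
        others = types - {"CNAME"} - DNSSEC_EXEMPT
        if "CNAME" in types and others:
            conflicts[owner] = sorted(others)
    return conflicts

# Constructed record list for a hypothetical zone.
ZONE = [
    ("example.com.", "SOA"), ("example.com.", "NS"),
    ("example.com.", "CNAME"),                          # apex CNAME: invalid
    ("www.example.com.", "CNAME"),                      # alone: fine
    ("shop.example.com.", "CNAME"), ("shop.example.com.", "TXT"),
    ("signed.example.com.", "CNAME"), ("signed.example.com.", "RRSIG"),
]

if __name__ == "__main__":
    for owner, types in cname_conflicts(ZONE).items():
        print(f"{owner}: CNAME cannot coexist with {', '.join(types)}")
```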
What’s DNSSEC and should I enable it?
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify they haven’t been tampered with in transit. Without DNSSEC, an attacker who controls a network path or compromises a resolver can return forged DNS answers.
Worth enabling if you handle sensitive data (banking, healthcare, government) or operate critical infrastructure. For most small-to-mid-sized business sites, the operational complexity outweighs the practical risk — misconfigured DNSSEC is a more common cause of outages than DNS hijacking. If you do enable it, do so on a provider with strong DNSSEC tooling (Cloudflare, Route 53) rather than rolling it manually.
Need DNS that doesn’t break at 2 AM?
Datastrive manages DNS, email security, and domain hygiene for businesses across the Chicago area — including monitoring, planned-change support, and recovery for the inevitable “someone deleted the wrong record” call. We’re a managed IT and cybersecurity provider for small and mid-sized businesses.