Free Tool

DNS Lookup Tool

Look up all DNS records for any domain - A, AAAA, MX, NS, TXT, SOA, CAA, and CNAME. Analyze email security and get a DNS health grade. Free, no signup required.

What You Get

Here's an example of the DNS records this tool reveals. Try it above with any domain.

A

DNS Health: A

example.com — 14 records found in 42ms

A Record93.184.216.34
AAAA Record2606:2800:21f:...
Nameserversa.iana-servers.net
MX Records10 mail.example.com
SPFFound
DMARCFound

The DNS lookup queries authoritative nameservers to retrieve every record type configured for your domain. You'll see A and AAAA records (your domain's IP addresses with TTL values), nameservers and SOA data (who manages your DNS zone), and MX records (where your email is routed).

The tool also performs an email security analysis, checking for SPF and DMARC records that protect your domain from email spoofing and impersonation. Combined with CAA record checks (which restrict certificate issuance), this gives you a comprehensive picture of your domain's DNS health.

How It Works

1

Enter Domain

Type any domain name or URL. We'll extract the hostname and look up its DNS records.

2

We Query DNS Servers

Our server resolves all record types in parallel — A, AAAA, MX, NS, TXT, SOA, CAA, and CNAME — plus DMARC.

3

Get Your DNS Report

View every record, email security analysis, and an overall health grade. Copy, download, or share results instantly.

DNS Record Glossary

Plain-language definitions of every record type you will see in a DNS lookup.

A vs AAAA

A records map a hostname to an IPv4 address (4 bytes, e.g. 93.184.216.34). AAAA records map to IPv6 (16 bytes). Modern domains should publish both — IPv6 traffic is now significant on every major network.

CNAME

An alias that points one hostname at another hostname (not an IP). The resolver follows the chain until it finds an A or AAAA. CNAMEs cannot coexist with most other record types at the same name and cannot live at the apex (use ALIAS or ANAME at the apex).

MX

Mail exchanger records — where email for the domain should be delivered. Each record has a priority (lower = preferred) and a target hostname. The target must itself resolve to an A/AAAA — never to a CNAME.

TXT, SPF, DKIM, DMARC

TXT records hold arbitrary text. Email authentication uses three of them: SPF (v=spf1 ...) lists allowed sending servers, DKIM publishes a public key for signing outgoing mail, and DMARC (_dmarc subdomain) tells receivers what to do when SPF or DKIM fails.

NS and SOA

NS records list the authoritative nameservers for the zone. SOA (Start of Authority) holds zone metadata — primary nameserver, admin email, serial number, and refresh/retry timers used by secondary nameservers.

CAA

Certificate Authority Authorization. Restricts which CAs are allowed to issue certificates for the domain. Without a CAA record, any public CA can issue. With one, only the listed CAs can — a cheap and effective defense against misissuance.

TTL (Time To Live)

How long resolvers may cache a record before re-querying. Low TTL (60s) makes changes propagate fast but increases DNS load. High TTL (24h) reduces load but means changes take longer to take effect. Lower TTLs before planned migrations.

Common DNS Issues

The misconfigurations and resolver errors that hurt DNS health — and how to spot them.

NXDOMAIN

Non-existent domain

The DNS resolver returned NXDOMAIN — the domain has no record at all. Either the domain is unregistered, the nameservers do not know it, or the apex record is missing. Confirm the domain is spelled correctly and the registrar's nameservers match what is configured at the registry.

SERVFAIL

Server failure

The authoritative nameserver could not produce an answer — usually a DNSSEC validation failure, an unreachable upstream, or a misconfigured zone. Re-check zone data and DNSSEC signing if you have it enabled.

No MX record

Domain cannot receive email

Without MX records, mail servers fall back to the A record (or refuse delivery entirely). If the domain should receive email, add MX records pointing at your mail provider with appropriate priorities (10, 20, ...).

Missing SPF

Anyone can spoof email from your domain

An SPF TXT record (v=spf1 ...) tells receivers which servers are allowed to send mail as you. Without it, your domain is trivial to spoof in phishing campaigns and your legitimate mail is more likely to land in spam.

Missing DMARC

No policy for failed authentication

DMARC tells receiving servers what to do with email that fails SPF or DKIM checks (reject, quarantine, or none). A _dmarc TXT record with at least p=none gives you reporting; p=quarantine or p=reject actually stops spoofing.

Missing CAA

Any CA can issue a certificate for your domain

CAA records restrict which certificate authorities can issue SSL/TLS certificates for your domain. Without CAA, a misissuance attack against any trusted CA can produce a valid cert for your domain. Adding 'CAA 0 issue "letsencrypt.org"' (or your CA of choice) closes that gap.

Single nameserver

No DNS redundancy

Best practice is at least two nameservers, ideally on different networks. A single NS is a single point of failure — when it goes down, your entire domain becomes unreachable.

Frequently Asked Questions

This tool queries DNS servers to retrieve all DNS records for a domain. It shows A (IPv4), AAAA (IPv6), CNAME, MX (mail), NS (nameservers), TXT, SOA (start of authority), and CAA records. It also analyzes your email security configuration (SPF and DMARC) and gives your DNS setup a health grade.

Yes, completely free with no signup required. Enter any domain and get instant results. There are no daily limits.

A records map a domain to an IPv4 address. AAAA records map to IPv6. CNAME creates an alias pointing to another domain. MX records specify mail servers and their priority. NS records define the authoritative nameservers for the domain. TXT records hold text data often used for email authentication (SPF, DKIM, DMARC). SOA contains zone authority information like the primary nameserver and admin contact. CAA restricts which certificate authorities can issue SSL certificates for the domain.

The grade evaluates your DNS configuration across several criteria: whether you have A/AAAA records for availability, multiple nameservers for redundancy, MX records for email delivery, SPF and DMARC records for email security, CAA records for certificate security, and a proper SOA record. An A+ grade means your DNS is well-configured across all categories.

SPF (Sender Policy Framework) is a TXT record that specifies which mail servers are authorized to send email for your domain, helping prevent spoofing. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to tell receiving servers what to do with unauthenticated emails. Both are essential for protecting your domain from email impersonation and improving deliverability.

CAA (Certificate Authority Authorization) records specify which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Without CAA records, any CA can issue a certificate, increasing the risk of unauthorized certificate issuance. Adding CAA records is a simple but effective security measure.

DNS records can vary depending on which DNS resolver you query, due to caching and propagation delays. After making DNS changes, it can take anywhere from minutes to 48 hours for changes to propagate globally, depending on the record's TTL (Time To Live). This tool queries from the server's perspective, which may differ from your local resolver.

Yes! exit1.dev is rolling out continuous DNS monitoring. You can track DNS record changes, get alerts when records change unexpectedly, and monitor DNS resolution health around the clock — catching misconfigurations and hijacking attempts before they affect your users.

Learn More About DNS

Guides on DNS record types, email authentication, propagation, and domain security.

DNS Record Types Explained

A, AAAA, MX, CNAME, TXT, NS, SOA, CAA — what every record type does and when you need it.

SPF, DKIM, and DMARC Guide

Protect your domain from email spoofing with three DNS records. Step-by-step setup guide.

How to Check DNS Records

Three free methods to look up DNS records for any domain — web tools, command line, and more.

DNS Propagation Explained

Why DNS changes take time, how TTL and caching work, and how to speed up propagation.

Last updated · Built and maintained by exit1.dev — uptime, SSL, and domain monitoring with instant alerts.

Need Continuous DNS Monitoring?

Stop checking manually. exit1.dev monitors your DNS records around the clock and alerts you when something changes. Catch misconfigurations and hijacking attempts before they affect your users.

Start Free Monitoring
Start Monitoring