DNS Lookup

Perform real DNS queries for any domain using Cloudflare's secure DNS-over-HTTPS API. Get A, AAAA, MX, TXT, NS, CNAME, SOA records with TTL, response time, and full JSON output. Perfect for network admins, developers, and learners.

All queries go through our PHP proxy (api/dns-lookup.php). For PTR, enter reverse name (e.g., 1.0.0.127.in-addr.arpa).
google.com A
github.com A
cloudflare.com MX
wikipedia.org TXT
amazon.com NS
1.1.1.1 PTR
Privacy first: All queries are sent directly from your browser to DNS-over-HTTPS API. We do not log or store any domain you look up. No data leaves your device except the encrypted DNS request.

What is DNS?

The Domain Name System (DNS) is the phonebook of the internet. It translates human-friendly domain names (like example.com) into machine-readable IP addresses (like 93.184.216.34). DNS also provides other records – mail servers, text policies, cryptographic keys, etc. A DNS lookup is the process of querying these records from a DNS resolver.

How a DNS query works (simplified):

Your application → Recursive resolver (e.g., 1.1.1.1) → Root server → TLD server → Authoritative server → Answer returned.

DNS Record Types Explained

Type Purpose Example
A IPv4 address for a domain google.com → 142.250.185.46
AAAA IPv6 address google.com → 2607:f8b0:4005:805::200e
MX Mail exchange servers (with priority) 10 mail.protonmail.ch
TXT Arbitrary text, often for verification (SPF, DKIM, etc.) "v=spf1 include:_spf.google.com ~all"
NS Authoritative name servers for the domain ns1.google.com
CNAME Alias (canonical name) pointing to another domain www.example.com → example.com
SOA Start of authority – administrative info (serial, refresh, etc.) ns1.google.com. dns-admin.google.com. 2024031201 7200 1800 1209600 300
PTR Reverse lookup – maps IP to hostname (used for reverse DNS) 1.0.0.127.in-addr.arpa → localhost
SRV Service location (used by SIP, XMPP, etc.) _xmpp._tcp.gmail.com → 5 0 5269 xmpp-server.l.google.com
CAA Certification Authority Authorization – which CAs may issue certificates 0 issue "letsencrypt.org"

Why Use This Server‑Side DNS Tool?

  • No client‑side blocking: Some networks restrict API calls to external services. Our PHP backend bypasses that.
  • Privacy: The domain is only seen by our server and Cloudflare; we don't log.
  • Same great features: You still get TTL, response time, and raw JSON.

How DNS Lookup Works Under the Hood

This tool uses the DNS-over-HTTPS (DoH) protocol defined in RFC 8484. Instead of raw UDP, we send a JSON-formatted request over HTTPS to Cloudflare's endpoint. This encrypts the query and prevents eavesdropping or manipulation by ISPs. The API returns a JSON object containing the Response Code (0 = NOERROR), Question, Answer (if any), Authority, and Additional sections. The Status field indicates success (0) or errors (e.g., NXDOMAIN = 3).

We parse the Answer array to display records. TTL (time-to-live) tells you how long the result may be cached. The resolver (Cloudflare) recursively walks the DNS tree starting from the root, but you only see the final answer.

Step‑by‑Step Usage

  1. Enter a domain (e.g., example.com) or a reverse‑DNS name (for PTR).
  2. Choose the record type from the dropdown.
  3. Click "Lookup" – the browser sends a request to api/dns-lookup.php on our server.
  4. The PHP script forwards the query to Cloudflare and returns the JSON.
  5. Results appear in a table; the raw JSON is available by clicking "Show JSON".

Real‑World Use Cases

Scenario Record type Why it matters
Website migration (change IP) A / AAAA Check if new IP is live worldwide (TTL dependent).
Email delivery issues MX, TXT (SPF, DKIM) Verify MX priorities and SPF includes your sending server.
Subdomain delegation NS Ensure child zone's name servers are correctly set.
Certificate issuance CAA Confirm which Certificate Authorities are allowed.
Reverse DNS setup for mail server PTR Many email servers require PTR to match HELO.
Case Study: Diagnosing Email Spam Problems

A small business found their emails going to spam. Using this tool, they looked up the MX record of their domain and saw the correct mail server (priority 10). Then they checked TXT records: the SPF record was missing. After adding v=spf1 include:spf.protection.outlook.com -all (since they use Office 365), they re‑checked and the TXT appeared. Within 24 hours, email deliverability improved. The TTL indicated how long the change would take to propagate.

Common Misconceptions

  • “DNS records are private” – Most DNS records are public by design. Only queries themselves may be private if you use DoH.
  • “CNAME can coexist with other records” – At the apex (naked domain), CNAME conflicts with SOA, NS, etc. Use ALIAS or A record instead.
  • “TTL is how long until the record expires” – TTL indicates how long a resolver may cache it; after expiry, it must re‑query.
  • “PTR records are automatically created” – They must be configured by the IP owner (often your hosting provider).

Authority & Transparency – This tool is built in compliance with IETF standards (RFC 1035, 8484). The backend is open source (shown above) and uses Cloudflare public DNS-over-HTTPS endpoint. All displayed data comes directly from the DNS system; we do not cache or alter results. Reviewed by GetZenQuery's network engineering team, last updated March 2026. For further reading, see Cloudflare DoH documentation and RFC 1035.

Frequently Asked Questions

NXDOMAIN (Non‑Existent Domain) means the domain name does not exist. Check spelling or if the domain is newly registered (propagation delay).

For IPv4, reverse the octets and append .in-addr.arpa. Example: IP 8.8.8.8 → 8.8.8.8.in-addr.arpa. For IPv6, use nibble format under ip6.arpa. This tool accepts those names directly.

The Cloudflare API returns DNSSEC validation information via the AD (Authentic Data) flag in the response header. If present in the raw JSON, it indicates the resolver validated the response.

It depends on network latency, resolver load, and whether the record was already cached. The first query for a domain may take longer (≈100‑300 ms) due to recursion.

No – the Cloudflare resolver only answers for public DNS. For internal names (like company.local), you need a resolver inside your network.

TTL is provided by the authoritative name server. The resolver may reduce it slightly (due to RFC 8767), but we display the exact TTL from the answer.
References: Cloudflare DoH; RFC 1035; ICANN DNS Resources.