Skip to main content
DNS-over-HTTPS · Cloudflare

DNS lookup — every record type.

Resolve any domain to A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR, or SRV records. Answers are unbiased and DNSSEC-validated when the upstream provides it.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa · PTRNXDOMAIN · 0 records · 9ms

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa does not exist (NXDOMAIN).

Resolved via cloudflare-dns.com (Cloudflare 1.1.1.1). JSON output.

What this tool does

DNS — the Domain Name System — is the internet's lookup layer: it translates the human-friendly names you type into the addresses and routing data machines actually use. This tool resolves any domain to a specific record type and shows you the raw answer, including the TTL for each record and whether the response was DNSSEC-validated. It is the fastest way to confirm what the public DNS currently says about a domain, independent of whatever your own machine or network has cached.

How the lookup works under the hood

Rather than asking your operating system's resolver, IPFerret forwards the query to Cloudflare's public resolver at 1.1.1.1 using DNS-over-HTTPS (DoH). Instead of a plain UDP datagram on port 53, the question travels inside an encrypted HTTPS request. Two things follow from that: the query is private in transit, and the answer comes from a large, well-connected recursive resolver rather than your ISP's — so you sidestep stale local caches and ISP-level filtering. The result is a neutral view of what authoritative name servers are publishing right now.

What does each record type do?

  • A / AAAA — the IPv4 and IPv6 addresses a name resolves to. The most common records on the internet.
  • MX — mail exchange servers for a domain, with priorities. Use this to check where email for a domain is delivered.
  • TXT — free-form text records. Holds SPF policies, DKIM keys, domain verification tokens (Google, Microsoft, Stripe, etc.), and DMARC.
  • NS — the authoritative name servers for the domain. The starting point for any DNS resolution.
  • CNAME — an alias from one name to another. Common for CDN-backed subdomains (e.g. www.example.com example.com.cdn.cloudflare.net).
  • SOA — administrative metadata for the zone (primary nameserver, serial number, refresh / retry intervals).
  • CAA — restricts which Certificate Authorities are allowed to issue TLS certificates for the domain. A small but important security record.
  • PTR — reverse DNS. Maps an IP back to a hostname (queried via the in-addr.arpa zone — IPFerret submits the query in the right form for you).

Reading the results: TTL, DNSSEC, and status

Each row shows the record data and its TTL — the number of seconds a resolver is allowed to cache that answer. A long TTL (say 86400, one day) means changes propagate slowly; a short TTL (300, five minutes) is what you switch to before a planned migration so the cutover is quick. If the response is signed and validated, the header shows DNSSEC ✓, meaning the chain of cryptographic signatures from the root zone down to this record checked out and the answer has not been tampered with in transit. An empty answer is not necessarily an error: a NOERROR status with zero records means the name exists but has no record of that type, whereas NXDOMAIN means the name does not exist at all.

Common use cases and pitfalls

  • Email troubleshooting. Check MX to see where mail is delivered, then read TXT for SPF, DKIM, and DMARC policies — the three records that decide whether your mail is trusted.
  • Verifying a migration. After changing a host, query the A/AAAA records here. Because this resolver does not share your machine's cache, it often shows the new value before your laptop does.
  • Don't confuse caches with authority. A clean answer here reflects what a public resolver sees; a different result on your own network usually means a stale local cache or an internal “split-horizon” DNS view, not a broken zone.
  • Shareable URLs. Send a teammate /dns?name=example.com&type=MX and they will see the same answer you did.

Frequently asked questions

What is DNS-over-HTTPS and why does this tool use it?

DoH wraps the DNS query inside an encrypted HTTPS request instead of plain UDP on port 53. IPFerret forwards your lookup to Cloudflare 1.1.1.1 over DoH, which keeps the query private in transit and bypasses any caching or filtering your local resolver might apply — so you see a fresh, neutral answer.

Why don't my DNS changes show up immediately?

Every record carries a TTL telling resolvers how long to cache it. Until that cache expires, resolvers keep returning the old value even after you publish a change. Lower the TTL before a planned change, and allow at least the old TTL to elapse afterward before expecting the new value everywhere.

What does an empty result or NXDOMAIN mean?

An empty answer with NOERROR means the name exists but has no record of the type you asked for. NXDOMAIN means the name itself does not exist in DNS at all. One is a missing record type; the other is a missing name.

JSON API

Same data, machine-readable: GET /api/dns?name=<domain>&type=<A|AAAA|MX|…>. CORS-enabled and cached for 30s at the edge. Example: /api/dns?name=example.com&type=MX.

Related tools

Pair this with the WHOIS / RDAP lookup to see who owns the address a name resolves to, reverse DNS to go from an IP back to a hostname, and the TLS certificate checker to confirm the host serves a valid certificate. For the background, read how DNS works and DoH versus DoT.