§ · free tool

DNS lookup. All records, one query.

Enter a domain. Get the live A, AAAA, MX, TXT, NS, CNAME, and CAA records — pulled in parallel from Cloudflare's public DNS-over-HTTPS endpoint. No signup, no log. Reads in 1-2 seconds.

All record types in one parallel query. Enter a domain; the form fans out seven simultaneous DNS-over-HTTPS calls to Cloudflare for A, AAAA, MX, TXT, NS, CNAME, and CAA. Renders each as its own card. Typical response: 1-2 seconds. SPF and DMARC presence is auto-detected and surfaced.

Apex (example.com) returns the most complete set; sub-domains return their own A/CNAME.


No data is sent to Digital Heroes servers. The query goes directly from your browser to Cloudflare's public DoH endpoint.

Privacy: query sent only to cloudflare-dns.com. Recent lookups stay in browser localStorage.

§ 02 · what each record does

Seven record types. Three real concerns.

A and AAAA answer "where does this hostname resolve?" A is IPv4 (4-byte); AAAA is IPv6 (16-byte). Modern hosts publish both. If A is missing, the domain does not resolve at all over IPv4 — a critical fault. AAAA missing is fine for now but increasingly noticed by IPv6-only networks (mostly mobile carriers in some regions). The TTL value tells you how long resolvers cache the answer; a low TTL (300s) means changes propagate fast, a high TTL (86400s) means changes take a day.

MX is mail routing. Each MX record has a priority (lower wins) and a host. A domain with no MX cannot receive email, full stop. A domain with an MX but no SPF is spoofable — anyone can send mail "from" your domain to anywhere. SPF + DMARC together are the modern minimum; we surface their presence inline in the TXT card. The MX itself usually points to a provider — google.com mail (MX 1 aspmx.l.google.com), Microsoft 365 (MX 0 yourdomain-com.mail.protection.outlook.com), or your own mail server.

TXT is a catch-all bucket carrying SPF (v=spf1 …), DMARC (v=DMARC1 … at _dmarc.example.com), DKIM keys (at selector._domainkey.example.com), Google Workspace verification (google-site-verification=…), Microsoft 365 verification (MS=ms…), and any other arbitrary domain-ownership string a platform asks you to publish. We surface SPF and DMARC presence with a colored badge so the email-deliverability state is immediately visible.

NS records list the authoritative name servers for the zone — the actual servers that hold the master DNS records. A mismatch between the registrar's NS list (visible in WHOIS) and the live NS record (visible here) means DNS is being served from a different provider than the registrar thinks. Common during migrations; if this card shows ns1.cloudflare.com but WHOIS says ns1.namecheap.com, the registrar's setting needs updating before the next propagation cycle.

CNAME is canonical-name aliasing. www.example.com often CNAMEs to example.com. CDN setups CNAME to a vendor-provided host (yourdomain.cloudflare-dns.com, yourdomain.aws.cloud-cdn.com). CNAME and apex A cannot coexist on the same host — that's why apex-A is required for the root domain.

CAA (Certificate Authority Authorization) tells public Certificate Authorities which CAs are allowed to issue SSL certificates for the domain. A CAA record reading 0 issue "letsencrypt.org" means only Let's Encrypt may issue. Without any CAA record, any CA may issue — which is the cert-mis-issuance risk that prompted the standard. Setting CAA is a one-line zone change with significant security upside; very few domains do it.

§ 03 · when to use this

Four jobs this tool does.

Job 1: Migration cutover validation. When you flip name servers from a legacy host to a new provider, you need to confirm the new NS records have actually replaced the old ones. Cloudflare's DoH bypasses your local resolver cache, so this tool shows you the propagated truth without waiting for your laptop's DNS cache to expire.

Job 2: Email deliverability triage. A user reports "your emails go to spam." First check: does the sending domain have SPF? Does it have DMARC? If MX is present but the TXT records are missing those, you have an authentication gap. Set SPF + DMARC; deliverability often recovers within 24-48 hours.

Job 3: SSL certificate troubleshooting. Issuance failure? Check CAA. A misconfigured CAA record blocks every CA except the listed ones. If the cert provider isn't on the list, issuance silently fails. The fix is usually adding the right CA to the CAA record at the registrar's DNS panel.
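The CAA check described here and in the record overview, as an added example (not this tool's code): it decides whether a given CA may issue for a name, including the climb to the parent zone and the wildcard rule. The zone data, `sampleLookup` and the CA names other than letsencrypt.org are constructed, and records are assumed to be in the `0 issue "letsencrypt.org"` form quoted above.

```javascript
// Added example: CAA strings are in the presentation form quoted on this page
// (flags, tag, value). ZONE is constructed sample data, not a live lookup.
function parseCaa(data) {
  const m = /^(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?$/.exec(data.trim());
  if (!m) return null;
  return { critical: (Number(m[1]) & 128) !== 0, tag: m[2].toLowerCase(), value: m[3] };
}

// Climb from the name toward the root; the first non-empty CAA set applies.
function relevantSet(fqdn, lookup) {
  const labels = fqdn.toLowerCase().replace(/^\*\./, "").replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const rrset = lookup(labels.slice(i).join(".")) || [];
    if (rrset.length) return rrset.map(parseCaa).filter(Boolean);
  }
  return [];
}

function mayIssue(fqdn, caDomain, lookup) {
  const set = relevantSet(fqdn, lookup);
  // A critical record with a tag the CA does not understand forbids issuance.
  const known = ["issue", "issuewild", "iodef"];
  if (set.some(r => r.critical && !known.includes(r.tag))) return false;
  // Wildcard requests use issuewild when present, otherwise fall back to issue.
  let rules = fqdn.startsWith("*.") ? set.filter(r => r.tag === "issuewild") : [];
  if (!rules.length) rules = set.filter(r => r.tag === "issue");
  if (!rules.length) return true; // nothing restricts issuance: any CA may issue
  // Value is "<ca-domain>[; params]"; an empty domain (";") authorizes no CA.
  const want = caDomain.toLowerCase();
  return rules.some(r => r.value.split(";")[0].trim().toLowerCase() === want);
}

const ZONE = new Map([ // constructed
  ["example.com", ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                   '0 iodef "mailto:sec@example.com"']],
  ["legacy.example.com", ['0 issue "ca.example.net"']],
]);
const sampleLookup = name => ZONE.get(name);
```

A subdomain with its own CAA set (legacy.example.com here) overrides the apex, so an issuance failure on one host can come from a record the apex lookup never shows.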

Job 4: Subdomain-takeover risk audit. A CNAME pointing at a hosted resource you no longer control (a deleted Heroku app, an expired GitHub Pages repo, an unclaimed S3 bucket) is a subdomain-takeover vector. Periodic audits surface stale CNAMEs; this tool gives you the live record per host.
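One way to run that periodic audit over your own host inventory, as an added example (not this tool's code): each host's DoH JSON answer is classified against the CNAME target the inventory expects. `classify`, `audit`, the state names and the sample responses are constructed for illustration; the endpoint and `application/dns-json` header are Cloudflare's public JSON API.

```javascript
// Added example: audit logic over DoH JSON responses. The sample responses are
// constructed; doh() is the only part that touches the network.
const DOH = "https://cloudflare-dns.com/dns-query";
async function doh(name, type = "A") {
  const url = `${DOH}?name=${encodeURIComponent(name)}&type=${type}`;
  const res = await fetch(url, { headers: { accept: "application/dns-json" } });
  return res.json();
}

const norm = n => n.toLowerCase().replace(/\.$/, "");

// resp: DoH JSON for an A query on host.
// expected: the CNAME target your inventory says this host should point at.
function classify(host, resp, expected) {
  const answers = resp.Answer || [];
  const chain = answers.filter(a => a.type === 5).map(a => norm(a.data)); // 5 = CNAME
  if (!chain.length) return { host, state: "no-cname" };
  const target = chain[0];
  const hasAddress = answers.some(a => a.type === 1);                      // 1 = A
  let state = "ok";
  if (resp.Status === 3) state = "dangling";            // NXDOMAIN behind the alias
  else if (!hasAddress) state = "no-address";           // alias exists, no A behind it
  else if (!expected || norm(expected) !== target) state = "unexpected-target";
  return { host, target, state };
}

// inventory: { host: expectedTarget }. Returns only the hosts that need attention.
async function audit(inventory, resolve = doh) {
  const out = [];
  for (const [host, expected] of Object.entries(inventory)) {
    out.push(classify(host, await resolve(host), expected));
  }
  return out.filter(r => r.state !== "ok" && r.state !== "no-cname");
}

const RESP_STALE = { Status: 3, Answer: [ // constructed
  { name: "old.example.com", type: 5, TTL: 300, data: "retired-app.hosting.example." }] };
const RESP_LIVE = { Status: 0, Answer: [ // constructed
  { name: "www.example.com", type: 5, TTL: 300, data: "example.com." },
  { name: "example.com", type: 1, TTL: 300, data: "192.0.2.10" }] };
```

An "ok" result only means the alias resolves to the target the inventory lists; whether the resource behind that target is still yours has to be confirmed in the hosting provider's account.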

For deeper signals, our sibling tools cover them: WHOIS lookup for the registry record, Wayback archive viewer for first-capture history, Domain Health Checker for a five-signal composite.

§ 04 · questions

Six questions users ask.

What is DNS-over-HTTPS?

DNS-over-HTTPS (DoH) is the IETF standard (RFC 8484) for sending DNS queries over HTTPS instead of plaintext UDP. It encrypts the query in transit and is supported by every major resolver. We use Cloudflare's public DoH endpoint at cloudflare-dns.com/dns-query, which is CORS-enabled and free at any sane volume. The query goes from your browser directly to Cloudflare; no Digital Heroes server is involved.

What does each record type tell me?

A returns IPv4 host addresses; AAAA returns IPv6. MX is mail exchanger records (where email for the domain routes). TXT is free-form text records, used for SPF (email anti-spoofing), DMARC (email policy), DKIM (email signing keys), and verification strings for Google Workspace, Microsoft 365, etc. NS is the authoritative name servers. CNAME is canonical-name aliases (e.g., www points to the apex). CAA is certificate authority authorization (which CAs may issue SSL certs for the domain).

Why doesn't this match my dig output?

Two reasons. First, DNS propagation: a record changed in the last few minutes may not have reached Cloudflare's resolver yet, while your local dig hits a different resolver that has the new value. Second, recursive vs authoritative: dig with default flags asks your configured resolver, which may have a cached older value with TTL not yet expired. To force-fresh, dig +trace queries the authoritative name servers directly. We always hit Cloudflare's public resolver, which has its own TTL behavior.

Can I check sub-domain records?

Yes. www.example.com, api.example.com, app.example.com — each is a distinct DNS name with its own record set. The tool accepts any valid DNS name. Note that some record types are inherited from the apex (NS most commonly) while others (A, MX, TXT) are usually distinct per host.

Does this tool log my domain query?

No. The query goes only to Cloudflare's public DoH endpoint. Cloudflare publishes a privacy commitment for the 1.1.1.1/DoH service. Nothing is logged on Digital Heroes servers. Recent lookups are stored in your browser's localStorage and stay on your device.

How do I read a TXT record like SPF or DMARC?

SPF records start with v=spf1 and list the IPs and includes that may send mail for the domain. DMARC records live at _dmarc.example.com and start with v=DMARC1, listing the policy (none/quarantine/reject), reporting addresses, and alignment rules. DKIM signing keys are at selector._domainkey.example.com (the selector varies per provider — google, mailgun, k1, etc.). Our tool surfaces SPF + DMARC inline when present at the apex; deeper SPF/DMARC inspection belongs to a dedicated email-deliverability tool.
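The SPF/DMARC reading described in this answer and in the deliverability-triage job, as an added example (not this tool's code): it joins multi-chunk TXT strings, finds the SPF and DMARC records, and reports the gaps. Function names, finding strings and sample records are constructed; DMARC TXT is assumed to have been fetched from _dmarc.example.com separately.

```javascript
// Added example: TXT strings below are constructed, shaped like DoH JSON "data" fields.
// A TXT value may arrive as several quoted chunks that must be concatenated.
function txtValue(data) {
  const chunks = data.match(/"((?:[^"\\]|\\.)*)"/g);
  if (!chunks) return data.trim();
  return chunks.map(c => c.slice(1, -1).replace(/\\(.)/g, "$1")).join("");
}

// "v=DMARC1; p=none; rua=mailto:x" -> { v: "DMARC1", p: "none", rua: "mailto:x" }
function parseTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function emailAuthState({ mx, apexTxt, dmarcTxt }) {
  const spf = apexTxt.map(txtValue).filter(t => /^v=spf1(\s|$)/i.test(t));
  const dmarc = dmarcTxt.map(txtValue).filter(t => /^v=DMARC1\s*;/.test(t));
  // Qualifier on a trailing "all": "-" fail, "~" softfail, "?" neutral, "+" or none pass.
  const m = spf.length === 1 ? /(?:^|\s)([-~?+]?)all\s*$/i.exec(spf[0]) : null;
  const policy = dmarc.length === 1 ? (parseTags(dmarc[0]).p || "").toLowerCase() : null;
  const findings = [];
  if (mx.length && !spf.length) findings.push("MX present, no SPF");
  if (spf.length > 1) findings.push("multiple SPF records");
  if (m && (m[1] === "+" || m[1] === "")) findings.push("SPF ends in +all");
  if (!dmarc.length) findings.push("no DMARC record");
  if (policy === "none") findings.push("DMARC p=none");
  return { spfAll: m ? m[1] + "all" : null, dmarcPolicy: policy, findings };
}

const SAMPLE_OK = { // constructed
  mx: ["1 aspmx.l.google.com."],
  apexTxt: ['"google-site-verification=CONSTRUCTED"',
            '"v=spf1 include:_spf.google.com " "~all"'],
  dmarcTxt: ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
};
const SAMPLE_GAP = { // constructed
  mx: ["10 mail.example.com."], apexTxt: ['"MS=msCONSTRUCTED"'], dmarcTxt: [],
};
```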

§ 06 · need a real engagement

Migration sequence? 30-min call.

DNS migrations require sequencing — registrar, NS, propagation, mail re-auth, SSL re-issue. A 30-minute call covers the order of operations and a fixed-price quote.