
DNS Lookup Tool

Query public DNS records with SSRF-safe hostname validation

About DNS Lookup Tool

DNS Lookup Tool on UtilityKit queries live public DNS records for any domain directly from your browser — no terminal, no dig command, no local DNS resolver configuration required. Enter a hostname, pick a record type, and the tool returns a structured JSON response showing every record returned for that query. Supported record types cover the full operational range: A records resolve IPv4 addresses for a hostname; AAAA records resolve IPv6 addresses; MX records list mail exchange servers and their priority weights; TXT records expose SPF, DKIM, DMARC, site verification tokens, and other policy strings; CNAME records follow alias chains to their canonical name; and NS records reveal which nameservers are authoritative for the domain. The backend performs SSRF-safe hostname resolution, blocking localhost, RFC1918 private ranges (10.x.x.x, 172.16–31.x.x,.

Why use DNS Lookup Tool

No Terminal Required

Get DNS record lookups from any browser without installing dig, nslookup, or any CLI tool. Works on Windows, macOS, Linux, and mobile — wherever you have a browser open.

All Six Critical Record Types

Query A, AAAA, MX, TXT, NS, and CNAME records in a single interface. Switch record types with a dropdown and re-query in one click without clearing the hostname.

Structured JSON Output

Results are returned as formatted JSON with type, value, and TTL fields for each record — easy to read, compare, and paste into documentation or incident reports.

Public Resolver Perspective

Queries go through a public DNS resolver and reflect what the global internet resolves — not your local network's potentially stale or split-horizon DNS cache.

SSRF-Safe

The backend validates and blocks all private, loopback, and link-local addresses before resolving, preventing the tool from being used to probe internal network infrastructure.
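
One way to implement this kind of pre-resolution check, as an added example that is not UtilityKit's backend code. The names check_lookup_target and blocked_ip are hypothetical, and the rule rejecting a numeric final label is an assumption that goes beyond what the page states.

```python
import ipaddress
import re

# Constructed policy for illustration: the page names localhost, RFC1918,
# loopback and link-local as blocked but does not publish its rule set.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")
NUMERIC_RE = re.compile(r"^(0x[0-9a-f]*|[0-9]+)$")

def blocked_ip(text):
    """Return True/False for an IP literal, or None if text is not an IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return (ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified)

def check_lookup_target(raw):
    """Return None if the target may be resolved, else a rejection reason."""
    host = raw.strip().lower()
    if "://" in host or "/" in host:
        return "scheme or path present"
    host = host.rstrip(".")                 # "localhost." is still localhost
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                   # bracketed IPv6 literal
    verdict = blocked_ip(host)
    if verdict is not None:
        return "blocked address range" if verdict else None
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost name"
    labels = host.split(".")
    if not host or len(host) > 253 or not all(LABEL_RE.match(l) for l in labels):
        return "not a valid hostname"
    # Assumption: legacy parsers read names such as 2130706433 or 127.1
    # as IPv4, so a numeric final label is refused rather than resolved.
    if NUMERIC_RE.match(labels[-1]):
        return "numeric final label"
    return None
```

The check runs on the normalized string before any resolver is contacted, so a trailing dot, brackets, or an IPv4-mapped IPv6 form is classified the same way as the plain address.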

Instant Propagation Check

After a DNS change, query the same hostname repeatedly to watch TTL values decrease and confirm when new records have propagated to the public resolver being queried.

How to use DNS Lookup Tool

  1. Enter a hostname in the input field without a scheme or path — for example, utilitykit.tools or mail.example.com. Do not include https:// or trailing slashes.
  2. Select the DNS record type from the dropdown: A for IPv4, AAAA for IPv6, MX for mail servers, TXT for policy and verification strings, NS for nameservers, or CNAME for alias resolution.
  3. Click Lookup. The request is sent to the UtilityKit backend, which queries a public DNS resolver and returns the raw record set as JSON.
  4. Review the structured JSON result — each record shows the data value, TTL (time to live in seconds), and record type. MX records also include priority.
  5. To check a different record type for the same hostname, change the dropdown selection and click Lookup again without re-entering the hostname.
  6. Copy the raw JSON output for inclusion in incident reports, DNS audit documentation, or comparison against expected record values.

When to use DNS Lookup Tool

  • When you have just updated an A or AAAA record and want to verify the new IP address has propagated to public resolvers before updating your CDN or SSL certificate.
  • When debugging mail delivery failures by checking MX records and their priority order to confirm the correct mail exchange servers are listed and ranked correctly.
  • When verifying an SPF policy, DMARC policy, or domain ownership TXT record has been added correctly by the DNS administrator — especially useful after delegating DNS management to another team.
  • When auditing CNAME chains on a CDN or load balancer configuration to confirm the alias resolves to the expected canonical hostname without unexpected intermediate hops.
  • When checking nameserver delegation after a domain transfer — NS records confirm which nameservers are authoritative and whether the registrar update has propagated.
  • When investigating a DNS hijacking or cache poisoning incident and you need a clean public-resolver view of current records to compare against expected values.

Examples

A record lookup for a domain

Input: Hostname: utilitykit.tools | Type: A

Output: { "type": "A", "hostname": "utilitykit.tools", "records": [ { "address": "134.122.89.44", "ttl": 300 } ] }

MX records for a domain mail configuration

Input: Hostname: gmail.com | Type: MX

Output: { "type": "MX", "hostname": "gmail.com", "records": [ { "exchange": "alt1.gmail-smtp-in.l.google.com", "priority": 5, "ttl": 300 }, { "exchange": "alt2.gmail-smtp-in.l.google.com", "priority": 10, "ttl": 300 }, { "exchange": "alt3.gmail-smtp-in.l.google.com", "priority": 20, "ttl": 300 }, { "exchange": "alt4.gmail-smtp-in.l.google.com", "priority": 30, "ttl": 300 }, { "exchange": "gmail-smtp-in.l.google.com", "priority": 5, "ttl": 300 } ] }

TXT record lookup showing SPF policy

Input: Hostname: example.com | Type: TXT

Output: { "type": "TXT", "hostname": "example.com", "records": [ { "value": "v=spf1 include:_spf.google.com include:amazonses.com ~all", "ttl": 3600 }, { "value": "google-site-verification=abc123XYZverificationtoken", "ttl": 3600 } ] }
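
The TXT response above can be checked mechanically. The following is an added example, not part of UtilityKit: audit_spf is a hypothetical helper that reads JSON in the shape shown in the Output line and applies the SPF rules from RFC 7208 (one record per name, at most 10 DNS-querying terms, the meaning of the "all" qualifier). The sample input is constructed.

```python
import json

# Constructed sample in the TXT response shape shown in the page's example.
SAMPLE = """{ "type": "TXT", "hostname": "example.com", "records": [
  { "value": "v=spf1 include:_spf.google.com include:amazonses.com ~all", "ttl": 3600 },
  { "value": "google-site-verification=abc123XYZverificationtoken", "ttl": 3600 } ] }"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def is_spf(value):
    value = value.lower()
    return value == "v=spf1" or value.startswith("v=spf1 ")

def counts_as_lookup(term):
    """True for terms that cost a DNS query during SPF evaluation."""
    name = term.lower().lstrip("+-~?")
    if name.startswith(("include:", "exists:", "redirect=")):
        return True
    return name.split(":")[0].split("/")[0] in ("a", "mx", "ptr")

def audit_spf(response_json):
    """Summarise the SPF policy found in one TXT lookup response."""
    records = json.loads(response_json).get("records", [])
    spf = [r["value"] for r in records if is_spf(r.get("value", ""))]
    report = {"spf_records": len(spf), "all": None, "lookups": 0, "findings": []}
    if len(spf) != 1:
        # Zero records means no policy; several is a permanent error.
        report["findings"].append("no SPF record" if not spf else "multiple SPF records")
        return report
    terms = spf[0].split()[1:]
    # Top-level count only: terms inside included records also count.
    report["lookups"] = sum(counts_as_lookup(t) for t in terms)
    if report["lookups"] > 10:
        report["findings"].append("more than 10 DNS-querying terms")
    for term in terms:
        if term.lower().lstrip("+-~?") == "all":
            report["all"] = QUALIFIERS.get(term[0], "pass")  # bare "all" is +all
            break
    if report["all"] in ("pass", "neutral"):
        report["findings"].append("'all' does not reject unlisted senders")
    elif report["all"] is None and not any(t.lower().startswith("redirect=") for t in terms):
        report["findings"].append("no 'all' or redirect term")
    return report
```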

Tips

  • Before changing a critical record like an A record or MX record, lower the TTL to 300 seconds (5 minutes) and wait for the current TTL to drain. This limits propagation delay after the actual change.
  • To check DMARC, query a TXT record for the subdomain _dmarc.yourdomain.com — for example, _dmarc.utilitykit.tools. DMARC records always live on that _dmarc subdomain, not the root domain.
  • DKIM public keys are published under the pattern selector._domainkey.yourdomain.com. Query TXT records for that subdomain using your actual selector name, which is typically shown in your email provider's DKIM setup instructions.
  • When debugging CNAME chains, follow each step manually — query the CNAME to get the target hostname, then query A records for that hostname. This reveals whether the chain terminates at the expected IP.
  • NS record results tell you which nameservers are authoritative for the domain. If the NS records point to unexpected nameservers after a registrar transfer, the zone may not have been re-delegated correctly.

Frequently Asked Questions

What is the difference between an A record and a CNAME record?

An A record maps a hostname directly to an IPv4 address. A CNAME record maps a hostname to another hostname (an alias), and the resolver then looks up the target hostname to find the final IP address. CNAME records introduce an extra resolution hop but are commonly used for CDN and load balancer configurations where the target IP is managed by the provider.

Why might the result differ from what I see locally?

DNS lookups are subject to caching at multiple layers — your OS resolver, your ISP's resolver, and your local network's DNS server may all return cached values that differ from what the authoritative nameserver currently serves. This tool queries a public resolver and reflects what the global internet sees, not your local cache. Wait for TTL to expire or flush your local DNS cache to reconcile differences.

What is TTL in DNS?

TTL (Time To Live) is the number of seconds a DNS record can be cached by resolvers before they must re-query the authoritative nameserver. A TTL of 300 means resolvers cache the record for 5 minutes. Lower TTLs allow faster propagation of DNS changes; higher TTLs reduce load on authoritative nameservers.

Why do TXT records contain SPF, DKIM, and DMARC data?

TXT records are a general-purpose text container at the DNS level, so email authentication standards like SPF, DKIM, and DMARC all use TXT records to publish their policies. SPF records typically look like 'v=spf1 include:... ~all', DMARC records start with 'v=DMARC1', and DKIM public keys are published under a subdomain selector._domainkey.example.com.

What is an MX record priority and how does it work?

MX records include a priority value (lower number = higher priority). When sending mail to a domain, a sending mail server queries MX records and connects to the server with the lowest priority number first. If that server is unavailable, it tries the next lowest priority. This enables primary and fallback mail server configurations.

Can I look up subdomains?

Yes. Enter the full subdomain hostname — such as mail.example.com, _dmarc.example.com, or www.example.com — exactly as you would in a dig command. The tool resolves whatever hostname you provide against the public DNS.

Why are private and localhost addresses blocked?

SSRF (Server-Side Request Forgery) protection prevents the backend from being used to probe internal network services. Allowing lookups for 192.168.x.x, 10.x.x.x, or localhost would let external users query internal infrastructure through the UtilityKit server. All such ranges are blocked before resolution.

How long does DNS propagation take after a change?

Propagation time depends on the TTL of the old record. If the old A record had a TTL of 3600 seconds (one hour), resolvers that cached it at its last refresh may serve it for up to another hour after the change. Lowering TTL to 300 before making a change (and waiting for the old TTL to expire) is standard practice for minimal-downtime migrations.

Glossary

A Record

A DNS record type that maps a hostname to an IPv4 address. The most fundamental record type — querying example.com for its A record returns the server's IP address.

MX Record

Mail Exchange record — specifies the mail server responsible for accepting email for a domain, along with a priority number. Lower priority numbers indicate preferred mail servers.

TXT Record

A general-purpose DNS record that stores arbitrary text strings. Used for email authentication policies (SPF, DKIM, DMARC), domain ownership verification, and service configuration hints.

CNAME Record

Canonical Name record — an alias that maps one hostname to another. The resolver follows the chain until it reaches an A or AAAA record with an actual IP address.

TTL (Time To Live)

The number of seconds a DNS record can be cached by resolvers before they must re-query the authoritative nameserver. Controls how quickly DNS changes propagate globally.

Authoritative Nameserver

The DNS server that holds the definitive, original records for a domain zone. Recursive resolvers ultimately fetch data from authoritative nameservers after following the delegation chain from root to TLD to domain.