ZeroTool Workbench

DNS Lookup

Look up DNS records for any domain via DNS-over-HTTPS. A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, PTR, and SRV via Cloudflare or Google. 100% browser-based, no upload.

How to Use

  1. Enter a domain — bare hostname, full URL, or trailing-dot form all work; the tool normalises automatically.
  2. Pick a record type. ALL fans out parallel queries for A, AAAA, CNAME, MX, TXT, NS, SOA, and CAA in one click.
  3. Pick a resolver: Cloudflare (1.1.1.1) or Google (8.8.8.8).
  4. Click Lookup or press Enter.
  5. Switch between Records, Raw (dig-style output), and JSON (raw DoH response) tabs.

Record types supported

  • A — IPv4 address.
  • AAAA — IPv6 address.
  • CNAME — canonical alias pointing at another name.
  • MX — mail exchanger with priority.
  • TXT — arbitrary text. Hosts SPF, DKIM, DMARC, domain verification, and HTTP/3 origin signals.
  • NS — authoritative name servers for the zone.
  • SOA — Start of Authority: primary NS, contact, serial, refresh timers.
  • CAA — which Certificate Authorities may issue for the domain.
  • PTR — reverse DNS. Query the x.y.z.w.in-addr.arpa name yourself; the tool issues a plain PTR query.
  • SRV — service location with priority, weight, port, and target.

Why DNS-over-HTTPS

Browsers cannot open raw UDP/53 sockets, which is why no in-browser tool can speak classic DNS. DoH wraps DNS messages in HTTPS, so a regular fetch() call can ask a public resolver for any record. Cloudflare and Google both expose a JSON profile (application/dns-json for Cloudflare, native JSON for Google) with permissive CORS — this tool does nothing more than call those endpoints and render the response.

Reading the summary pills

  • NOERROR / NXDOMAIN / SERVFAIL — the DNS RCODE. NXDOMAIN is a valid answer meaning “domain does not exist”; SERVFAIL means the resolver could not answer.
  • N records — how many answer records came back. Zero with NOERROR means the type exists for the zone elsewhere but not for the requested name.
  • DNSSEC ✓ — the AD flag is set. The resolver validated signatures.
  • Resolver — which DoH endpoint served the response.
  • Latency — round-trip time from fetch() start to JSON parse.

Typical use cases

  • Verifying that an A or CNAME change has propagated past a specific resolver.
  • Confirming MX, SPF (TXT), DKIM (TXT), and DMARC (TXT) before launching a new sending domain.
  • Comparing the records two public resolvers see — Cloudflare vs Google can disagree during a propagation window.
  • Checking CAA before issuing a certificate to avoid the “CAA mismatch” failure mode.
  • Sanity-checking NS delegation when moving zones between registrars.

Limits by design

This is a single-shot resolver client. It does not perform automatic ARPA conversion for reverse IP lookups (input the in-addr.arpa name yourself for PTR), it does not query authoritative servers directly (it asks a public recursive), and it does not run history, WHOIS, blocklist, or propagation comparisons across many resolvers. For propagation maps use whatsmydns.net; for authoritative-only lookups use dig @ns1.example.com locally.

FAQ

Does this tool send my queries to a ZeroTool server?

No. The browser issues the DoH request directly to cloudflare-dns.com or dns.google. ZeroTool has no DNS proxy and never sees the query. Your IP and the queried name are visible only to the resolver you pick.

Which DoH providers does it use, and can I change them?

Cloudflare (1.1.1.1) and Google (8.8.8.8). Pick from the resolver dropdown. The tool ships with these two by design: they have stable JSON DoH endpoints and CORS enabled. For private resolvers, run dig @your-doh-host +https locally (the optional +https=/path value sets the endpoint path, which defaults to /dns-query).

Why is the result different from `dig` on my machine?

Two reasons. First, you are asking a public recursive resolver that may have a cached or geo-routed answer different from your local recursive. Second, your local dig may pick up split-horizon records that public DoH cannot see (corporate VPN, /etc/hosts, internal DNS). The DoH result reflects what the public internet sees.

What does the DNSSEC indicator (the AD flag) mean?

AD = Authenticated Data. The flag is true when the resolver successfully validated DNSSEC signatures up to a trust anchor. False means the zone is unsigned, the signature failed, or DNSSEC validation was disabled. ZeroTool sends cd=0 so the resolver always performs validation.

Why does a long TXT record arrive split into multiple quoted strings?

DNS limits each TXT string to 255 bytes (RFC 1035). Long SPF, DKIM, or DMARC records are stored as multiple strings inside one TXT record. The DoH JSON preserves the quoted segments verbatim — concatenate them (without separator) to get the logical value.
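The summary pills and the TXT concatenation rule above, worked through as an added example (not ZeroTool's own code). The function names and the sample response are constructed for illustration; the response field names are those of the Cloudflare and Google JSON DoH format.

```javascript
// Added example, not ZeroTool's code. Status/AD/Answer/name/type/TTL/data are
// the fields of the Cloudflare and Google JSON DoH responses.
const RCODES = { 0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN" };
const TYPE_TXT = 16;

// cd=0 leaves DNSSEC validation on at the resolver, as the page describes.
function buildDohUrl(endpoint, name, type) {
  const url = new URL(endpoint);
  url.searchParams.set("name", name);
  url.searchParams.set("type", type);
  url.searchParams.set("cd", "0");
  return url.toString();
}

// Join the quoted <=255-byte strings of one TXT record, with no separator.
function joinTxt(data) {
  const parts = [];
  const quoted = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = quoted.exec(data)) !== null) {
    parts.push(m[1].replace(/\\(["\\])/g, "$1")); // unescape \" and \\
  }
  return parts.length ? parts.join("") : data; // unquoted data passes through
}

// Reduce a response to the values the summary pills show.
function summarize(resp) {
  const answers = resp.Answer || []; // Answer is absent on NXDOMAIN / no data
  return {
    rcode: RCODES[resp.Status] || "RCODE" + resp.Status,
    count: answers.length,
    dnssecValidated: resp.AD === true,
    records: answers.map((a) => ({
      name: a.name, type: a.type, ttl: a.TTL,
      value: a.type === TYPE_TXT ? joinTxt(a.data) : a.data,
    })),
  };
}

// Constructed sample: one SPF TXT record stored as two strings.
const SAMPLE = {
  Status: 0, AD: true,
  Answer: [{ name: "example.com", type: 16, TTL: 300,
    data: '"v=spf1 include:_spf.example.net " "ip4:192.0.2.0/24 -all"' }],
};
const summary = summarize(SAMPLE);
console.log(summary.rcode, summary.dnssecValidated, summary.records[0].value);
```

In a browser, pass the URL from buildDohUrl to fetch() with an Accept: application/dns-json header and hand the parsed JSON to summarize.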