Protego

DNS Lookup Tool

Look up DNS records for any domain. Check A, AAAA, MX, CNAME, NS, TXT, and SOA records.

DNS Record Types Explained

A

A Record

Maps a domain to an IPv4 address. The most fundamental DNS record type.

AAAA

AAAA Record

Maps a domain to an IPv6 address. Essential for IPv6-enabled networks.

MX

MX Record

Specifies mail servers responsible for receiving email for the domain.

CNAME

CNAME Record

Creates an alias from one domain name to another (canonical name).

NS

NS Record

Specifies the authoritative name servers for the domain.

TXT

TXT Record

Holds text information. Used for SPF, DKIM, domain verification, etc.

Best DNS Providers & Services Compared (2026)

Your DNS provider directly impacts website speed, uptime, and security. A fast, reliable DNS service ensures visitors reach your site quickly while protecting against DDoS attacks and DNS hijacking.

ProviderTypePriceKey FeaturesLink
Cloudflare DNS
Recommended
DNS + CDNFree / $20/moFree DNS hosting, 1.1.1.1 resolver, DDoS protection, DNSSEC, analyticsVisit
AWS Route 53
Amazon Web Services
Cloud DNS$0.50/zone/moCloud DNS, health checks, traffic flow, latency-based routingVisit
Google Cloud DNS
Google Cloud Platform
Cloud DNS$0.20/zone/mo100% SLA, global anycast, auto-scaling, DNSSEC supportVisit
Namecheap DNS
Domain Registrar
Registrar DNSFree / $3.88/yrFree with domains, dynamic DNS, URL forwarding, email forwardingVisit
DNSimple
Developer-Focused
Managed DNSFrom $5/moDeveloper-friendly API, Let's Encrypt integration, DNS analyticsVisit

Our recommendation: For most websites, Cloudflare DNS offers the best combination of speed, security, and value. Their free tier includes DDoS protection, DNSSEC, and a global anycast network with sub-20ms response times. For enterprise workloads requiring advanced routing and health checks, AWS Route 53 or Google Cloud DNS are excellent choices.

Common DNS Issues & How to Fix Them

DNS Propagation Delays

DNS propagation is the time it takes for DNS changes to spread across all DNS servers worldwide. After updating DNS records, some users may see the old records while others see the new ones, leading to inconsistent behavior that can last up to 48 hours.

How to fix:

  • 1. Lower the TTL value to 300 seconds (5 minutes) at least 24 hours before making DNS changes
  • 2. Flush your local DNS cache using ipconfig /flushdns (Windows) or sudo dscacheutil -flushcache (macOS)
  • 3. Check propagation status with multiple resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, OpenDNS 208.67.222.222)
  • 4. After propagation completes, restore the TTL to a higher value (3600 or 86400 seconds)

Missing MX Records

If your domain cannot receive email, the most common cause is missing or misconfigured MX (Mail Exchange) records. Without proper MX records, mail servers have no way to know where to deliver messages destined for your domain.

How to fix:

  • 1. Add MX records pointing to your email provider's mail servers (e.g., aspmx.l.google.com for Google Workspace)
  • 2. Verify the priority values are set correctly — lower numbers indicate higher priority
  • 3. Use the DNS Lookup tool above to query MX records and confirm they resolve correctly
  • 4. Ensure SPF and DKIM TXT records are also configured to prevent emails from being marked as spam

DNSSEC Validation Failures

DNSSEC validation failures occur when the cryptographic chain of trust is broken between the parent zone and your domain. This can cause your domain to become completely unreachable for users behind DNSSEC-validating resolvers, including major public resolvers like Google and Cloudflare.

How to fix:

  • 1. Verify the DS (Delegation Signer) records at your domain registrar match the DNSKEY records on your authoritative nameservers
  • 2. Check DNSKEY records for correct key tags, algorithms, and digest types using a DNSSEC analyzer
  • 3. Use diagnostic tools like dnsviz.net or dnssec-debugger.verisignlabs.com to trace the chain of trust
  • 4. If switching DNS providers, remove the old DS records from the registrar before migrating and add new ones after

DNS Zone Transfer Issues

DNS zone transfers (AXFR) replicate DNS data between primary and secondary nameservers. If zone transfers are misconfigured, secondary servers may serve stale records. Worse, unrestricted zone transfers expose your entire DNS zone to attackers, revealing internal network structure.

How to fix:

  • 1. Restrict AXFR (zone transfer) requests to only authorized secondary nameserver IP addresses
  • 2. Use TSIG (Transaction Signature) authentication to cryptographically secure zone transfers between servers
  • 3. Monitor zone transfer logs for unauthorized attempts, which may indicate reconnaissance activity
  • 4. Consider using DNS NOTIFY to ensure secondary servers are promptly updated when zone data changes

Frequently Asked Questions

What is DNS and how does it work?
DNS (Domain Name System) is the internet's directory service that translates human-readable domain names like example.com into machine-readable IP addresses like 93.184.216.34. When you type a URL into your browser, your device sends a query to a recursive DNS resolver, which checks its cache and then queries root servers, TLD servers, and authoritative nameservers in sequence to find the correct IP address. This entire process typically takes only milliseconds and happens transparently every time you visit a website, send an email, or use any internet-connected service.
What are the different DNS record types?
The most common DNS record types are: A records (map a domain to an IPv4 address), AAAA records (map a domain to an IPv6 address), CNAME records (create an alias pointing to another domain), MX records (specify mail servers for receiving email with priority values), NS records (define the authoritative nameservers for a domain), TXT records (hold text data used for SPF email authentication, DKIM signatures, and domain verification), and SOA records (contain administrative information about the DNS zone including the primary nameserver, admin contact, and refresh intervals). Less common types include SRV records for service discovery, CAA records for certificate authority authorization, and PTR records for reverse DNS lookups.
How long does DNS propagation take?
DNS propagation typically takes anywhere from a few minutes to 48 hours to complete worldwide, though most changes propagate within 1-4 hours. The actual time depends primarily on the TTL (Time To Live) value set on your DNS records, as recursive resolvers cache records for the duration of the TTL. You can speed up propagation by lowering the TTL to 300 seconds at least 24 hours before making changes, then restoring it afterward. Using our DNS Lookup tool with different resolvers can help you verify whether your changes have propagated.
What is DNSSEC and why does it matter?
DNSSEC (Domain Name System Security Extensions) adds a layer of cryptographic authentication to DNS responses, ensuring that the data you receive from a DNS query is authentic and has not been tampered with in transit. Without DNSSEC, attackers can perform cache poisoning or man-in-the-middle attacks to redirect users to malicious websites by forging DNS responses. DNSSEC works by creating a chain of trust from the root DNS servers down to your domain using digital signatures, DS records, and DNSKEY records. While not all domains have DNSSEC enabled, it is increasingly recommended as a security best practice, especially for financial institutions and high-value targets.
How do I change my nameservers?
To change your nameservers, log into your domain registrar's control panel (e.g., Namecheap, GoDaddy, Hostinger), navigate to the DNS or nameserver settings for your domain, and replace the existing nameserver entries with the new ones provided by your DNS hosting provider. Most registrars require you to enter at least two nameserver addresses for redundancy. After saving the changes, propagation typically takes 24-48 hours to complete globally. During this transition period, some users may be directed to the old nameservers while others reach the new ones, so plan changes during low-traffic periods when possible.
What is DNS over HTTPS (DoH)?
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries by sending them through the HTTPS protocol on port 443, the same port used for regular encrypted web traffic. Unlike traditional DNS which sends queries in plain text over UDP port 53, DoH prevents ISPs, network administrators, and attackers from seeing or modifying your DNS lookups, significantly improving privacy and security. Major browsers including Chrome, Firefox, and Edge support DoH natively, and public resolvers like Cloudflare (1.1.1.1) and Google (8.8.8.8) offer DoH endpoints. A related protocol, DNS over TLS (DoT), provides similar encryption but uses a dedicated port (853).

Related Security Tools

SSL Checker

Verify SSL/TLS certificate validity, expiration, and security configuration

Vulnerability Scanner

Scan your website for security headers and misconfigurations

Subnet Calculator

Calculate IP subnets, CIDR ranges, and network address details