a single pass that fans out six parallel doh queries against cloudflare's resolver and gathers the answers into one view. the same pure function powers the domain dossier page (`/d/<domain>`), the standalone tool, and the mcp tool — no logic duplication. this is the first satellite of the domain dossier; more sections (tls, email auth, headers, cors, redirects) are landing across subsequent plans.
## how to use
1. enter a bare domain — public fqdn only. no schemes, no ports, no paths. ips and rfc1918 ranges are rejected.
2. run the check — the tool queries a, aaaa, ns, soa, caa, txt in parallel via cloudflare doh. results stream in together.
3. inspect the records — each record type is shown with its ttl and rdata. empty types render a dash.
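
the three steps above as an added sketch (not the tool's own source): input validation, the six-query plan against cloudflare's doh json endpoint, and the merged view. the function names, the non-public tld list and the sample responses are assumptions made for illustration.

```javascript
// Added example, not the tool's source; all function names are hypothetical.
const RECORD_TYPES = ["A", "AAAA", "NS", "SOA", "CAA", "TXT"];
const DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"; // Cloudflare DoH JSON endpoint
// Assumption: special-use TLDs are treated as "not public" and refused.
const NON_PUBLIC_TLDS = new Set(["local", "localhost", "internal", "test", "invalid", "onion"]);

// Accept only a bare public FQDN; return the normalised name or throw.
function validateDomain(input) {
  const name = String(input).trim().toLowerCase().replace(/\.$/, "");
  if (name.length === 0 || name.length > 253) throw new Error("empty or too long");
  if (/[\/:@?#\s\\]/.test(name)) throw new Error("scheme, port, path or userinfo not allowed");
  const labels = name.split(".");
  if (labels.length < 2) throw new Error("not a fully qualified name");
  const tld = labels[labels.length - 1];
  // Real TLDs are never all-numeric, so this catches IPv4 literals (RFC 1918 included).
  if (/^\d+$/.test(tld)) throw new Error("ip addresses are rejected");
  if (NON_PUBLIC_TLDS.has(tld)) throw new Error("not a public name");
  for (const label of labels) {
    if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) throw new Error("invalid label: " + label);
  }
  return name;
}

// One DoH JSON request per record type; a caller would fetch these in parallel
// with the request header "accept: application/dns-json".
function buildQueries(input) {
  const name = validateDomain(input);
  return RECORD_TYPES.map((type) => ({
    type,
    url: `${DOH_ENDPOINT}?name=${encodeURIComponent(name)}&type=${type}`,
  }));
}

// Fold per-type DoH JSON bodies into one view; empty types render a dash.
function renderView(responses) {
  return RECORD_TYPES.map((type) => {
    const answers = (responses[type] && responses[type].Answer) || [];
    if (answers.length === 0) return `${type} -`;
    return answers.map((a) => `${type} ttl=${a.TTL} ${a.data}`).join(" · ");
  });
}

// Constructed sample responses in the DoH JSON shape (not live data).
const SAMPLE = {
  A: { Status: 0, Answer: [{ name: "example.com", type: 1, TTL: 300, data: "93.184.216.34" }] },
  TXT: { Status: 0 },
};
```
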
## examples
$ example 1 — most public sites return a, ns, soa at minimum.
$ in
example.com
# out
A ttl=300 93.184.216.34 · NS ttl=86400 a.iana-servers.net. · SOA ttl=3600 ns.icann.org. …
$ example 2 — a typical vercel-hosted site — short ttls, cloud-managed nameservers.
$ in
drwho.me
# out
A ttl=60 76.76.21.21 · NS ttl=3600 ns1.vercel-dns.com. · TXT ttl=60 v=spf1 -all …
## common mistakes
- no subdomain enumeration here — this tool queries record types for the exact name you enter. for subdomain discovery (via ct logs) see the upcoming subdomains check in a later dossier bundle.
- resolver caching — cloudflare doh caches per ttl. fresh changes to your zone may not appear for up to the record's ttl window.
- empty txt doesn't mean broken — many domains have no txt records at all. an empty txt block is a finding, not an error. email auth (spf/dmarc) lives in a dedicated section, not here.
## faq
why these six record types?
they are the ones that almost every real domain has something interesting to say about. mx lives in a separate section because the email-auth group (spf, dkim, dmarc, mx) is cohesive enough to deserve its own view.
do you support dnssec / caa semantics?
caa records are returned verbatim; full dnssec chain validation is out of scope for v1. the upcoming tls and email-auth sections will surface related signals.
can i use this with an agent?
yes. the `dossier_dns` mcp tool returns the same result as a structured checkresult json payload, so an llm agent can pattern-match on status (ok / error / timeout / not_applicable) and drill into records.
why not ptr / reverse dns?
ptr lookups are bound to ip addresses, not domains. the dossier is domain-scoped; ip-centric checks belong in the ip-lookup tool.
how is this different from the regular dns tool?
the plain dns tool resolves one record type at a time and is optimised for quick ad-hoc checks. dossier/dns fans out six queries in parallel and returns a single structured result designed for composition (with tls, headers, email auth, etc.) into a domain-wide view at `/d/<domain>`.
## related tools
dns lookup — resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
ip lookup — look up any IP's geolocation, ASN, and ISP (via ipinfo.io).