> dossier / dns

resolve a, aaaa, ns, soa, caa, and txt records for a domain in one shot. part of the drwho.me domain dossier.

## overview

a single pass that fans out six parallel doh queries against cloudflare's resolver and gathers the answers into one view. the same pure function powers the domain dossier page (`/d/<domain>`), the standalone tool, and the mcp tool — no logic duplication. this is the first satellite of the domain dossier; more sections (tls, email auth, headers, cors, redirects) are landing across subsequent plans.

## how to use

  1. enter a bare domain: public fqdn only. no schemes, no ports, no paths. ips and rfc1918 ranges are rejected.
  2. run the check: the tool queries a, aaaa, ns, soa, caa, txt in parallel via cloudflare doh. results stream in together.
  3. inspect the records: each record type is shown with its ttl and rdata. empty types render a dash.
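
the input check and six-way fan-out from the steps above, sketched in javascript as an added example (not drwho.me's own code). the function names, the result shape, and the 5 s timeout are assumptions; the query goes to cloudflare's `application/dns-json` endpoint, and `fetchFn` is injectable so the logic can run against a stub offline.

```javascript
// Added example; all names are hypothetical, not drwho.me's code.
const DOH = "https://cloudflare-dns.com/dns-query"; // Cloudflare DoH JSON API
const TYPES = { A: 1, AAAA: 28, NS: 2, SOA: 6, CAA: 257, TXT: 16 };
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Return the normalized name, or null for anything that is not a bare FQDN.
// Schemes, ports, paths and IPv6 literals fail LABEL (":" and "/" are not
// allowed); IPv4 literals, RFC 1918 included, fail the numeric-TLD check.
function validateDomain(input) {
  const name = String(input).trim().toLowerCase().replace(/\.$/, "");
  const labels = name.split(".");
  if (name.length > 253 || labels.length < 2) return null;
  if (!labels.every((l) => LABEL.test(l))) return null;
  if (/^\d+$/.test(labels[labels.length - 1])) return null;
  return name;
}

// Keep only answers of the requested type (a CNAME can precede an A answer).
function extract(body, type) {
  if (body.Status !== 0) throw new Error(`rcode ${body.Status}`);
  return (body.Answer ?? [])
    .filter((a) => a.type === TYPES[type])
    .map((a) => ({ ttl: a.TTL, data: a.data }));
}

async function queryType(name, type, fetchFn, timeoutMs) {
  const res = await fetchFn(`${DOH}?name=${encodeURIComponent(name)}&type=${type}`, {
    headers: { accept: "application/dns-json" },
    signal: AbortSignal.timeout(timeoutMs),
  });
  if (!res.ok) throw new Error(`doh http ${res.status}`);
  return extract(await res.json(), type);
}

// Fan out all six queries at once; allSettled keeps the answers that did
// arrive when one type fails. Status values follow the list in the faq.
async function dossierDns(input, fetchFn = fetch, timeoutMs = 5000) {
  const name = validateDomain(input);
  if (!name) return { status: "error", records: {} };
  const types = Object.keys(TYPES);
  const settled = await Promise.allSettled(
    types.map((t) => queryType(name, t, fetchFn, timeoutMs)));
  const records = {};
  let status = "ok";
  settled.forEach((r, i) => {
    records[types[i]] = r.status === "fulfilled" ? r.value : [];
    if (r.status === "rejected" && status !== "timeout")
      status = r.reason.name === "TimeoutError" ? "timeout" : "error";
  });
  return { status, domain: name, records };
}
```

a type with no answers comes back as an empty array with status `ok`, matching the "empty txt doesn't mean broken" note below.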

## examples

$ example 1 — most public sites return a, ns, soa at minimum.
$ in
example.com
# out
A ttl=300 93.184.216.34 · NS ttl=86400 a.iana-servers.net. · SOA ttl=3600 ns.icann.org. …
$ example 2 — a typical vercel-hosted site — short ttls, cloud-managed nameservers.
$ in
drwho.me
# out
A ttl=60 76.76.21.21 · NS ttl=3600 ns1.vercel-dns.com. · TXT ttl=60 v=spf1 -all …

## common mistakes

  • no subdomain enumeration here: this tool queries record types for the exact name you enter. for subdomain discovery (via ct logs) see the upcoming subdomains check in a later dossier bundle.
  • resolver caching: cloudflare doh caches per ttl. fresh changes to your zone may not appear for up to the record's ttl window.
  • empty txt doesn't mean broken: many domains have no txt records at all. an empty txt block is a finding, not an error. email auth (spf/dmarc) lives in a dedicated section, not here.

## faq

why these six record types?

they are the ones that almost every real domain has something interesting to say about. mx lives in a separate section because the email-auth group (spf, dkim, dmarc, mx) is cohesive enough to deserve its own view.

do you support dnssec / caa semantics?

caa records are returned verbatim; full dnssec chain validation is out of scope for v1. the upcoming tls and email-auth sections will surface related signals.

can i use this with an agent?

yes. the `dossier_dns` mcp tool returns the same result as a structured checkresult json payload, so an llm agent can pattern-match on status (ok / error / timeout / not_applicable) and drill into records.

why not ptr / reverse dns?

ptr lookups are bound to ip addresses, not domains. the dossier is domain-scoped; ip-centric checks belong in the ip-lookup tool.

how is this different from the regular dns tool?

the plain dns tool resolves one record type at a time and is optimised for quick ad-hoc checks. dossier/dns fans out six queries in parallel and returns a single structured result designed for composition (with tls, headers, email auth, etc.) into a domain-wide view at `/d/<domain>`.

## related tools

  • dns lookup: resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
  • ip lookup: look up any IP's geolocation, ASN, and ISP (via ipinfo.io).

## references

  1. RFC 1035 — domain names
  2. RFC 6844 — caa records
  3. RFC 8484 — dns over https (doh)