What TTL should I set for my DNS records?

For most records: 3600 seconds (1 hour) is a good default. Set 300 seconds (5 minutes) before planned migrations so changes take effect quickly. Set 86400 seconds (24 hours) for stable records like NS and MX that rarely change — this reduces resolver load. The tradeoff: lower TTL = faster changes + more DNS queries. Cloudflare recommends their "Auto" TTL (300 seconds) for proxied records.

Why does my domain resolve differently from different locations?

Three causes: (1) Caching — different resolvers have different cached values if you recently changed DNS. (2) GeoDNS — your DNS provider intentionally returns different IPs for different geographic regions to route users to the nearest server. Cloudflare and AWS Route 53 both offer GeoDNS. (3) Round-robin — if you have multiple A records, resolvers rotate through them. Use dig +short from different regions to confirm which applies.

DNS Lookup Tool: Check DNS Records for Any Domain (A, MX, TXT, CNAME)

Q: How do I check if DNS changes have propagated globally?

Query multiple public DNS resolvers in different regions. The fastest way: run dig @8.8.8.8, dig @1.1.1.1, and dig @9.9.9.9 against your domain and compare results. If they differ, propagation is still in progress. Online tools like dnschecker.org test from 20+ geographic locations simultaneously. Full global propagation typically takes 15 minutes to 48 hours depending on the previous TTL.

Picture this: you've just deployed a new site, updated the DNS A record, and told the client it's live. Two hours later they're asking why they still see the old site. Meanwhile your dig query shows the new IP. The problem isn't your DNS change — it's the 48-hour TTL the previous administrator set on the A record and never reduced.

This scenario plays out constantly. DNS is one of those systems developers interact with indirectly until something breaks — and when it breaks, the debugging tools and mental model matter enormously. This guide covers how DNS lookup tools work, what each record type tells you, and how to diagnose propagation issues systematically.

According to Cloudflare's 2025 radar data, Cloudflare alone processes over 4.3 trillion DNS queries per day. DNS is the phone book that the entire internet depends on, running billions of lookups per second without most developers ever thinking about it — until they need to.

Key Takeaways

• Online DNS lookup tools query authoritative nameservers directly — they bypass caches and show current records immediately
• dig @8.8.8.8 example.com +trace shows the full resolution chain from root servers to the final answer
• TTL controls how long resolvers cache records — reduce it to 300s before planned DNS changes, raise it after
• Propagation ≠ authoritative answer: "not propagated yet" means recursive resolvers still hold old cached values
• Reverse DNS (PTR records) affects email deliverability — mail from IPs without matching PTR records is routinely rejected

How DNS Lookup Works Under the Hood

A DNS lookup is not a single query — it's a hierarchical resolution chain. When you type a domain name, a series of queries flows through the DNS hierarchy until an authoritative answer is found.

# The full DNS resolution path (dig +trace output, abbreviated):

# Step 1: Browser checks its own cache (per-tab, typically short)
# Step 2: OS checks local cache (/etc/resolv.conf, /etc/hosts)
# Step 3: Recursive resolver (8.8.8.8, 1.1.1.1, or your ISP's)

# The recursive resolver asks root servers:
# "Who handles .com?"
;; Received 812 bytes from 198.41.0.4(a.root-servers.net) in 15 ms
com.   172800   IN   NS   a.gtld-servers.net.

# Then asks the .com TLD server:
# "Who handles example.com?"
;; Received 676 bytes from 192.5.6.30(a.gtld-servers.net) in 18 ms
example.com.   172800   IN   NS   a.iana-servers.net.

# Finally asks the authoritative nameserver:
# "What are the records for example.com?"
;; Received 56 bytes from 199.43.135.53(a.iana-servers.net) in 21 ms
example.com.   86400   IN   A   93.184.216.34

# Total: ~50ms uncached, <1ms from cache
# Run it yourself:
dig example.com +trace

The key distinction: an online DNS lookup tool goes straight to the authoritative nameserver, bypassing all caches. That's why it shows your new records immediately after you save them in your registrar's dashboard, while your browser might still be resolving to the old IP for hours.

DNS Record Types: What Each One Does

Every DNS lookup tool supports querying specific record types. Understanding what you're looking at is half the battle when debugging.

Record	Purpose	Typical TTL	dig Query
A	IPv4 address for domain	300–3600s	dig example.com A
AAAA	IPv6 address for domain	300–3600s	dig example.com AAAA
CNAME	Alias to another domain name	300–3600s	dig www.example.com CNAME
MX	Mail server routing (with priority)	3600s	dig example.com MX
TXT	SPF, DKIM, DMARC, verification	3600s	dig example.com TXT
NS	Authoritative nameservers	86400s	dig example.com NS
SOA	Zone authority metadata + serial	3600s	dig example.com SOA
PTR	Reverse lookup (IP → domain)	3600s	dig -x 8.8.8.8
SRV	Service location (port + weight)	3600s	dig _sip._tcp.example.com SRV
CAA	Allowed SSL certificate authorities	3600s	dig example.com CAA

Using dig: The Essential DNS Debugging Command

dig (Domain Information Groper) is the standard command-line DNS tool on Linux and macOS. It's pre-installed on most systems and provides the most detailed DNS output of any tool. According to the 2025 Stack Overflow Developer Survey, 74% of developers work on Linux environments where dig is available by default.

# Basic query (returns A record by default)
dig example.com

# Query specific record types
dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com AAAA
dig example.com CAA

# Short output (just the answer, no metadata)
dig example.com +short
# 93.184.216.34

# Query a specific DNS server (bypass your default resolver)
dig @8.8.8.8 example.com     # Google Public DNS
dig @1.1.1.1 example.com     # Cloudflare DNS
dig @9.9.9.9 example.com     # Quad9 DNS (privacy-focused)
dig @208.67.222.222 example.com  # OpenDNS

# Trace the full resolution path from root servers
dig example.com +trace

# Check TTL of a cached record
dig example.com | grep -A5 "ANSWER SECTION"
# example.com.    3525    IN    A    93.184.216.34
#                  ^^^^
#               Seconds remaining in cache (3525s out of 3600s)

# Reverse DNS lookup (IP to hostname)
dig -x 8.8.8.8
# 8.8.8.8.in-addr.arpa. → dns.google.

# Query for all record types at once
dig example.com ANY

# Check DNSSEC validation
dig example.com +dnssec

Reading dig Output

$ dig bytepane.com

; <<>> DiG 9.18.24 <<>> bytepane.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
# ↑ status: NOERROR = record found; NXDOMAIN = domain doesn't exist

;; QUESTION SECTION:       ← What we asked
;bytepane.com.              IN    A

;; ANSWER SECTION:         ← The actual answer
bytepane.com.    300    IN    A    104.21.x.x
#               ^^^
#               TTL: 300 seconds (5 minutes) until cache expires

;; Query time: 12 msec           ← Resolution time
;; SERVER: 127.0.0.53#53         ← Which resolver answered
;; WHEN: Thu Apr 23 10:00:00 UTC 2026
;; MSG SIZE  rcvd: 58

# status values to know:
# NOERROR    → Success, record found (or doesn't exist but domain does)
# NXDOMAIN   → Domain doesn't exist at all
# SERVFAIL   → Nameserver error (often DNSSEC validation failure)
# REFUSED    → Nameserver refused the query (access policy)

nslookup and Windows Alternatives

On Windows, nslookup is the built-in tool, but PowerShell's Resolve-DnsName is more modern and provides structured output.

# nslookup (Windows / cross-platform)
nslookup example.com                    # A record
nslookup -type=MX example.com          # MX records
nslookup -type=TXT example.com         # TXT records
nslookup -type=NS example.com          # Nameservers
nslookup example.com 8.8.8.8           # Use Google DNS

# PowerShell (Windows — better structured output)
Resolve-DnsName example.com            # A record
Resolve-DnsName example.com -Type MX  # MX records
Resolve-DnsName example.com -Server 8.8.8.8  # Use specific resolver
Resolve-DnsName -Name 8.8.8.8 -Type PTR      # Reverse lookup

# host command (simpler than dig on Linux/macOS)
host example.com               # A + MX records
host -t MX example.com        # Just MX
host -t TXT example.com       # Just TXT
host 8.8.8.8                  # Reverse lookup

DNS Propagation: Why It Takes Time and How to Speed It Up

"DNS propagation" is a slightly misleading term. DNS records don't push out to the world — instead, cached records in resolvers around the world expire over time and get re-fetched. The propagation window is bounded by the TTL that was set on the record before you changed it.

# Pre-migration DNS TTL reduction strategy:

# Step 1: Check current TTL (do this 48-72 hours before migration)
dig example.com +short A
dig example.com | grep "IN A"
# example.com.  86400  IN  A  93.184.216.34
#               ^^^^^  ← 24 hours! Reduce this first.

# Step 2: Lower TTL to 300 seconds (5 minutes) in your DNS panel
# Wait for the old TTL (86400s = 24 hours) to expire everywhere

# Step 3: Verify the low TTL has propagated
dig @8.8.8.8 example.com +short     # Should show 300s TTL
dig @1.1.1.1 example.com +short
dig @9.9.9.9 example.com +short

# Step 4: Make your DNS change (update A record to new IP)

# Step 5: Verify from multiple resolvers
dig @8.8.8.8 example.com +short     # New IP
dig @1.1.1.1 example.com +short     # New IP
dig @208.67.222.222 example.com +short  # New IP

# Step 6: After migration is stable, raise TTL back to 3600
# (Keeping it at 300 permanently increases DNS query load)

The worst case scenario: a domain with TTL 86400 (24 hours) that you change without pre-reducing. Some resolvers may cache the old record for the full 24 hours. In practice, most resolvers use the TTL as a maximum and re-query sooner under load, but you can't rely on that.

DNS Lookup Tools Compared

Command-line tools give you the most control, but online DNS lookup tools are invaluable for checking propagation from multiple geographic locations simultaneously.

Tool	Type	Best For	Limitation
dig	CLI	Full details, scripting, +trace	Not on Windows by default
nslookup	CLI	Quick cross-platform checks	Less detail than dig
Resolve-DnsName	PowerShell	Windows scripting	Windows only
dnschecker.org	Web	Global propagation check (20+ locations)	No scripting
MxToolbox	Web	Email records (MX, SPF, DMARC)	Focuses on email records
1.1.1.1/dns	Web	Fast Cloudflare resolver check	Single resolver only

For API-based DNS lookups (querying DNS in your application), consider the Google DNS-over-HTTPS API (dns.google/resolve?name=example.com&type=A) or Cloudflare's equivalent. These return structured JSON over HTTPS — no UDP socket handling required.

When debugging email deliverability alongside DNS, check your DNS record configuration guide for the complete TXT record setup (SPF, DKIM, DMARC).

Common DNS Problems and How to Diagnose Them

Problem 1: Site resolves to wrong IP after migration

# Check what different resolvers see
dig @8.8.8.8 example.com +short   # Returns old IP? Cached.
dig @1.1.1.1 example.com +short   # Returns new IP? Propagated here.

# Check TTL on the cached record
dig @8.8.8.8 example.com
# example.com.    3180    IN    A    93.184.216.34
#                 ^^^^
#                 Seconds until this resolver re-fetches (3180s ≈ 53 min)

# Fix: nothing to do but wait for TTL expiry.
# Prevention: reduce TTL BEFORE migration

Problem 2: Email not being delivered

# Check MX records exist and are correct
dig example.com MX +short
# 10 aspmx.l.google.com.   ← Priority 10, Google Workspace mail server
# 20 alt1.aspmx.l.google.com.

# Check SPF record
dig example.com TXT +short | grep spf
# "v=spf1 include:_spf.google.com ~all"

# Check DMARC record
dig _dmarc.example.com TXT +short
# "v=DMARC1; p=reject; rua=mailto:[email protected]"

# Common issues:
# - No MX records → No mail can be received
# - MX pointing to CNAME → RFC violation, may cause delivery failure
# - SPF missing or too permissive (~all vs -all)
# - DMARC missing → spam filters may deprioritize your mail

Problem 3: SERVFAIL errors

# SERVFAIL means the nameserver failed to resolve the query
dig example.com
# ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL

# Most common cause: DNSSEC misconfiguration
# Check if DNSSEC is the issue:
dig example.com +dnssec
dig example.com +cd  # +cd = checking disabled (bypass DNSSEC validation)

# If +cd resolves but normal query fails → DNSSEC validation failure
# Fix: check DS records at registrar match DNSKEY in zone

# Also check: is the nameserver responding at all?
dig @ns1.example.com example.com  # Query the authoritative NS directly
# If this fails → nameserver is down, not a DNSSEC issue

DNS Lookup in Code

Sometimes you need to perform DNS lookups programmatically — in health checks, service discovery, or validating domain ownership. Here's how to do it across common languages.

// Node.js — built-in dns module
import dns from 'dns/promises'

// A record lookup
const addresses = await dns.resolve4('example.com')
// ['93.184.216.34']

// MX record lookup
const mxRecords = await dns.resolveMx('example.com')
// [{ priority: 10, exchange: 'aspmx.l.google.com' }]

// TXT record lookup (SPF, DKIM verification)
const txtRecords = await dns.resolveTxt('example.com')
// [['v=spf1 include:_spf.google.com ~all']]

// Reverse lookup (PTR)
const hostnames = await dns.reverse('8.8.8.8')
// ['dns.google']

// Use a specific resolver (not system default)
const resolver = new dns.Resolver()
resolver.setServers(['8.8.8.8'])
const addrs = await resolver.resolve4('example.com')

# Python — built-in socket + dnspython library
import socket
import dns.resolver  # pip install dnspython

# Simple A lookup via socket
ip = socket.gethostbyname('example.com')

# Full DNS querying with dnspython
resolver = dns.resolver.Resolver()

# A records
answers = resolver.resolve('example.com', 'A')
for a in answers:
    print(a.address)  # 93.184.216.34

# MX records
answers = resolver.resolve('example.com', 'MX')
for mx in sorted(answers, key=lambda r: r.preference):
    print(f"Priority {mx.preference}: {mx.exchange}")

# TXT records
answers = resolver.resolve('example.com', 'TXT')
for txt in answers:
    print(txt.to_text())

# Use specific nameserver
resolver.nameservers = ['8.8.8.8', '1.1.1.1']

For working with the results of DNS lookups in JSON format, BytePane's JSON Formatter is useful for pretty-printing DNS API responses from services like Google's DNS-over-HTTPS API.

DNS Security: DNSSEC, DoH, and DoT

Standard DNS queries are sent in plaintext over UDP port 53 — they can be intercepted, modified, or spoofed. Three mechanisms address this:

Mechanism	What It Does	Adoption (2026)	Port
DNSSEC	Cryptographically signs DNS records — verifies data integrity	~20% of domains	53 (UDP/TCP)
DoH	DNS over HTTPS — encrypts queries in HTTPS traffic	Chrome, Firefox default	443
DoT	DNS over TLS — encrypts DNS on dedicated port	Android 9+ default	853

# Test DNS-over-HTTPS (DoH) with curl
curl -s "https://dns.google/resolve?name=example.com&type=A" | jq .

# Response:
# {
#   "Status": 0,       ← 0 = NOERROR
#   "Answer": [
#     { "name": "example.com.", "type": 1, "TTL": 3600, "data": "93.184.216.34" }
#   ]
# }

# Cloudflare DoH
curl -s "https://cloudflare-dns.com/dns-query?name=example.com&type=MX"   -H "accept: application/dns-json" | jq .

# Check if your domain has DNSSEC enabled
dig example.com +dnssec | grep -E "RRSIG|AD flag"
# If you see RRSIG records → DNSSEC is signing records
# If you see "flags: ... ad;" → Resolver validated DNSSEC

Frequently Asked Questions

How does a DNS lookup tool work?

A DNS lookup tool sends a query to the authoritative nameserver for a domain and returns the DNS records stored there. Unlike your browser, which uses a recursive resolver that may return cached results, online DNS lookup tools query the authoritative source directly, so changes appear immediately. They support all standard record types: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, and CAA.

Why do DNS changes take time to propagate?

DNS propagation delay comes from caching at multiple levels: your OS, your ISP's recursive resolver, and intermediate caches. Each cached record has a TTL (Time to Live) value — after that duration, caches expire and re-query the authoritative server. Reduce TTL to 300 seconds before planned changes, wait for the old TTL to expire, then make the change.

What is the difference between dig and nslookup?

Both query DNS records, but dig is the modern standard for DNS debugging. dig provides detailed output including the full DNS response, TTL values, authority section, and additional records. nslookup is older, available on Windows and Unix, but provides less detail. For scripting, dig's output is easier to parse. On Windows without WSL, PowerShell's Resolve-DnsName is the closest equivalent.

How do I check if DNS changes have propagated globally?

Query multiple public DNS resolvers in different regions: run dig @8.8.8.8, dig @1.1.1.1, and dig @9.9.9.9 against your domain. If they differ, propagation is still in progress. Full global propagation typically takes 15 minutes to 48 hours depending on the previous TTL.

What TTL should I set for DNS records?

For most records: 3600 seconds (1 hour) is a good default. Set 300 seconds (5 minutes) before planned migrations. Set 86400 seconds (24 hours) for stable NS and MX records. The tradeoff: lower TTL = faster changes + more DNS queries per second against your nameservers.

What is a reverse DNS lookup?

A reverse DNS lookup resolves an IP address back to a domain name, using PTR records in the special in-addr.arpa domain. Run: dig -x 8.8.8.8. Reverse DNS is used by mail servers to verify sender identity — many spam filters reject mail from IPs without valid PTR records.

Explore More Developer Networking Tools

Look up your current IP address with BytePane's IP lookup tool. Decode JWT tokens from your authentication flow with the JWT Decoder. Encode and decode Base64 DKIM keys with the Base64 tool. Format JSON responses from DNS APIs with the JSON Formatter.

Check Your IP Address

DNS Lookup Tool: Check DNS Records for Any Domain