DNS inspector · runs in your browser
See exactly what a domain’s DNS is doing.
Look up every record for any domain, get a plain-English explanation of what each one does, and catch the misconfigurations that actually bite — subdomain takeover, CAA blocking your certificate, missing SPF.
What dnsxray checks
Beyond listing records, dnsxray runs heuristics for the problems that quietly break sites and email:
- Dangling CNAME / subdomain takeover — CNAMEs pointing at deletable third-party endpoints.
- CAA blocking your cert — a CAA policy that excludes the CA your host actually uses.
- SPF problems — mail set up with no SPF, or multiple SPF records (an RFC violation).
- CNAME conflicts — a CNAME coexisting with A/MX/TXT, which is invalid.
- Fragile nameservers — only a single NS published.
The DNS records, explained
Points the domain to an IPv4 server address. This is what most "where does this domain go" lookups resolve.
Points the domain to an IPv6 server address — the modern counterpart of an A record.
Makes this name an alias of another name. A CNAME must be the only record on a host — it cannot coexist with A, MX or TXT.
Tells the world which mail servers accept email for this domain, in priority order (lower number = tried first).
Free-form text used for verification and policy: SPF, DKIM, DMARC, and domain-ownership tokens all live here.
Lists the authoritative nameservers that answer DNS for this domain. You want at least two, on different providers ideally.
The "start of authority" record: the primary nameserver, the zone admin email, and the serial/timer values for the zone.
Restricts which Certificate Authorities may issue TLS certificates for this domain. If present, a CA not on the list will refuse to issue.
Frequently asked questions
Is dnsxray free?
Yes — completely free, no account, no sign-up. It runs entirely in your browser.
Do you store or log the domains I look up?
No. dnsxray has no backend. Your browser queries public DNS-over-HTTPS resolvers directly, so the domains you inspect never touch a server of ours.
Where does the DNS data come from?
From public DNS-over-HTTPS endpoints — Google (dns.google) with Cloudflare (1.1.1.1) as a fallback. Both are queried straight from your browser, no API key needed.
What is a dangling CNAME / subdomain takeover?
A CNAME that points to a third-party service (GitHub Pages, Heroku, S3, Azure…) which has since been deleted or was never claimed. An attacker can register that resource and serve their content on your subdomain. dnsxray flags CNAMEs pointing at takeover-prone providers so you can verify they’re still yours.
What does a CAA record do?
A CAA record lists which Certificate Authorities are allowed to issue TLS certificates for your domain. If a CAA record is present and your CA isn’t on the list, certificate issuance and renewal will fail — dnsxray warns you when that’s likely.
Why do I need an SPF record?
SPF tells receiving mail servers which hosts may send email for your domain. If you have MX records but no SPF, your mail is easier to spoof and more likely to land in spam. dnsxray flags missing or duplicated SPF records.
How many nameservers should a domain have?
At least two, ideally on independent infrastructure. A single nameserver is a single point of failure — if it goes down, your whole domain stops resolving. dnsxray warns when only one NS is published.