DNS Records Lookup

Every domain has a DNS footprint that determines where its mail goes, which IPs serve its web traffic, who's authorized to send on its behalf, and whether the records are cryptographically protected. Our DNS lookup tool resolves all common record types in a single check and surfaces the data in a structured format — useful when you're debugging a failed email delivery, confirming a DNS migration has propagated, or auditing what TXT-based verification tokens (Google, Microsoft, Stripe, SendGrid, etc.) are still attached to your domain.

What tends to surprise people: orphaned TXT records from services they stopped using years ago (delete them — clutter increases the chance of an SPF lookup-limit error), CNAME chains that go three or four hops deep before resolving (every hop adds latency), MX records with priorities that don't match what the documentation said to set, and missing DNSSEC where the registrar offers it for free.

DNSSEC is worth a paragraph on its own. When enabled, every DNS response your authoritative servers return is cryptographically signed, and recursive resolvers (your ISP, 1.1.1.1, 8.8.8.8) verify the signature before returning the answer to the user's browser. Without DNSSEC, an attacker who can intercept DNS responses (cafe wifi, compromised router, BGP hijack) can forge any record — point your domain at their mail server, their fake login page, their wallet-draining contract address. With DNSSEC, the forgery fails verification and is dropped. The downside is operational: rolling KSK/ZSK keys requires careful coordination with the registrar, and a misconfigured DNSSEC chain causes the entire domain to disappear (SERVFAIL) rather than just degrade.

If you need ongoing visibility into DNS changes (record drift, unauthorized modifications, new TXT records added by an integration without your knowledge), SteelSuit's continuous monitoring captures DNS state on every scan and diffs it — you get a webhook/email/Slack ping when anything changes.