DNS Lookup

free

GET/v1/dns/lookup

Performs comprehensive DNS lookups via DNS-over-HTTPS (RFC 8484) using Cloudflare's global anycast infrastructure. Returns structured JSON with TTL, priority values, and DNSSEC validation status across 22 record types — no output parsing required. Use type=ALL to query all record types in a single call.

What It Does

Queries DNS records via DNS-over-HTTPS (RFC 8484) across 22 record types: A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, CAA, PTR, DNSKEY, DS, TLSA, NAPTR, SSHFP, HTTPS, SVCB, DNAME, LOC, URI, CERT, and SMIMEA. HTTPS and SVCB records (RFC 9460) are parsed into structured SvcParams — `alpn`, `port`, `ipv4hint`, `ipv6hint`, and `ech` — so callers can confirm HTTP/3 readiness and Encrypted Client Hello key publication in a single lookup. Follows CNAME chains automatically per RFC 1034 §3.6.2 (up to 8 hops with loop detection) and returns the full chain so apex-CNAMEs through CDNs resolve to their final addresses. Use type=ALL to fan out across all 22 types in parallel; the response includes a per-type DNSSEC authenticated flag rather than collapsing to a single value.

Why It's Useful

Returns structured JSON instead of dig's text output — no parsing, no flag-juggling, no missing fields. The HTTPS/SVCB support (RFC 9460) means a single request can answer "is this site reachable over HTTP/3?" or "has the operator published an ECH key?" — questions that previously required multiple `dig` invocations and manual presentation-form parsing. CNAME-chain following surfaces the actual destination behind apex aliases. Per-type DNSSEC authentication on type=ALL means audit pipelines see exactly which record types are signed, not a misleading aggregate.

Use Cases

Email Marketing Team

Email Deliverability Pre-Check

Before sending campaigns, verify that recipient domains have properly configured MX records pointing to active mail servers and are not configured with Null MX (RFC 7505).

Reduce bounce rates by 15-20% by pre-validating recipient domains and detecting domains that explicitly reject email.

DevOps Engineer

Domain Migration Monitoring

During domain migrations, continuously query multiple record types to verify changes propagated correctly.

Catch misconfigurations before they impact users, reducing migration-related downtime.

Security Engineer

Security Configuration Audit

Automated scanning of TLSA (DANE), DNSKEY, DS, and CAA records across organization domains to verify DNSSEC chains, certificate pinning, and CA authorization policies.

Maintain security policy compliance across hundreds of domains with automated checks covering the full DNS security stack.

Parameters

Name	Type	Required	Description
`domain`	string	Required	The domain name to query (e.g., example.com)Example: `example.com`
`type`	string	Optional	DNS record type to query. Use ALL to query all 22 types at once. Defaults to A if not specified.Example: `A`Options: ALL, A, AAAA, CAA, CERT, CNAME, DNAME, DNSKEY, DS, HTTPS, LOC, MX, NAPTR, NS, PTR, SMIMEA, SOA, SRV, SSHFP, SVCB, TLSA, TXT, URI

Response Fields

Field	Type	Description
`domain`	string	The queried domain
`record_type`	string	The DNS record type queried (single type, or "ALL")
`records`	array	Array of DNS records with type, value, TTL, priority, weight (SRV), and port (SRV). HTTPS/SVCB records also include a parsed `svcb` object with priority, target, alpn[], port, ipv4hint[], ipv6hint[], has_ech, ech, no_default_alpn, raw_params (RFC 9460).
`authenticated`	boolean	DNSSEC AD bit for single-type queries; always false on type=ALL — see authenticated_by_type instead
`authenticated_by_type`	object	On type=ALL only: per-record-type AD bit (e.g., { A: true, MX: false }) so audits see exactly which types are DNSSEC-authenticated
`cname_chain`	array	CNAME hops followed (lowercased, FQDN-trimmed), present only when the queried name aliases via CNAME — e.g., ["www.example.com.cdn.cloudflare.net", "1234.cloudfrontnet"] (max 8 hops, loop-detected per RFC 1034 §3.6.2)
`resolver`	string	The DNS resolver used for the query
`duration_ms`	number	Time taken for DNS query in milliseconds

Code Examples

cURL

curl "https://api.edgedns.dev/v1/dns/lookup" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"

JavaScript

const response = await fetch(
  'https://api.edgedns.dev/v1/dns/lookup?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);

const data = await response.json();
console.log(data);

Python

import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/lookup',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
    'domain': 'example.com'
    }
)

data = response.json()
print(data)

Read the full DNS Lookup guide

Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.

Read the guide →

External References

Learn more about the standards and protocols behind this endpoint.

RFC 1035 - DNS Specification IANA DNS Parameters

Try This Endpoint

Test the DNS Lookup endpoint live in the playground.

Open in Playground Get API Key