ZeroTrace OSINT
DNS Lookup
Full DNS record analysis with DMARC / SPF / DKIM, DNSSEC chain validation, CAA records, and multi-resolver cross-checks.
The DNS lookup tool returns every record type for a domain — the standard A / AAAA / MX / NS / TXT / CNAME / SOA, plus the security-focused records that most lookup utilities skip: DMARC, SPF, DKIM, CAA, and DNSSEC chain status.
It also cross-resolves across multiple public resolvers and highlights any difference, so you can spot DNS poisoning, propagation lag, or geo-DNS behaviour at a glance.
Record types
| Type | What it tells you |
|---|---|
| A | IPv4 address(es) |
| AAAA | IPv6 address(es) |
| MX | Mail exchanger(s) and priority |
| NS | Authoritative nameservers |
| TXT | Text records (SPF, ownership verification, arbitrary metadata) |
| CNAME | Aliases — what the domain redirects to at the DNS level |
| SOA | Start-of-authority — primary nameserver, contact, serial, refresh interval |
| CAA | Certificate-authority authorisation — which CAs are allowed to issue certs |
| PTR | Reverse DNS (when querying an IP) |
You can request a single type or all of them. All-types is the default.
Email-security extras
When you query a domain, the tool automatically fetches and parses:
- SPF —
TXTrecord at the apex, parsed for mechanisms (include:,ip4:,ip6:,~all,-all). - DMARC —
TXTat_dmarc.<domain>, parsed for policy (p=), reporting addresses (rua=,ruf=), and percentage (pct=). - DKIM —
TXTat common selectors (default._domainkey,selector1._domainkey), parsed for algorithm and key length.
A composite email reputation score combines:
- SPF presence + strict mode (
-all) - DMARC policy of
rejectorquarantine - DKIM presence
- TTL signals
This is the same score the Email Analyzer surfaces.
DNSSEC chain validation
The tool fetches the DS and DNSKEY records and verifies the DNSSEC trust chain. Result statuses:
| Status | Meaning |
|---|---|
| Valid | Chain verifies up to the root. Domain is DNSSEC-signed and the signatures verify. |
| Insecure | Domain has no DNSSEC. Common, not a problem. |
| Bogus | Chain exists but does not verify. Indicates misconfiguration or active attack. |
| Indeterminate | Resolver could not determine the status (often a network condition). |
CAA records
CAA tells you which certificate authorities the domain owner has authorised to issue certificates. A domain with 0 issue "letsencrypt.org" is saying: only Let's Encrypt may issue certs for this domain. If you find a cert from a different CA in the TLS inspector, CAA is a useful cross-check.
Multi-resolver cross-check
By default, the tool resolves through the system resolver. A toggle switches on cross-resolution against:
- Cloudflare DNS over HTTPS (
1.1.1.1) - Google DNS over HTTPS (
8.8.8.8) - Quad9 DNS over HTTPS (
9.9.9.9)
Differences across resolvers light up — useful for spotting:
- Geo-DNS (different answers per resolver IP).
- DNS poisoning at the local network.
- Stale caches during a DNS migration.
TTL column
Every record shows its TTL. Low TTLs (60s, 300s) tell you the operator expects to change the record soon — common for active load-balancing and for migration windows. High TTLs (24h+) indicate a stable, long-running record.
A sudden drop in TTL is one of the few public signals that a domain operator is preparing for a migration. Check it before vendor switches if you are doing competitor / supply-chain reconnaissance.
Pivots from DNS results
| Click on... | Pivot to |
|---|---|
| A / AAAA address | IP geolocation, ASN lookup, reverse DNS, IP reputation |
| MX hostname | DNS lookup again (resolve the MX) |
| NS hostname | DNS lookup, then IP geolocation on the NS IP |
| CNAME target | DNS lookup |
| TXT record content | (no pivot — copy and paste) |
Bulk DNS
Bulk paste mode runs the same record-type request against many domains at once. Aggregate table shows one row per domain with the IPs, MX, NS, and SPF strict / DMARC policy at a glance — perfect for an external-attack-surface inventory.
Sources
- System resolver (default).
- Cloudflare DNS over HTTPS (when cross-resolution is on).
- Google DNS over HTTPS (when cross-resolution is on).
- Quad9 DNS over HTTPS (when cross-resolution is on).
- DNSSEC validation runs locally against the signed responses.