KernelHost Tools DNS Lookup

DNS Lookup / inspect DNS records

Reads all important DNS records of a domain in one query: A, AAAA, MX, TXT, CNAME, NS, SOA and CAA including TTL. SPF, DKIM and DMARC entries are parsed inline and shown with a validity badge. Lookup runs from the KernelHost node in Frankfurt FRA01.

Which domain to check?

How does DNS work?

The Domain Name System (DNS) is the phone book of the internet. When your browser opens tools.kernelhost.com, the domain is first translated into an IP address. DNS is not a single server but a hierarchical chain: root servers (.), TLD servers (.com, .de, .at) and finally the authoritative nameserver of the domain. The resolver walks this chain and caches the result locally.

A DNS query consists of question and answer: which records of type X exist for domain Y? The reply contains one or more records plus a TTL (time to live), which tells a resolver how long it may cache the entry. DNS changes therefore are not visible worldwide instantly, they propagate along the cache hierarchy.

Our tool starts a UDP/TCP lookup via the system resolver of the container in Frankfurt FRA01. There is no tracking, no logging of the queried domain and no third-party API. The reply usually returns within a few milliseconds because the Frankfurt node is connected directly to DE-CIX.

Which record types exist?

Each DNS record type has a specific job. Our tool shows the eight most common types you actually need to operate a domain.

  • A: Maps a domain to an IPv4 address. A domain can have multiple A records (round-robin DNS, load balancing).
  • AAAA: Maps a domain to an IPv6 address. Mandatory for modern web setups, Google ranks IPv6 connectivity positively.
  • MX: Mail exchanger. Which server accepts mail for this domain. Carries a priority (lower number is preferred) for failover.
  • TXT: Free-form text. In practice almost exclusively used for SPF, DKIM, DMARC, domain verification (Google, Microsoft) and _acme-challenge (Let's Encrypt).
  • CNAME: Alias to another domain. www.kernelhost.com may be a CNAME pointing to kernelhost.com. CNAME is not allowed on the apex domain itself.
  • NS: Which nameservers are authoritative for this domain. NS records are set during domain registration and define where all other records are managed.
  • SOA: Start Of Authority. Defines the primary nameserver, the admin email, and the refresh/retry/expire/minimum TTL values for zone transfers.
  • CAA: Certificate Authority Authorization. Which CAs may issue TLS certificates for this domain. Protection against unauthorized certificate issuance.

MX vs SPF vs DKIM vs DMARC: email setup explained

A complete email setup consists of four DNS components. If one is missing, your mail either does not arrive or lands in the spam folder.

  • MX (receive): Tells the world which server accepts incoming mail for your domain. Without MX, nobody can write to you. MX typically points to a hostname like mx.kernelhost.com which is then resolved via A/AAAA.
  • SPF (sender authentication): TXT record with v=spf1 specifying which IPs may legitimately send mail for your domain. -all at the end is mandatory (otherwise anyone can spoof your domain).
  • DKIM (cryptographic signature): Each outgoing mail is signed with a private key, the public key sits in DNS at selector._domainkey.your-domain.com as TXT v=DKIM1. Receivers verify the signature and detect tampering.
  • DMARC (policy + reporting): TXT under _dmarc.your-domain.com with v=DMARC1; p=reject; rua=mailto:dmarc@... DMARC combines SPF and DKIM, tells the receiver what to do with failed mail, and provides reports.

Our tool parses SPF, DKIM and DMARC inline and shows green, yellow or red badges so you immediately see whether the setup is clean or whether e.g. -all is missing, the DKIM key is too short, or DMARC is only in monitoring mode.

TTL and DNS caching

TTL (time to live) tells a resolver in seconds how long it may cache a DNS record. With TTL=3600 the resolver only re-queries the authoritative server after one hour. This saves bandwidth but makes DNS changes not immediately visible.

The right TTL depends on what you want. Stable production: high TTL (1 hour to 1 day). Upcoming server move: lower TTL to 60-300 seconds days in advance, then move, then raise again.

  • Short TTL (60-300s): Quick changes but more load on the authoritative server and slightly higher lookup latency.
  • Long TTL (3600-86400s): Less load, faster cache replies, but changes take hours to days to be visible worldwide.
  • For migrations: Lower TTL to 60-300 seconds at least 24 hours before the move so all resolver caches expire just before the cutover.

What is DNSSEC and do I need it?

DNSSEC (DNS Security Extensions) signs DNS records cryptographically so a resolver can verify whether the answer was tampered with on the way. Without DNSSEC, a malicious ISP or public-WiFi resolver can return forged IPs (DNS spoofing).

DNSSEC uses two keys: ZSK (zone signing key) signs the records, KSK (key signing key) signs the ZSK. The KSK hash is published as a DS record at the registrar, closing the chain of trust up to the root.

Do you need it? For banks, public services, mail providers and anyone using SMIMEA, TLSA or OPENPGPKEY records (DANE): yes. For a normal webshop DNSSEC is a nice-to-have that costs nothing if your provider supports it. KernelHost DNS supports DNSSEC out of the box.

Common debugging use cases

What you actually need this tool for in everyday life:

  • Mail does not arrive: Check MX records, then SPF, DKIM, DMARC. If any of the four is broken, mail ends up in spam or is rejected by the receiver.
  • Domain points to wrong IP: Check A and AAAA records. Often during a server move only A records were updated and old AAAA records remain.
  • Subdomain does not respond: Check the CNAME or direct A record on the subdomain. Common bug: the subdomain was created in the hosting panel but DNS still points nowhere.
  • Check DNS propagation: After a change, run several lookups spaced in time. Once the TTL has expired, all resolvers should see the new records.
  • Lets Encrypt refuses certificate: Check CAA records. If they only list another CA and Lets Encrypt is missing, Lets Encrypt refuses to issue.

DNS at KernelHost

KernelHost web hosting includes complete managed DNS: all records are managed via our control panel, DNSSEC is enabled by default, and geographically redundant anycast nameservers in Frankfurt and Vienna deliver fast responses worldwide.

If you only need DNS hosting without webspace, our domain service plans do the job. Domain registration, transfer and DNS management are included in every KernelHost hosting tier. For more complex setups (split horizon, geo DNS, high TTL precision) a VPS plus your own authoritative server is an option, and you can use this tool any time for diagnostics.

Frequently asked questions

Which record types are queried?

A, AAAA, MX, TXT, CNAME, NS, SOA and CAA. These are the eight most common types you actually need to operate a domain. Special records like SRV, PTR, DS, DNSKEY or TLSA are available in the Check-Host tool under DNS mode with dig.

Are DKIM selectors found automatically?

No. DKIM records live at <selector>._domainkey.<domain>, and the selector is arbitrary (google, k1, default and so on). Without knowing the selector, DKIM entries cannot be enumerated. If you know the selector, enter e.g. google._domainkey.kernelhost.com directly and the tool will show the TXT entry with parser.

Is DMARC checked automatically?

Yes. DMARC always sits at _dmarc.<domain> and is queried automatically alongside the main domain. You will see the entry in the TXT block with a DMARC badge and an explanation of the policy (none / quarantine / reject), pct, aspf, adkim and rua.

What does 'no MX records' mean?

This domain does not receive email. If you send mail to e.g. info@this-domain.com it will bounce. MX is the mandatory prerequisite for receiving mail; without MX you cannot receive mail for the domain even if there is an A record.

Which TTL values make sense?

In production 3600 seconds (1 hour) up to 86400 seconds (1 day). Before changes, lower to 60-300 seconds at least 24 hours in advance so caches are short and the change becomes visible quickly worldwide. Raise back afterwards.

Are inputs stored?

No. There is no logging of queried domains, no tracking cookies, and no third-party API. The lookup runs locally in the container via dns_get_record(). We see no query history and cannot reconstruct it from logs.

Why are no DNSSEC records shown?

The tool shows eight standard record types. DNSSEC-specific records (DS, DNSKEY, RRSIG, NSEC) are available in the Check-Host tool under DNS mode (dig +dnssec). The focus here is on records every domain owner usually manages personally, not the validation chain.

Can I use the tool for subdomains?

Yes. Just enter the subdomain (e.g. www.kernelhost.com or mail.kernelhost.com). On subdomains CNAME records are common, A/AAAA are then resolved through the CNAME and combined into one reply by the resolver.

All KernelHost Products

Need more than just tools? Take a look at our commercial hosting lineup.

KVM-Rootserver from 4,99 €/mo Dedicated-Server from 69,99 €/mo Minecraft-Server from 4,00 €/mo Webhosting from 3,99 €/mo Private VPN-Server Dedicated IP DDoS Protection 3.2 Tbps Arbor