EN English ES Español DE Deutsch FR Français PT Português JP 日本語 CN 中文 IT Italiano KR 한국어 NL Nederlands
← Blog
April 30, 2026 Esteve Castells 14 min

DNS Checker: How to Verify Your Domain's DNS Records

A DNS checker queries multiple resolvers worldwide to reveal whether your DNS changes have propagated and whether your records are consistent. Learn how to verify DNS records systematically instead of guessing.

DNSDNS CheckerPropagationDNS RecordsMonitoringInfrastructure

You just updated your A record to point to a new server. Your browser loads the site fine. You tell the team the migration is done. Then a customer in Frankfurt calls to say the site is down, another in Tokyo sees the old server, and your monitoring dashboard in Virginia shows everything green. The problem is not that your change failed. The problem is that you checked from one place and assumed the rest of the internet agreed.

A DNS checker solves this by querying multiple resolvers across different networks and geographies simultaneously. Instead of asking one resolver what it thinks, you ask dozens. The results show whether your change has propagated globally, whether all resolvers agree on the answer, and whether any are still serving stale cached data. It is the difference between checking whether your front door is locked and checking whether every door in the building is locked.

Why DNS Looks Different From Different Locations

DNS is not a single database that updates atomically. It is a distributed, hierarchical caching system where thousands of independent resolvers maintain their own copies of record data. When you change a DNS record at your authoritative nameserver, that change is immediately visible only at the source. Every recursive resolver in the world still holds its cached copy until that copy expires, and they all cached it at different times.

TTL expiry timing is the most obvious factor. If your A record had a TTL of 3600 seconds and a resolver in Sydney cached it 500 seconds ago, that resolver will keep serving the old answer for another 3100 seconds regardless of what your authoritative server now says. A resolver in London that cached it 3500 seconds ago will refresh in 100 seconds. Same record, same change, different visibility windows.

Anycast routing adds another layer of complexity. Large DNS providers like Cloudflare, Google, and Amazon Route 53 use anycast to route queries to the nearest data centre. The "same" resolver IP (like 8.8.8.8) actually runs on dozens of physical servers across the globe. Each maintains its own independent cache. A query to 8.8.8.8 from Singapore hits a different machine than the same query from Chicago, and they may hold different cached answers for the same domain.

Regional CDN differences compound this further. If your domain uses a CDN that returns different IP addresses based on the querier's location (GeoDNS), then different resolvers are supposed to get different answers. A DNS checker will show you those intentional regional differences alongside any unintentional inconsistencies, and you need to be able to tell them apart.

ISP resolver behaviour is the wildcard. Some ISPs run resolvers that ignore TTL values and cache records for longer than specified, sometimes hours beyond the stated TTL. Others run resolvers with aggressive pre-fetching that refresh popular records before TTL expiry. Corporate networks often run internal resolvers with their own caching policies, forwarding rules, and override zones. These are outside your control entirely.

What a DNS Checker Actually Tests

A single DNS lookup tells you what one resolver thinks right now. A DNS checker performs a structured comparison across many resolvers to surface problems that a single query cannot reveal. Here is what each check actually tells you.

Record Existence and Value

The most basic check: does the record exist, and does it contain the expected value? A checker queries each resolver for the same record type and domain, then compares the answers. If resolver A returns 203.0.113.10 and resolver B returns 198.51.100.5, you have an inconsistency that a single lookup would never reveal. This catches stale caches, incomplete migrations, and cases where a provider change was applied at the registrar but not yet reflected everywhere.

Consistency Across Resolvers

Consistency is the core value of a multi-resolver check. After a change, you expect some period of inconsistency while caches expire. But if resolvers still disagree after two full TTL cycles, something is wrong. Either the change was not applied to all authoritative nameservers, one nameserver is serving different data, or a resolver is pathologically caching. A checker with timestamps lets you distinguish between "still propagating" and "genuinely broken."

TTL Values

The TTL returned by a recursive resolver is the remaining time on its cached copy, not the authoritative TTL. If your authoritative TTL is 300 seconds and a resolver returns a TTL of 47, that resolver cached the record 253 seconds ago. Checking TTL values across resolvers tells you how fresh each cache is and roughly when you can expect full propagation. If a resolver returns a TTL higher than your authoritative TTL, that resolver or an upstream cache is overriding your settings.

SOA Serial Numbers

The SOA (Start of Authority) record includes a serial number that should increment with every zone change. Querying SOA across all your authoritative nameservers confirms whether the zone transfer completed. If ns1.example.com reports serial 2026041501 and ns2.example.com still shows 2026041500, your secondary has not picked up the change yet. No amount of waiting will fix that -- it is a zone transfer problem.

NS Delegation

A checker should verify that the NS records at the parent zone (the registrar or TLD) match the NS records the domain itself returns. A mismatch means delegation is broken or partially updated. This catches the common migration mistake where nameservers were updated at the domain's zone file but not at the registrar, or vice versa.

Response Time

DNS response time affects every connection to your domain. A checker that measures latency from multiple locations reveals whether a particular nameserver is slow, unreachable from certain networks, or timing out. A 500ms DNS response adds 500ms to every new connection before the browser even starts the TLS handshake.

Step-by-Step: Verifying a DNS Change

Most DNS change failures come from skipping steps, not from the change itself being wrong. This sequence turns a DNS change from a hope-and-check operation into a verifiable procedure.

  1. Note the current TTL before changing anything. Query your authoritative nameserver for the record you plan to change. Write down the TTL. If it is 86400 (24 hours), you will be waiting a long time for propagation.
  2. Make the change at your DNS provider. Update the record. If you use multiple authoritative nameservers, verify the change is live on all of them, not just the primary. Use direct queries to each nameserver IP: dig @ns1.example.com example.com A and dig @ns2.example.com example.com A.
  3. Verify at your authoritative nameservers first. Before checking global resolvers, confirm the authoritative source is correct. If your own nameservers disagree, no amount of propagation time will fix the problem. Check that the SOA serial has incremented on all nameservers.
  4. Check global propagation with a DNS checker. Query resolvers in multiple regions. Expect some inconsistency during the TTL window. Focus on whether the new answer is appearing in at least some resolvers, which confirms the change is live at the source and propagation has started.
  5. Monitor for twice the old TTL. If the old TTL was 3600 seconds, monitor for 7200 seconds. This accounts for resolvers that cached the record just before you made the change and need the full TTL to expire, plus a margin for resolvers that aggressively cache beyond TTL.
  6. Confirm from the end-user perspective. Once propagation looks complete in the checker, test from actual client contexts: a browser with cleared DNS cache, a mobile device on cellular, a VPN exit in another country.

Common DNS Issues a Checker Reveals

A multi-resolver DNS check surfaces patterns that no single query can detect. These are the issues that most commonly appear when you check from enough locations.

Inconsistent Records Between Nameservers

If ns1.example.com returns 203.0.113.10 and ns2.example.com returns 198.51.100.5 for the same A record, different resolvers will receive different answers depending on which nameserver they query. This typically happens after a partial update, a failed zone transfer, or when one nameserver was manually edited while the other pulls from a zone file or API. The result is intermittent behaviour: the site works, then does not, then works again, depending on which nameserver the resolver happened to contact.

Lame Delegation

Lame delegation occurs when the parent zone (usually the TLD registry) points to a nameserver that does not actually host the zone. The NS record says ns1.dnshost.com is authoritative for example.com, but that server either does not respond or returns REFUSED/SERVFAIL. This happens after switching DNS providers without updating the registrar, or when a DNS hosting account expires. Some resolvers will fall back to a working nameserver; others will return SERVFAIL to the end user. A checker that queries the delegated nameservers directly makes lame delegation immediately obvious.

Missing Glue Records

If your nameservers are subdomains of the domain they serve (ns1.example.com is a nameserver for example.com), the parent zone needs glue records -- A records for the nameserver that are served alongside the NS delegation. Without glue, resolvers face a circular dependency: to resolve example.com, they need to contact ns1.example.com, but to find the IP for ns1.example.com, they need to resolve example.com. Some resolvers handle this gracefully; others fail silently. A checker that tests from resolvers without cached data for your nameservers will expose missing glue.

CNAME at Zone Apex

RFC 1035 prohibits CNAME records at the zone apex (example.com without a subdomain) because CNAME cannot coexist with other record types, and the apex always has SOA and NS records. Some DNS providers silently allow this violation; others reject it. When it exists, behaviour varies by resolver: some follow the CNAME, some ignore it, some return SERVFAIL. A checker will show inconsistent results across resolvers, which is the hallmark of this specific misconfiguration. The fix is to use an ALIAS, ANAME, or flattened CNAME record if your DNS provider supports it, or to use A/AAAA records directly.

Conflicting Record Types

A CNAME record at a given name cannot coexist with any other record type at the same name (except DNSSEC-related records). If you have both a CNAME and an MX record at mail.example.com, resolver behaviour is undefined. Some will return the CNAME, some will return the MX, and some will return an error. A DNS checker that queries for multiple record types at the same name will flag these conflicts.

Dangling CNAME

A dangling CNAME points to a target that no longer exists or no longer resolves. For example, blog.example.com CNAME to example.herokuapp.com, but the Heroku app has been deleted. The CNAME still exists in your zone, so it resolves -- but to nothing, or worse, to a domain that someone else can claim. Dangling CNAMEs to cloud services are a well-known subdomain takeover vector. A checker that follows CNAME chains and verifies the final target catches these before an attacker does.

DNS Checker vs DNS Lookup: Different Tools for Different Questions

A DNS lookup queries a single resolver (or your configured default) and returns the current answer. It answers the question: "What does this resolver think the record is right now?" That is useful for debugging a specific client's experience, inspecting record values, or exploring a domain's configuration. DomScan's DNS Lookup Tool gives you this view instantly.

A DNS checker queries many resolvers across different networks and locations and compares the results. It answers a different question: "Does the internet agree on what this record is?" That is the question you need answered after a change, during a migration, or when diagnosing intermittent failures that only affect some users.

  • Use a DNS lookup when you need to inspect record values, debug what a specific resolver returns, or explore a domain's DNS configuration.
  • Use a DNS checker when you need to verify propagation after a change, confirm consistency across resolvers, or diagnose location-dependent failures.
  • Use both together after a migration: the lookup to verify the authoritative answer is correct, then the checker to verify it has reached resolvers worldwide.

The DNS Lookup API supports programmatic single-resolver queries. For propagation verification, combine it with multiple resolver targets or use a dedicated propagation check.

Example: Multi-Location DNS Check Results

Here is what a DNS checker output looks like after changing the A record for example.com from 198.51.100.5 to 203.0.113.10. The change was made 20 minutes ago with a TTL of 300 seconds.

DNS checker results for example.com A record, 20 minutes after change
Domain: example.com
Record: A
Expected: 203.0.113.10
Check time: 2026-04-30T09:22:14Z

Location         Resolver          Result          TTL   Status
─────────────────────────────────────────────────────────────────────
New York         8.8.8.8           203.0.113.10    187   ✓ Propagated
New York         1.1.1.1           203.0.113.10    241   ✓ Propagated
London           8.8.8.8           203.0.113.10     53   ✓ Propagated
London           9.9.9.9           198.51.100.5    114   ✗ Stale
Frankfurt        1.1.1.1           203.0.113.10    299   ✓ Propagated
Tokyo            8.8.8.8           203.0.113.10    162   ✓ Propagated
Tokyo            1.1.1.1           198.51.100.5     88   ✗ Stale
Sydney           9.9.9.9           203.0.113.10    211   ✓ Propagated
Sao Paulo        8.8.8.8           203.0.113.10    275   ✓ Propagated
Singapore        1.1.1.1           203.0.113.10    130   ✓ Propagated
Mumbai           8.8.8.8           198.51.100.5     42   ✗ Stale
Johannesburg     1.1.1.1           203.0.113.10    195   ✓ Propagated
─────────────────────────────────────────────────────────────────────
Propagation: 9/12 resolvers (75%)
Stale caches remaining: London/Quad9, Tokyo/Cloudflare, Mumbai/Google
Estimated full propagation: ~5 minutes (based on remaining TTLs)

This output tells a clear story. The change is live at the authoritative servers and most resolvers have picked it up. Three resolvers still hold cached copies of the old answer, but their remaining TTLs are low (42-114 seconds), so full propagation is minutes away. If those resolvers still showed the old answer after 600+ seconds (two full TTL cycles), that would indicate a real problem rather than normal cache expiry.

Reading the Results

TTL values tell you how fresh the cache is. A resolver showing TTL 299 out of a 300-second authoritative TTL just refreshed. One showing TTL 42 cached it 258 seconds ago. If a resolver shows a TTL higher than your authoritative TTL, something upstream is overriding your settings.

Inconsistent results with low remaining TTLs are normal during propagation. Inconsistent results with high remaining TTLs (or results that persist beyond two TTL cycles) point to a configuration problem: mismatched nameservers, failed zone transfer, or a resolver that is ignoring TTL.

Geographic patterns matter. If all resolvers in one region show stale data while others are current, check whether your DNS provider has a regional point of presence that is lagging or whether a regional resolver is overriding TTL. If one specific resolver brand (say, all Quad9 nodes) lags behind while Google and Cloudflare are current, the issue may be with that resolver's refresh behaviour.

Automated DNS Monitoring

Running a DNS checker manually after a change is necessary but not sufficient. DNS records change for reasons beyond your planned updates: expired domains get re-registered, hosting accounts lapse, zone files get edited by other team members, registrar accounts get compromised, and cloud resources get deprovisioned while CNAME records still point to them.

Automated DNS monitoring runs the same multi-resolver consistency check on a schedule and alerts you when results change unexpectedly. The value is not in catching your own planned changes -- you know about those. The value is in catching the changes you did not make and did not expect.

  • NS record changes could indicate a domain hijack or unauthorized registrar transfer.
  • A/AAAA record changes on domains you did not touch could mean a compromised DNS provider account or an expired hosting IP being reassigned.
  • MX record changes could redirect your email to an attacker-controlled server.
  • TXT record disappearance (SPF, DKIM, DMARC) degrades email authentication and may indicate someone cleaned up records they did not understand.
  • New CNAME records on subdomains you do not recognise could indicate subdomain takeover attempts.
  • SOA serial decrements suggest a zone rollback or restore from an old backup.

DomScan's Domain Monitor tracks DNS, SSL, WHOIS, and availability changes for your domains continuously. Rather than running manual checks after each change, you define which domains matter and get alerted when their DNS state diverges from the expected baseline. Combined with DNS History, you can see exactly when a record changed and correlate it with other events.

Monitoring Frequency and Thresholds

Not every domain needs the same monitoring cadence. A domain that handles authentication (login.example.com) or payment processing deserves checks every few minutes. A marketing landing page might need hourly checks. A parked domain that should never change can be checked daily. The goal is to detect unexpected changes within a window where you can respond before users or email systems are affected.

Set alert thresholds based on what should and should not change. An A record change on your production domain is always worth investigating. A TTL fluctuation on a CDN-managed subdomain is probably noise. Good monitoring distinguishes between the two and only pages your team when the signal warrants action.

Putting It Together

A DNS checker is not a luxury tool you reach for when something breaks. It is a verification step that belongs in every DNS change procedure. The sequence is straightforward: check authoritative servers first, then check global resolvers, then monitor until propagation is confirmed, then set up ongoing monitoring so you know if the records change again without your involvement.

The operational discipline matters more than the tool. Teams that verify DNS changes from multiple locations, track propagation against expected TTL windows, and monitor for unexpected changes catch problems in minutes. Teams that check from one location and assume the rest of the internet agrees catch problems when customers call.

Start with the DNS Lookup Tool for a quick single-resolver check, use the DNS Lookup API to automate multi-resolver queries, review DNS History to understand what changed and when, and set up Domain Monitor for continuous verification. Run a Domain Health check to see DNS alongside SSL, email, and broader domain posture in one view.

Further reading: RFC 1035 covers the DNS message format and record semantics. The Cloudflare DNS TTL Reference provides practical guidance on TTL values and resolver caching behaviour.

Key Takeaways

  • A DNS checker queries multiple resolvers worldwide, not just one, which is the only reliable way to confirm propagation after a change.
  • DNS can look correct locally while failing for users in other regions due to resolver caching, TTL timing, and anycast routing differences.
  • Always verify at your authoritative nameservers first, then check global resolvers to distinguish between a bad change and slow propagation.
  • Common issues like lame delegation, CNAME-at-apex violations, and dangling CNAMEs are invisible from a single lookup but obvious from a multi-resolver check.
  • One-time DNS checks are not enough for production domains. Automated monitoring catches drift, hijacking, and misconfigurations before users notice.
  • Lower your TTL before making changes, wait for the old TTL to expire, then make the change and monitor for at least twice the old TTL.

Related Articles

April 14, 2026 8 min

How Long Does DNS Propagation Take? The Technical Reality

DNS propagation is not one global timer. It is the practical effect of caches, TTLs, resolver behaviour, and where the change was made. This guide explains what actually determines visibility after a DNS update.