FREE · NO ACCOUNT REQUIRED

Free nameserver lookup — find every NS for any domain, measure response times, and detect single-provider risk.

Nameserver Lookup queries the authoritative NS records for a domain, resolves each nameserver to its IPv4 and IPv6 addresses, measures end-to-end response latency from multiple regions, infers the DNS provider behind each nameserver, and scores the configuration for redundancy. Detects the single-provider dependency that turned the 2016 Dyn attack, the 2021 Akamai outage, and the 2024 AWS Route 53 incident into multi-hour blackouts for some domains and zero-impact events for others.

01 · OVERVIEW

What gets analyzed

Six independent classes of output per NS lookup. The NS list and IP resolution are table stakes; the response-time measurements and the single-provider risk detection are the differentiators that distinguish 'I have nameservers' from 'I have resilient DNS'.

NS record retrieval (Authoritative)

Queries the authoritative nameservers for the zone (not a local resolver cache). Returns the complete NS RRset — typically 2 to 6 nameservers. Detects glue records — A/AAAA records for in-bailiwick nameservers that the parent zone returns alongside the NS delegation.

IP resolution (IPv4 + IPv6) (Per nameserver)

Resolves every nameserver hostname to both A and AAAA records. Flags IPv4-only configurations (a growing operational risk as IPv6-only paths become more common) and dangling NS records that don't resolve at all.

Response-time measurement (Per region)

Measures end-to-end query latency from multiple geographic vantage points to each nameserver. Surfaces nameservers that are fast in one region and slow in another — often a sign of nameservers concentrated in a single AS or missing IP-anycast deployment.

Provider inference (30+ providers detected)

Maps each nameserver back to its operator — Cloudflare, AWS Route 53, GoDaddy, Google Cloud DNS, Azure DNS, Dynect, NS1, DNSimple, deSEC, and 20+ more. Reveals single-provider dependency (all NS at one operator = single point of failure).

Propagation consistency (Cross-resolver)

Compares NS records as seen by multiple public resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9, OpenDNS). Inconsistency indicates either a recent delegation change still propagating, or a misconfiguration at the parent zone.

Health score (0 to 100)

Aggregate score weighing redundancy (multi-provider beats single-provider), latency (under 50ms preferred), reachability (all NS responding), and IPv6 coverage. A healthy production zone scores 80+ — most domains we see are at 50-70.

02 · WHY THIS MATTERS

Why nameserver choice is the most underrated infrastructure decision

Nameservers are where the entire domain resolves. If they go down, the domain goes down — DNS caching delays the blast radius but doesn't eliminate it. Yet most teams pick nameservers once at domain-registration time and never think about them again. Five reasons that's a problem in 2026:

  • Single-provider DNS is the single biggest outage vector. The 2016 Dyn attack took down GitHub, Twitter, Spotify, and dozens of others for hours — every affected company had Dyn as their only DNS provider. The companies with secondary DNS at a different provider were unaffected. The lesson has been re-taught at every major DNS outage since.
  • Most domains are at one provider by default. Domain registrars provision default nameservers automatically. GoDaddy gives you GoDaddy nameservers; Namecheap gives you Namecheap; Route 53 gives you four Route 53 nameservers. Multi-provider DNS requires explicit configuration that most teams never do.
  • Nameserver latency is on every uncached request. Slow nameservers add to every first-request page load. A 200ms nameserver lookup is 200ms before the user's browser even knows where to send the HTTP request. Anycast-deployed nameservers (Cloudflare, AWS) typically respond in 5-20ms; non-anycast nameservers can be 100-300ms from far regions.
  • IPv6 coverage on nameservers matters more than people think. Some resolvers (notably mobile-carrier resolvers in IPv6-only deployments) will refuse to query an IPv4-only nameserver. A domain with all IPv4-only nameservers is unreachable from those clients. Most major DNS providers ship IPv6 by default; legacy hosters often don't.
  • DNSSEC is harder with single-provider, easier with managed multi-provider. DNSSEC requires DS records at the parent zone matching DNSKEY at the child. With a single provider, the provider handles both halves. With multi-provider, you need either multi-signer DNSSEC (RFC 8901) — which most providers don't support — or a single signing provider with secondary providers serving signed zones via AXFR/IXFR. Architecture matters.
03 · HOW IT WORKS

Parent delegation → NS query → per-NS probe

An NS lookup is more than a single query — it's a walk down the DNS hierarchy from the root through the TLD to the authoritative zone. We do the same walk and surface what we find at each level.

  • Stage 1 — Query the parent zone For `example.com`, query the `.com` TLD nameservers for the NS delegation. The parent's view of the delegation is what receivers see first; if the parent's NS list differs from the child's NS list, that's a misconfiguration (called 'lame delegation' in extreme cases).
  • Stage 2 — Query the child zone Query each delegated nameserver directly for the zone's own NS records. The child should agree with the parent. The parent and child can briefly disagree during a delegation change — but persistent disagreement indicates one side wasn't updated.
  • Stage 3 — Resolve nameserver hostnames Each NS record is a hostname (e.g. `ns1.example.com`). Resolve each to both A (IPv4) and AAAA (IPv6) records. For in-bailiwick nameservers, the parent provides glue records to break the circular dependency.
  • Stage 4 — Probe each nameserver Send a DNS query (typically SOA or A for the zone) directly to each nameserver's IP. Measure round-trip time. Mark as down any nameserver that doesn't respond within 2 seconds. Repeat from multiple geographic vantage points for latency comparison.
  • Stage 5 — Infer providers Map each nameserver IP and hostname against a database of known DNS operators. Hostname patterns (`*.awsdns-*.com` = Route 53, `*.cloudflare.com` = Cloudflare, `*.googledomains.com` = Google Cloud DNS) are usually unambiguous; IP ownership via WHOIS/RDAP is a fallback.
  • Stage 6 — Score and report Weight redundancy, latency, reachability, and IPv6 coverage into a composite score. Surface the specific findings — single provider, slow nameserver, IPv4-only — with concrete recommendations.
04 · WHAT NAMESERVERS DO

Authoritative vs recursive vs caching — three different things

'Nameserver' is overloaded. In any given DNS flow there are three different kinds of nameserver doing different jobs. Knowing which is which clears up most confusion:

  • Authoritative nameserver Holds the actual records for a zone. When you publish a DNS record, it lives on an authoritative nameserver. The NS records returned by this tool point at the authoritative nameservers for the queried domain. Examples: Cloudflare, Route 53, NS1, GoDaddy DNS.
  • Recursive resolver What end users actually query. Walks the DNS hierarchy from the root on behalf of the user, caches the answer, and returns it. Examples: Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9), your ISP's resolver.
  • Caching nameserver Same as a recursive resolver in practice — caches answers from authoritative nameservers and serves them locally to speed up subsequent queries. Most recursive resolvers are also caching; the terms are often used interchangeably.
  • How they chain together User's browser asks the local recursive resolver. Resolver doesn't have it cached, so it walks the hierarchy: queries a root nameserver (gets TLD referral), queries the TLD nameserver (gets domain referral), queries the domain's authoritative nameserver (gets answer), caches it, returns to user. NS lookup tools query the authoritative end of that chain — bypassing recursive caches.
  • Why this tool queries authoritative Caching resolvers can return stale or wrong NS records — especially during a delegation change or if the resolver itself is misconfigured. Querying authoritative directly gives you ground truth. Other tools (whatsmydns-style propagation checks) deliberately query many recursive resolvers to see what most users would see — different question, different tool. For propagation, see the DNS Propagation Checker.
05 · MULTI-PROVIDER DNS

Why every production domain should have two DNS providers

Single-provider DNS is the single most preventable infrastructure outage. Every major DNS provider has had a multi-hour incident in the last five years. Multi-provider DNS makes those incidents invisible to your users. The tradeoff is operational complexity — but the complexity is manageable, and the failure mode without it isn't.

  • What multi-provider means Two or more DNS providers each operating authoritative nameservers for the same zone. Typical setup: 2 nameservers at Provider A, 2 at Provider B. Resolvers pick nameservers from the full set; if all of Provider A's nameservers go down, resolvers fall over to Provider B.
  • How zone data stays in sync One provider is primary (hidden or visible); secondaries pull the zone via AXFR or IXFR. Some providers (NS1, Dyn-now-Oracle, Akamai Edge DNS) explicitly support this. Or use a managed multi-provider DNS service (Constellix, NS1, ClouDNS) that wraps the complexity.
  • DNSSEC complications Multi-provider DNSSEC is hard. Two providers can't easily co-sign a zone unless they support RFC 8901 (multi-signer DNSSEC) — and most don't. Common workaround: one provider signs, others serve the signed zone via AXFR. Cloudflare and Route 53 both support this in different ways.
  • Operational gotchas Zone updates must propagate to both providers — usually instantaneous via AXFR, but mismatched TTLs or API timing can briefly leave the providers out of sync. Some advanced features (geo-routing, traffic steering) don't translate across providers — multi-provider often means lowest-common-denominator DNS features.
  • Who's already doing it Cloudflare uses six nameservers across three providers internally. Microsoft.com uses multiple namesservers across Microsoft, Markmonitor, and others. Most Fortune-100 companies are now multi-provider. Most smaller companies aren't — and learn the hard way during an incident.
06 · API

Use this programmatically

Every field — NS list, IP resolution, latency measurements, provider inference, health score — is available as JSON. Useful for change validation after a registrar update, monitoring for delegation drift, and continuous DNS-health observability.

cURL
curl 'https://api.domainscan.in/v1/domain/ns?domain=cloudflare.com'
JavaScript (fetch)
const res = await fetch(
  'https://api.domainscan.in/v1/domain/ns?domain=cloudflare.com'
);
const ns = await res.json();

console.log(ns.nameservers.length);              // 4
ns.nameservers.forEach(n => {
  console.log(n.host, '@', n.ipv4, '·', n.provider, '·', n.responseMs + 'ms');
});

// Alert if single-provider
const providers = new Set(ns.nameservers.map(n => n.provider));
if (providers.size === 1) {
  console.warn(`Single-provider DNS: ${[...providers][0]} — consider adding a secondary`);
}

// Alert if any NS is slow
ns.nameservers
  .filter(n => n.responseMs > 100)
  .forEach(n => console.warn(`Slow NS: ${n.host} (${n.responseMs}ms)`));
Response schema (abridged)
{
  "domain":      "cloudflare.com",
  "nameservers": [
    {
      "host":       "ns3.cloudflare.com",
      "ipv4":       ["162.159.0.33"],
      "ipv6":       ["2400:cb00:2049:1::a29f:21"],
      "provider":   "Cloudflare",
      "responseMs": 12,
      "reachable":  true
    }
  ],

  "summary": {
    "count":            4,
    "providers":        ["Cloudflare"],
    "singleProvider":   true,
    "ipv4Coverage":     1.0,
    "ipv6Coverage":     1.0,
    "medianResponseMs": 14,
    "healthScore":      85
  },

  "AiAnalysis": {
    "issues": [
      {
        "severity":       "warning",
        "title":          "Single-provider DNS",
        "description":    "All nameservers operated by Cloudflare",
        "recommendation": "Add a secondary DNS provider for resilience against provider outages"
      }
    ]
  }
}
07 · USE CASES

How teams use Nameserver Lookup

Six patterns we see most often:

Post-migration verification (Change validation)

Just moved DNS providers? Verify the new NS records are live at the registrar, the new provider is actually serving authoritative responses, and the old provider has been removed from delegation. Run this immediately after the change and again 24 hours later.

Single-provider risk audit (Resilience)

Audit your entire domain portfolio for single-provider DNS. Most companies discover that 80%+ of their domains are at one provider — usually the registrar's default. Multi-provider conversion is operationally cheap and outage-prevention significant.

Acquisition due diligence (M&A)

Acquiring a company? Their DNS architecture is a leading indicator of operational maturity. All NS at GoDaddy's defaults? Expect to spend weeks consolidating to a real DNS platform post-close.

Performance debugging (Latency)

First-byte latency is higher than expected from one region. NS lookup measures per-region nameserver response time — if your NS is 250ms from Singapore and you have Singaporean users, that's part of why.

Delegation-drift monitoring (Operations)

Cron the API against your domains. Alert when the NS set changes unexpectedly — that's either a successful migration you weren't told about or a registrar hijack. Both worth knowing.

Phishing-infrastructure investigation (Threat intel)

Suspicious domain impersonating yours? Check its nameservers. Cheap-bulletproof-hoster NS patterns (Namecheap defaults, Hostinger DNS, certain Russian providers) are a strong signal of low-budget phishing infrastructure.

08 · QUESTIONS

Common questions

  • What is a nameserver? A nameserver is a DNS server that holds authoritative records for one or more zones (domains). When a client queries DNS for a domain, the resolution path eventually reaches the domain's authoritative nameservers, which return the actual records (A, AAAA, MX, TXT, etc). Every domain must have at least two nameservers per ICANN policy.
  • How many nameservers should a domain have? ICANN requires at least two. Best practice is two to four, with diversity across networks. More than six nameservers is unusual and can hit response-size limits on DNS-over-UDP. Most production domains run two to four authoritative nameservers; high-traffic domains often have four to six across multiple providers.
  • What's the difference between authoritative and recursive nameservers? Authoritative nameservers hold the actual zone data — they're the source of truth for a domain. Recursive nameservers (Google 8.8.8.8, Cloudflare 1.1.1.1, your ISP's resolver) walk the DNS hierarchy on behalf of end users, query authoritative nameservers, cache the answers, and serve them. Authoritative = source. Recursive = client-facing cache. This tool queries authoritative.
  • Why are my new nameservers not working? After changing nameservers at the registrar, propagation takes time — typically 24 to 48 hours, sometimes longer. Two things must happen: (1) the parent zone (`.com`, `.io`, etc) must publish the new NS delegation, and (2) recursive resolvers worldwide must expire their cached old delegation. Until both happen, some users see old nameservers, some see new. For propagation checking, see the DNS Propagation Checker.
  • What is a glue record? A glue record is an A or AAAA record served by the parent zone alongside an NS delegation, used to break the circular dependency when a nameserver is in-bailiwick (i.e. `ns1.example.com` is the nameserver for `example.com`). Without the glue, resolving `example.com` would require querying `ns1.example.com`, which requires resolving `example.com` first. Glue records are configured at the registrar and live in the parent TLD zone.
  • Should I use my registrar's nameservers or external DNS? Almost always external. Registrar default nameservers are designed for parking pages, not production traffic. Move to Cloudflare, Route 53, NS1, Google Cloud DNS, or another DNS-focused operator. The features (anycast, geo-routing, DNSSEC, API access) and reliability are dramatically better.
  • What is anycast DNS? Anycast is a routing technique where the same IP address is advertised from multiple geographic locations. Queries are routed to the topologically nearest instance. Major DNS providers (Cloudflare, Route 53, Google) use anycast so a single nameserver hostname (e.g. `1.1.1.1`) resolves to the nearest of 100+ physical servers worldwide. Result: faster queries and built-in DDoS resilience.
  • Can I have nameservers at multiple providers? Yes — and you should for production domains. Multi-provider DNS is the single biggest resilience improvement available. Common pattern: 2 nameservers at Provider A (primary), 2 at Provider B (secondary). The secondary pulls the zone via AXFR or runs as a managed secondary at services like NS1 or Constellix. DNSSEC adds complexity but is solvable.