9 Best DNS Lookup Tools for Malware Analysis and Phishing Investigations
For cybersecurity researchers, DNS holds a treasure trove of data. It can help identify malicious domains, map attacker infrastructure, detect fast-flux hosting, and spot typosquatting domains. But it also requires knowing where to look and what to analyze.
In this post, we cover the best DNS lookup tools for different types of lookups and the kinds of investigations each can help with.
Types of DNS Lookups
To simplify things, we can group DNS lookup tools into two categories, depending on the data point you want to query:
- Forward DNS lookups. These require a domain or a subdomain name as input and then retrieve values stored in DNS records, such as associated IP addresses (from A and AAAA records), nameservers (from NS records), mail servers (from MX records), and so on.
- Reverse DNS lookups. These require a value (an IP address, a nameserver, a mail server, or something else) and retrieve the domain and subdomain names that have this value in their DNS records. This can mean an actual DNS query (a PTR lookup in the in-addr.arpa or ip6.arpa zone for an IP address, which returns only the name the IP's owner chose to publish) or, more usefully for investigations, a search of passive DNS data that records which domains were observed resolving to that value.
Forward DNS Lookup Tools
Forward DNS lookup tools let you pivot off a domain name, so you can find everything you want to know about it, DNS-wise. Here’s a quick list of WhoisXML API tools that enable you to perform forward DNS lookups.
- DNS Lookup API: This lookup tool retrieves the target domain’s DNS records, including A, NS, CNAME, SOA, and several other DNS record types.
- TXT Record Lookup: You may use this tool if you only need to obtain the TXT record of a domain name.
- MX Record Lookup: This free DNS lookup tool retrieves the MX records of any domain.
- CNAME Record Lookup: Use this tool to get the CNAME record of a target domain.
These tools can help when the starting point of an investigation is one or more domain names. We’ll get to specific use cases for them a little later.
Reverse DNS Lookup Tools
Sometimes your starting point is an IP address. And investigations rarely take just one step, so at some point you will probably be holding DNS record values (an IP address, a nameserver, a mail server hostname) collected from forward lookups. This is where reverse DNS lookups come in. Below are the tools that can help you:
- Reverse DNS API: This tool allows you to search for domains associated with an SOA, TXT, or CNAME record.
- Reverse IP API: This tool gives you a list of all domains that resolve to an IP address, along with the dates when the IP resolution was first and last detected.
- Reverse MX API: You can type in an email server address (e.g., smtp[.]google[.]com) and find out which fully qualified domain names (FQDNs) link back to it.
- Reverse NS API: This reverse DNS tool retrieves all domains that use a specific nameserver.
WhoisXML API also offers a tool that allows you to perform both forward and reverse DNS lookups with historical data. With the DNS Chronicle API, you can pivot off a domain to retrieve all its historical A and AAAA records or start with an IP address to get a list of historically associated FQDNs.
More About the DNS Lookup Tools
Let’s take a closer look at each of the tools named above, including their use cases and what the query responses look like.
1. DNS Chronicle API: Observe the Shifts in Attacker Infrastructure
The DNS Chronicle API is useful for historical DNS data analysis. It relies on passive DNS data and enables investigators to observe how an attacker's infrastructure has shifted over time, for example as domains are moved to new IP addresses to evade blocking or to stand up new command-and-control (C2) servers.
For a forward lookup, the response lists the IP addresses the queried domain resolved to, each with the dates on which that resolution was observed; for a reverse lookup, it lists the domains that pointed at the queried IP address, again with observation dates, in chronological order. Here is an example of a reverse lookup on DNS Chronicle API:

A WHOIS lookup for the retrieved domains may reveal similarities, such as their creation dates, registrant contact details, and registrar information. You may also want to run DNS lookup queries for the domains to see which of them, if any, share the same IP addresses and DNS records. The goal is to find as many common data points as possible to increase the confidence in the domains being part of the same attacker infrastructure.
2. DNS Lookup API: A Starting Point for Cyber Reconnaissance
DNS Lookup API serves as an "all-in-one" DNS query tool, typically used during initial reconnaissance to get a comprehensive overview of a domain’s public DNS footprint. It can help determine hosting providers, email service providers, and other linked services.
When provided with a target domain, DNS Lookup API retrieves a wide range of DNS record types (52, to be exact). The output is structured and details all records found for the queried domain, including each record's time-to-live (TTL) value and associated data.

Now, you have several DNS records to work with and you can run reverse DNS lookups for them, which can lead to other domains that use the same DNS records. For example, you can do a reverse IP lookup for the IP address identified in the A record, or a reverse MX lookup for the mail server contained in the MX record.
3. TXT Record Lookup: Discover Malicious Arbitrary Text and Verify Domain Ownership
The TXT Record Lookup tool focuses on retrieving TXT records for a given domain name, helping with phishing investigations and malware analysis. These records are commonly associated with email authentication mechanisms like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), which help prevent email spoofing and phishing. TXT records can also hold arbitrary text, which attackers sometimes use to deliver commands or staged payloads to malware over DNS, since resolver responses pass through most network controls unchallenged.
This free tool presents the query response as a pop-up containing a list of TXT values and their TTL.

Investigators typically review the content and context of each TXT value. Records that serve a recognizable purpose (SPF, DKIM, DMARC, or service-verification tokens) are expected; long, high-entropy values that look like base64, base32 or hex and serve no such purpose deserve a closer look, because that pattern is consistent with DNS tunneling or C2 over DNS. Note that legitimate DKIM public keys are also high-entropy base64, so establish the record's purpose before judging its randomness.
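The triage described above can be automated. The following is an added example written for this article, not code from the original page or from WhoisXML API: it labels TXT values by known purpose first (so DKIM keys are not mistaken for tunnelled data) and only then applies the encoding-alphabet and entropy heuristics to single long tokens. The sample values are constructed; the "encoded" entry is base64 of a plain sentence standing in for a C2 payload, and the length and entropy thresholds are assumptions to tune against your own data.

```python
import math
import re
from collections import Counter

# Constructed TXT values for demonstration; none belong to a real domain.
SAMPLE_TXT = {
    "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # DKIM public keys are legitimate high-entropy base64 (key truncated here).
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "verification": "google-site-verification=0123456789abcdefghij",
    "plain": "Maintained by the hosting team",
    # base64("hello world this is not an spf record"), standing in for a payload
    "encoded": "aGVsbG8gd29ybGQgdGhpcyBpcyBub3QgYW4gc3BmIHJlY29yZA==",
}

# Prefixes with a well-known purpose are checked first; matched case-insensitively.
KNOWN_PREFIXES = (
    ("v=spf1", "spf"),
    ("v=dmarc1", "dmarc"),
    ("v=dkim1", "dkim"),
    ("google-site-verification=", "verification"),
    ("ms=", "verification"),  # Microsoft 365 domain-verification token
)

# Ordered narrowest alphabet first: hex and base32 strings also match the base64 pattern.
ENCODED_RE = (
    ("hex", re.compile(r"^[0-9a-fA-F]+$")),
    ("base32", re.compile(r"^[A-Z2-7]+=*$")),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+={0,2}$")),
)


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the character frequencies in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_txt(value: str, min_len: int = 24, min_entropy: float = 3.5) -> str:
    """Label a TXT value as a known record type, a suspicious encoded blob, or plain text."""
    v = value.strip().strip('"')
    low = v.lower()
    for prefix, label in KNOWN_PREFIXES:
        if low.startswith(prefix):
            return label
    # Tunnelled or C2 data shows up as one long token drawn from an encoding
    # alphabet with high entropy; prose contains spaces and has lower entropy.
    if " " in v or len(v) < min_len:
        return "plain"
    for name, pattern in ENCODED_RE:
        if (pattern.match(v)
                and any(ch.isdigit() for ch in v)   # encodings of real data mix digits in
                and shannon_entropy(v) >= min_entropy):
            return f"suspicious-encoded:{name}"
    return "plain"


def triage(values):
    """Group TXT values by label so the suspicious ones stand out."""
    grouped = {}
    for v in values:
        grouped.setdefault(classify_txt(v), []).append(v)
    return grouped


if __name__ == "__main__":
    for label, vals in triage(SAMPLE_TXT.values()).items():
        print(label, "->", vals)
```

The entropy check alone is not enough: a 1024-bit DKIM key is a longer and more random-looking base64 string than most tunnelling payloads, which is why the purpose prefixes are matched before any heuristic runs.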
4. MX Record Lookup: Pivot to Phishing Network Detection
The MX Record Lookup tool identifies the servers that receive email for a domain. In an email spoofing investigation, this shows where the impersonated domain's legitimate mail infrastructure lives and which provider operates it. Note that MX records describe inbound servers: whether a suspicious message was sent from an authorized host is determined by the domain's SPF policy (published as a TXT record), not by its MX records, although the two often point at the same provider. Query results can also help investigators understand the mail infrastructure behind a phishing campaign's own domains.
Like the TXT Record Lookup tool, the query response is displayed in a pop-up that lists the mail server hostnames responsible for handling email for the domain, along with their preference numbers (lower numbers indicate higher priority). The tool is also free to use without any limits.

Running a reverse MX lookup will return a list of domains associated with the mail server hostname.
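Because MX records alone cannot say whether a sender was authorized, the check that usually follows an MX lookup is an SPF check against the sending IP. The following is an added example, not code from the original page or from WhoisXML API: a deliberately partial SPF evaluator that handles the `ip4`, `ip6` and `all` mechanisms offline and reports which mechanism (`include`, `a`, `mx`, `ptr`, `exists` or a `redirect=` modifier) would need DNS resolution before a verdict is possible. The SPF record and IP addresses are constructed from documentation ranges; a production check should use a full RFC 7208 implementation.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms whose evaluation needs further DNS queries (RFC 7208 section 5).
DNS_DEPENDENT = {"include", "a", "mx", "ptr", "exists"}

# Constructed SPF record for a hypothetical domain; networks are documentation ranges.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"


def parse_spf(record: str):
    """Split an SPF TXT record into terms.

    Mechanisms become (qualifier, mechanism, argument); modifiers such as
    redirect= and exp= become (None, "modifier", "name=value").
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        name, sep, rest = term.partition("=")
        if sep and name.isalpha():  # redirect=..., exp=... are modifiers
            parsed.append((None, "modifier", f"{name.lower()}={rest}"))
            continue
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]  # "a/24" style dual-CIDR suffix belongs to the mechanism
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_sender(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6/all locally; stop at the first term that needs DNS."""
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for qualifier, mech, arg in parse_spf(record):
        if mech == "modifier":
            if arg.startswith("redirect="):
                redirect = arg  # consulted only if no mechanism matches
            continue
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue  # a non-matching mechanism never contributes its qualifier
        if mech in DNS_DEPENDENT:
            return f"needs-dns:{mech}"
        return "permerror"  # unknown mechanism
    if redirect:
        return "needs-dns:redirect"
    return "neutral"  # no match and no "all": default result per RFC 7208 section 4.7


if __name__ == "__main__":
    for ip in ("203.0.113.25", "2001:db8:1::5", "198.51.100.9"):
        print(ip, "->", check_sender(SAMPLE_SPF, ip))
```

The evaluator stops at the first DNS-dependent mechanism it reaches rather than skipping it, because an `include` that appears before a matching `ip4` could already have produced a different result; resolving that ordering correctly is exactly what a full implementation does.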
5. CNAME Record Lookup: Investigate Redirects and Alias Networks
The CNAME Record Lookup tool retrieves CNAME records, which are aliases that point one domain name to another domain name rather than to an IP address. This helps investigators with phishing analysis, particularly when tracing redirect chains in suspicious URLs, where a legitimate-looking but compromised domain might CNAME to a domain hosting phishing infrastructure. A CNAME that still points at a third-party host that has since been deprovisioned (a dangling record) is also worth noting, because an attacker who claims that host can then serve phishing content under the legitimate name.
The tool’s query results are presented as a pop-up that lists the domain’s CNAME and TTL values.

In one recent investigation, the FBI identified CNAME records shared across several malicious domains. Using those values in reverse DNS lookups, investigators identified hundreds of thousands of other domains belonging to the same infrastructure. Researchers from WhoisXML API also contributed to this investigation.
6. Reverse DNS API: Map SOA, TXT, and CNAME Records to Malicious Domains
Instead of simply mapping an IP to any associated domain, the Reverse DNS API allows you to search for domains that are configured with a particular SOA, TXT, or CNAME record. This enables highly targeted investigations, allowing users to find domains that share the same configuration fingerprints or content in their DNS records.
The result of a query for domains containing the string ns.google in their SOA records, for instance, would look like this:

Running WHOIS lookups for the domains obtained using a reverse DNS lookup can help identify common ground, such as whether the domains were registered by the same registrant.
7. Reverse IP API: Uncover Malicious Websites Sharing an IP
If you only have an IP address to start an investigation, the Reverse IP API can give you a list of domains that have been observed resolving to that IP, along with the dates when each resolution was first and last detected.

Cyber investigators can use the Reverse IP Lookup to determine whether the IP address hosts multiple domains, whether legitimately (shared hosting, or a CDN or reverse-proxy front end) or maliciously (bulletproof hosting, or a compromised server hosting many phishing sites or C2 domains).
If the IP is indeed malicious (a threat intelligence lookup can tell you whether it has been reported as such), investigators can examine the other domains linked to it. Keep in mind that on shared hosting or behind a CDN, domains are not related merely because they resolve to the same IP; a very large domain count is itself a hint that the IP is shared. Running WHOIS lookups for the candidate domains then surfaces registration details such as creation date and time, nameservers and registrar, which can be correlated as more potentially associated domains are discovered.
8. Reverse MX API: Investigate Malicious Domains Sharing Mail Infrastructure
When you only have a mail server associated with a phishing or spoofed email address, you can use the Reverse MX API to identify all FQDNs that link back to that mail server. This could help uncover related phishing or spam campaigns.

A WHOIS lookup for the associated domains will tell investigators more about them. Forward DNS lookups then show which of the domains still resolve and are therefore potentially active.
9. Reverse NS API: Map Malicious Domains by Name Server
The Reverse NS API allows you to pivot from a nameserver address to identify all domains that use that specific nameserver. This tool helps in mapping attack infrastructures by identifying large clusters of domains under the control of a particular entity or threat actor by their shared nameserver infrastructure.
The query response lists the domain names that have NS records pointing to the queried nameserver address, along with the date when the record was first seen and last updated.

The fact that certain domains share a nameserver is not enough to label them all malicious, even if one of them is known to be; nameservers operated by large registrars and hosting providers serve millions of unrelated domains. As with the other tools that return a list of domains, a WHOIS lookup on the domains is ideally the next step, along with DNS lookup queries to uncover and pivot off other DNS records, so that you gather more information, more correlations, and more certainty.
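The pivoting workflow that runs through sections 1, 2, 7 and 9 (forward lookup on a seed, reverse lookups on each value, keep domains that share several data points, distrust values shared by huge numbers of domains) can be expressed as a small graph walk. The following is an added example, not code from the original page or from WhoisXML API: it builds forward and reverse indexes over a constructed passive-DNS-style dataset, expands a cluster hop by hop from a seed domain, treats any value with more than `max_fanout` domains behind it as shared infrastructure and skips it, and only confirms a candidate once it shares at least `min_shared` values with an already-confirmed domain. In practice the reverse index would be populated from Reverse IP, Reverse NS and Reverse MX responses; all names here use the reserved .example TLD and documentation IP ranges, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS-style observations: (domain, record type, value). None are real.
OBSERVATIONS = [
    ("bank-login.example", "A", "203.0.113.10"),
    ("bank-login.example", "NS", "ns1.attacker-dns.example"),
    ("bank-login.example", "MX", "mail.attacker-dns.example"),
    ("secure-bank-verify.example", "A", "203.0.113.10"),
    ("secure-bank-verify.example", "NS", "ns1.attacker-dns.example"),
    ("account-update.example", "A", "203.0.113.11"),
    ("account-update.example", "NS", "ns1.attacker-dns.example"),
    ("account-update.example", "MX", "mail.attacker-dns.example"),
    # Reachable only on the second hop: shares nothing but MX with the seed,
    # but shares A and MX with account-update.example.
    ("billing-refresh.example", "A", "203.0.113.11"),
    ("billing-refresh.example", "MX", "mail.attacker-dns.example"),
    ("billing-refresh.example", "NS", "ns1.bighoster.example"),
    # An unrelated site that merely shares the IP (shared hosting).
    ("unrelated-blog.example", "A", "203.0.113.10"),
    ("unrelated-blog.example", "NS", "ns1.bighoster.example"),
]
# A large hosting provider's nameserver serves many unrelated customers.
for i in range(30):
    OBSERVATIONS.append((f"shop-{i}.example", "NS", "ns1.bighoster.example"))
    OBSERVATIONS.append((f"shop-{i}.example", "A", f"198.51.100.{i}"))


def build_indexes(observations):
    """forward: domain -> {(rtype, value)};  reverse: (rtype, value) -> {domain}."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for domain, rtype, value in observations:
        forward[domain].add((rtype, value))
        reverse[(rtype, value)].add(domain)
    return forward, reverse


def pivot(domain, forward, reverse, max_fanout):
    """One hop: reverse-look-up every value of `domain`.

    Returns ({other_domain: number of values shared with `domain`},
             [values skipped because too many domains share them]).
    """
    shared, skipped = defaultdict(int), []
    for key in forward[domain]:
        hits = reverse[key]
        if len(hits) > max_fanout:      # shared hosting / big-provider NS: not a useful pivot
            skipped.append(key)
            continue
        for other in hits:
            if other != domain:
                shared[other] += 1
    return dict(shared), skipped


def expand_cluster(seed, observations, min_shared=2, max_fanout=20, max_hops=5):
    """Grow a cluster from `seed`; a domain joins once it shares >= min_shared
    low-fan-out values with a confirmed member. Returns (confirmed, weak, skipped)
    where weak maps near-misses to their best shared-value count."""
    forward, reverse = build_indexes(observations)
    confirmed, frontier, weak, skipped = {seed}, {seed}, {}, set()
    for _ in range(max_hops):
        new = set()
        for domain in frontier:
            shared, skip = pivot(domain, forward, reverse, max_fanout)
            skipped.update(skip)
            for candidate, n in shared.items():
                if candidate in confirmed:
                    continue
                if n >= min_shared:
                    new.add(candidate)
                else:
                    weak[candidate] = max(weak.get(candidate, 0), n)
        if not new:
            break
        confirmed |= new
        frontier = new
    weak = {d: n for d, n in weak.items() if d not in confirmed}
    return confirmed, weak, skipped


if __name__ == "__main__":
    confirmed, weak, skipped = expand_cluster("bank-login.example", OBSERVATIONS)
    print("confirmed:", sorted(confirmed))
    print("weak (one shared value only):", weak)
    print("skipped high fan-out pivots:", sorted(skipped))
```

Two things in the output matter for the caveats above: unrelated-blog.example is reported as weak, not confirmed, because a single shared IP is not evidence of common ownership, and ns1.bighoster.example is never used as a pivot at all, which is why the thirty shop-N.example domains stay out of the cluster even though billing-refresh.example uses that nameserver too.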
Conclusion
By combining different DNS lookup tools and pivoting between them, investigators can expand their findings and build a fuller picture of the internet infrastructure used in malicious campaigns.
Some of the tools listed above are completely free to use without limits; others require API credits, which are also available for free in limited amounts.
To simplify pivoting between the tools, we’ve also built the Domain Research Suite that offers many of these tools in one place and allows you to pivot between them with a single click.