DNS Packet Analyzer — Response Fields, TTL & Record Breakdown

Dissect live DNS answers into typed records with TTL, host labels, and byType breakdown

How to Use This Tool

  1. Enter the apex domain or hostname whose DNS response you want to analyze.
  2. The tool validates and normalizes the public DNS name.
  3. lookupAllDnsRecords queries A, AAAA, MX, TXT, NS, CNAME, SOA, SRV, and CAA in parallel.
  4. Each answer becomes a record row with type, host, value, and TTL when available.
  5. byType groups rows; summary aggregates ipv4, ipv6, mailServers, nameservers, and auth flags.
  6. queriedAt timestamps the capture; the note field clarifies that the snapshot reflects current public DNS only.

About This Tool

Wireshark captures show DNS as UDP payloads with headers, flags, and RDATA sections — but operators troubleshooting zones more often need structured answers than hex dumps. VSPIC DNS packet analyzer calls the dns-history action with lookupAllDnsRecords for the domain you enter and returns records with type, host, value, and TTL fields, grouped in byType, plus summary flags for SPF, DMARC, mail, and IP targets with queriedAt timestamp.

Treat the output like an application-layer packet decode: each row is an RRset element the resolver returned, TTL shows cache lifetime, and byType mirrors how authoritative servers bucket answers in responses. This page does not ingest PCAP files — it analyzes live public DNS responses through the same snapshot backend as DNS record history, framed for packet-oriented investigation workflows.

Common use cases

  • View all DNS records of a domain after migration
  • Confirm DNS records after domain changes
  • Test for DNS leaks when using a VPN
  • Debug email delivery with MX and TXT records

Why use VSPIC?

  • Structured RR breakdown with TTL per answer — packet-analyzer mental model.
  • byType grouping mirrors DNS response section organization.
  • summary flags accelerate triage without parsing every RDATA string.
  • Multi-type sweep in one run — A through CAA in parallel.
  • Free instant analysis with JSON export for tickets.
  • Same dns-history backend as sibling snapshot tools.

DNS packets versus structured record analysis

On the wire, DNS responses bundle a header, question section, and answer/authority/additional sections with type-specific RDATA. Most incident tickets need to know which A, MX, or TXT strings are published and for how long, not opcode bits.

Our DNS packet analyzer maps live resolver answers into typed rows with TTL. Think of it as the answer section expanded into a spreadsheet: each record is one RR the resolver would place in the response body.

Reading type, host, value, and TTL fields

type is the QTYPE name: A, AAAA, MX, TXT, NS, CNAME, SOA, SRV, or CAA. host is the owner name (QNAME or CNAME chain target). value is the formatted RDATA; MX includes priority and hostname, and TXT may carry authentication strings.

TTL shows seconds the resolver will cache that RR. Low TTL on A records during cutover is intentional; unexpectedly low TTL on NS may signal instability. Compare TTL across types when planning cache flush windows.

byType as answer-section grouping

byType mirrors how engineers mentally bucket DNS responses: all A answers together, all TXT together. Bloated TXT sections often correlate with slow mail receiver SPF expansion — visible when TXT array length dwarfs A count.

Empty byType keys mean NXDOMAIN or no answers for that type on the public path. Absence is data — document negative results in incident notes.

summary flags for fast triage

summary.ipv4 and summary.ipv6 list address targets. summary.mailServers parses MX priorities. summary.hasSpf and summary.hasDmarc booleanize authentication posture without reading every TXT string.

nameservers in summary reflect NS RRset at the queried name — compare against trace tools when delegation looks wrong.
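
How resolver answers become the records, byType, and summary structures described above, as an added Python example that is not VSPIC's own code. It assumes the public Google DNS JSON response shape (Status, Answer, name, type, TTL, data), a lowercase ttl key in each row, and that hasDmarc comes from a TXT lookup at _dmarc.<domain>; the sample responses are constructed.

```python
from collections import defaultdict

# IANA RR type codes for the nine types the page lists.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT",
            28: "AAAA", 33: "SRV", 257: "CAA"}

def to_rows(resp):
    """Flatten one resolver JSON response into type/host/value/ttl rows."""
    if resp.get("Status") != 0:          # NXDOMAIN, SERVFAIL, ...: no rows
        return []
    rows = []
    for ans in resp.get("Answer", []):   # NOERROR with no Answer key = NODATA
        rtype = RR_TYPES.get(ans["type"], f"TYPE{ans['type']}")
        value = ans["data"].strip('"') if rtype == "TXT" else ans["data"]
        rows.append({"type": rtype, "host": ans["name"].rstrip(".").lower(),
                     "value": value, "ttl": ans.get("TTL")})
    return rows

def analyze(responses):
    """Build records, byType and summary (field names taken from the page)."""
    records = [row for resp in responses for row in to_rows(resp)]
    by_type = defaultdict(list)
    for row in records:
        by_type[row["type"]].append(row)
    mx = [r["value"].split(None, 1) for r in by_type.get("MX", [])]  # "10 mx1.example.com."
    mail = [{"priority": int(p), "host": h.rstrip(".")} for p, h in mx]
    txt = by_type.get("TXT", [])
    summary = {
        "ipv4": [r["value"] for r in by_type.get("A", [])],
        "ipv6": [r["value"] for r in by_type.get("AAAA", [])],
        "mailServers": sorted(mail, key=lambda m: m["priority"]),
        "nameservers": [r["value"].rstrip(".") for r in by_type.get("NS", [])],
        "hasSpf": any(r["value"].lower().startswith("v=spf1") for r in txt),
        # Assumption: DMARC is detected from a TXT lookup at _dmarc.<domain>.
        "hasDmarc": any(r["host"].startswith("_dmarc.")
                        and r["value"].lower().startswith("v=dmarc1") for r in txt),
    }
    return {"records": records, "byType": dict(by_type), "summary": summary}

# Constructed sample responses (RFC 5737 documentation address, not real lookups).
SAMPLE = [
    {"Status": 0, "Answer": [{"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"}]},
    {"Status": 0, "Answer": [{"name": "example.com.", "type": 15, "TTL": 3600, "data": "20 mx2.example.com."},
                             {"name": "example.com.", "type": 15, "TTL": 3600, "data": "10 mx1.example.com."}]},
    {"Status": 0, "Answer": [{"name": "example.com.", "type": 16, "TTL": 3600, "data": "\"v=spf1 mx -all\""}]},
    {"Status": 0},   # AAAA query: NOERROR, no answers
    {"Status": 3},   # TXT query at _dmarc.example.com: NXDOMAIN
]
```

Types with no answers, whether NODATA or NXDOMAIN, simply have no key in byType here, which is the negative result the page says to record.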

Relationship to PCAP and dig workflows

Packet capture tools show retransmits, truncation, and EDNS buffer sizes our page does not surface. Use dig +tcp or Wireshark when UDP truncation is suspected. This analyzer excels when you need multi-type RR inventory faster than six separate dig commands.

Pair with DNS trace lookup when NS in summary disagrees with registrar expectations — delegation issues precede answer-section analysis.

Incident response decoding

During a suspected hijack, export the analyzer output immediately. The TTL and value columns prove what resolvers cache. Attach queriedAt to tickets for audit trails.

Compare two exports minutes apart when TTL was lowered — changing values with stable TTL suggest authoritative edits; changing values with dropping TTL suggest active attacker rotation.
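
The two-export comparison described above, as an added Python example that is not part of the VSPIC tool. It assumes each export carries records with type, host, value, and a lowercase ttl key plus a queriedAt string; both exports below are constructed.

```python
def rrsets(export):
    """Index an export as {(type, host): (set of values, lowest TTL seen)}."""
    index = {}
    for r in export["records"]:
        key = (r["type"], r["host"])
        values, ttl = index.get(key, (set(), None))
        values.add(r["value"])
        if r.get("ttl") is not None:
            ttl = r["ttl"] if ttl is None else min(ttl, r["ttl"])
        index[key] = (values, ttl)
    return index

def diff_exports(old, new):
    """Report RRsets whose values differ, with how the TTL moved."""
    before, after = rrsets(old), rrsets(new)
    findings = []
    for key in sorted(set(before) | set(after)):
        old_vals, old_ttl = before.get(key, (set(), None))
        new_vals, new_ttl = after.get(key, (set(), None))
        if old_vals == new_vals:
            continue      # same answers; a resolver-side TTL countdown is not a change
        if old_ttl is None or new_ttl is None:
            trend = "unknown"              # RRset appeared, vanished, or has no TTL
        else:
            trend = "dropped" if new_ttl < old_ttl else "stable_or_higher"
        findings.append({
            "type": key[0], "host": key[1],
            "removed": sorted(old_vals - new_vals),
            "added": sorted(new_vals - old_vals),
            "old_ttl": old_ttl, "new_ttl": new_ttl, "ttl_trend": trend,
            "window": (old["queriedAt"], new["queriedAt"]),
        })
    return findings

# Constructed exports five minutes apart (documentation addresses only).
OLD = {"queriedAt": "2024-01-01T10:00:00Z", "records": [
    {"type": "A", "host": "example.com", "value": "192.0.2.10", "ttl": 300},
    {"type": "MX", "host": "example.com", "value": "10 mx1.example.com.", "ttl": 3600},
    {"type": "TXT", "host": "example.com", "value": "v=spf1 mx -all", "ttl": 3600}]}
NEW = {"queriedAt": "2024-01-01T10:05:00Z", "records": [
    {"type": "A", "host": "example.com", "value": "198.51.100.7", "ttl": 60},
    {"type": "MX", "host": "example.com", "value": "10 mx1.example.com.", "ttl": 3300},
    {"type": "TXT", "host": "example.com", "value": "v=spf1 mx ~all", "ttl": 3600}]}
```

Only RRsets whose values changed are reported, so the MX row whose TTL merely counted down in the resolver cache produces no finding.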

API action dns-history

Automate with GET /ip-tools/api/extended?action=dns-history&domain=example.com. Parse records, byType, summary, and queriedAt from JSON. Integrate post-deploy verification in CI.

The same action powers the DNS record history and DNS monitoring tools; choose the page by workflow vocabulary, not different backend behavior.

Privacy and authorization

Queries hit public DNS for names you submit. TXT may include DKIM and verification material — treat exports as sensitive.

Analyze domains you own or are authorized to investigate.

When to escalate beyond this analyzer

Persistent SERVFAIL, truncated responses, or DNSSEC validation failures need resolver-specific tooling. This page assumes NOERROR-style answers through the Google Public DNS JSON API.

Authoritative-only records never published to public resolvers will not appear — AXFR or provider panel exports remain necessary for hidden staging records.

Important notes & limitations

  • Does not parse raw PCAP or UDP header fields.
  • Reflects one public resolver path — not authoritative AXFR.
  • TTL values come from resolver cache, not always authoritative origin.
  • No EDNS OPT pseudo-section display — see EDNS checker for related context.
  • TXT exports may contain verification tokens — handle exports carefully.

Frequently Asked Questions

Yes. VSPIC offers this DNS packet analyzer at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

No. It structures live DNS lookup answers into typed records with TTL. Upload PCAP to Wireshark for raw packet analysis.

dns-history with a domain parameter — same backend as DNS record history.

Displayed TTL may reflect resolver cache remaining lifetime, not always the authoritative TTL you configured.

A, AAAA, MX, TXT, NS, CNAME, SOA, SRV, and CAA when returned on the public resolver path.

No. This tool focuses on answer RR content. Use dig or packet capture for opcode, AA, and TC flags.

Identical dns-history API and JSON. DNS packet analyzer emphasizes TTL and RR field breakdown language for packet-oriented searches.

Next step for your check

Continue with dns record history on VSPIC.
