ns.lol API

Fast, API-first DNS toolkit. No accounts, no API keys, no tracking.

Base URL: https://ns.lol · JSON endpoint: /api/docs

Quick Start

curl -s https://ns.lol/example.com | jq

Endpoints

GET/:domain

Full DNS report — queries A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, HTTPS, DS in parallel.

curl -s https://ns.lol/example.com | jq

GET/:domain/:type

Single record type lookup. Types: a aaaa cname mx txt ns soa srv caa https ds ptr dnskey naptr tlsa sshfp loc hinfo

curl -s https://ns.lol/example.com/mx | jq

GET/:domain/:number

Custom QTYPE — pass a numeric record type (1–65535).

curl -s https://ns.lol/example.com/65 | jq  # HTTPS record

GET/:domain/any

Simulated ANY query — queries all common types in parallel. RFC 8482 deprecated real ANY; this is the modern equivalent.

curl -s https://ns.lol/example.com/any | jq

GET/:domain/trace

Authority chain walk — traces delegation from root → TLD → authoritative NS → final answer. Shows each hop with nameserver, answer, and timing.

curl -s https://ns.lol/example.com/trace | jq

GET/:ip

Reverse DNS (PTR) lookup for IPv4 or IPv6 addresses.

curl -s https://ns.lol/8.8.8.8 | jq
curl -s https://ns.lol/2606:4700:4700::1111 | jq

GET/:domain/propagation

Global DNS propagation check across 17 resolvers in 2 regions (US + EU). Real UDP queries via dedicated Fly.io probes — not DoH approximations.

curl -s "https://ns.lol/example.com/propagation?type=MX" | jq

Param	Description
`?type=`	Record type to check (default: A)
`?expected=`	Expected value — resolvers flagged as matching or divergent

GET/:domain/health

Zone health report with letter grade (A–F). Checks DNSSEC, NS diversity, SOA values, delegation consistency.

curl -s https://ns.lol/example.com/health | jq

GET/:domain/email

Email DNS audit — MX, SPF, DKIM (common selectors), DMARC, MTA-STS, BIMI, DANE/TLSA. Returns a letter grade.

curl -s https://ns.lol/example.com/email | jq

GET/:domain/security

Security analysis — dangling CNAME/NS, NXDOMAIN hijacking, wildcard, CDN/WAF detection, NS diversity, CAA policy.

curl -s https://ns.lol/example.com/security | jq

POST/batch

Batch lookup — query up to 20 domains in one request.

curl -s -X POST https://ns.lol/batch \
  -H 'Content-Type: application/json' \
  -d '{"domains":["google.com","github.com"],"type":"A"}' | jq

GET/api/docs

Machine-readable API documentation (this page in JSON).

curl -s https://ns.lol/api/docs | jq

Query Parameters

Parameter	Type	Description
`?explain=true`	boolean	Add plain-English explanations to every record and signal. Bypasses cache.
`?force=true`	boolean	Bypass cache and force a fresh lookup.
`?expected=`	string	Expected DNS value for propagation — resolvers flagged as matching or divergent.
`?type=`	string	Record type for propagation checks (default: A).

Content Negotiation

Accept Header	Response
`application/json`	JSON (default for curl, httpie, wget)
`application/dns-json`	Alias for JSON (RFC 8484)
`text/plain`	dig-style plain text output
`text/html`	Interactive SPA (default for browsers)

Rate Limiting

120 requests per hour per IP, enforced via Cloudflare Durable Objects with a rolling window. DNS lookups are lightweight, so ns.lol allows more requests than certs.lol (60/hr) where each scan involves a TLS probe.

Rate limits exist for abuse prevention — they keep hosting costs near zero so ns.lol can stay free. Cached results still count toward the limit.

Every response includes rate limit headers:

Header	Description
`X-RateLimit-Limit`	Max requests per window (120)
`X-RateLimit-Remaining`	Requests remaining
`X-RateLimit-Reset`	Unix timestamp when window resets
`X-Cache`	`HIT` or `MISS` — whether result came from cache

When exceeded, returns 429 with Retry-After header.

Not rate-limited: /, /health, /docs, /api/docs, /about, /privacy, /terms.

Need unlimited lookups? Install the CLI — same engine, runs locally, no rate limits.

Caching

Endpoint	Cache TTL
Record lookups, full reports	1 hour
Health, security checks	6 hours
Propagation	Never — always live

Bypass with ?force=true or ?explain=true. The X-Cache response header shows HIT or MISS. The _meta.cache_hit field in JSON responses also indicates cache status.

Examples

# Full DNS report
curl -s https://ns.lol/example.com | jq

# Single record type
curl -s https://ns.lol/example.com/mx | jq

# Reverse DNS
curl -s https://ns.lol/8.8.8.8 | jq

# Propagation with expected value
curl -s "https://ns.lol/example.com/propagation?expected=93.184.216.34" | jq

# Zone health with explanations
curl -s "https://ns.lol/example.com/health?explain=true" | jq

# Email DNS audit
curl -s https://ns.lol/example.com/email | jq

# Security analysis
curl -s https://ns.lol/example.com/security | jq

# Authority trace
curl -s https://ns.lol/example.com/trace | jq

# dig-style output
curl -sH "Accept: text/plain" https://ns.lol/example.com

# Batch lookup
curl -s -X POST https://ns.lol/batch \
  -H 'Content-Type: application/json' \
  -d '{"domains":["google.com","github.com"]}' | jq

# Check rate limit headers
curl -si https://ns.lol/example.com 2>&1 | grep X-RateLimit

Infrastructure

Worker: Cloudflare Workers (global edge)
Probes: Fly.io machines in SJC (US-West) + AMS (EU) for real UDP propagation queries
Resolvers: 17 public DNS resolvers — 10 NA + 7 EU, queried in parallel
DNS method: RFC 8484 wireformat DoH for lookups; real UDP via probes for propagation
CORS: Full support — all origins, GET/POST/OPTIONS

Family

ns.lol — DNS toolkit (you are here)
certs.lol — TLS/SSL certificate scanner
yoke.lol — Full domain intelligence dashboard