#dns

Every top-level domain in the IANA root zone as an API — the authoritative list a registrar, domain validator or analytics tool needs. For each TLD: whether it is a country-code TLD (ccTLD), a generic TLD (gTLD) or an internationalized (IDN) domain, its A-label, its Unicode form (e.g. xn--p1ai resolves to .рф) and, for ccTLDs, the country it belongs to. Validate a TLD or whole domain, find a country's ccTLD, filter by type, search, or list the entire root zone. Sourced from IANA's official tlds-alpha-by-domain.txt and served from memory — always fast.

api.oanor.com/tld-api

Convert internationalized domain names (IDNs) between their human-readable Unicode form and the ASCII Punycode form (xn--…) that DNS actually uses. Encode a Unicode domain like münchen.de or 例え.jp (or even an emoji label like ☕.example) to ASCII, decode an xn-- domain back to Unicode, and convert a whole URL's host in either direction. Handles accents, non-Latin scripts and emoji. Useful for IDN domain handling, email and URL validation, DNS tooling, and spotting homograph / look-alike domains. Pure local IDNA conversion — no key, no third-party service, instant. Live. 4 endpoints. Distinct from Public-Suffix-List domain parsing and from generic text encoders.

api.oanor.com/punycode-api

Inspect a domain's SMTP transport-security posture — whether mail servers are required to deliver inbound mail over authenticated TLS, protecting it from downgrade and man-in-the-middle attacks. Pass a domain and the service fetches the MTA-STS policy file from mta-sts.<domain>/.well-known/mta-sts.txt (its version, mode, the permitted MX hosts and max_age), the _mta-sts DNS TXT record (its policy id) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues — no policy file, no DNS record, a mode of only "testing", or a missing TLS-RPT record. A second endpoint returns just the parsed policy file. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for email-deliverability and anti-downgrade-attack audits, vendor and third-party assessment, and compliance. An MTA-STS / TLS-RPT checker — the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, which covers SPF, DKIM and DMARC), and distinct from raw DNS lookup (dns). No upstream key, no cache.

api.oanor.com/mtasts-api

Check DNS propagation by querying a record across several major public resolvers at once — Google (8.8.8.8), Cloudflare (1.1.1.1), AdGuard and dns.sb — and seeing whether they all return the same answer. Pass a domain and a record type and the service queries every resolver in parallel and reports each resolver's answers, whether they are consistent (the change has fully propagated) or still differ (mid-propagation, stale caching or split-horizon DNS), the number of distinct answer sets and the union of all answers. Supported record types: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA and PTR. A single-resolver endpoint queries one named resolver on its own, and a failing resolver is reported per-resolver without failing the whole call. Live DoH (DNS-over-HTTPS) JSON queries, always current. Built for verifying DNS changes after a migration or launch, debugging split-horizon or stale-cache issues, and uptime/propagation monitoring. A DNS propagation checker — distinct from single-resolver record lookup (dns), the email-authentication analyzer (emailsec) and WHOIS (whois). No upstream key, no cache.

api.oanor.com/dnspropagation-api

Inspect any domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. Pass a domain and the service looks up and validates SPF (the v=spf1 record, its all-qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, plus sp, pct and rua/ruf reporting addresses), DKIM (probing the common selectors at selector._domainkey, or pass your own), BIMI and the MX servers — then returns an A+-to-F grade with a prioritised list of issues and concrete advice. A second endpoint parses the DMARC record tag by tag with a plain-English interpretation of the policy. Built for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, security onboarding and continuous monitoring. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). Pure live DNS, no upstream key, no cache.

api.oanor.com/emailsec-api

Parse any hostname or URL with the Public Suffix List. Split a domain into its subdomain, registrable domain (eTLD+1) and public suffix (eTLD), or fetch just the suffix or just the registrable domain. Handles full URLs, internationalized (punycode) domains, IP addresses, multi-level suffixes like co.uk and com.au, and — when you ask for it — private suffixes such as github.io and s3 buckets. Built on an always-current Public Suffix List and served entirely in-memory, so responses are instant and the service is always available. Ideal for cookie and domain scoping, analytics attribution, email and link validation, security and anti-abuse, and devops tooling.

api.oanor.com/domain-api

Resolve DNS records — A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR — for any domain, fetch all common records in a single call, or run a reverse PTR lookup for an IPv4 address. Backed by Google DNS-over-HTTPS. Ideal for devops tooling, uptime and email-deliverability checks (SPF/DKIM/DMARC), security research and domain monitoring.

api.oanor.com/dns-api

Domain and IP registration lookups via RDAP — the modern, structured successor to WHOIS. Get the registrar, registration / update / expiry dates, status codes, nameservers, DNSSEC state, and IP network ownership (CIDR, organization, country).

api.oanor.com/whois-api