An NS lookup retrieves the Name Server (NS) records for a domain - the authoritative DNS servers responsible for answering all queries about that domain. Every registered domain must have at least two NS records configured at the registrar, and those nameservers control the entire domain's DNS configuration: A records, MX records, TXT records, and everything else. Whoever controls the nameservers controls the domain.
Feature: Identify the authoritative nameservers a domain has been delegated to at the registrar level
Feature: Verify NS propagation after a DNS provider migration - a required check before decommissioning old infrastructure
Feature: Detect domain hijacking: unexpected NS changes are the first visible sign of a compromised registrar account
Feature: Compare against the WHOIS nameserver entry to spot delegation mismatches or in-progress propagation
For continuous nameserver-change monitoring across portfolios, registrar-account compromise alerts, and bulk NS verification at scale, the DNS Checker API for nameserver monitoring returns NS records with TTL data in JSON for thousands of domains per minute.
NS Lookup is the fastest way to answer two questions: "is this domain still using the nameservers it should be?" and "did anyone change the NS records when they shouldn't have?". The four use cases below are where these questions matter most.
After migrating a domain to a new DNS provider, NS Lookup verifies the delegation change has propagated globally - confirming the new nameservers are authoritative. This is a required check before decommissioning old DNS infrastructure. Compare NS results here against the nameserver field in WHOIS Lookup - they should match.
Unauthorized nameserver changes are the primary indicator of domain hijacking. If an attacker gains access to your registrar account or exploits a registrar vulnerability, the first thing they change is the NS records - redirecting all DNS to servers they control. Regular NS record monitoring and alerting on unexpected changes is a critical security control for any organization managing valuable domains.
Threat actors often reuse specific DNS hosting providers or even operate their own nameservers across multiple malicious domains. A Reverse DNS Lookup by nameserver hostname surfaces all domains using the same NS - an effective clustering technique for attributing campaign infrastructure. The WhoisFreaks Reverse DNS tool supports NS-based reverse lookups directly.
Registrars verify NS delegation is working correctly for customer domains. ISPs check NS configurations as part of domain troubleshooting. Hosting providers use NS Lookup to confirm customers have properly updated their domain delegation to point to the provider's nameservers before propagating changes.
WhoisFreaks queries authoritative DNS sources directly rather than relying on cached resolver data, returning NS records with TTL values and resolver-latency context. The tool also exposes both the registrar-level WHOIS nameserver entry and the live NS records, so delegation mismatches show up at a glance.
A mismatch between the nameservers shown in WHOIS and the actual NS records returned by DNS can indicate a propagation lag - or in serious cases, a domain hijack in progress. Always check both. For historical NS records to verify when a change occurred, use the Historical DNS Lookup.
