mhost
More than host -- a modern, high-performance DNS Swiss Army knife and Rust library.
mhost queries many DNS servers in parallel and aggregates their answers. It supports UDP, TCP, DNS-over-TLS, and DNS-over-HTTPS, understands 20 record types, and ships with 84 pre-configured public resolvers. Beyond simple lookups it can profile an entire domain, discover subdomains, trace the delegation chain, validate your DNS configuration, check propagation, and diff records across nameservers -- all from a single binary.
Quick Start
# Install (pick one)
# Look up github.com using your system nameservers
# Add 84 public resolvers from 6 providers for broader results
# Get ALL record types + WHOIS info in one shot
# Pipe to jq for scripting
|

Pro tip: alias host="mhost l" and never look back.
What Can mhost Do?
| Command | Alias | What it does |
|---|---|---|
lookup |
l |
Look up DNS records for a domain, IP address, or CIDR block |
domain-lookup |
domain |
Profile a domain -- apex + 68 well-known subdomains in one operation |
discover |
d |
Find subdomains using 10+ strategies (wordlists, CT logs, AXFR, NSEC walking, ...) |
check |
c |
Validate DNS configuration against 13 lints (SOA, NS, SPF, DMARC, DNSSEC, ...) |
trace |
t |
Trace the delegation path from root servers, querying all servers at each hop |
propagation |
prop |
Check whether a DNS change has propagated across public resolvers |
diff |
-- | Compare DNS records between two sets of nameservers |
info |
-- | Built-in reference for record types, TXT sub-types, and well-known subdomains |
server-lists |
-- | Download public nameserver lists for large-scale queries |
completions |
-- | Generate shell completions (bash, zsh, fish) |
Use Cases
Simple Lookup

This uses your system nameservers and queries the default record types (A, AAAA, CNAME, MX).
More Nameservers, More Answers

-p adds mhost's 84 predefined public nameservers from Cloudflare, Google, Quad9, Mullvad, Wikimedia, and DNS4EU. More servers means more confidence that you're seeing the full picture.
Go Big -- Thousands of Nameservers

Download a community-maintained list of public resolvers, then fire queries at all of them. These settings are intentionally aggressive -- mhost defaults are much more cautious.
All Four Protocols at Once

Nameserver spec format: protocol:host:port,tls_auth_name=hostname,name=label
Profile an Entire Domain
One command queries the apex plus dozens of well-known subdomains: email auth (DMARC, MTA-STS, BIMI, TLS-RPT), SRV services (IMAP, SMTP, CalDAV, XMPP, Matrix, ...), DANE/TLSA records, and more.
Discover Subdomains

mhost chains 10+ discovery strategies automatically:
- Standard DNS record lookups
- Certificate Transparency logs (crt.sh)
- TXT record mining for referenced domains
- SRV service probing
- Wildcard detection via random subdomain probes
- Zone transfer (AXFR) attempts
- NSEC walking
- Wordlist brute force (424 built-in entries, or supply your own with
-w) - Subdomain permutation on discovered names
- Recursive discovery on found subdomains (
--depth 1..3) - Reverse DNS lookups on discovered IPs
You can also explore a domain's autonomous systems:

Validate DNS Configuration

The check command runs 13 lints against a domain's DNS records:
| Lint | What it checks |
|---|---|
| SOA | Start of Authority record validity |
| NS | NS delegation, lame delegation, network diversity |
| CNAME | CNAME usage rules |
| MX | Null MX, duplicate preferences, target resolution |
| SPF | SPF record syntax and policy |
| DMARC | DMARC policy validation |
| CAA | Certificate Authority Authorization tags |
| TTL | TTL consistency across records |
| DNSSEC | DNSSEC presence and configuration |
| HTTPS/SVCB | Service binding record well-formedness |
| AXFR | Zone transfer exposure |
| Open Resolver | Open resolver detection |
| Delegation | Delegation consistency |
Disable any lint individually: --no-soa, --no-spf, --no-dnssec, etc.
Trace the Delegation Chain
Unlike dig +trace which queries one server per hop, mhost's trace command queries all nameservers at each delegation level in parallel. It detects referral divergence (where different root/TLD servers disagree), reports per-server latency, and resolves missing glue records automatically.
Check DNS Propagation
After making a DNS change, check whether it has reached all the major public resolvers. Uses the predefined nameserver set (Cloudflare, Google, Quad9, Mullvad, Wikimedia, DNS4EU).
Diff Records Between Nameservers
Compare what two different nameserver sets return for the same domain. Useful for debugging inconsistencies or verifying migrations.
Look Up Record Type Info
Built-in reference with summaries, details, and RFC references for every supported record type, TXT sub-type, and well-known subdomain.
Installation
Homebrew (macOS)
Docker
Debian / Ubuntu
Download the .deb from the latest GitHub Release:
Redhat / Fedora
Download the .rpm from the latest GitHub Release:
Cargo (Rust developers)
From Source
Global Options
mhost has a rich set of options that apply to all commands:
Nameserver selection:
-s, --nameserver <SPEC> Add a nameserver (IP, or protocol:host:port,...)
-p, --predefined Add 84 predefined public nameservers
--predefined-filter <PROTO> Filter predefined by protocol [udp, tcp, tls, https]
--list-predefined Show all predefined nameservers
-f, --nameservers-from-file <F> Load nameservers from file
--no-system-nameservers Skip /etc/resolv.conf nameservers
-S, --no-system-lookups Skip system nameservers for lookups
IP version filtering:
-4, --ipv4-only Only use IPv4 nameservers and return IPv4 results
-6, --ipv6-only Only use IPv6 nameservers and return IPv6 results
Concurrency & resilience:
--limit <N> Max nameservers to query [default: 100] (1-10000)
--max-concurrent-servers <N> Max concurrent nameservers [default: 10] (1-100)
--max-concurrent-requests <N> Max concurrent requests per server [default: 5] (1-50)
--retries <N> Retries per server [default: 0] (0-10)
--timeout <SECS> Response timeout [default: 5] (1-300)
--continue-on-error Continue on server errors
--continue-on-timeout Continue on server timeouts
--wait-multiple-responses Wait for additional responses until timeout
Output:
-o, --output <FORMAT> Output format: summary or json [default: summary]
-q, --quiet Only print results (no status messages)
--no-color Disable colored output
--ascii ASCII-only output (no Unicode symbols)
--show-errors Show error counts
-v Increase verbosity (repeat for more)
Command Reference
Lookup
| | |
-t, --record-type <TYPE> Record types [default: A,AAAA,CNAME,MX]
--all Query all record types
-s, --service Parse argument as SRV service spec
-w, --whois Include WHOIS information for A/AAAA/PTR results
Accepts domain names, IPv4/IPv6 addresses, CIDR blocks (reverse lookup of all IPs in range), and SRV service specs (smtp:tcp:example.com or dns:udp:example.com).
Domain Lookup
--all Include extended well-known subdomains (~68 total)
-p, --show-partial-results Show results incrementally
Queries the apex plus well-known subdomains covering:
- Apex: A, AAAA, MX, NS, SOA, CAA, HTTPS, TXT, CNAME, SVCB, NAPTR, SSHFP
- Email auth: DMARC, MTA-STS, TLS-RPT, BIMI
- Email services: submission, IMAP, POP3, autodiscover (SRV)
- TLS/DANE: TLSA for ports 443, 25, 587, 993, etc.
- Communication: SIP, XMPP, Matrix (SRV)
- Calendar/Contacts: CalDAV, CardDAV (SRV)
- Infrastructure: LDAP, Kerberos (SRV)
- Modern protocols: STUN, TURN (SRV)
- Verification: ACME challenge, AT Protocol, DNSLink, domain verification TXT records
Discover
-s, --subdomains-only Show only subdomains
-w, --wordlist-from-file <F> Custom wordlist file
--no-ct-logs Skip Certificate Transparency queries
--depth <N> Recursive discovery depth [default: 0] (0-3)
--rnd-names-number <N> Random names for wildcard check [default: 3] (1-20)
--rnd-names-len <N> Random name length [default: 32] (8-128)
-p, --show-partial-results Show results incrementally
Check
-p, --show-partial-results Show results after each lint
-i, --show-intermediate-lookups Show all DNS lookups made during checks
--no-soa Disable SOA check
--no-ns Disable NS delegation check
--no-cnames Disable CNAME lint
--no-mx Disable MX check
--no-spf Disable SPF check
--no-dmarc Disable DMARC check
--no-caa Disable CAA check
--no-ttl Disable TTL check
--no-dnssec Disable DNSSEC check
--no-https-svcb Disable HTTPS/SVCB check
--no-axfr Disable AXFR check
--no-open-resolver Disable open resolver check
--no-delegation Disable delegation check
Trace
-t, --record-type <TYPE> Record type to query [default: A]
--max-hops <N> Maximum delegation hops [default: 10] (1-20)
--show-all-servers Show per-server details (IP, latency, outcome)
-p, --show-partial-results Show each hop as it completes
Propagation
-t, --record-type <TYPE> Record types [default: A,AAAA,CNAME,MX]
--all Check all record types
-p, --show-partial-results Show results incrementally
Diff
--left <SERVER> Left nameserver(s) (repeatable)
--right <SERVER> Right nameserver(s) (repeatable)
-t, --record-type <TYPE> Record types [default: A,AAAA,CNAME,MX,NS,SOA,TXT]
--all Compare all record types
Predefined Nameservers
mhost ships with 84 configurations across 6 providers. All use unfiltered endpoints (no content filtering or blocking). Each provider is available over UDP, TCP, DoT, and DoH.
| Provider | Primary IPv4 | Secondary IPv4 | IPv6 | TLS/HTTPS Hostname |
|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | 2606:4700:4700::1111 / ::1001 | cloudflare-dns.com |
| 8.8.8.8 | 8.8.4.4 | 2001:4860:4860::8888 / ::8844 | dns.google | |
| Quad9 | 9.9.9.10 | 149.112.112.10 | 2620:fe::10 / ::fe:10 | dns10.quad9.net |
| Mullvad | 194.242.2.2 | 193.19.108.2 | 2a07:e340::2 | dns.mullvad.net |
| Wikimedia | 185.71.138.138 | 185.71.139.139 | 2001:67c:930::1 / ::2 | wikimedia-dns.org |
| DNS4EU | 185.134.197.54 | 185.134.196.54 | -- | unfiltered.joindns4.eu |
Use mhost --list-predefined to see every configuration.
Supported Record Types
| Type | Description | Type | Description |
|---|---|---|---|
| A | IPv4 address | NS | Name server |
| AAAA | IPv6 address | OPENPGPKEY | OpenPGP public key |
| ANAME | ANAME / ALIAS | PTR | Pointer (reverse DNS) |
| ANY | Query all types | SOA | Start of Authority |
| CAA | CA Authorization | SRV | Service locator |
| CNAME | Canonical name | SSHFP | SSH fingerprint |
| HINFO | Host information | SVCB | Service binding |
| HTTPS | HTTPS service binding | TLSA | TLS/DANE certificate |
| MX | Mail exchange | TXT | Text record |
| NAPTR | Naming Authority Pointer | DNSSEC | DNSKEY, DS, RRSIG, NSEC, ... |
Using mhost as a Rust Library
mhost is also a reusable library. Build without the CLI:
Builder API (recommended)
use ;
use Uniquify;
use PredefinedProvider;
use RecordType;
use Duration;
async
Manual Construction
use NameServerConfig;
use ;
use Uniquify;
use RecordType;
use SocketAddr;
async
See docs.rs/mhost for the full API documentation.
JSON Output
Every command supports --output json for machine-readable output. Combine with -q (quiet) to suppress status messages:
|
|
|
Changelog
See the CHANGELOG for a full release history.
Limitations
- Only DNS class
INis supported.
Architecture Design Records
The docs/adr/ directory contains Architecture Decision Records for the project.
Thanks
Thanks to Benjamin Fry for Hickory DNS (formerly Trust-DNS), which does all the heavy DNS lifting.
License
MIT or Apache-2.0, at your option.
Postcardware
You're free to use mhost. If you find it useful, I would highly appreciate you sending me a postcard from your hometown mentioning how you use mhost. My work address is
Lukas Pustina
CenterDevice GmbH
Rheinwerkallee 3
53227 Bonn
Germany