Download Schedule Demo

Why Different DNS Tools Show Different IP Addresses OSINT Tool Guide

Understanding DNS-based load balancing, anycast routing, and why varying results don't mean a tool is wrong

Guide4 min read

If you've ever looked up a domain using multiple DNS tools and noticed they each return a different IP address, you might wonder which one is correct. The answer: they all are.

Recommended Tool

Domain to IP Lookup

Resolve all DNS record types for any domain, auto-detect CDN providers, and query both root and www subdomain — all processed client-side via DNS-over-HTTPS.

Open Domain to IP Lookup arrow_forward

What's Happening

Large cloud platforms and CDN providers like Azure Front Door, Cloudflare, AWS CloudFront, and Akamai use techniques called DNS-based load balancing and anycast routing to distribute traffic across their global network. When a DNS resolver asks "what's the IP for this domain?", the authoritative DNS server doesn't always give the same answer. It selects an IP based on factors like:

  • Geographic proximity — routing users to the nearest edge server for faster response times
  • Current server load — spreading traffic across multiple endpoints to avoid overloading any single node
  • Endpoint health — shifting traffic away from servers that are degraded or unresponsive

The result is that a DNS resolver in London may receive a different IP than one in New York, and a query made now may return a different IP than one made five minutes ago. All of those IPs belong to the same provider and ultimately serve the same content.

A Practical Example

We tested our own domain across three different DNS lookup tools in the same session. The results:

ToolIP Address Returned
Tool A (Cloudflare resolver)13.107.213.70
Tool B (own DNS servers)13.107.213.40 / 13.107.246.40
Tool C (nslookup.io)13.107.226.67 / 13.107.253.67

Five different IPs — all in the 13.107.x.x range, all owned by Microsoft Corporation, all serving Azure Front Door. Same domain, same provider, same content. Just different entry points into the same network.

What This Means for Investigators

When conducting infrastructure analysis using DNS lookups, don't assume a tool is broken or returning stale data just because its result differs from another tool. Instead, look at what the IPs have in common:

  • Do they belong to the same ASN or IP range? If so, they're almost certainly the same provider using load balancing.
  • Does a WHOIS lookup on each IP return the same organisation? That confirms they're part of the same network.
  • Is the domain using a CDN or cloud platform? If yes, varying IPs per query is expected behaviour, not an error.
lightbulb

Tip: A single IP address is a snapshot. The full picture often requires checking the ownership of the IP range rather than fixating on the specific address returned. Use the IP Lookup tool to check the ISP, ASN, and organisation for any resolved IP.

The Takeaway

key

DNS lookups return what's true at that moment, from that resolver. For domains behind CDNs and cloud platforms, the specific IP will vary — but the provider behind it stays the same. Understanding this distinction is what separates a useful lookup from a misleading one.

Related Guides

dns

How DNS Records Reveal Website Infrastructure

Use DNS data to map hosting, email providers, CDN usage, and security posture.

layers

Why a Domain's IP Might Not Show Where It's Hosted

Understanding layered infrastructure — CDNs, reverse proxies, and partial migrations.

location_off

Why IP Address Location Is Often Wrong

Understanding the limitations of IP geolocation data from DNS-resolved addresses.

Start Your Investigation

Use the free Domain to IP Lookup tool to resolve DNS records, detect CDN providers, and check both root and www subdomain for any domain.

Open Domain to IP Lookup →Browse All Guides →

Minimum Requirements:

  • 8 Characters
  • 1 Upper
  • 1 Lower
  • 1 Digit