Introduction
CNAME records are the quiet connectors in a domain's DNS zone. They point a hostname at another hostname: a CDN edge, a SaaS tenant, a documentation platform, a customer portal, a marketing tool, a static hosting service, or an old integration nobody remembers.
That makes CNAME data useful for both operations and security. A live alias can explain which vendor powers a subdomain. A stale alias can point at a decommissioned external service. If that external service can be claimed again, the result may become a subdomain takeover risk.
WhoisJSON exposes CNAME records through the documented DNS Lookup API /nslookup endpoint. Query a domain, read the CNAME array, and combine it with subdomain discovery when you need broader attack surface coverage.
What Is a CNAME Record Lookup API?
A CNAME record lookup API accepts a domain or hostname, queries DNS, and returns canonical name aliases as structured JSON. Instead of running dig, nslookup, or host from a server and parsing text output, your application receives a normal API response that can be stored, compared and scored.
GET /api/v1/nslookup?domain=example.com. The OpenAPI schema documents CNAME as an array of strings in the Nslookup response.The same response can include A, AAAA, MX, NS, TXT, SOA, CAA, DMARC, BIMI, MTASTS and TLSRPT. For the broad record-type guide, start with DNS Lookup API: Query Any Record Type Programmatically.
Why CNAME Records Matter
CNAME records are common in modern web infrastructure because teams rarely host every service directly. They delegate hostnames to vendors and platforms, then DNS carries that dependency.
SaaS dependencies
Customer support, docs, analytics, landing pages and status pages often appear as CNAMEs under a company domain.
CDN and edge routing
CDN providers commonly ask customers to create aliases that route traffic to provider-controlled hostnames.
Migration evidence
CNAME changes reveal infrastructure moves, vendor replacements, abandoned rollouts and domain onboarding work.
Takeover candidates
A CNAME pointing at a removed external service is not proof of takeover, but it is the right place to start a deeper review.
Query CNAME Records in JSON
Send the hostname in the domain query parameter and authenticate with Authorization: TOKEN=YOUR_API_KEY.
curl "https://whoisjson.com/api/v1/nslookup?domain=docs.example.com" \
-H "Authorization: TOKEN=YOUR_API_KEY"The documented response exposes CNAME as an array of strings. Other fields may also be present depending on the hostname and zone.
{
"CNAME": [
"example-docs.hosted-service.example"
],
"A": [
"203.0.113.10"
]
}CNAME Audit Workflow
A useful CNAME workflow should preserve raw DNS data, classify known provider patterns, and separate findings that need manual provider validation.
| Step | API field | Why it matters |
|---|---|---|
| Query the hostname | CNAME | Find aliases to external platforms, CDNs or SaaS tools. |
| Store the target | CNAME[] | Keep raw target hostnames for future diffing. |
| Classify expected providers | Application logic | Distinguish approved vendors from unknown or legacy targets. |
| Check resolution state | Client-side DNS check | Identify targets that no longer resolve or appear decommissioned. |
| Validate claimability | Provider-specific review | Confirm whether an external account or resource can actually be claimed. |
CNAME and Subdomain Takeover Risk
Subdomain takeover risk usually starts with DNS pointing somewhere that no longer belongs to the organization. CNAME records are a common source because they delegate a corporate hostname to an external platform.
- Dangling alias: the CNAME target no longer resolves or returns a provider error for a missing resource.
- Claimable provider: the external platform allows a new user to register the missing project, bucket, app or tenant.
- Business impact: the affected hostname belongs to a customer-facing, login, documentation, marketing or email-related workflow.
A CNAME lookup helps identify the first condition. It does not prove the second condition. For broader discovery, run the Subdomain Discovery API first, then use CNAME lookups to deepen suspicious hostnames.
Python Example: Classify CNAME Targets
This example queries /nslookup, extracts CNAME values, classifies common provider hints, and marks unknown targets for review. Add retries and 429 handling from the rate limit guide before using it in production.
import requests
API_KEY = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"
HEADERS = {"Authorization": f"TOKEN={API_KEY}"}
PROVIDER_HINTS = {
"cloudfront.net": "aws_cloudfront",
"github.io": "github_pages",
"herokuapp.com": "heroku",
"fastly.net": "fastly",
"netlify.app": "netlify",
"azurewebsites.net": "azure_app_service",
}
def classify_target(target: str) -> str:
normalized = target.rstrip(".").lower()
for suffix, provider in PROVIDER_HINTS.items():
if normalized.endswith(suffix):
return provider
return "unknown"
def lookup_cname(hostname: str) -> dict:
response = requests.get(
f"{BASE_URL}/nslookup",
headers=HEADERS,
params={"domain": hostname},
timeout=10,
)
response.raise_for_status()
targets = response.json().get("CNAME") or []
aliases = [
{
"target": target,
"provider_hint": classify_target(str(target)),
}
for target in targets
]
return {
"hostname": hostname,
"has_cname": len(aliases) > 0,
"aliases": aliases,
"needs_review": any(
item["provider_hint"] == "unknown"
for item in aliases
),
}
print(lookup_cname("docs.example.com"))
Node.js Example: Build a CNAME Dependency Map
This version loops over known hostnames and stores a compact dependency map. Use it for owned domains, customer-domain onboarding checks, vendor inventory, or scheduled DNS drift reports.
const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://whoisjson.com/api/v1";
async function getDns(hostname) {
const url = new URL(`${BASE_URL}/nslookup`);
url.searchParams.set("domain", hostname);
const response = await fetch(url, {
headers: { Authorization: `TOKEN=${API_KEY}` },
});
if (!response.ok) {
throw new Error(`${hostname}: HTTP ${response.status}`);
}
return response.json();
}
async function buildCnameMap(hostnames) {
const rows = [];
for (const hostname of hostnames) {
const dns = await getDns(hostname);
const cnames = Array.isArray(dns.CNAME) ? dns.CNAME : [];
rows.push({
hostname,
cnameCount: cnames.length,
targets: cnames,
});
}
return rows;
}
const hostnames = [
"docs.example.com",
"status.example.com",
"support.example.com",
];
buildCnameMap(hostnames).then(console.log).catch(console.error);
Combine CNAME Lookup with Subdomain Discovery
A root-domain CNAME check is useful, but takeover and SaaS dependency workflows usually need breadth first. The documented /subdomains endpoint discovers active subdomains and marks whether each discovered hostname resolved as A or CNAME.
curl "https://whoisjson.com/api/v1/subdomains?domain=example.com" \
-H "Authorization: TOKEN=YOUR_API_KEY"Then query selected hostnames with /nslookup to retrieve CNAME aliases and adjacent DNS context. This keeps the workflow aligned with the documented API surface: discovery with /subdomains, DNS detail with /nslookup.
What This API Does Not Claim
CNAME records are important, but the lookup result should not be overstated.
FAQ
What is a CNAME record lookup API?
It queries DNS aliases for a hostname and returns CNAME values as structured JSON.
Which WhoisJSON endpoint returns CNAME records?
Use GET /api/v1/nslookup with the domain query parameter, then read the CNAME array from the JSON response.
Can CNAME records reveal SaaS dependencies?
Yes. CNAME targets often point to CDNs, documentation platforms, support tools, static hosting providers, status pages and other SaaS services.
Does a dangling CNAME always mean takeover is possible?
No. A dangling CNAME is a warning sign. Takeover depends on whether the external service lets someone claim the missing resource.
Can I check CNAME records and subdomains together?
Yes. Use /subdomains to discover active hostnames, then /nslookup to inspect CNAME values and related DNS records for selected hostnames.
Conclusion
A CNAME record lookup API gives teams a practical way to turn DNS aliases into inventory and risk signals. Use /nslookup, read the CNAME array, preserve raw target hostnames, and classify only the provider patterns your workflow understands.
For security work, keep the logic honest: CNAME data highlights possible SaaS dependencies and dangling aliases, but takeover confirmation requires provider-specific validation.
Check CNAME records with WhoisJSON
Query CNAME records alongside A, MX, TXT, SOA, CAA, DMARC, BIMI, MTA-STS and TLS-RPT with one API key.
Check CNAME RecordsView Documentation