The name of the nslookup command is an abbreviated version of "name server lookup". nslookup sends a request to the local domain name system (DNS) server asking for information from its DNS records.
In response, the DNS server returns the IP address or relevant domain information for a specific website or server. However, it can also return the domain associated with a particular IP address.
What Information Can the nslookup Command Retrieve?
A DNS server maintains different types of domain records, covering topics like reverse lookups, mail servers, and time-to-live settings. Here is a list of all the available DNS records.
- Address (A) Record: Lists the IP address of the domain. Each address for the domain is described using a separate address record, so a domain can have multiple addresses and "A" records.
- Canonical Name (CNAME) Record: Lists any aliases for the host.
- Mail Exchange (MX) Record: Provides information about the mail servers within the domain.
- Name Server (NS) Record: Lists all primary and secondary name servers for the domain.
- Pointer (PTR) Record: A pointer record enables reverse lookups. It lists the host name associated with an IP address.
- Start of Authority (SOA) Record: An SOA record indicates the most authoritative host for the DNS zone. A zone groups together multiple domains within the same organization.
- Text (TXT) Record: A TXT record contains notes about the domain. Administrators often use this field to verify ownership and prevent spam.
- Time-to-Live (TTL) Record: This setting indicates how long resolvers should cache the DNS information.
The nslookup command supports both interactive and non-interactive modes. Interactive mode is useful for script development, troubleshooting, and exploratory searches. The non-interactive command is better for quick searches for a single piece of information. The non-interactive command can be fully integrated into scripts and software applications.
nslookup is pre-installed and ready-to-use on most Linux-based systems. If it is not, it can be installed easily from the command line.
Debain and Ubuntu
sudo apt-get install dnsutils
AlmaLinux, CentOS Stream, Fedora, and Rocky Linux
sudo dnf install bind-utils
nslookup [exit | finger | help | ls | lserver | root | server | set | view] [options]
To use nslookup interactively, simply enter the command nslookup from a terminal with no additional parameters. The interactive prompt should appear.
The interactive prompt accepts requests for server information without requiring the nslookup command. To use nslookup to find the IP address for the English-language Wikipedia domain, enter the following:
The local DNS server returns its own address along with information about the en.wikipedia.org domain. The reply lists the canonical name of the server and its Ipv4 and Ipv6 addresses:
Server: UnKnown Address: 192.168.182.208 Non-authoritative answer: Name: dyna.wikimedia.org Addresses: 2001:df2:e500:ed1a::1 220.127.116.11 Aliases: en.wikipedia.org
This answer is said to be non-authoritative because it is provided by the local DNS, not the DNS associated with the domain.
Change Query Type: To change the request type, use the set directive and append the preferred option. The following example sets the type for all further requests to ns. This instructs the nslookup utility to request information about the name servers used within the domain.
When nslookup sends another query about the domain, a list of nameservers is retrieved.
>wikipedia.org Server: UnKnown Address: 192.168.182.208 Non-authoritative answer: wikipedia.org nameserver = ns0.wikimedia.org wikipedia.org nameserver = ns1.wikimedia.org wikipedia.org nameserver = ns2.wikimedia.org
To exit interactive mode, use the exit keyword. Or you can use Ctrl+c to exit.
nslookup can also be used in non-interactive mode, in the same way as other Linux commands. To use the nslookup command non-interactively, use the format nslookup [options] domain_name.
The command returns the same information it did in interactive mode. This is the correct mode to use in scripts and applications requiring accurate DNS information.
Although users are most often searching for nameserver and IP address information, nslookup provides access to all DNS records. This section includes examples showing how to use nslookup to obtain more detailed DNS information.
Specify the type of record to search for using the type option. Add the option "-type=option_type" directly after the nslookup directive and before any domain name. Replace option_type with the name of the record type. For instance, to view the nameservers for a domain, use "-type=ns". The following example displays nameserver information for wikipedia.org.
1. Check Nameservers
>nslookup -type=ns Wikipedia.org
Server: 172.23.176.1 Address: 172.23.176.1#53 Non-authoritative answer: wikipedia.org nameserver = ns0.wikimedia.org. wikipedia.org nameserver = ns1.wikimedia.org. wikipedia.org nameserver = ns2.wikimedia.org. Authoritative answers can be found from:
2. Check MX (Mail) Servers
To view mail server information for a domain, set the type to mx.
nslookup -type=mx wikipedia.org
Server: 172.23.176.1 Address: 172.23.176.1#53 Non-authoritative answer: wikipedia.org mail exchanger = 10 mx1001.wikimedia.org. wikipedia.org mail exchanger = 10 mx2001.wikimedia.org. Authoritative answers can be found from:
3. Check SOA Records (State Of the authority)
nslookup can also retrieve the official Start of the authority (SOA) record, containing vital information about the domain. This information includes the email address of the administrator and DNS parameters, such as refresh time. Use "-type=soa" to search for this information.
nslookup -type=soa wikipedia.org
Server: 172.23.176.1 Address: 172.23.176.1#53 Non-authoritative answer: wikipedia.org origin = ns0.wikimedia.org mail addr = hostmaster.wikimedia.org serial = 2022030414 refresh = 43200 retry = 7200 expire = 1209600 minimum = 3600 Authoritative answers can be found from:
It is often useful to compare SOA records between sites. The SOA record for amazon.com has much lower refresh and retry numbers, suggesting the domain information might change more frequently.
nslookup -type=soa amazon.com
Server: 172.23.176.1 Address: 172.23.176.1#53 Non-authoritative answer: amazon.com origin = dns-external-master.amazon.com mail addr = root.amazon.com serial = 2010174183 refresh = 180 retry = 60 expire = 3024000 minimum = 60 Authoritative answers can be found from:
4. Check TXT Records for Domain Information
The TXT records are used to validate domain information. Use "-type=txt" to retrieve this information.
nslookup -type=txt Wikipedia.org
Server: 172.23.176.1 Address: 172.23.176.1#53 Non-authoritative answer: wikipedia.org text = "google-site-verification=AMHkgs-4ViEvIJf5znZle-BSE2EPNFqM1nDJGRyn2qk" wikipedia.org text = "yandex-verification: 35c08d23099dc863" wikipedia.org text = "v=spf1 include:wikimedia.org ~all" Authoritative answers can be found from:
5. Check Full DNS records
Use the option "-type=any" to view the full DNS records for a domain.
nslookup -type=any google.com
Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: google.com Address: 18.104.22.168 Name: google.com Address: 2a00:1450:4009:81e::200e google.com mail exchanger = 10 smtp.google.com. google.com nameserver = ns4.google.com. google.com nameserver = ns3.google.com. google.com nameserver = ns1.google.com. google.com nameserver = ns2.google.com.
Some domains are not configured to return all information in response to this request, and only return the name servers. In this case, you must request each type of record separately.
It's also possible to ask for information about a particular name server. Use nslookup and the name of the domain, along with the canonical name of the name server. This example demonstrates how to find out details about Wikipedia's ns.wikipedia.org name server.
nslookup wikipedia.org ns0.wikimedia.org
Server: ns0.wikimedia.org Address: 22.214.171.124#53 Name: wikipedia.org Address: 126.96.36.199 Name: wikipedia.org Address: 2620:0:862:ed1a::1
6. DNS Debug
To debug the information from nslookup, use the "-debug" flag. Debug mode displays the queries sent to the DNS server along with the replies received in response.
nslookup -debug wikipedia.org
Server: 127.0.0.53 Address: 127.0.0.53#53 ------------ QUESTIONS: wikipedia.org, type = A, class = IN ANSWERS: -> wikipedia.org internet address = 188.8.131.52 ttl = 600 AUTHORITY RECORDS: ADDITIONAL RECORDS: ------------ Non-authoritative answer: Name: wikipedia.org Address: 184.108.40.206 ------------ QUESTIONS: wikipedia.org, type = AAAA, class = IN ANSWERS: -> wikipedia.org has AAAA address 2620:0:862:ed1a::1 ttl = 600 AUTHORITY RECORDS: ADDITIONAL RECORDS: ------------ Name: wikipedia.org Address: 2620:0:862:ed1a::1
Note: Most DNS requests are sent and received using TCP port 53. To request DNS information from a different port, use the "-port" flag, for example nslookup -port=55 wikipedia.org. In most cases, DNS servers are configured to refuse these requests, resulting in the error message communications error to 127.0.0.53#55: connection refused.
7. Use nslookup for reverse lookups
Although nslookup can find the IP address for a domain, it can also reveal the domain mapped to an IP address. This is referred to as a reverse DNS lookup. To perform a reverse lookup, apply the nslookup command to the IP address under investigation. The following example illustrates how to find the domain that is mapped to the address 220.127.116.11.
Note: The output displays the IP address in reverse order, so 18.104.22.168 is transposed to 22.214.171.124 in the display. The octets are presented in reverse order due to complex technical reasons involving the in-addr.arpa domain tree specification.
126.96.36.199.in-addr.arpa name = text-lb.esams.wikimedia.org. Authoritative answers can be found from:
A second alternative is to use the "-type=ptr" option and the address in reverse order to find the domain. The pointer record confirms the domain owns the address in question.
nslookup -type=ptr 188.8.131.52.in-addr.arpa
Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: 184.108.40.206.in-addr.arpa name = text-lb.esams.wikimedia.org. Authoritative answers can be found from:
That was a brief introduction to the nslookup command. There are other commands like dig and host that can also be used to query dns records of a webhost. We shall be discussing those commands in upcoming posts.
Let us know in the comments below.