Nslookup Command Examples in Linux – Query DNS records

By Silver Moon | June 5, 2023

The name of the nslookup command is an abbreviated version of "name server lookup". nslookup sends a request to the local domain name system (DNS) server asking for information from its DNS records.

In response, the DNS server returns the IP address or relevant domain information for a specific website or server. It can also return the domain name associated with a particular IP address, which is known as a reverse lookup.

What Information Can the nslookup Command Retrieve?

A DNS server maintains different types of domain records, covering topics like reverse lookups, mail servers, and time-to-live settings. The most commonly queried record types and settings are listed below.

  • Address (A) Record: Lists the IP address of the domain. Each address for the domain is described using a separate address record, so a domain can have multiple addresses and "A" records.
  • Canonical Name (CNAME) Record: Lists any aliases for the host.
  • Mail Exchange (MX) Record: Provides information about the mail servers within the domain.
  • Name Server (NS) Record: Lists all primary and secondary name servers for the domain.
  • Pointer (PTR) Record: A pointer record enables reverse lookups. It lists the host name associated with an IP address.
  • Start of Authority (SOA) Record: An SOA record indicates the most authoritative host for the DNS zone. A zone groups together multiple domains within the same organization.
  • Text (TXT) Record: A TXT record contains notes about the domain. Administrators often use this field to verify ownership and prevent spam.
  • Time-to-Live (TTL): Not a record type of its own but a value attached to every record. It indicates how long resolvers should cache the DNS information.

Installation

The nslookup command supports both interactive and non-interactive modes. Interactive mode is useful for script development, troubleshooting, and exploratory searches. The non-interactive command is better for quick searches for a single piece of information. The non-interactive command can be fully integrated into scripts and software applications.

nslookup is pre-installed and ready-to-use on most Linux-based systems. If it is not, it can be installed easily from the command line.

Debian and Ubuntu

sudo apt-get install dnsutils

AlmaLinux, CentOS Stream, Fedora, and Rocky Linux

sudo dnf install bind-utils

Syntax

nslookup [exit | finger | help | ls | lserver | root | server | set | view] [options]

Interactive Mode

To use nslookup interactively, simply enter the command nslookup from a terminal with no additional parameters. The interactive prompt should appear.

nslookup

The interactive prompt accepts requests for server information without requiring the nslookup command. To use nslookup to find the IP address for the English-language Wikipedia domain, enter the following:

en.wikipedia.org

The local DNS server returns its own address along with information about the en.wikipedia.org domain. The reply lists the canonical name of the server and its IPv4 and IPv6 addresses:

Server:  UnKnown
Address:  192.168.182.208

Non-authoritative answer:
Name:    dyna.wikimedia.org
Addresses:  2001:df2:e500:ed1a::1
          103.102.166.224
Aliases:  en.wikipedia.org

Note:
This answer is said to be non-authoritative because it is provided by the local DNS server, which relays or caches the data, not by a name server that is authoritative for the domain.

Change Query Type: To change the request type, use the set directive and append the preferred option. The following example sets the type for all further requests to ns. This instructs the nslookup utility to request information about the name servers used within the domain.

set type=ns

When nslookup sends another query about the domain, a list of nameservers is retrieved.

>wikipedia.org
Server:  UnKnown
Address:  192.168.182.208

Non-authoritative answer:
wikipedia.org   nameserver = ns0.wikimedia.org
wikipedia.org   nameserver = ns1.wikimedia.org
wikipedia.org   nameserver = ns2.wikimedia.org

To exit interactive mode, use the exit keyword or press Ctrl+C.

Non-Interactive Mode

nslookup can also be used in non-interactive mode, in the same way as other Linux commands. To use the nslookup command non-interactively, use the format nslookup [options] domain_name.

The command returns the same information it did in interactive mode. This is the correct mode to use in scripts and applications requiring accurate DNS information.

Although users are most often searching for nameserver and IP address information, nslookup provides access to all DNS records. This section includes examples showing how to use nslookup to obtain more detailed DNS information.

Specify the type of record to search for using the type option. Add the option "-type=option_type" directly after the nslookup directive and before any domain name. Replace option_type with the name of the record type. For instance, to view the nameservers for a domain, use "-type=ns". The following example displays nameserver information for wikipedia.org.

1. Check Nameservers

nslookup -type=ns Wikipedia.org
Server:         172.23.176.1
Address:        172.23.176.1#53

Non-authoritative answer:
wikipedia.org   nameserver = ns0.wikimedia.org.
wikipedia.org   nameserver = ns1.wikimedia.org.
wikipedia.org   nameserver = ns2.wikimedia.org.

Authoritative answers can be found from:

2. Check MX (Mail) Servers

To view mail server information for a domain, set the type to mx.

nslookup -type=mx wikipedia.org
Server:         172.23.176.1
Address:        172.23.176.1#53

Non-authoritative answer:
wikipedia.org   mail exchanger = 10 mx1001.wikimedia.org.
wikipedia.org   mail exchanger = 10 mx2001.wikimedia.org.

Authoritative answers can be found from:

3. Check SOA Records (Start of Authority)

nslookup can also retrieve the official Start of Authority (SOA) record, containing vital information about the domain. This information includes the email address of the administrator and DNS parameters, such as refresh time. In the mail addr field the first dot stands for the @ sign, so hostmaster.wikimedia.org means hostmaster@wikimedia.org. Use "-type=soa" to search for this information.

nslookup -type=soa wikipedia.org
Server:         172.23.176.1
Address:        172.23.176.1#53

Non-authoritative answer:
wikipedia.org
        origin = ns0.wikimedia.org
        mail addr = hostmaster.wikimedia.org
        serial = 2022030414
        refresh = 43200
        retry = 7200
        expire = 1209600
        minimum = 3600

Authoritative answers can be found from:

It is often useful to compare SOA records between sites. The SOA record for amazon.com has much lower refresh and retry numbers, suggesting the domain information might change more frequently.

nslookup -type=soa amazon.com
Server:         172.23.176.1
Address:        172.23.176.1#53

Non-authoritative answer:
amazon.com
        origin = dns-external-master.amazon.com
        mail addr = root.amazon.com
        serial = 2010174183
        refresh = 180
        retry = 60
        expire = 3024000
        minimum = 60

Authoritative answers can be found from:

4. Check TXT Records for Domain Information

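TXT records hold free-form text about the domain. They are commonly used to prove domain ownership to third-party services (the google-site-verification and yandex-verification entries below) and to publish email sender policy such as SPF (the v=spf1 entry). Use "-type=txt" to retrieve this information.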

nslookup -type=txt Wikipedia.org
Server:         172.23.176.1
Address:        172.23.176.1#53

Non-authoritative answer:
wikipedia.org   text = "google-site-verification=AMHkgs-4ViEvIJf5znZle-BSE2EPNFqM1nDJGRyn2qk"
wikipedia.org   text = "yandex-verification: 35c08d23099dc863"
wikipedia.org   text = "v=spf1 include:wikimedia.org ~all"

Authoritative answers can be found from:
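The SPF entry in the TXT output is the one worth checking from a script. The following is an added example, not code from the original article: a shell function that reads `nslookup -type=txt` output on stdin and reports which `all` qualifier the SPF record ends with (`-all` asks receivers to reject mail from unlisted senders, `~all` only to mark it). The function names are hypothetical and the sample input is the answer section shown above.

```sh
#!/bin/sh
# Added example: classify the SPF policy in `nslookup -type=txt` output.
# Function names are illustrative; they are not part of nslookup.

# Print every TXT string that starts with v=spf1, lower-cased, one per line.
spf_records() {
    tr 'A-Z' 'a-z' | sed -n 's/^.*text = "\(v=spf1[^"]*\)".*$/\1/p'
}

# Read nslookup TXT output on stdin and print one verdict:
# none | multiple | hardfail | softfail | neutral | pass-all | redirect | no-all
spf_policy() (
    set -f                                   # "?all" must not be glob-expanded
    records=$(spf_records)
    [ -n "$records" ] || { echo "none"; exit 0; }
    # Receivers treat more than one v=spf1 record as a permanent error.
    [ "$(printf '%s\n' "$records" | grep -c .)" -eq 1 ] || { echo "multiple"; exit 0; }
    redirect=no
    for term in $records; do
        case $term in
            -all)        echo "hardfail"; exit 0 ;;
            "~all")      echo "softfail"; exit 0 ;;
            "?all")      echo "neutral";  exit 0 ;;
            +all|all)    echo "pass-all"; exit 0 ;;
            redirect=*)  redirect=yes ;;
        esac
    done
    # Without an "all" term the policy is delegated (redirect=) or open-ended.
    [ "$redirect" = yes ] && echo "redirect" || echo "no-all"
)

# Sample input: the TXT answer lines from the article's output above.
sample_txt_output() {
    cat <<'EOF'
Non-authoritative answer:
wikipedia.org   text = "google-site-verification=AMHkgs-4ViEvIJf5znZle-BSE2EPNFqM1nDJGRyn2qk"
wikipedia.org   text = "yandex-verification: 35c08d23099dc863"
wikipedia.org   text = "v=spf1 include:wikimedia.org ~all"
EOF
}

sample_txt_output | spf_policy    # live use: nslookup -type=txt example.org | spf_policy
```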

5. Check Full DNS records

Use the option "-type=any" to view the full DNS records for a domain.

nslookup -type=any  google.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.212.206
Name:	google.com
Address: 2a00:1450:4009:81e::200e
google.com	mail exchanger = 10 smtp.google.com.
google.com	nameserver = ns4.google.com.
google.com	nameserver = ns3.google.com.
google.com	nameserver = ns1.google.com.
google.com	nameserver = ns2.google.com.

Note:
Many name servers no longer return every record in response to this request and answer with only a subset, such as the name servers, or with a minimal placeholder (RFC 8482). In this case, you must request each type of record separately.

It's also possible to send the query to a particular name server instead of the local resolver. Use nslookup and the name of the domain, followed by the host name of the name server. This example queries Wikipedia's ns0.wikimedia.org name server directly. Because that server is authoritative for the domain, the reply is not marked as non-authoritative.

nslookup wikipedia.org ns0.wikimedia.org
Server:		ns0.wikimedia.org
Address:	208.80.154.238#53

Name:	wikipedia.org
Address: 91.198.174.192
Name:	wikipedia.org
Address: 2620:0:862:ed1a::1

6. DNS Debug

To debug the information from nslookup, use the "-debug" flag. Debug mode displays the queries sent to the DNS server along with the replies received in response.

nslookup -debug wikipedia.org
Server:		127.0.0.53
Address:	127.0.0.53#53

------------
    QUESTIONS:
    wikipedia.org, type = A, class = IN
    ANSWERS:
    ->  wikipedia.org
    internet address = 91.198.174.192
    ttl = 600
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:	wikipedia.org
Address: 91.198.174.192
------------
    QUESTIONS:
    wikipedia.org, type = AAAA, class = IN
    ANSWERS:
    ->  wikipedia.org
    has AAAA address 2620:0:862:ed1a::1
    ttl = 600
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Name: wikipedia.org
Address: 2620:0:862:ed1a::1

Note: Most DNS requests are sent and received on UDP port 53; TCP port 53 is used when a response is too large for UDP and for zone transfers. To request DNS information from a different port, use the "-port" flag, for example nslookup -port=55 wikipedia.org. In most cases nothing is listening for DNS on the alternative port, so the request fails with the error message communications error to 127.0.0.53#55: connection refused.

7. Use nslookup for reverse lookups

Although nslookup can find the IP address for a domain, it can also reveal the domain mapped to an IP address. This is referred to as a reverse DNS lookup. To perform a reverse lookup, apply the nslookup command to the IP address under investigation. The following example illustrates how to find the domain that is mapped to the address 91.198.174.192.

nslookup 91.198.174.192

Note: The output displays the IP address in reverse order, so 91.198.174.192 is transposed to 192.174.198.91 in the display. DNS names are written with the most specific label first, while IP addresses are written with the most significant octet first. Reversing the octets under the in-addr.arpa domain lets reverse zones be delegated along network boundaries.

192.174.198.91.in-addr.arpa	name = text-lb.esams.wikimedia.org.

Authoritative answers can be found from:

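A second alternative is to use the "-type=ptr" option and the address in reverse order to find the domain. The pointer record shows the host name that the operator of the address block has published for the address. It does not by itself prove that the domain controls the address, so confirm it with a forward lookup of the returned name.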

nslookup -type=ptr 192.174.198.91.in-addr.arpa
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
192.174.198.91.in-addr.arpa	name = text-lb.esams.wikimedia.org.

Authoritative answers can be found from:
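A PTR answer is only trustworthy once the returned name resolves back to the same address. The following is an added example, not code from the original article, that builds the in-addr.arpa name for an IPv4 address and performs that forward-confirmed reverse lookup with nslookup. The helper names and the NSLOOKUP override are hypothetical; the stub answers are constructed so the script runs offline, and the forward answer for text-lb.esams.wikimedia.org is assumed rather than taken from the article's output.

```sh
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS) for an IPv4 address.
# Helper names and the NSLOOKUP override are illustrative, not nslookup features.

# 91.198.174.192 -> 192.174.198.91.in-addr.arpa (prints nothing if not a.b.c.d)
ptr_name() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# First host name in a PTR answer ("... name = host."), trailing dot removed.
ptr_target() {
    sed -n 's/^.*name = //p' | sed 's/\.$//' | head -n 1
}

# Addresses from the answer section only; the resolver's own Address line
# comes before the first "Name:" line and is skipped.
answer_addrs() {
    awk '/^Name:/ { seen = 1 } seen && /^Address/ { print $2 }'
}

# Print "confirmed HOST", "mismatch HOST", "no-ptr" or "bad-ip".
fcrdns() (
    lookup=${NSLOOKUP:-nslookup}
    name=$(ptr_name "$1")
    [ -n "$name" ] || { echo "bad-ip"; exit 0; }
    host=$($lookup -type=ptr "$name" | ptr_target)
    [ -n "$host" ] || { echo "no-ptr"; exit 0; }
    if $lookup "$host" | answer_addrs | grep -qxF "$1"; then
        echo "confirmed $host"
    else
        echo "mismatch $host"
    fi
)

# Constructed answers for offline runs; example.org, 203.0.113.10 and
# 198.51.100.7 are documentation values.
fake_nslookup() {
    case "$*" in
        "-type=ptr 192.174.198.91.in-addr.arpa")
            printf '192.174.198.91.in-addr.arpa\tname = text-lb.esams.wikimedia.org.\n' ;;
        "text-lb.esams.wikimedia.org")
            printf 'Name:\ttext-lb.esams.wikimedia.org\nAddress: 91.198.174.192\n' ;;
        "-type=ptr 10.113.0.203.in-addr.arpa")
            printf '10.113.0.203.in-addr.arpa\tname = mail.example.org.\n' ;;
        "mail.example.org")
            printf 'Server:\t127.0.0.53\nAddress:\t127.0.0.53#53\n\nName:\tmail.example.org\nAddress: 198.51.100.7\n' ;;
    esac
}

NSLOOKUP=fake_nslookup fcrdns 91.198.174.192   # remove NSLOOKUP=... to query real DNS
NSLOOKUP=fake_nslookup fcrdns 203.0.113.10
```

The comparison is textual, so it is limited to IPv4; IPv6 addresses would need normalising before they can be compared.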

Conclusion

That was a brief introduction to the nslookup command. There are other commands like dig and host that can also be used to query the DNS records of a domain. We shall be discussing those commands in upcoming posts.

Let us know in the comments below.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].
