How to Use Nslookup Command

Nslookup (short for name server lookup) is an excellent tool for querying DNS (the Domain Name System).

Importance of DNS

DNS is such a foundational aspect of how networks and the internet work that it’s hard to categorize it as either more sysadmin or more networking related. In most of the environments I’ve worked in, it’s usually the SysAdmins who manage DNS (or a dedicated DNS group in very large enterprises), since DNS is a server role. Yet its effect on network communications is pretty substantial, and many a network admin will find themselves doing DNS lookups while troubleshooting.

In a nutshell, DNS helps computers on a network communicate by translating domain names to IP addresses, which are used in routing.

When you type networkproguide.com into your address bar your computer queries your local DNS server which queries a public DNS server to figure out what IP address networkproguide.com has. At that point routing takes over and directs the packets from your computer to the destination.

When DNS doesn’t work right, things on your network can fail to communicate. Not good!

Using Nslookup we can quickly gather a variety of information about DNS. Most people know the basic nslookup command for checking a host name’s IP or an IP’s host name, but not many know how to use all the other cool features, like specifying the DNS server to use or choosing what type of record to query for a given domain.

Let’s dig in and learn some of these tricks!

Nslookup Command Syntax

The primary command for entering Nslookup is:

nslookup

You can either use the command by itself to enter a dedicated command line within the nslookup program or you can enter commands on the same line to return your result and return you to the base command prompt.

For example:

nslookup

Will return:

Default Server: UnKnown
Address: 10.2.0.1
>

Leaving you at a prompt within nslookup where you can enter more commands and parameters. Whereas entering:

nslookup wikipedia.org

Will return:

Server: UnKnown
Address: 10.2.0.1

Non-authoritative answer:
Name: wikipedia.org
Addresses: 2620:0:860:ed1a::1
208.80.153.224

C:\Users\rsanchez>

Returning you back to the base command prompt.

If you want a complete list of all nslookup commands, switches, and parameters you can enter:

nslookup ?

 

Nslookup Command Examples

The following are some examples of the most useful (in my personal opinion) nslookup commands. You can think of it as a mini nslookup cheatsheet of sorts.

Lookup Domain Name (PTR Record Lookup)

nslookup 208.80.153.224

Which results in:

Server: UnKnown
Address: 10.2.0.1

Name: text-lb.codfw.wikimedia.org
Address: 208.80.153.224

 

Lookup IP address (A Record Lookup)

nslookup wikipedia.org

Which results in:

Server: UnKnown
Address: 10.2.0.1

Non-authoritative answer:
Name: wikipedia.org
Addresses: 2620:0:860:ed1a::1
208.80.153.224

 

Email MX Record Lookup

This one requires that we enter the nslookup prompt first, then set our record type, then enter our domain name to return our result, like so:

nslookup
> set q=mx
> wikipedia.org

Which results in:

Server: UnKnown
Address: 10.2.0.1

Non-authoritative answer:
wikipedia.org MX preference = 10, mail exchanger = mx1001.wikimedia.org
wikipedia.org MX preference = 50, mail exchanger = mx2001.wikimedia.org

 

Start of Authority (SOA) Record Lookup

nslookup
>set q=SOA
>wikipedia.org

Which results in:

Server: UnKnown
Address: 10.2.0.1

Non-authoritative answer:
wikipedia.org
primary name server = ns0.wikimedia.org
responsible mail addr = hostmaster.wikimedia.org
serial = 2018081012
refresh = 43200 (12 hours)
retry = 7200 (2 hours)
expire = 1209600 (14 days)
default TTL = 3600 (1 hour)

 

Lookup All DNS Records

This is a bit of a misnomer. You can’t really return all records. You can only return the records that the particular DNS servers you’re using are aware of. To truly get all records for a domain you’d be looking at what is called a zone transfer and most DNS servers restrict those for good reason.

nslookup
>set type=all
>microsoft.com

Which results in:

microsoft.com internet address = 23.100.122.175
microsoft.com internet address = 23.96.52.53
microsoft.com internet address = 191.239.213.197
microsoft.com internet address = 104.40.211.35
microsoft.com internet address = 104.43.195.251
microsoft.com nameserver = ns4.msft.net
microsoft.com nameserver = ns1.msft.net
microsoft.com nameserver = ns2.msft.net
microsoft.com nameserver = ns3.msft.net
microsoft.com
primary name server = ns1.msft.net
responsible mail addr = msnhst.microsoft.com
serial = 2018090721
refresh = 7200 (2 hours)
retry = 600 (10 mins)
expire = 2419200 (28 days)
default TTL = 3600 (1 hour)

 

Nameserver Lookup

nslookup
> set q=ns
> wikipedia.org

Which results in:

Server: UnKnown
Address: 10.2.0.1

Non-authoritative answer:
wikipedia.org nameserver = ns1.wikimedia.org
wikipedia.org nameserver = ns2.wikimedia.org
wikipedia.org nameserver = ns0.wikimedia.org

 

Specify Alternate DNS Server

nslookup
>server IPofDNSServer

Example:

nslookup
>server 8.8.4.4
Default Server: google-public-dns-b.google.com
Address: 8.8.4.4

> wikipedia.org
Server: google-public-dns-b.google.com
Address: 8.8.4.4

Non-authoritative answer:
Name: wikipedia.org
Addresses: 2620:0:860:ed1a::1
208.80.153.224

You can see in the example above that the Default Server now shows as google-public-dns-b.google.com instead of UnKnown as it did earlier, signifying that we are now using a defined server.

Verbose DNS Lookup

If you want as much information as you can get for a specific command you can enable verbose output by entering the following command:

nslookup
>set debug
>wikipedia.org

Which results in:

Server: UnKnown
Address: 10.2.0.1

------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
wikipedia.org, type = A, class = IN
ANSWERS:
-> wikipedia.org
internet address = 208.80.153.224
ttl = 600 (10 mins)

------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
wikipedia.org, type = AAAA, class = IN
ANSWERS:
-> wikipedia.org
AAAA IPv6 address = 2620:0:860:ed1a::1
ttl = 600 (10 mins)

------------
Name: wikipedia.org
Addresses: 2620:0:860:ed1a::1
208.80.153.224

Pretty simple, huh? I especially like the command for setting a specific DNS server. This can come in handy for ruling out DNS caching issues on specific DNS servers when making DNS changes.
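
The resolver check described above can be scripted. The following is an added example, not part of the original article: it parses the Windows nslookup output layout shown on this page and lists the resolvers that do not yet return the address a changed record should have. The function names, the sample text and the address 203.0.113.10 are constructed for illustration, and query() uses the one-line form nslookup name server.

```python
import ipaddress
import subprocess

# Constructed sample in the Windows nslookup layout; 203.0.113.10 below is made up.
SAMPLE = """Server: google-public-dns-b.google.com
Address: 8.8.4.4

Non-authoritative answer:
Name: wikipedia.org
Addresses: 2620:0:860:ed1a::1
208.80.153.224
"""

def to_ip(token):
    """Return the normalised IP in token ('#53' port suffix dropped), else None."""
    try:
        return str(ipaddress.ip_address(token.split("#")[0].strip()))
    except ValueError:
        return None

def parse_nslookup(text):
    """Return (resolver_ip, answer_ips); extra answers are bare, unlabelled lines."""
    resolver, answers, in_header = None, set(), True
    for line in map(str.strip, text.splitlines()):
        if not line:  # the first blank line after the resolver ends the header
            in_header = in_header and resolver is None
            continue
        key, _, value = line.partition(":")
        ip = to_ip(value) if key in ("Address", "Addresses") else to_ip(line)
        if ip and in_header:
            resolver = ip
        elif ip:
            answers.add(ip)
    return resolver, answers

def query(name, server):
    """Run 'nslookup name server' (needs network) and return its output."""
    if name.startswith("-") or server.startswith("-"):
        raise ValueError("argument would be parsed as an nslookup option")
    cmd = ["nslookup", name, server]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

def stale_resolvers(expected_ip, outputs):
    """Return [(resolver, answers)] for outputs that lack expected_ip."""
    parsed = [parse_nslookup(text) for text in outputs]
    return [(r, sorted(a)) for r, a in parsed if to_ip(expected_ip) not in a]

if __name__ == "__main__":
    for resolver, got in stale_resolvers("203.0.113.10", [SAMPLE]):
        print(f"{resolver} does not return the new address yet: {got}")
```

For a live check, build the list of outputs by calling query() once per resolver, for example with 10.2.0.1 and 8.8.4.4 as the server argument.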

Hopefully this helps you out and saves you some time and heartache!
