nslookup and dig illustrated

nslookup (on Windows) and dig (on Linux) are two indispensable tools for system administrators debugging DNS problems. However, these two DNS tools are not as easy to use as other commands.

First of all, if you issue the following commands to try to get the help information of nslookup, you will be disappointed:

nslookup /?

nslookup /h

nslookup -?

nslookup -h

nslookup /help

The above are the common ways to get the usage of a command on Windows, but none of them works for nslookup. The output looks like this (on my computer):

*** Can't find server name for address xx.xx.xx.xx: Query refused
*** Can't find server name for address yy.yy.yy.yy: Query refused
Server:  somedomainname.net
Address:  zz.zz.zz.zz

*** somedomainname.net can't find /help: Non-existent domain

This output is confusing, and you may not know what it means. One thing is certain, though: it is not the help document. In fact, nslookup does not understand a help switch the way other commands do. The first two lines relate to the DNS settings on my system. I set two non-working DNS IP addresses (xx.xx.xx.xx and yy.yy.yy.yy) under Network Connections / Local Connections / Property / Internet Protocols (TCP/IP) properties / Use the following DNS server IP addresses / Primary DNS server / Secondary DNS server. The queries to the two DNS servers were refused. nslookup also tried to look up the domain names for the two IP addresses by reverse DNS lookup, but failed. Then nslookup fell back to the third DNS server IP address I set (zz.zz.zz.zz) and looked up its domain name (somedomainname.net) successfully.

The last line of the output says nslookup could not find the domain using the DNS server somedomainname.net. But I did not specify a domain, did I? In fact, nslookup took the string after the command name (in this case, “/help”) as the domain to query, and the query failed.

So how do you use nslookup? You can get the help after running nslookup and entering its command-line interface. Just type “help” at its prompt and you will see all the usage of nslookup:

> help
Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default serve
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    all                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, et
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV
    querytype=X         - same as type
    class=X             - set query class (ex. IN (Internet), ANY)
    [no]msxfr           - use MS fast zone transfer
    ixfrver=X           - current version to use in IXFR transfer request
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional NAME at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FI
    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g. A,CNAME,MX,NS,PTR e
view FILE           - sort an 'ls' output file and view it with pg
exit            - exit the program

How to look up the A record of a domain using nslookup?

nslookup google.com

Server:  somedomainname.net
Address:  zz.zz.zz.zz

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name:    google.com
Address:  172.217.6.206

Because zz.zz.zz.zz is not the authoritative name server for google.com, you get a non-authoritative answer from zz.zz.zz.zz.

How to look up the MX records of a domain?

nslookup -type=MX google.com

Server:  somedomainname.net
Address:  zz.zz.zz.zz

Non-authoritative answer:
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com

How to get the NS records of a domain?

nslookup -type=NS google.com

Non-authoritative answer:
google.com      nameserver = ns1.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns2.google.com
google.com      nameserver = ns3.google.com

How to retrieve the TXT records of a domain?

nslookup -type=TXT google.com

Non-authoritative answer:
google.com      text =

"docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com      text =

"v=spf1 include:_spf.google.com ~all"

How to look up the DNS records of a domain using a specified name server?

nslookup  google.com 8.8.8.8

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Address:  172.217.27.142

In the above example, we look up the (default) A record of google.com using the specified name server, 8.8.8.8.

You can combine the type option and the specified name server:

nslookup  -type=MX google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com

google.com      nameserver = ns3.google.com
google.com      nameserver = ns2.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns1.google.com
ns1.google.com  internet address = 216.239.32.10
ns1.google.com  AAAA IPv6 address = 2001:4860:4802:32::a
ns2.google.com  internet address = 216.239.34.10
ns2.google.com  AAAA IPv6 address = 2001:4860:4802:34::a
ns3.google.com  internet address = 216.239.36.10
ns3.google.com  AAAA IPv6 address = 2001:4860:4802:36::a
ns4.google.com  internet address = 216.239.38.10
ns4.google.com  AAAA IPv6 address = 2001:4860:4802:38::a

The above examples run each query as a single command line. You can also do the same from the interactive command interface of nslookup:

nslookup
Default Server:  somedomainname.net
Address:  zz.zz.zz.zz

> google.com
Server:  somedomainname.net
Address:  zz.zz.zz.zz

Non-authoritative answer:
Name:    google.com
Address:  172.217.6.206

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> set type=MX
> google.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
google.com      MX preference = 10, mail exchanger = aspmx.l.google.com
google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com

google.com      nameserver = ns2.google.com
google.com      nameserver = ns1.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns3.google.com
ns1.google.com  internet address = 216.239.32.10
ns1.google.com  AAAA IPv6 address = 2001:4860:4802:32::a
ns2.google.com  internet address = 216.239.34.10
ns2.google.com  AAAA IPv6 address = 2001:4860:4802:34::a
ns3.google.com  internet address = 216.239.36.10
ns3.google.com  AAAA IPv6 address = 2001:4860:4802:36::a
ns4.google.com  internet address = 216.239.38.10
ns4.google.com  AAAA IPv6 address = 2001:4860:4802:38::a
>

The “server 8.8.8.8” sub-command sets the default name server; the queries that follow are sent to this server. The “set type=MX” sub-command sets the query type to MX. Then simply type a domain name such as “google.com” and press Enter, and the query for the MX records of the domain “google.com” is submitted to 8.8.8.8.

 

If you are on Linux, you can use the dig command to look up the DNS records of a domain:

dig google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41852
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             27      IN      A       172.217.11.78

;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 28 07:03:11 2018
;; MSG SIZE  rcvd: 44

Most newcomers will be frightened by this messy output. How should the output of the dig command be interpreted? Let me decode it and explain what it means. The output is formatted like a configuration file, and the lines beginning with “;;” look like comments, but they are not actually comments. Some lines in the output are based on information received from the name server; other lines are generated from local information. The first line:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> google.com

tells you the version of the dig command, and the arguments of the command.

The second line:

;; global options: +cmd

lists the global options specified on the command line. The global options are the options before the domain (whereas the options after the domain are called local options).

The following 3 lines:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41852
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

show the result of the interaction for this DNS query, including whether the query was successful or not.

The “question section”:

;; QUESTION SECTION:
;google.com.                    IN      A

shows what was queried for, i.e., we queried for the A record of the domain google.com.

The “answer section” shows the response from the name server:

;; ANSWER SECTION:
google.com.             27      IN      A       172.217.11.78

The last lines are the statistics for this query:

;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 28 07:03:11 2018
;; MSG SIZE  rcvd: 44

From these we can tell that we were querying the (default) name server 8.8.8.8 on port 53 (which is specified in /etc/resolv.conf). The query took 29 msec, and we received 44 bytes from the name server.
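The line-by-line reading above can be automated. The following Python parser is an added example, not code from the original post: the function name parse_dig is an assumption, and the two sample responses are copied from the dig output on this page (the default query and the @ns1.google.com query at the end), trimmed to the lines the parser reads. It also reports whether the aa (authoritative answer) flag is set, which is what separates the reply from ns1.google.com from the one relayed by 8.8.8.8.

```python
import re

# Sample responses copied from the dig output shown on this page (trimmed):
# first from the resolver 8.8.8.8, then from ns1.google.com.
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41852
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             27      IN      A       172.217.11.78

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7464
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
google.com.             300     IN      A       172.217.5.206

;; SERVER: 216.239.32.10#53(216.239.32.10)
"""

def parse_dig(text):
    """Parse dig's default output into a dict (parse_dig is a hypothetical name)."""
    out = {"status": None, "flags": [], "counts": {}, "answers": [], "server": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r";; ->>HEADER<<- .*status: (\w+)", line):
            out["status"] = m.group(1)          # NOERROR, NXDOMAIN, REFUSED, ...
        elif line.startswith(";; flags:"):
            flags, _, counts = line[len(";; flags:"):].partition(";")
            out["flags"] = flags.split()
            out["counts"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", counts)}
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)                # QUESTION, ANSWER, AUTHORITY, ...
        elif m := re.match(r";; SERVER: ([^#]+)#(\d+)", line):
            out["server"] = (m.group(1), int(m.group(2)))
        elif section == "ANSWER" and line and not line.startswith(";"):
            # Resource record: name, TTL, class, type, then type-specific data.
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            out["answers"].append((name, int(ttl), rclass, rtype, rdata))
    out["authoritative"] = "aa" in out["flags"]  # aa = authoritative answer
    return out
```

Comparing `parse_dig(...)["answers"]` from the configured resolver with the same query sent to one of the domain's own name servers is a quick way to spot a resolver that is returning stale or altered records.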

How to know the MX records of a domain?

dig google.com MX

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> google.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 767
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      MX

;; ANSWER SECTION:
google.com.             599     IN      MX      10 aspmx.l.google.com.
google.com.             599     IN      MX      50 alt4.aspmx.l.google.com.
google.com.             599     IN      MX      20 alt1.aspmx.l.google.com.
google.com.             599     IN      MX      40 alt3.aspmx.l.google.com.
google.com.             599     IN      MX      30 alt2.aspmx.l.google.com.

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 28 07:25:04 2018
;; MSG SIZE  rcvd: 136

How to query the name servers of a domain?

dig google.com NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> google.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22808
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      NS

;; ANSWER SECTION:
google.com.             21599   IN      NS      ns3.google.com.
google.com.             21599   IN      NS      ns4.google.com.
google.com.             21599   IN      NS      ns1.google.com.
google.com.             21599   IN      NS      ns2.google.com.

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 28 07:26:55 2018
;; MSG SIZE  rcvd: 100

How to check the DNS TXT records?

dig google.com txt

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54061
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      TXT

;; ANSWER SECTION:
google.com.             3599    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.             299     IN      TXT     "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 28 07:28:39 2018
;; MSG SIZE  rcvd: 134

How to use a different name server for the DNS query?

dig @ns1.google.com google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> @ns1.google.com google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7464
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       172.217.5.206

;; Query time: 51 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Wed Mar 28 07:30:14 2018
;; MSG SIZE  rcvd: 44
