Monday 4 September 2017

Common nslookup Commands

nslookup is one of the most common network administration tools for querying the Domain Name System (DNS) to retrieve a domain name or its IP address mapping or other DNS records.

Network IT professionals frequently use this tool to troubleshoot DNS issues in their environment. Attackers and pen-testers, on the other hand, use it in the “Reconnaissance” phase. The reconnaissance phase is the preparatory phase in which an attacker gathers information about a target prior to launching an attack.

nslookup can be used in two modes, “Interactive Mode” and “Non-interactive Mode”. Interactive Mode allows querying a DNS server for many hosts and domains within one session. Non-interactive Mode, on the other hand, queries information for a single host or domain in one command.

We will look at Non-interactive Mode in this article.

Types of DNS Records

Before we continue with nslookup, let’s look at the meanings of the types of common DNS records.

Address (A) record
Maps a domain name to a specific IPv4 address
Eg. www IN A 130.182.3.1

IP Version 6 Address (AAAA) record
Maps a domain name to a specific IPv6 address
Eg. www IN AAAA 2404:6800:4001:804::2001

Canonical Name (CNAME) record
The CNAME record specifies a domain name that has to be queried in order to resolve the original DNS query. It is used to create aliases of domain names.

Host Information (HINFO) record
Describes host type associated with host name
Eg. www IN HINFO Solaris8

Mail Exchange (MX) record
Identifies a mail system accepting mail for the given domain
Eg. calstatela.edu MX 10 mars

Name Server (NS) record
Identifies DNS servers of domain
Eg. calstatela.edu IN NS eagle

Text (TXT) record
Holds arbitrary descriptive text for a name (for example, comments or an SPF policy)
Eg. serverx IN TXT “This system contains sensitive info”

nslookup commands

nslookup domain_name

This will display the IP addresses, i.e. the ‘A’ and ‘AAAA’ records, of the given domain name. If only one IP version is in use, only the corresponding address will be displayed.

C:\>nslookup jayitsecurity.com
Server: UnKnown
Address:  192.168.43.1

Non-authoritative answer:
Name:    jayitsecurity.com
Address:  103.6.196.153

In the above output, Server and Address identify the DNS server that answered the query. In this case, ‘UnKnown’ shows that nslookup could not find a name for the server at that address.

Authoritative answer vs Non-authoritative answer

You may have noticed the keyword “Non-authoritative answer” in the above output.

A DNS Server that holds the complete zone file information available for the domain will provide the “Authoritative answer”.

A Non-authoritative answer is provided by DNS servers that do not have the complete zone file for the given domain. These servers maintain a cache holding the results of queries performed in the past. When a query arrives, such a server searches its cache and returns the information it finds as a “Non-authoritative answer”.

Query the MX Record using -query=mx

This command queries the DNS server for the list of mail exchange servers for the given domain name. Mail sent to “@jayitsecurity.com” will be routed to the mail servers listed for this domain.

C:\>nslookup -query=mx jayitsecurity.com
Server:  UnKnown
Address:  192.168.43.1

Non-authoritative answer:
mx1.jayitsecurity.com       MX preference = 0, mail exchanger = jayitsecurity.com
mx2.jayitsecurity.com       MX preference = 10, mail exchanger = jayitsecurity.com


In the above example, we have 2 MX records for the domain “jayitsecurity.com”. The numbers 0 and 10 associated with the MX records indicate the preference of each mail server: the lower the number, the higher the preference. So when mail is sent to “@jayitsecurity.com”, the first preference will be “mx1.jayitsecurity.com”. If for some reason this mail server is not reachable, then the emails will be routed to “mx2.jayitsecurity.com”.

Query the NS Record using -type=ns

Lists the authoritative DNS servers for that domain.

C:\>nslookup -type=ns jayitsecurity.com
Server:  UnKnown
Address:  192.168.43.1

Non-authoritative answer:
jayitsecurity.com       nameserver = ns112.mschosting.com
jayitsecurity.com       nameserver = ns111.mschosting.com

Query the SOA Record using -type=soa

The SOA (start of authority) record provides more detailed information about a domain, for example the primary name server, the admin’s email address, the serial number and more.

C:\>nslookup -type=soa jayitsecurity.com
Server:  UnKnown
Address:  192.168.43.1

Non-authoritative answer:
jayitsecurity.com
        primary name server = ns111.mschosting.com
        responsible mail addr = abuse.mschosting.com
        serial  = 2016071601
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)

jayitsecurity.com       nameserver = ns112.mschosting.com
jayitsecurity.com       nameserver = ns111.mschosting.com

  • mail addr or responsible mail addr – specifies the email address of the domain admin
  • serial – a revision number for the zone. The standard convention is the “YYYYMMDDNN” format; NN starts at 01 and is incremented if more than one edit takes place on the same day.
  • refresh – specifies (in seconds) how often the secondary DNS server checks the primary for an increase in the serial number. If the serial has increased, the secondary makes a new request to copy the updated zone file.
  • retry – specifies the interval (in seconds) at which the secondary retries connecting to the primary after a failed refresh
  • expire – specifies how long (in seconds) the secondary DNS server keeps its copy of the zone valid while it cannot reach the primary

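As an added example (not part of the original article), the following Python script parses the Windows nslookup output format shown above for MX, NS and SOA lines, orders the MX records by preference as explained in the MX section, checks whether the SOA serial follows the YYYYMMDDNN convention, and converts the “responsible mail addr” into the admin mailbox. The sample output is constructed from the records shown in this article, with a second MX record added.

```python
import re
from datetime import datetime

# Constructed sample in the Windows nslookup -type=any output format shown in this article;
# a second MX record is added so that preference ordering is visible.
SAMPLE = """\
jayitsecurity.com       MX preference = 10, mail exchanger = mx2.jayitsecurity.com
jayitsecurity.com       MX preference = 0, mail exchanger = mx1.jayitsecurity.com
jayitsecurity.com
        primary name server = ns111.mschosting.com
        responsible mail addr = abuse.mschosting.com
        serial  = 2016071601
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
jayitsecurity.com       nameserver = ns112.mschosting.com
jayitsecurity.com       nameserver = ns111.mschosting.com
jayitsecurity.com       internet address = 103.6.196.153
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
NS_RE = re.compile(r"nameserver = (\S+)")
SOA_RE = re.compile(r"^\s+(primary name server|responsible mail addr|serial|"
                    r"refresh|retry|expire|default TTL)\s*=\s*(\S+)")

def parse_nslookup(text):
    """Collect MX, NS and SOA lines; MX is sorted so the server tried first comes first."""
    mx, ns, soa = [], [], {}
    for line in text.splitlines():
        if m := MX_RE.search(line):
            mx.append((int(m.group(1)), m.group(2)))   # lower value = higher preference
        elif m := NS_RE.search(line):
            ns.append(m.group(1))
        elif m := SOA_RE.match(line):
            soa[m.group(1)] = m.group(2)               # numeric value only, no "(1 day)" text
    return {"mx": sorted(mx), "ns": sorted(ns), "soa": soa}

def soa_serial_date(serial):
    """Return (date, revision) if the serial follows YYYYMMDDNN, else None."""
    if not re.fullmatch(r"\d{10}", serial):
        return None
    try:
        return datetime.strptime(serial[:8], "%Y%m%d").date(), int(serial[8:])
    except ValueError:                                 # e.g. month 13: not a date-based serial
        return None

def rname_to_email(rname):
    """SOA 'responsible mail addr' encodes the admin mailbox with its first dot standing for '@'."""
    local, _, domain = rname.partition(".")
    return f"{local}@{domain}"
```

Call parse_nslookup(SAMPLE) or feed it text captured from a real run; a mailbox whose local part contains escaped dots is not handled by rname_to_email.
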
View available DNS records using -query=any

It is possible to view all the available DNS records using -type=any option.

C:\>nslookup -type=any jayitsecurity.com
Server:  UnKnown
Address:  192.168.43.1

Non-authoritative answer:
jayitsecurity.com       text =

        "v=spf1 include:spf.mschosting.com -all"
jayitsecurity.com       MX preference = 0, mail exchanger = jayitsecurity.com
jayitsecurity.com
        primary name server = ns111.mschosting.com
        responsible mail addr = abuse.mschosting.com
        serial  = 2016071601
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 86400 (1 day)
jayitsecurity.com       nameserver = ns112.mschosting.com
jayitsecurity.com       nameserver = ns111.mschosting.com
jayitsecurity.com       internet address = 103.6.196.153

Reverse DNS lookup

You can also do a reverse DNS lookup by providing the IP address as the argument to nslookup.

C:\>nslookup 103.6.196.153
Server:  UnKnown
Address:  192.168.43.1

Name:    power3.mschosting.com
Address:  103.6.196.153

In the example above, the command returns the domain name of the web hosting server of jayitsecurity.com.
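
As an added illustration (not from the original article) of what nslookup does behind a reverse lookup: it does not send the IP address itself but a PTR query for a name under in-addr.arpa (IPv4) or ip6.arpa (IPv6). This Python function builds that name for both address families, using the addresses from this article as constructed inputs.

```python
import ipaddress

def reverse_name(ip):
    """Return the PTR query name that a reverse lookup of the given IP address resolves."""
    addr = ipaddress.ip_address(ip)            # raises ValueError for anything that is not an IP
    if addr.version == 4:
        # IPv4: the four octets in reverse order under in-addr.arpa
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

# Addresses taken from this article's examples (the web host and the IPv6 answer for www).
SAMPLE_IPS = ["103.6.196.153", "2404:6800:4001:805::2013"]

def reverse_names(ips=SAMPLE_IPS):
    """Map each address to the PTR name that would be queried for it."""
    return {ip: reverse_name(ip) for ip in ips}
```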

Using Specific DNS server

We can also specify a DNS server for making queries.

C:\>nslookup www.jayitsecurity.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    ghs.l.google.com
Addresses:  2404:6800:4001:805::2013
          172.217.31.51
Aliases:  www.jayitsecurity.com
          ghs.google.com

In the command above, we used Google’s public DNS server which has IP address 8.8.8.8.

Change the port number to connect with

DNS servers use the default port number 53. If for any reason a server listens on a different port, we can specify it using the -port option.

C:\>nslookup -port=56 jayitsecurity.com

Change timeout interval to wait for a reply

The default time to wait for a reply can be changed using the -timeout option.

C:\>nslookup -timeout=20 jayitsecurity.com
Server:  UnKnown
Address:  192.168.43.1

Non-authoritative answer:
Name:    jayitsecurity.com
Address:  103.6.196.153

Note:
You may use options -query and -type interchangeably.
