Updated: 11/06/2021 by Computer Hope
On Unix-like operating systems, the nslookup command queries Internet name servers interactively for information.
- Technical description
- Interactive commands
- Configuration files
- Related commands
- Linux commands help
nslookup, which stands for "name server lookup", finds information about a named domain.
By default, nslookup translates a domain name to an IP address (or vice versa). For instance, to find the IP address of microsoft.com, you could run the command:
...and you would receive a response like this:
Server: 184.108.40.206Address: 220.127.116.11#53Non-authoritative answer:Name: microsoft.comAddress: 18.104.22.168Name: microsoft.comAddress: 22.214.171.124
Here, 126.96.36.199 is the address of our system's Domain Name Server. This is the server our system is configured to use to translate domain names into IP addresses. "#53" indicates we are communicating with it on port 53, which is the standard port number domain name servers use to accept queries.
Below this, we have our lookup information for microsoft.com. Our name server returned two entries, 188.8.131.52 and 184.108.40.206. This indicates microsoft.com uses a round robin setup to distribute server load. When you access micrsoft.com, you may be directed to either of these servers and your packets are routed to the correct destination.
You can see that we have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our DNS has the complete zone file information for the domain in question. More often, our DNS has a cache of information representing the last authoritative answer it received when it made a similar query; this information is passed on to you, and qualified as "non-authoritative" by the server: the information was recently received from an authoritative source, but the DNS server is not itself that authority.
Reverse DNS lookups
We can also perform the operation above in reverse by providing the IP address rather than the domain name. For instance, the command:
...returns information resembling the following:
Server: 220.127.116.11Address: 18.104.22.168#53Non-authoritative answer:22.214.171.124.in-addr.arpa name = grv.microsoft.com.Authoritative answers can be found from:
Querying the NS record of a domain
The NS record of a domain is a map of all name servers that are authoritative for that domain. You can query a domain's NS record using the option -type=ns, like this:
nslookup -type=ns microsoft.com
...and the response resembles the following:
Server: 126.96.36.199Address: 188.8.131.52#53Non-authoritative answer:microsoft.com nameserver = ns3.msft.net.microsoft.com nameserver = ns4.msft.net.microsoft.com nameserver = ns1.msft.net.microsoft.com nameserver = ns2.msft.net.Authoritative answers can be found from:
This output gives us the names of the four microsoft.com name servers (which actually belong to the msft.net domain), according to our DNS's (non-authoritative) information. If there is an available source for authoritative answers, it is listed at the bottom of the output.
Querying the MX record
The MX record is a map of mail exchange servers for a domain. When you send an e-mail to a domain, for example "@microsoft.com", mail is routed to Microsoft's MX servers.
You can query a domain for its MX record using the -type=mx option. For example:
nslookup -type=mx microsoft.com
...responds with output resembling the following:
Server: 184.108.40.206Address: 220.127.116.11#53Non-authoritative answer:microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.Authoritative answers can be found from:
Here, the mail exchanger address is prefixed with a number (10). If there were more than one mail exchanger, they would each have a different number, with the lower numbers representing a higher priority. So if there were another exchanger with the prefix 5, that server would take precedence over the server listed here.
Querying the SOA record
The SOA (Start Of Authority) record for a domain provides technical information about the domain. It can be queried with the option -type=soa.
nslookup -type=soa microsoft.com
Server: 18.104.22.168Address: 22.214.171.124#53Non-authoritative answer:microsoft.com origin = ns1.msft.net mail addr = msnhst.microsoft.com serial = 2014110802 refresh = 7200 retry = 600 expire = 2419200 minimum = 3600Authoritative answers can be found from:
The information listed here is the cached version held by our domain name server. It includes:
- origin: The authority from which the information originated.
- mail addr: The e-mail address of the domain administrator (the first dot would be an @ symbol in an e-mail address, so here the e-mail address is [emailprotected]).
- serial: Revision data for this information, in the form YYYYMMDDNN. Here, the information is current as of August 11, 2014; 02 means it was the second revision made on that day.
- refresh: A number representing the interval, in seconds, after which the secondary name server checks the primary name server for an updated revision of this information. This information tells us the secondary Microsoft name server's information is never more than two hours (7200 seconds) out of date.
- retry: The secondary nameserver waits this many seconds before attempting to reconnect to the primary name server after a failed attempt.
- expire: The secondary nameserver's cache of the primary nameserver's information always is considered invalid after this many seconds.
- minimum: The secondary nameserver's cache of the primary nameserver's information should not be refreshed if this amount of time has not elapsed since the last refresh.
Viewing all available NS records
We can also view all available NS records for a domain using the option -type=any. For example:
nslookup -type=any microsoft.com
Server: 126.96.36.199Address: 188.8.131.52#53Non-authoritative answer:Name: microsoft.comAddress: 184.108.40.206Name: microsoft.comAddress: 220.127.116.11microsoft.com nameserver = ns3.msft.net.microsoft.com nameserver = ns4.msft.net.microsoft.com nameserver = ns1.msft.net.microsoft.com nameserver = ns2.msft.net.microsoft.com origin = ns1.msft.net mail addr = msnhst.microsoft.com serial = 2014110802 refresh = 7200 retry = 600 expire = 2419200 minimum = 3600microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.microsoft.com text = "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:18.104.22.168 ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206 -all" microsoft.com text = "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="Authoritative answers can be found from:
Querying another DNS
By default, nslookup queries the same DNS the system is configured to use for all network operations. You can specify a custom DNS to query, however, by specifying it on the command line. For example:
nslookup microsoft.com ns1.msft.net
...provides us with the authoritative answer to our previous query of microsoft.com:
Server: ns1.msft.netAddress: 220.127.116.11#53Name: microsoft.comAddress: 18.104.22.168Name: microsoft.comAddress: 22.214.171.124
This is useful not only for obtaining authoritative information, but for finding out exactly what information a certain DNS currently has cached.
Querying on a non-standard port
By default, domain name servers accept queries on port 53. If this is configured differently on the server you are trying to query, you can specify another port number using the -port= option:
nslookup -port=54 microsoft.com
Here, the query attempt failed because our DNS uses the standard port, number 53.
Debugging the query transaction
Advanced users may need to examine more closely the details of the query transaction. This can be achieved using the -debug option:
nslookup -debug microsoft.com
Server: 126.96.36.199Address: 188.8.131.52#53------------ QUESTIONS: microsoft.com, type = A, class = IN ANSWERS: -> microsoft.com internet address = 184.108.40.206 ttl = 964 -> microsoft.com internet address = 220.127.116.11 ttl = 964 AUTHORITY RECORDS: ADDITIONAL RECORDS:------------Non-authoritative answer:Name: microsoft.comAddress: 18.104.22.168Name: microsoft.comAddress: 22.214.171.124
You can also run multiple commands interactively by running nslookup with no options:
This brings you to a special command prompt where you can use commands to perform any of the operations listed above. It looks like this:
At this prompt, you can type a domain name or IP address to query your DNS for its basic information:
Server: 126.96.36.199Address: 188.8.131.52#53Non-authoritative answer:Name: microsoft.comAddress: 184.108.40.206Name: microsoft.comAddress: 220.127.116.11
...or, to submit a specific query type, you can set the type with set type=value, and then run the query. For instance, these two commands are the equivalent of running nslookup -type=any microsoft.com from the command line:
> set type=any> microsoft.com
Server: 18.104.22.168Address: 22.214.171.124#53Non-authoritative answer:Name: microsoft.comAddress: 126.96.36.199Name: microsoft.comAddress: 188.8.131.52microsoft.com nameserver = ns2.msft.net.microsoft.com nameserver = ns3.msft.net.microsoft.com nameserver = ns4.msft.net.microsoft.com nameserver = ns1.msft.net.microsoft.com origin = ns1.msft.net mail addr = msnhst.microsoft.com serial = 2014110802 refresh = 7200 retry = 600 expire = 2419200 minimum = 3600microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.microsoft.com text = "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:184.108.40.206 ip4:220.127.116.11 ip4:18.104.22.168 ip4:22.214.171.124 ip4:126.96.36.199 -all"microsoft.com text = "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="Authoritative answers can be found from:
When ready to exit nslookup's Interactive Mode, run the command exit:
...and you are returned to the command line.
There are other commands you can run from interactive mode; see: Interactive commands below for a list.
nslookup [-option] [name | -] [server]
nslookup is a program used to query Internet domain name servers for information.
nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or print a list of hosts in a domain. Non-interactive mode is used to print the name and requested information for a host or domain.
Interactive mode is entered in the following cases:
- When no arguments are given (the default name server is used).
- When the first argument is a hyphen ("-") and the second argument is the hostname or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument (which can be preceded by options). The optional second argument specifies the hostname or address of a name server, to be used instead of the system's default DNS.
Options can be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
nslookup -query=hinfo -timeout=10
The name of the option corresponds to the keyword of the set command. See below for a description of these keywords and their available settings.
|host [server]||Look up information for host using the current default server, or server if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.|
To look up a host not in the current domain, append a period to the name.
|server domain, lserver domain||Change the default server to domain; lserver uses the initial server to look up information about domain, while server uses the current default server. If an authoritative answer isn't found, the names of servers that might have the answer are returned.|
|exit||Exits the program.|
|set keyword[=value]||Used to change state information that affects the lookups. Valid keywords are:|
nslookup makes use of the configuration file /etc/nsresolv.conf, if it exists, for any special DNS configuration you may need. This file is managed using the command line program resolvconf.
nslookup was briefly classified as "deprecated" by the Internet Systems Consortium in favor of the tools host and dig. They later reversed this decision, but it's important to note that host and dig can provide you with the same functions as nslookup, at a somewhat higher level of industry acceptance.
Perform a reverse lookup of the IP address 188.8.131.52. Your domain server responds with the current information it has about that host, and it is displayed on your terminal screen. Output resembles the following:
Server: 184.108.40.206Address: 220.127.116.11#53Non-authoritative answer:18.104.22.168.in-addr.arpa name = 204-228-150-3.xmission.com.Authoritative answers can be found from:
nslookup -type=mx computerhope.com
Query your DNS for information about the mail exchange server(s) for the domain computerhope.com. Output resembles the following:
Server: 22.214.171.124Address: 126.96.36.199#53Non-authoritative answer:computerhope.com mail exchanger = 10 mail.computerhope.com.Authoritative answers can be found from:
nslookup -type=any google.com
Query your DNS for all available information related to the domain google.com. Output resembles the following:
Server: 188.8.131.52Address: 184.108.40.206#53Non-authoritative answer:Name: google.comAddress: 220.127.116.11Name: google.comAddress: 18.104.22.168Name: google.comAddress: 22.214.171.124Name: google.comAddress: 126.96.36.199Name: google.comAddress: 188.8.131.52Name: google.comAddress: 184.108.40.206Name: google.comAddress: 220.127.116.11Name: google.comAddress: 18.104.22.168Name: google.comAddress: 22.214.171.124Name: google.comAddress: 126.96.36.199Name: google.comAddress: 188.8.131.52google.com has AAAA address 2607:f8b0:4006:809::1009google.com nameserver = ns3.google.com.google.com mail exchanger = 50 alt4.aspmx.l.google.com.google.com rdata_257 = \# 19 0005697373756573796D616E7465632E636F6Dgoogle.com nameserver = ns4.google.com.google.com text = "v=spf1 include:_spf.google.com ip4:184.108.40.206/31 ip4:220.127.116.11/31 ~all"google.com mail exchanger = 40 alt3.aspmx.l.google.com.google.com nameserver = ns1.google.com.google.com mail exchanger = 30 alt2.aspmx.l.google.com.google.com mail exchanger = 20 alt1.aspmx.l.google.com.google.com mail exchanger = 10 aspmx.l.google.com.google.com origin = ns1.google.com mail addr = dns-admin.google.com serial = 2014110400 refresh = 7200 retry = 1800 expire = 1209600 minimum = 300google.com nameserver = ns2.google.com.Authoritative answers can be found from:
dig — DNS lookup utility.
host — Convert a hostname to an IP address and vice versa.
ping — Send ICMP ECHO_REQUEST packets to network hosts.