Linux Nslookup Command Help and Examples (2022)

Updated: 11/06/2021 by Computer Hope

On Unix-like operating systems, the nslookup command queries Internet name servers interactively for information.

  • Description
  • Syntax
  • Technical description
  • Arguments
  • Options
  • Interactive commands
  • Configuration files
  • Deprecation
  • Examples
  • Related commands

Description

nslookup, which stands for "name server lookup", finds information about a named domain.

By default, nslookup translates a domain name to an IP address (or vice versa). For instance, to find the IP address of microsoft.com, you could run the command:

nslookup microsoft.com

...and you would receive a response like this:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221

Here, 8.8.8.8 is the address of our system's Domain Name Server. This is the server our system is configured to use to translate domain names into IP addresses. "#53" indicates we are communicating with it on port 53, which is the standard port number domain name servers use to accept queries.

Below this, we have our lookup information for microsoft.com. Our name server returned two entries, 134.170.185.46 and 134.170.188.221. This indicates microsoft.com uses a round robin setup to distribute server load. When you access microsoft.com, you may be directed to either of these servers and your packets are routed to the correct destination.

You can see that we have received a "Non-authoritative answer" to our query. An answer is "authoritative" only if our DNS has the complete zone file information for the domain in question. More often, our DNS has a cache of information representing the last authoritative answer it received when it made a similar query; this information is passed on to you, and qualified as "non-authoritative" by the server: the information was recently received from an authoritative source, but the DNS server is not itself that authority.

Reverse DNS lookups

We can also perform the operation above in reverse by providing the IP address rather than the domain name. For instance, the command:

nslookup 134.170.185.46

...returns information resembling the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
46.185.170.134.in-addr.arpa name = grv.microsoft.com.

Authoritative answers can be found from:
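
A PTR record is published by whoever controls the reverse zone for the address, so on its own it does not show that the name really belongs to that host. The added example below (not from the original page) goes one step beyond the lookup above and runs a forward-confirmed reverse DNS check; the LOOKUP variable, the function names and the forward answers in sample_lookup are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample responses are constructed:
# the PTR answer shown above, plus forward answers invented for illustration
# (example.com, 198.51.100.7 and 203.0.113.25 are documentation values).
sample_lookup() {
    printf '%s\n' 'Server: 8.8.8.8' 'Address: 8.8.8.8#53' '' \
        'Non-authoritative answer:'
    case "$1" in
        134.170.185.46)
            echo '46.185.170.134.in-addr.arpa name = grv.microsoft.com.' ;;
        198.51.100.7)
            echo '7.100.51.198.in-addr.arpa name = mail.example.com.' ;;
        grv.microsoft.com)
            printf '%s\n' 'Name: grv.microsoft.com' 'Address: 134.170.185.46' ;;
        mail.example.com)
            printf '%s\n' 'Name: mail.example.com' 'Address: 203.0.113.25' ;;
    esac
}

# PTR target from reverse-lookup output on stdin, trailing dot removed.
ptr_target() {
    awk '/name = / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Answer-section addresses from forward-lookup output on stdin. The queried
# server's own "Address:" line carries "#port" and is skipped.
answer_addrs() {
    awk '$1 == "Address:" && $2 !~ /#/ { print $2 }'
}

# fcrdns IP: prints "confirmed HOST", "unconfirmed HOST" or "no-ptr".
# A PTR name counts only if a forward lookup of it returns the same IP.
fcrdns() {
    host=$("$LOOKUP" "$1" 2>/dev/null | ptr_target)
    if [ -z "$host" ]; then
        echo "no-ptr"
        return 1
    fi
    if "$LOOKUP" "$host" 2>/dev/null | answer_addrs | grep -qxF -- "$1"; then
        echo "confirmed $host"
    else
        echo "unconfirmed $host"
        return 1
    fi
}

LOOKUP=sample_lookup    # set LOOKUP=nslookup to query your resolver instead
fcrdns 134.170.185.46   # confirmed grv.microsoft.com
```

An "unconfirmed" result means the reverse name should not be used for log attribution or access decisions without another source.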

Querying the NS record of a domain

The NS record of a domain is a map of all name servers that are authoritative for that domain. You can query a domain's NS record using the option -type=ns, like this:

nslookup -type=ns microsoft.com

...and the response resembles the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
microsoft.com nameserver = ns3.msft.net.
microsoft.com nameserver = ns4.msft.net.
microsoft.com nameserver = ns1.msft.net.
microsoft.com nameserver = ns2.msft.net.

Authoritative answers can be found from:

This output gives us the names of the four microsoft.com name servers (which actually belong to the msft.net domain), according to our DNS's (non-authoritative) information. If there is an available source for authoritative answers, it is listed at the bottom of the output.

Querying the MX record

The MX record is a map of mail exchange servers for a domain. When you send an e-mail to a domain, for example "@microsoft.com", mail is routed to Microsoft's MX servers.

You can query a domain for its MX record using the -type=mx option. For example:

nslookup -type=mx microsoft.com

...responds with output resembling the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.

Authoritative answers can be found from:

Here, the mail exchanger address is prefixed with a number (10). If there were more than one mail exchanger, they would each have a different number, with the lower numbers representing a higher priority. So if there were another exchanger with the prefix 5, that server would take precedence over the server listed here.

Querying the SOA record

The SOA (Start Of Authority) record for a domain provides technical information about the domain. It can be queried with the option -type=soa.

nslookup -type=soa microsoft.com

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
microsoft.com
    origin = ns1.msft.net
    mail addr = msnhst.microsoft.com
    serial = 2014110802
    refresh = 7200
    retry = 600
    expire = 2419200
    minimum = 3600

Authoritative answers can be found from:

The information listed here is the cached version held by our domain name server. It includes:

  • origin: The authority from which the information originated.
  • mail addr: The e-mail address of the domain administrator (the first dot would be an @ symbol in an e-mail address, so here the e-mail address is msnhst@microsoft.com).
  • serial: Revision data for this information, in the form YYYYMMDDNN. Here, the information is current as of August 11, 2014; 02 means it was the second revision made on that day.
  • refresh: A number representing the interval, in seconds, after which the secondary name server checks the primary name server for an updated revision of this information. This information tells us the secondary Microsoft name server's information is never more than two hours (7200 seconds) out of date.
  • retry: The secondary nameserver waits this many seconds before attempting to reconnect to the primary name server after a failed attempt.
  • expire: The secondary nameserver's cache of the primary nameserver's information is always considered invalid after this many seconds.
  • minimum: The secondary nameserver's cache of the primary nameserver's information should not be refreshed if this amount of time has not elapsed since the last refresh.

Viewing all available NS records

We can also view all available NS records for a domain using the option -type=any. For example:

nslookup -type=any microsoft.com

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221
microsoft.com nameserver = ns3.msft.net.
microsoft.com nameserver = ns4.msft.net.
microsoft.com nameserver = ns1.msft.net.
microsoft.com nameserver = ns2.msft.net.
microsoft.com
    origin = ns1.msft.net
    mail addr = msnhst.microsoft.com
    serial = 2014110802
    refresh = 7200
    retry = 600
    expire = 2419200
    minimum = 3600
microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.
microsoft.com text = "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all"
microsoft.com text = "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="

Authoritative answers can be found from:

Querying another DNS

By default, nslookup queries the same DNS the system is configured to use for all network operations. You can specify a custom DNS to query, however, by specifying it on the command line. For example:

nslookup microsoft.com ns1.msft.net

...provides us with the authoritative answer to our previous query of microsoft.com:

Server: ns1.msft.net
Address: 65.55.37.62#53

Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221

This is useful not only for obtaining authoritative information, but for finding out exactly what information a certain DNS currently has cached.
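
Comparing what your resolver has cached with what the authoritative server returns is a quick way to spot a stale or altered cache entry. The following added example (not from the original page) parses the two outputs shown in this section and reports any address that only the resolver returned; the function names are assumptions, and the sample outputs are constructed from the responses above.

```shell
#!/bin/sh
# Added example, not from the original page. The sample outputs are
# constructed from the responses shown in this section.
SAMPLE_RESOLVER='Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221'

SAMPLE_AUTH='Server: ns1.msft.net
Address: 65.55.37.62#53

Name: microsoft.com
Address: 134.170.188.221
Name: microsoft.com
Address: 134.170.185.46'

# Answer-section addresses from nslookup output on stdin, sorted so that
# round-robin rotation does not register as a difference. The queried
# server's own "Address:" line carries "#port" and is skipped.
answer_addrs() {
    awk '$1 == "Address:" && $2 !~ /#/ { print $2 }' | sort -u
}

# Succeeds when the output lacks the "Non-authoritative answer:" marker.
is_authoritative() {
    ! printf '%s\n' "$1" | grep -q '^Non-authoritative answer:'
}

# compare_answers RESOLVER_OUTPUT AUTHORITATIVE_OUTPUT
# Prints "match", or "mismatch" plus each address only the resolver returned.
compare_answers() {
    cached=$(printf '%s\n' "$1" | answer_addrs)
    auth=$(printf '%s\n' "$2" | answer_addrs)
    if [ "$cached" = "$auth" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch"
    for a in $cached; do
        printf '%s\n' "$auth" | grep -qxF -- "$a" || echo "resolver-only: $a"
    done
    return 1
}

# Live use: compare_answers "$(nslookup microsoft.com)" \
#                           "$(nslookup microsoft.com ns1.msft.net)"
compare_answers "$SAMPLE_RESOLVER" "$SAMPLE_AUTH"   # match
```

A mismatch is a prompt to investigate, not proof of tampering: domains that rotate address pools or answer by client location can legitimately return different sets to different servers.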

Querying on a non-standard port

By default, domain name servers accept queries on port 53. If this is configured differently on the server you are trying to query, you can specify another port number using the -port= option:

nslookup -port=54 microsoft.com

Here, the query attempt failed because our DNS uses the standard port, number 53.

Debugging the query transaction

Advanced users may need to examine more closely the details of the query transaction. This can be achieved using the -debug option:

nslookup -debug microsoft.com

Server: 8.8.8.8
Address: 8.8.8.8#53

------------
    QUESTIONS:
        microsoft.com, type = A, class = IN
    ANSWERS:
    ->  microsoft.com
        internet address = 134.170.188.221
        ttl = 964
    ->  microsoft.com
        internet address = 134.170.185.46
        ttl = 964
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name: microsoft.com
Address: 134.170.188.221
Name: microsoft.com
Address: 134.170.185.46

Interactive mode

You can also run multiple commands interactively by running nslookup with no options:

nslookup

This brings you to a special command prompt where you can use commands to perform any of the operations listed above. It looks like this:

>

At this prompt, you can type a domain name or IP address to query your DNS for its basic information:

> microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.185.46
Name: microsoft.com
Address: 134.170.188.221

...or, to submit a specific query type, you can set the type with set type=value, and then run the query. For instance, these two commands are the equivalent of running nslookup -type=any microsoft.com from the command line:

> set type=any
> microsoft.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: microsoft.com
Address: 134.170.188.221
Name: microsoft.com
Address: 134.170.185.46
microsoft.com nameserver = ns2.msft.net.
microsoft.com nameserver = ns3.msft.net.
microsoft.com nameserver = ns4.msft.net.
microsoft.com nameserver = ns1.msft.net.
microsoft.com
    origin = ns1.msft.net
    mail addr = msnhst.microsoft.com
    serial = 2014110802
    refresh = 7200
    retry = 600
    expire = 2419200
    minimum = 3600
microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.
microsoft.com text = "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all"
microsoft.com text = "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="

Authoritative answers can be found from:

When ready to exit nslookup's Interactive Mode, run the command exit:

> exit

...and you are returned to the command line.

There are other commands you can run from interactive mode; see Interactive commands below for a list.

Syntax

nslookup [-option] [name | -] [server]

Technical description

nslookup is a program used to query Internet domain name servers for information.

nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or print a list of hosts in a domain. Non-interactive mode is used to print the name and requested information for a host or domain.

Arguments

Interactive mode is entered in the following cases:

  1. When no arguments are given (the default name server is used).
  2. When the first argument is a hyphen ("-") and the second argument is the hostname or Internet address of a name server.

Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument (which can be preceded by options). The optional second argument specifies the hostname or address of a name server, to be used instead of the system's default DNS.

Options

Options can be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:

nslookup -query=hinfo -timeout=10

The name of the option corresponds to the keyword of the set command. See below for a description of these keywords and their available settings.

Interactive commands

  • host [server]: Look up information for host using the current default server, or server if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.

    To look up a host not in the current domain, append a period to the name.

  • server domain, lserver domain: Change the default server to domain; lserver uses the initial server to look up information about domain, while server uses the current default server. If an authoritative answer isn't found, the names of servers that might have the answer are returned.
  • exit: Exits the program.
  • set keyword[=value]: Used to change state information that affects the lookups. Valid keywords are:

      • all: Prints the current values of the frequently used options to set. Information about the current default server and host is also printed.
      • class=value: Change the query class to one of:
          • IN: the Internet class
          • CH: the Chaos class
          • HS: the Hesiod class
          • ANY: wildcard
        The class specifies the protocol group of the information. (Default = IN; abbreviation = cl)
      • [no]debug: Turn on or off the display of the full response packet and any intermediate response packets when searching. (Default = nodebug; abbreviation = [no]deb)
      • [no]d2: Turn debugging mode on or off. This displays more about what nslookup is doing. (Default = nod2)
      • domain=name: Sets the search list to name.
      • [no]search: If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. (Default = search)
      • port=value: Change the default TCP/UDP name server port to value. (Default = 53; abbreviation = po)
      • querytype=value, type=value: Specify the type of the information to be returned in response to your query. The value may be one of the following, in upper or lower case:
          • a: an IP address
          • any: any and all available data
          • cname: canonical name
          • gid: a group identifier for a group name
          • hinfo: CPU and type of operating system
          • mb: mailbox domain name
          • mg: mail group member
          • minfo: mailbox or mail list information
          • mr: mail rename domain name
          • mx: mail exchanger
          • ns: the name servers for the named zone
          • ptr: if the query is an IP address, returns a server name; otherwise, a pointer to other information
          • soa: the start of authority for the named zone
          • txt: returns a textual string with relevant information
      • [no]recurse: Tell the name server to query other servers if it does not have the information. (Default = recurse; abbreviation = [no]rec)
      • retry=number: Set the number of retries to number.
      • timeout=number: Change the initial timeout interval for waiting for a reply to number seconds.
      • [no]vc: Always use a virtual circuit when sending requests to the server. (Default = novc)
      • [no]fail: Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail), or terminate the query (fail) on such a response. (Default = nofail)

Configuration files

nslookup makes use of the configuration file /etc/nsresolv.conf, if it exists, for any special DNS configuration you may need. This file is managed using the command line program resolvconf.

Deprecation

nslookup was briefly classified as "deprecated" by the Internet Systems Consortium in favor of the tools host and dig. They later reversed this decision, but it's important to note that host and dig can provide you with the same functions as nslookup, at a somewhat higher level of industry acceptance.

Examples

nslookup 204.228.150.3

Perform a reverse lookup of the IP address 204.228.150.3. Your domain server responds with the current information it has about that host, and it is displayed on your terminal screen. Output resembles the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
3.150.228.204.in-addr.arpa name = 204-228-150-3.xmission.com.

Authoritative answers can be found from:

nslookup -type=mx computerhope.com

Query your DNS for information about the mail exchange server(s) for the domain computerhope.com. Output resembles the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
computerhope.com mail exchanger = 10 mail.computerhope.com.

Authoritative answers can be found from:

nslookup -type=any google.com

Query your DNS for all available information related to the domain google.com. Output resembles the following:

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 74.125.226.167
Name: google.com
Address: 74.125.226.165
Name: google.com
Address: 74.125.226.169
Name: google.com
Address: 74.125.226.163
Name: google.com
Address: 74.125.226.168
Name: google.com
Address: 74.125.226.174
Name: google.com
Address: 74.125.226.162
Name: google.com
Address: 74.125.226.160
Name: google.com
Address: 74.125.226.161
Name: google.com
Address: 74.125.226.166
Name: google.com
Address: 74.125.226.164
google.com has AAAA address 2607:f8b0:4006:809::1009
google.com nameserver = ns3.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
google.com rdata_257 = \# 19 0005697373756573796D616E7465632E636F6D
google.com nameserver = ns4.google.com.
google.com text = "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com nameserver = ns1.google.com.
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
google.com
    origin = ns1.google.com
    mail addr = dns-admin.google.com
    serial = 2014110400
    refresh = 7200
    retry = 1800
    expire = 1209600
    minimum = 300
google.com nameserver = ns2.google.com.

Authoritative answers can be found from:

Related commands

dig — DNS lookup utility.
host — Convert a hostname to an IP address and vice versa.
ping — Send ICMP ECHO_REQUEST packets to network hosts.

Article information

Author: Margart Wisoky

Last Updated: 11/10/2022
