This series explores the practical application of DNS, the Domain Name System. We demonstrate using DNS records to support websites, mail servers, and other services. Other topics addressed include DNS security, replication, and popular server software including BIND and Microsoft Windows DNS.
DNS Overview
In this episode, Wes and Don discuss how to obtain information from a DNS server with the nslookup command. They explain the two modes, interactive and non-interactive, that an administrator can use and what each mode is used for.
0h 23m
Welcome to ITProTV. I'm your host, Don Pezet [CROSSTALK] [MUSIC] You're watching ITProTV. Welcome back to another exciting episode here at ITProTV. I'm your host, Wes Bryan, and today, we've got a really good subject coming at you. We're gonna be talking about one of the most important services on the Internet that really makes us get around the Internet. And joining me in the studios today for that topic is none other than Mr. Don Pezet. Don, how are you doing sir? I'm doing great, Wes. Ready to dive right back into DNS. In this episode, we're moving on with our command line utilities, some of our utilities that we can use with DNS. And in this particular episode, we're gonna look at nslookup, which is probably one of the most useful command line utilities when it comes to working with DNS. Anytime you're doing configuration changes, anytime you're putting entries in, we need to be able to verify that they work. You need to be able to test to make sure that our names are resolving, and that's where nslookup comes in. So, just a real brief synopsis on nslookup. The name stands for name server lookup. Just a command line utility that we can reach out and it talks to DNS servers, so that we can recreate the queries that all of our other servers are doing in the background. Nice thing about nslookup, it's present on Windows, Linux, Unix, MacOS. Pretty much every system these days has nslookup baked in. And to be honest with you, I can't remember the last time that I encountered a system that didn't have it. There's some of those really stripped down Linux distros that might not have it installed by default, but you can throw it right on there pretty easily through one of the repositories and have access to it. The other nice thing about nslookup is the command line syntax is pretty much identical between all the operating systems. So, if you know how to use it on Windows, then, you know how to use it on a Mac. 
And if you know how to use it on a Mac, you know how to use it on Unix and Linux. So, it's all kinda tied together and that makes this one really robust. So, that's what we're gonna take a look at right here in this episode. All right, so, enough talking about it. All right, let's get in here and take a look and see it. You know you have nslookup, well, it's actually pretty easy to see. We know we have it in pretty much every operating system out there. You can just run it and see. If you don't have it for some reason, which really would just be like kind of some Linux distributions that might not have it, most of us, we should have this, no big deal, right? But if you just run it, what you should see is basically what I got right here. It's gonna jump in and you should end up with a greater than prompt like that, all right? What I just did is I entered what's called the interactive command line for nslookup. So, once I'm in here, I'm technically still in the nslookup utility. And now, I can start running commands against it, as many commands as I want, all right. But for most of us, we're not gonna go with the interactive mode. We're going to stick with the non-interactive mode, where we run a command, it does what we ask it to do, and then it's done, right? It just gets in, gets out, and in, that's it. So, let me exit out of that, back to my prompt. And the non-interactive mode is the most straightforward. It is the one I use most of the time. We're just trying to do something like simple name resolution. So, if I wanna find out what the IP address of the ITProTV website is, right? What I can do is I can jump in here and I can just say, nslookup itpro.tv. And it's gonna reach out to that DNS server and it's gonna do a lookup, okay. Now, when it did the lookup, notice I got this DNS request timed out, right? Timeout was 2 seconds. What does that mean? Well, whatever my main DNS server is wasn't answering. And so, it skipped forward to the next one, right? 
I can see that progression that just happened and it moved forward to a Google server, to Right, so, I hit that one and that one was fine. And then, I was able to resolve my address. So, I get some feedback about that query process and what happened. But it's not terribly detailed, right? It didn't tell me what it timed out on. So, what was my primary DNS server? I don't know. It also says here that it's a non-authoritative answer. Now, remember, with non-authoritative, that means the server that I asked didn't actually have the answer for me. It had to do a recursive lookup against some other server. And so, it reached out and talked to other servers and hid all that from me and gave me this answer. When we use the non-interactive mode, you get a really simplified output like this. If we want really detailed output where we see all the different steps, that's where the interactive mode comes in. So, that's a real simple lookup right there. You provided a domain name or a host name, and it gives you back an IP address. There's really only one other thing we can do here from the non-interactive mode. Notice how I get the server that I did a lookup against, right? I can override that server. I can say instead of looking up against, maybe, I wanna lookup against, all right? And when we do that, we're overriding the server. Now, why would we wanna do that? Well, have you ever made a change to a public DNS record? So, if you go on GoDaddy or Hover or Register, or whatever it is that you purchase your domain name. You log in to the website and you make a change to an A record. The real message it'll say, this could take up to 48 hours to take effect. But what does that mean? In computers, what takes 48 hours? Well, your change actually takes effect immediately, right the moment you do it. But people around the world will cache your DNS record and they can cache it for up to 48 hours. So, that's why they warn you about that. 
Hey, it can take up to two days for everybody to purge their cache and learn your new address. So, if you ever wanna see how far you've propagated out, you might do what I just did. Do a lookup against Google server. Do a lookup against Level Three server. Do a lookup against your ISP, other people's ISPs and see whether they've received the change already or not, and you'd be surprised. It's a rare change that takes more than like an hour to propagate out these days. Don, now, when you said override, is that taking the interface assigned DNS server and saying, hey we're not gonna use this. We're gonna use the IP address of what you've just put there at the end of nslookup? Yeah, on Windows, it's whatever DNS server you have assigned to your network adapter. If you're running Mac or Linux, it's whatever DNS servers are in your resolv.conf file. So, that's what a stuff's defined, and that's all nslookup does is it looks up those things. I guess, important thing to mention here is that some operating systems have a DNS cache built in to them, right? Windows has it, it's super annoying, where [LAUGH] Windows will do a lookup and it will cache a record. And then, when you go to browse that webpage again, it doesn't actually go out to the DNS server. It just uses its own cache, right? This is where the whole 40-hour thing comes in. So, if we wanna override that, well, in Windows, some of you guys might be familiar with the command. Let me show you. It's ipconfig /flushdns and that will wipe your DNS cache, right? Well, nslookup doesn't use the DNS cache in Windows. So, it's actually bypassing that cache. Now, the reason I bring that up is you might fire up a web browser, and try and go to web page, and you can't get there. And you drop to a command prompt and use nslookup, but it shows us the right IP. And the problem is that Chrome, Firefox, Internet Explorer, whatever, might be using the DNS cache and nslookup isn't. And so, they have two different records. 
That's where you might have to flush the cache here. But nslookup does not use the DNS cache on your system. So, if you want just a quick answer from a DNS server, you can just use nslookup, you said, in the non-interactive mode. Now, you mentioned that term interactive mode, you said, that's where the action's at. Tell us a little bit about that, Don. All right, so, pretty limited options here, right? I can provide a host name or DNS name and I can override the server, and that's really about it. But if we get into the interactive mode, there are a ton of options that we can jump in there and start to manipulate it and change. So, if I just run nslookup by itself, that's gonna take me into that interactive prompt and I'll get my DNS timed out again. [LAUGH] So I'll just switch over to the other server. So, anyhow, once I'm in there, now, I could start to change the way things work. If you just do a question mark, you'll get a list of all the different commands and things that we can put in there. And right off the bat, you'll notice that you can do a lookup for a name or a host name just by typing it in. So, I just type in whatever that name is. Type in ITProTV and it will resolve it. But then, there's all these set options that we can do. To override the way that things are working. And way down here we'll see where we can set the server also. So earlier I was overriding the server from the command line. From here, anytime I do a look up, right now it's using, right? So if I do a look up for itpro.tv It's using But if I do server, right? Now it's changing my resolver. I'm now changed over to, and every look up I do from here on out, it's gonna do against that resolver. So if I look up itpro.tv. There we go, it ran it, and it ran it against and I didn't have to tell it. And then I could jump in and say cnn.com, and there it goes, again off of If I do a server, let's see 8.8. What's the other one, 4.4 That's it, the other Google one. 
There we are, I'll switch to the other Google one. And now I can run that lookup for itpro.tv, and there it goes doing that lookup. And it didn't make me have to provide the server every time. Now Don, with all those options, who is the demographic? Who would really be using this with all those, all that flexibility and power? All right, so an end user or a Help Desk technician might use the basic nslookup just to test DNS resolution or to find out the IP of a host, all right? But beyond that, it's really gonna be DNS administrators. If you're administering a DNS server, nslookup has some incredible features in it that will let us troubleshoot the server. Let me just give you an example. So there are some denial of service attacks that can be pulled off against DNS servers using TCP. And so you might decide to block TCP and only allow UDP lookups against your server, or vice versa, you might want to go the other way. So maybe you configure your server to only answer on UDP, or only answer on TCP. How do you test that? Well, in nslookup, let me just do that question mark again, or actually you can do, well there's a few ways. I'll do the question mark. If you look, there's all these set OPTIONs in here. And if you look at the set OPTIONs, and kinda look down at the list, you'll see where you can override all sorts of different things. How you do the transfer, the class, the type of query, the timeout, the domain, the search list. And just all sorts of really interesting things here to tweak. And so, you can see how you're talking to that server. One of my favorite options is this debug option. The debug option gives you a ton of output about that lookup, right? Let me show you that in action. I'm gonna do a lookup for itpro.tv. Very simple, I get the server that I do the look up against, and then I see the host name and the IP address that I got back, and that's it. 
It was non-authoritative so I know other stuff happened in the background, but I don't see it, all right? Let me just clear a little bit of this. And what I'm gonna do now, is I'm gonna say, set debug, all right? Set debug, that turns on the debug mode. And now I'm going to get a very verbose output. When I do a look up for itpro.tv, I get a lot more information. Look at all this, right? I do see that I reached out to Google server, and then here's my answer that came back, right? I got a header. I got a query, is what I performed. I got no error on the query. Sometimes you can have a malformed query and it'll show up if there was an error right there. I can see there was a response. We wanted recursion, and recursion was available. This server didn't have the answer so it's gonna have to go somewhere else. I see I sent one question. I got one answer. And I guess this is kind of off my screen here, but authority record 0. We didn't have the record for it, we had to go somewhere else, right? And then, here's the question that I asked, and here's the answer that I got with a ttl, and how long it took. So it's laying all that out for me, and kinda putting it in here. And as I look at it, if you see a little bit here as far as like a AAAA record, which should be IPv6. We actually don't have one, and so this came back empty. But it looks like I did IPv4, as well as an IPv6 look up for that host, for itpro.tv. And that's cuz I'm on Windows, not every operating system does that. Now Don, right there in that last bit of output you've talked about in other episodes, about the start of authority. Is that what we're seeing, the authoritative information for this response? Absolutely, so ITPro.TV, if I remember right, that domain is registered with a registrar called Hover.com. And so if I were to do a lookup against Hover's DNS servers, then I would get an authoritative response on it. But if I ask any other DNS server on the planet, it's not gonna be authoritative, right? 
It's going to have to send that query up through the tuple, the domain chain, right? So it's gotta start at a root hint server, and it's gotta find the servers for .TV, right? TV's a country code, so it's gotta go and find that country code and who manages that. And once it finds that, then it can find where the actual SOA for ITPro.tv is, and then it can go there to get the authoritative answer, and pass that back over to me. So there's gonna be at least three more lookups that are kind of on the back-end of this query that I sent, assuming it's not cached. It could already be in the DNS cache for Google, and they'll respond. That's the advantage of using Google servers, is that they've cached darn near everything. So you can get those responses back really quick. All right, so that's debug. With the debug option we saw a lot of good output but there are a lot of things that you don't necessarily see, and we'll see other utilities later on that will let us see even more. But there's another thing that I find kind of useful in the Windows world. Windows, if you have a Windows machine joined to a domain, you'll have a default suffix list. So when you do a search for a single name, it will append onto the end of it what your search list is. So for example, if I have a domain called domain.net. And I do a lookup for ITPro.tv, the lookup might actually get formed as ITPro.tv.domain.net. It sticks it on the end, which is kind of annoying. And so you'll notice in my set options that we can do this enabling and disabling of the search, right? That's the suffix list. And do we wanna search this list or not? Do I just wanna search for what I typed? Or do we wanna add the search list to the end, right? You can do the same thing with recursion. So maybe I don't want to do recursion. Either this server is gonna have the answer I want, or they're not. Now by default that's on. We ask for recursive queries, right? So set recurse is the default. 
So me entering that in is gonna have no effect, right? But if I do set norecurse, now I'm disabling recursive queries, right? And if I do a look up against Google for example, my debug is still on. I'm gonna do a set nodebug. All these set commands, to turn them on, you do set and the name of the command. To turn them off you do set, and then no followed by the command. The part I always forget, cuz I'm from the Cisco stuff, I always forget to leave the space out, right? It does need to be nodebug all one word. If you put the space in there, it doesn't work. So I just turned that off. But if I do a lookup now for itpro.tv, it's gonna reach out. And see how I got can't find itpro.tv, server failed? It worked a minute ago. Why isn't it working now? Well, because I turned off recursion. If I do a set debug. And I redo that look up, I can look in here and I can see I got a code that said server fail, all right? I ask one question, I sent it there, but not notice I've got, I want a response. Recursion is available but I didn't ask for recursion. And so it didn't do it, and as a result I didn't get the answer, because I blocked it. If I do a set recurse and turn that back on, now I can do that lookup. And it should work this time, there we go. So it worked, and if I scroll back, there's that want recursion, that's the key part right there that we're changing. So I'm manipulating the way the query actually runs. And that's very powerful. Because if you're trying to test, is your SOA working? You could point to the SOA server, and you would wanna turn off your recursion there and make sure you are getting the authoritative answer right from that server. All right, other things we can do here. Let me turn off some of this stuff that I've got on. So I'm gonna do a nodebug and I'm gonna set recurse back on. All right, when I did my lookup for itpro.tv and I had debug turned on, you saw where I asked for an A record and a AAAA record, IPv4 and IPv6. 
When you do a lookup, and we don't have an IPv6 record for ITProTV. So let me pick somebody who does, like Google. If I do a lookup for Google.com, right, I get all their addresses. And notice here's IPv4 addresses and an IPv6 address. It looked up both. But you can manipulate that. If you look at all the set commands that we can run, one of the set commands is type. And there's actually an old format which is Query Type. It's actually the same thing, just more typing. So if you type equals you can tell it exactly what kind of record you're looking for. So if I do a set type equals A, I'm only going to look for the A records. And now when I do google.com I don't get the IPv6 record, right? Likewise, I could say set type=AAAA. And now when I query Google, I only get the IPv6 record, right? Now I'll be honest with you guys, I don't do this one very often because I normally want both, right? But where I use this are other records. Hey, I wanna find out who's the authoritative DNS Server for ITProTV? I don't know, right? So if I want to find out, I can set my type to NS to show me the name server records. And let me pull that up for itpro.tv. All right, so I'll punch that in itpro.tv, and it's going to reach out and it's going to find out. Here is the authoritative DNS server where it's supposed to be and you'll see ours is hosted in the Amazon Web Services. So we've got awsdns server listed right there. So if I were to look up against one these guys, they could give me an authoritative answer for our domain, right? Because I changed that type, these records aren't normally shown to me. I could also do set type=MX, right? I want to see the mail exchange records for itpro.tv. And so I can punch that in. And now I can see right there. There's the itpro-tv.mail.protection.outlook.com. It's in Office 365. So that's an easy way to spot who's using Office 365, or Google Apps for Work or whatever. I can see those mail exchanger records. Right there, okay. 
Now my favorite set type command is one that actually I'm not even sure if it's in the documentation. Let's see if it shows up. But it's set type equals all, enter or any, any or all is the same thing, they get processed the same way. But we can punch that in. And so if you do a set type=ALL, now when I do that lookup for itpro.tv it's gonna return everything that it can, okay? And all and any, they work the same way. So you can punch in either one, I did all because that's what I'm used to, any was in the documentation. But if I look, I'm getting the name server records. I'm getting the MX records, I'm also getting text records down here. Which are really handy if you're working with, like, a Sender Policy Framework, SPF, like you're doing anti spam measures in your DNS record. You can come and you can see those text records and see what is my SPF set to and you will start to see the approved email servers for ITPro.TV. You can really get some good data right in here. All just by viewing that domain. And that's a pretty handy thing to see. All right, let's see what else do we have in here that we can tinker with? Let me show an older command. This one is not incredibly useful on public DNS servers. It's the ls command. The ls command is the list command, and what you used to be able to do back in the day when the Internet was very small was that you could connect to a DNS server and you could say ls itpro.tv. And that would say give me the listing for the itpro.tv DNS server. Give me everything you've got in the DNS file format. And it would output it on the screen in a file format that you could save as a text file and load right into BIND or Windows DNS or whatever. Now you could host that zone. What you're effectively doing is what's called a zone transfer, right? A zone transfer is when we synchronize a zone between two DNS servers. They're using the ls command. You used to be able to do that on pretty much any domain. 
Now when you do it, you'll get the error restricted, right? Can't list domain server failed. So, not useful on a public server, but on a private server, in your own business if you've got Microsoft Active Directory, or BIND running on your own Linux and Unix servers, you might want to connect up and do a zone transfer. Connect and download the whole zone file to back it up. And that way if you ever lose the server you've got a backup on the zone file right here in this ls command. And you can do ls for whatever your domain is, right, so maybe you have like company.com. And then you can pipe that into a file, so you might call it company.com.dns that's the normal file name. It's just a text file, call it whatever you want but most people do end them with dot-dns and if you're running BIND or Windows DNS they actually look for a file like that for domain. And I can dump into a file copy that to a DNS server and bring that zone right back up on a new DNS server very easily. All right, so on private servers that works if you are approved for doing zone transfers. On public servers, you're not normally approved for doing zone transfers. You at least have to be listed as an NS record but most of them actually require you to put it into some security profile on the back end. So that's a neat command that's there, but you really don't see it in use all that often anymore. Because you've gotta be approved, right? Security is far different in the world of DNS today than what it used to be. Don, that's a lot of great information, in fact now I'm gonna be using that set command now that I know it a little bit better. It does look like we're gonna wrap this one up soon, but before we do, do you got any additional words on using nslookup? Any tips or tricks? There are more commands in there, and you probably notice like when I did the question mark there were a handful like setting the class and setting route and so on. Those are useful in very, very few scenarios. 
Class is pretty much useless. There's really only one class these days. The IN, or the internet class. The other ones are like the chaos class, the class, the test class. Those are all way back in the early days of DNS, and they aren't really used anymore. Other ones like manipulating how the internet transfers work, again there's really only one way in use anymore, so there's not really a reason to override those. Root can be kind of handy, if you're overriding the root hint servers on the internet, if you're not using those, you can connect to any server and use the set root command. To flag it as the root and you won't use root hints anymore. Everything will go against that one server. Not something I've ever had to use in production, but it is there. So the commands that I didn't show are ones that just we're not really gonna use that much. There's the search list command, where you can create a suffix search list if you want, right there inside of nslookup. We've usually already got that defined on our systems, we don't necessarily need it there. And then timeouts and retries. You can override the timeout time and the retry time. They're the amount of retries, and the interval of the timeout, to use the right terminology to kinda manipulate those. Again, less common use scenario. What we saw through the whole beginning of this is really kinda the important meat and potatoes of nslookup. Well, Don, that's a wealth of information and we appreciate it. We appreciate the viewers, so we're gonna go ahead and sign out here at ITProTV. I've been your host, Wes Bryan. And I'm Don Pezet. And we'll see you next time. [MUSIC] Thank you for watching, ITProTV.
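The header fields that nslookup's debug mode prints (opcode, the rcode such as NOERROR or SERVFAIL, the "want recursion" and "recursion avail." flags, and the question/answer/authority counts) are a direct readout of the 12-byte DNS header. As an added example that is not part of the episode, the Python below builds the query nslookup sends with `set recurse` versus `set norecurse` (the RD bit is the only difference), decodes a response the way the debug view does, and uses a constructed reply builder standing in for a resolver; the IP address and TTL are constructed sample values, not real records.

```python
import struct

# Header flag bits, labelled as nslookup's debug output labels them
FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", recurse=True, txid=0x1234):
    """Query as nslookup sends it; `set type=` picks qtype, `set [no]recurse` the RD bit."""
    flags = FLAGS["RD"] if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def decode_name(pkt, off):
    """Decode a name at `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the packet
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(pkt, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def parse_response(pkt):
    """Return the header fields nslookup's debug view shows, plus decoded A answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {
        "id": txid,
        "opcode": (flags >> 11) & 0xF,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [n for n, bit in FLAGS.items() if flags & bit],  # RD = "want recursion", RA = "recursion avail."
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
        "records": [],
    }
    off = 12
    for _ in range(qd):          # skip the echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    for _ in range(an):          # answer RRs: name, type, class, ttl, rdlength, rdata
        name, off = decode_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        info["records"].append((name, rtype, ttl, value))
    return info

def build_response(query, rcode=0, answers=(), ra=True):
    """Constructed stand-in for a resolver: echoes the question, copies RD, sets QR/RA and rcode."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAGS["QR"] | (qflags & FLAGS["RD"]) | (FLAGS["RA"] if ra else 0) | rcode
    body = query[12:]  # question section exactly as sent
    for ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name -> pointer to offset 12
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body

if __name__ == "__main__":
    # `set recurse` (default): RD set, resolver answers NOERROR with a constructed A record
    q = build_query("itpro.tv", "A", recurse=True)
    print(parse_response(build_response(q, answers=[("203.0.113.10", 300)])))
    # `set norecurse`: RD clear; a non-authoritative resolver has nothing to give back
    q2 = build_query("itpro.tv", "A", recurse=False)
    print(parse_response(build_response(q2, rcode=2)))
```

The second case reproduces what the episode shows after `set norecurse`: the reply carries RA ("recursion avail.") but not RD, an answer count of 0 and rcode SERVFAIL.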

Learning Style

On Demand

Length of course

13h 25m
28 Episodes

Here are the topics we'll cover

  • DNS Utilities
  • Configuring Host Records
  • Configuring Email Services
  • Public Domains
  • Configuring Zones
  • Zone Replication
  • Microsoft DNS Server
  • BIND DNS Server
  • Unbound DNS Server