Nslookup Common Usage tips

As always, this is not a complete guide to nslookup but a quick how-to guide. The truth can be found in "man nslookup".

Nslookup is used for looking up name records from your DNS server. It can be used with your default name server (/etc/resolv.conf on Unix systems) or a name server of your choice. So here are some basic things (both diagnostic and non) that I do with nslookup.

Shortcuts:
Online Help
Basic Lookup
Changing servers
Mail Servers
Name Servers
The full domain
Authoritative vs. Non-authoritative Servers
Root Servers
Reverse Lookup

Online Help

samantha:~> nslookup

Default Server:  localhost
Address:  127.0.0.1

> ?
$Id: nslookup.help,v 8.4 1996/10/25 18:09:41 vixie Exp $

Commands:       (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands; see nslookup(1) for details
set OPTION      - set an option
    all         - print options, current server and host
    [no]debug   - print debugging information
    [no]d2      - print exhaustive debugging information
    [no]defname - append domain name to each query
    [no]recurse - ask for recursive answer to query
    [no]vc      - always use a virtual circuit
    domain=NAME - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME   - set root server to NAME
    retry=X     - set number of retries to X
    timeout=X   - set initial time-out interval to X seconds
    querytype=X - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,WKS,SRV,NAPTR
    port=X      - set port number to send query on
    type=X      - synonym for querytype
    class=X     - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional USER at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -h          -  list HINFO (CPU type and operating system)
    -s          -  list well-known services
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g., A,CNAME,MX, etc.)
view FILE       - sort an 'ls' output file and view it with more
exit            - exit the program, ^D also exits
>
We're using localhost for our DNS server. This is not really a regular occurrence, but it happens a great deal on single-computer networks. It is very common to find DNS on the same machine as a domain's mail server.

Basic Lookup


A basic nslookup, to find the address of the host www.cosby.dhs.org
> www.cosby.dhs.org
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    samantha.cosby.dhs.org
Address:  129.21.142.19
Aliases:  www.cosby.dhs.org

>
The host www.cosby.dhs.org is actually a CNAME (an alias) to the computer samantha.cosby.dhs.org. The address of both names (since they're one and the same) is 129.21.142.19

Changing Servers


Changing name servers to find out if changes have propagated (or are even being seen at all) is one of the most common uses of nslookup.
> server ns.mindspring.com
Default Server:  ns.mindspring.com
Addresses:  207.69.188.186, 207.69.188.187, 207.69.188.185

>
This changes your default server to mindspring.com. It's important to understand how this process works. nslookup will look up the address of the name server you want (or will simply go to it by IP if you specify the IP) in your current nameserver. Then it will switch to the new nameserver. If this new nameserver isn't actually running BIND, then not only will you be unable to run DNS queries, but you also won't be able to change nameservers except by IP. Another way out of that situation is to use the lserver command instead of the server command.
ns.mindspring.com has three different addresses. This is for redundancy and rudimentary load balancing. When you're running nslookup, nslookup gives you all three IPs so you have the complete information. But any other program that didn't specifically ask would get one of the three listed IPs to go to, thus balancing the load among the three servers.

Mail Servers


The mail server at a site is not always known as "mail." In csh, for instance, it's named "mcp." The only real way to find the mail server for a domain (or a host) is to specifically ask for its MX record.

> juno.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    juno.com
Address:  209.67.34.137

> set type=MX
> juno.com
Server:  localhost
Address:  127.0.0.1

juno.com        preference = 10, mail exchanger = mx.boston.juno.com
juno.com        preference = 10, mail exchanger = mx.jersey.juno.com
juno.com        nameserver = ns.boston.juno.com
juno.com        nameserver = ns.jersey.juno.com
juno.com        nameserver = ns.nyc.juno.com
mx.boston.juno.com      internet address = 207.205.100.140
mx.jersey.juno.com      internet address = 209.67.34.140
ns.boston.juno.com      internet address = 207.205.100.1
ns.jersey.juno.com      internet address = 209.67.33.2
ns.nyc.juno.com internet address = 205.231.108.1
>
This gives us a wealth of information about the structure of juno.com, which just about any host will need in order to send information to it. juno.com has two primary mail servers, each with a priority of 10. If one had a lower priority than the other, then anyone attempting to send mail to juno.com would send mail to the host with the lowest priority number first. Since their priorities are equal, an SMTP server would again just pick whichever one it felt like talking to. Note that a query with the type set to MX also returns NS records and the IP addresses of the MXs of the hosts/domains you asked for.

Name Servers


Occasionally we only want to find out what the address of a domain's name server is. This can be very useful information since when you ask a domain's authoritative server for an address, you know that you've got the latest, most correct version (in theory, at least).

> set type=NS
> westnet1.net
Server:  ns.mindspring.com
Addresses:  207.69.188.186, 207.69.188.187, 207.69.188.185

Non-authoritative answer:
westnet1.net    nameserver = NS1.westnet1.net
westnet1.net    nameserver = NS1.WCSC.net

Authoritative answers can be found from:
NS1.westnet1.net        internet address = 206.50.47.5
NS1.WCSC.net    internet address = 206.50.164.3
>
The domain westnet1.net uses the name servers ns1.westnet1.net and ns1.wcsc.net. Whichever one of these is the primary and whichever is the backup, they both look like primary servers to the outside world, and they both need to act as primary servers in order for names within westnet1.net to resolve correctly. Acting as a primary server, by the way, means that you answer "authoritatively" for the domain (i.e. you have the best answer and anyone who disagrees with you is wrong).

The Full Domain


Ever wondered what computers there were out there? Like which ones were available to talk to? Or just trying to figure out who runs what...? Well, there's an nslookup command designed specifically for that.
Default Server:  localhost.isc.rit.edu
Address:  127.0.0.1

> ls cosby.dhs.org
[localhost.isc.rit.edu]
$ORIGIN cosby.dhs.org.
@                       1D IN A         129.21.142.19
shawn                   1D IN A         129.21.60.18
kitten                  12H IN A        24.27.8.201
localhost               1D IN A         127.0.0.1
somegirl                1D IN A         129.21.142.10
malcolm                 1D IN A         207.160.66.126
samantha                1D IN A         129.21.142.19
ns                      1D IN A         129.21.142.19
ns2                     1D IN A         129.21.131.10
>


This is a list of the domain cosby.dhs.org. This listing ignores CNAMEs (aliases) to make the list a bit more compact and readable. The fields are, in order, the name of the host, the time it can safely be kept in a local cache (1D being a day, 12H being 12 hours), its address type (IN meaning internet), its record type (A being authoritative), and its IP (for an IN address anyway). Note that the information in an ls listing for nslookup is generally considered private, so on a well-maintained nameserver the IPs that can access that information are limited.
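
An added example (not part of the original guide): a shell helper, under the hypothetical name zone_records, that reads an ls listing in the format above, expands each name against $ORIGIN, converts the TTL to seconds, and marks loopback or RFC 1918 addresses. It is a quick way to review what your own zone hands out to anyone allowed to list it. The sample input is constructed from the session above.

```shell
# Constructed sample: part of the cosby.dhs.org listing from the session above.
ZONE='$ORIGIN cosby.dhs.org.
@                       1D IN A         129.21.142.19
shawn                   1D IN A         129.21.60.18
kitten                  12H IN A        24.27.8.201
localhost               1D IN A         127.0.0.1
somegirl                1D IN A         129.21.142.10
ns2                     1D IN A         129.21.131.10'

# zone_records (hypothetical helper): read an "ls" listing on stdin and print
#   fqdn  ttl-in-seconds  record-type  address  note
# where note is loopback, private (RFC 1918) or public.
zone_records() {
    awk '
    # Convert a TTL such as 1D or 12H to seconds (units: W, D, H, M, S).
    function ttl_secs(t,    n, u) {
        n = t + 0                          # leading digits of the field
        u = toupper(substr(t, length(t)))  # last character is the unit
        if (u == "W") return n * 604800
        if (u == "D") return n * 86400
        if (u == "H") return n * 3600
        if (u == "M") return n * 60
        return n                           # bare number or S: already seconds
    }
    $1 == "$ORIGIN" { origin = $2; next }
    NF == 5 && $3 == "IN" {
        # "@" stands for the origin itself; other names are relative to it.
        name = ($1 == "@") ? origin : $1 "." origin
        note = "public"
        if ($5 ~ /^127\./) note = "loopback"
        else if ($5 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) note = "private"
        print name, ttl_secs($2), $4, $5, note
    }'
}

# Print the normalised listing for the sample zone.
printf '%s\n' "$ZONE" | zone_records
```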


Authoritative vs. Non-authoritative Servers

Oftentimes it's important to be sure you have the latest information on what names go with what addresses. When you need to know that the information you're getting is 100% correct, it behooves you to go looking for the authoritative servers for a domain.
While you should, in theory, be able to get whatever information you need about a domain from any nameserver on the internet, there are times when the servers you're asking information of have cached old data and are serving it to you. In this instance you want to ask that server for the nameserver of the second domain and then go to that server and ask for the address you want.

> set type=A
> cosby.dhs.org
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    cosby.dhs.org
Address:  129.21.142.19

> set type=NS
> cosby.dhs.org
Server:  localhost
Address:  127.0.0.1

cosby.dhs.org   nameserver = ns.cosby.dhs.org
cosby.dhs.org   nameserver = ns2.cosby.dhs.org
ns.cosby.dhs.org        internet address = 129.21.142.19
ns2.cosby.dhs.org       internet address = 129.21.131.10
> server ns.cosby.dhs.org
Default Server:  ns.cosby.dhs.org
Address:  129.21.142.19

> set type=A
> cosby.dhs.org
Server:  ns.cosby.dhs.org
Address:  129.21.142.19

Name:    cosby.dhs.org
Address:  129.21.142.19

>


In this example I ask my default server for the address of cosby.dhs.org. It gives me the last address it's gotten for that name but also warns that its answer is not "authoritative", meaning that it takes no extra measures to be sure that it has the most current data for cosby.dhs.org and that if you want to be sure of the current data you should ask cosby.dhs.org's nameserver.
Since we do want the most up to date information possible, we ask our server for cosby.dhs.org's name server. If we were really paranoid we could ask root-servers.net for the address of dhs's name server and then ask dhs's name server for the address of cosby.dhs.org's nameserver.
We set our server to the name server address/name we just found. Then we ask for cosby.dhs.org from this new nameserver. It returns the address to us, but without the warning that it may be out of date.
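
The procedure above as an added example, not from the original guide: shell helpers (all names hypothetical) that read saved nslookup replies in the format shown on this page, pick out the name servers to switch to, and report whether the cached answer matches the authoritative one. The sample replies are constructed from the session above.

```shell
# Constructed sample input: the three replies from the session above.
CACHED='Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    cosby.dhs.org
Address:  129.21.142.19'
NSREPLY='cosby.dhs.org   nameserver = ns.cosby.dhs.org
cosby.dhs.org   nameserver = ns2.cosby.dhs.org
ns.cosby.dhs.org        internet address = 129.21.142.19
ns2.cosby.dhs.org       internet address = 129.21.131.10'
AUTH='Server:  ns.cosby.dhs.org
Address:  129.21.142.19

Name:    cosby.dhs.org
Address:  129.21.142.19'

# All helper names are hypothetical; each reads nslookup output on stdin.

# is_cached: true when the reply carries the non-authoritative banner.
is_cached() { grep -q '^Non-authoritative answer:'; }

# nameservers: "host address" for every name server listed with an address.
nameservers() { awk '/internet address = / { print $1, $NF }'; }

# answer_addrs: addresses of the answer only, skipping the Server:/Address:
# header, which describes the resolver that was asked.
answer_addrs() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address(es)?:/ {
             sub(/^Address(es)?:[ \t]*/, ""); gsub(/,[ \t]*/, "\n"); print
         }' | sort -u
}

# compare_answers CACHED AUTH: prints match, stale, or unverified (the second
# reply was itself served from a cache, so it confirms nothing).
compare_answers() {
    if printf '%s\n' "$2" | is_cached; then echo unverified; return 0; fi
    if [ "$(printf '%s\n' "$1" | answer_addrs)" = "$(printf '%s\n' "$2" | answer_addrs)" ]
    then echo match
    else echo stale
    fi
}

printf '%s\n' "$NSREPLY" | nameservers   # candidate servers to switch to
compare_answers "$CACHED" "$AUTH"        # cached answer vs. authoritative one
```

For live data, save the output of `nslookup -type=A cosby.dhs.org` and of `nslookup -type=A cosby.dhs.org ns.cosby.dhs.org`, then pass the two replies to compare_answers.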

Root Servers

So how exactly would a name be looked up "from scratch"? Well, for the address www.cosby.dhs.org you want to contact cosby.dhs.org's name server to ask for www. But to find cosby.dhs.org's nameserver you need to ask dhs.org. And of course to find dhs.org's nameservers you'd simply ask .org's nameserver. But where is .org's nameserver? This is where the idea of "root servers" comes in. Somewhere out there are nameservers that are the authority on top-level domains. Sort of.

> server a.root-servers.net
Default Server:  a.root-servers.net
Address:  198.41.0.4

> set type=NS
> dhs.org
Server:  a.root-servers.net
Address:  198.41.0.4

Non-authoritative answer:
dhs.org nameserver = NS1.dhs.org
dhs.org nameserver = NS2.dhs.org

Authoritative answers can be found from:
NS1.dhs.org     internet address = 209.249.50.99
NS2.dhs.org     internet address = 207.71.8.95
>
The line "set type=NS" is very important. Because the root servers are very busy (serving all the top-level domains isn't easy, even if they don't really do that) they don't service any requests except to find the nameservers of other domains. If you don't ask for an NS record, a root server will politely (but firmly) tell you to ask your local nameserver (based on your IP) the same question.
Of course, the "root servers" don't handle every domain, because they don't own the rights to all of them. In fact, the "root servers" only serve .com, .net, and .org (that I'm not too sure about).