The nslookup command uses the settings in /etc/resolv.conf and totally ignores /etc/hosts to perform address resolution:
root:/etc> nslookup 8.8.4.4
Server: 141.228.16.34
Address: 141.228.16.34#53

Non-authoritative answer:
4.4.8.8.in-addr.arpa name = google-public-dns-b.google.com.

Authoritative answers can be found from:

root:/etc> nslookup google-public-dns-b.google.com
Server: 141.228.16.34
Address: 141.228.16.34#53

Non-authoritative answer:
Name: google-public-dns-b.google.com
Address: 8.8.4.4
We can explicitly state the nameserver we want to use (1.1.1.1) to override those specified in /etc/resolv.conf:
root:/etc> nslookup 8.8.8.8 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
8.8.8.8.in-addr.arpa name = google-public-dns-a.google.com.

Authoritative answers can be found from:
When we are inputting DNS addresses we can either specify the FQDN or skip the domain (the one in /etc/resolv.conf will be used):
root:/etc> grep search /etc/resolv.conf
search google.com

root:/etc> nslookup google-public-dns-a
Server: 192.168.123.200
Address: 192.168.123.200#53

Non-authoritative answer:
Name: google-public-dns-a.google.com
Address: 8.8.8.8
We can enable a more verbose output…
root:/etc> nslookup -debug google-public-dns-a
Server: 192.168.123.200
Address: 192.168.123.200#53

------------
    QUESTIONS:
        google-public-dns-a.google.com, type = A, class = IN
    ANSWERS:
    ->  google-public-dns-a.google.com
        internet address = 8.8.8.8
        ttl = 5027
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name: google-public-dns-a.google.com
Address: 8.8.8.8
… and even more verbose for trouble-shooting:
root:/etc> nslookup -d2 google-public-dns-a
main parsing google-public-dns-a
addlookup()
make_empty_lookup()
looking up google-public-dns-a
setup_system()
create_search_list()
ndots is 1.
copy_server_list()
…
success
flush_server_list()
freeing commctx
freeing socketmgr
freeing timermgr
destroy DST lib
detach from entropy
unlock_lookup dighost.c:3887
Destroy the messages kept for sigchase
Removing log context
Destroy memory
We can set the number of retries when no reply is received, and the timeout interval:
root:/etc> nslookup -retry=2 -timeout=1 www.google.com
The DNS port is most often set to 53 (the default) but if the nameserver you are using is listening on another port you can tweak the command so that it uses that port:
root:/etc> nslookup -port=54 8.8.8.8 192.168.111.100
Usually the DNS server forwards your query to other DNS servers if it does not know the answer (it is neither cached nor in one of its zones). If you want the reply from a particular server without any such forwarding, norecurse clears the recursion-desired flag so that the server answers only from its own cache or zones:
root:/etc> nslookup 8.8.4.4 -norecurse 192.168.111.100
By default nslookup uses UDP to talk to nameservers, but you can switch to TCP if you need to (e.g. firewalls getting in the way, unreliable networks, etc.) with the vc option:
root:/etc> nslookup 8.8.4.4 -vc 192.168.111.100
The default type of nslookup query is assumed to be “A” for IPv4…
root:/etc> nslookup -q=A www.google.com
Server: 192.168.123.200
Address: 192.168.123.200#53

Non-authoritative answer:
Name: www.google.com
Address: 172.217.23.100
… but we can also inquire for IPv6 addresses by stating an “AAAA” type…
root:/etc> nslookup -q=AAAA www.google.com
Server: 192.168.123.200
Address: 192.168.123.200#53

Non-authoritative answer:
www.google.com has AAAA address 2a00:1450:4002:805::2004
… and ask about the nameservers for a certain domain…
root:/etc> nslookup -q=NS facebook.com
Server: 192.168.123.200
Address: 192.168.123.200#53

Non-authoritative answer:
facebook.com nameserver = b.ns.facebook.com.
facebook.com nameserver = a.ns.facebook.com.
… and list the mail servers…
root:/etc> nslookup -q=MX gs.com
Server: 192.168.123.200
Address: 192.168.123.200#53

Non-authoritative answer:
gs.com mail exchanger = 10 mxb-0014b501.gslb.pphosted.com.
gs.com mail exchanger = 10 mxa-0014b501.gslb.pphosted.com.
… and query the start of authority (SOA) record of a zone, which names the primary nameserver and the admin mailbox and carries the serial and the zone timers:
root:/etc> nslookup -q=soa localnet
Server: 192.168.123.200
Address: 192.168.123.200#53

localnet
    origin = ns1.localnet
    mail addr = root.localnet
    serial = 2018082308
    refresh = 3600
    retry = 900
    expire = 604800
    minimum = 1800
The host command works exactly the same way as nslookup but with a slightly different output and flags:
root:/etc> host 8.8.4.4
4.4.8.8.in-addr.arpa domain name pointer google-public-dns-b.google.com.

root:/etc> host -R 3 -T -s 8.8.4.4 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
4.4.8.8.in-addr.arpa domain name pointer google-public-dns-b.google.com.
The second example above makes 3 attempts to contact the nameserver (“-R 3”), uses TCP rather than the default UDP (“-T”) and uses nameserver 8.8.8.8 and no other (“-s”) to reverse-resolve the IP 8.8.4.4.
The dig command is more powerful than the previous two and unlike them it checks /etc/hosts if the name or IP cannot be resolved by the nameservers. Let’s look at some examples to see how to use dig:
root:/etc> dig assemblea.cat → same as "dig -q assemblea.cat"
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> assemblea.cat

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22716
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;assemblea.cat. IN A

;; ANSWER SECTION:
assemblea.cat. 3600 IN A 81.169.149.37

;; AUTHORITY SECTION:
assemblea.cat. 86384 IN NS dns2.pdimedia.com.
assemblea.cat. 86384 IN NS dns1.pdimedia.com.

;; Query time: 55 msec
;; SERVER: 141.228.16.34#53(141.228.16.34)
;; WHEN: Mon Sep 28 12:59:33 BST 2015
;; MSG SIZE rcvd: 109
The query above is a typical one, using the nameservers in /etc/resolv.conf and all the default options. Without any flag, dig treats the input as a name to be resolved into an IP (an A query); we would get the same result with the -q flag. To resolve an IP into a name (a PTR query) we use the -x flag:
root:/etc> dig -x 81.169.149.37

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43637
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;37.149.169.81.in-addr.arpa. IN PTR

;; ANSWER SECTION:
37.149.169.81.in-addr.arpa. 1799 IN PTR assemblea.cat.

;; AUTHORITY SECTION:
assemblea.cat. 83863 IN NS dns2.pdimedia.com.
assemblea.cat. 83863 IN NS dns1.pdimedia.com.

;; Query time: 36 msec
;; SERVER: 141.228.16.34#53(141.228.16.34)
;; WHEN: Mon Sep 28 13:02:15 BST 2015
;; MSG SIZE rcvd: 82
We see in the examples above that a dig query shows 5 sections by default:
• Header → dig version, options used, and number of queries/answers/authorities/additionals.
• Question → parametrised query being executed.
• Answer → output received from the nameserver.
• Authority → authoritative nameservers for the IP/name given.
• Additional → IPs of the nameservers, query response time, message size, etc.
If we want to omit some of those sections we can do so with the options +nocmd, +nocomments, +noquestion, +noauthority and +nostats.
root:/etc> dig -x 81.169.149.37 +nostats
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37 +nostats
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3649
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;37.149.169.81.in-addr.arpa. IN PTR

;; ANSWER SECTION:
37.149.169.81.in-addr.arpa. 1771 IN PTR assemblea.cat.

root:/etc> dig -x 81.169.149.37 +nostats +nocomments
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37 +nostats +nocomments
;; global options: +cmd
;37.149.169.81.in-addr.arpa. IN PTR
37.149.169.81.in-addr.arpa. 1770 IN PTR assemblea.cat.
149.169.81.in-addr.arpa. 1770 IN NS ns.rzip.net.
149.169.81.in-addr.arpa. 1770 IN NS ns2.rzip.net.

root:/etc> dig -x 81.169.149.37 +nostats +nocomments +noauthority
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37 +nostats +nocomments +noauthority
;; global options: +cmd
;37.149.169.81.in-addr.arpa. IN PTR
37.149.169.81.in-addr.arpa. 1763 IN PTR assemblea.cat.

root:/etc> dig -x 81.169.149.37 +nostats +nocomments +noauthority +noquestion
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37 +nostats +nocomments +noauthority +noquestion
;; global options: +cmd
37.149.169.81.in-addr.arpa. 1799 IN PTR assemblea.cat.

root:/etc> dig -x 81.169.149.37 +noall +answer
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> -x 81.169.149.37 +noall +answer
;; global options: +cmd
37.149.169.81.in-addr.arpa. 1799 IN PTR assemblea.cat.
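The reverse name that dig -x builds, and the check a defender actually wants from a PTR answer (that the forward A record agrees with it), as an added example that is not part of the original page. It works on lines in the `dig +noall +answer` format shown above; the two sample lines are constructed from this page's output, and `reverse_name`, `parse_answer` and `forward_confirmed` are names chosen here.

```python
import ipaddress

# Constructed sample lines in `dig +noall +answer` format: the forward A answer
# and the `dig -x` PTR answer for the same host, as they appear on this page.
FORWARD_ANSWER = "assemblea.cat. 3600 IN A 81.169.149.37"
REVERSE_ANSWER = "37.149.169.81.in-addr.arpa. 1799 IN PTR assemblea.cat."


def reverse_name(ip: str) -> str:
    """Build the owner name dig -x queries: octets reversed under in-addr.arpa.
    for IPv4, the 32 hex nibbles reversed under ip6.arpa. for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # zero-padded, 32 characters
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def parse_answer(line: str) -> dict:
    """Split one answer line into owner, TTL, class, type and rdata."""
    name, ttl, rclass, rtype, rdata = line.split(None, 4)
    return {"name": name, "ttl": int(ttl), "class": rclass,
            "type": rtype, "rdata": rdata.strip()}


def forward_confirmed(forward_line: str, reverse_line: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR owner must be the reverse name of
    the A/AAAA address, and the PTR target must be that record's owner name.
    Whoever controls the reverse delegation can publish any PTR text, so a PTR
    on its own proves nothing; the forward match is what ties the two together."""
    fwd, rev = parse_answer(forward_line), parse_answer(reverse_line)
    if fwd["type"] not in ("A", "AAAA") or rev["type"] != "PTR":
        return False
    if rev["name"].lower() != reverse_name(fwd["rdata"]).lower():
        return False
    return rev["rdata"].rstrip(".").lower() == fwd["name"].rstrip(".").lower()


if __name__ == "__main__":
    print(reverse_name("81.169.149.37"))
    print(forward_confirmed(FORWARD_ANSWER, REVERSE_ANSWER))
```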
As with nslookup and host, we can specify the nameserver we want to query:
root:/etc> dig @8.8.8.8 -q assemblea.cat

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-10.P1.fc21 <<>> @8.8.8.8 -q assemblea.cat
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;assemblea.cat. IN A

;; ANSWER SECTION:
assemblea.cat. 3600 IN A 81.169.149.37

;; AUTHORITY SECTION:
assemblea.cat. 86400 IN NS dns2.pdimedia.com.
assemblea.cat. 86400 IN NS dns1.pdimedia.com.

;; Query time: 125 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 28 13:05:02 BST 2015
;; MSG SIZE rcvd: 109
We can also specify IPv4 or IPv6, and we can use a file to feed a batch of IPs and names to be resolved, one query per line:
root:/etc> cat /tmp/2resolv.txt
-x 104.86.111.51
-x 104.86.111.65
-q www.zerohedge.com

root:/etc> dig -f /tmp/2resolv.txt +nocomments +nostats +nocmd +noquestion
51.111.86.104.in-addr.arpa. 172 IN PTR a1048651.deploy.static.akamaitechno.com.
65.111.86.104.in-addr.arpa. 300 IN PTR a1048665.deploy.static.akamaitechno.com.
www.zerohedge.com. 116 IN A 185.32.215.118
www.zerohedge.com. 116 IN A 185.32.215.119
We can also use dig to discover the mail servers (MX), nameservers (NS) and all other records for a certain domain:
marc:~> dig redhat.com -t ns +noall +answer | grep -v -e DiG -e "options: +cmd"
redhat.com. 515 IN NS ns1.redhat.com.
redhat.com. 515 IN NS ns3.redhat.com.
redhat.com. 515 IN NS ns4.redhat.com.
redhat.com. 515 IN NS ns2.redhat.com.

marc:~> dig redhat.com -t mx +noall +answer | grep -v -e DiG -e "options: +cmd"
redhat.com. 600 IN MX 5 mx1.redhat.com.
redhat.com. 600 IN MX 10 mx2.redhat.com.

marc:~> dig redhat.com -t any +noall +answer | grep -v -e DiG -e "options: +cmd"
redhat.com. 599 IN SOA ns1.redhat.com. noc.redhat.com. 2015092501 300 180 604800 14400
redhat.com. 599 IN TXT "v=spf1 include:u1969764.wl.sendgrid.net include:_spf1.redhat.com include:_spf2.redhat.com all"
redhat.com. 599 IN MX 5 mx1.redhat.com.
redhat.com. 599 IN MX 10 mx2.redhat.com.
redhat.com. 599 IN NS ns4.redhat.com.
redhat.com. 599 IN NS ns2.redhat.com.
redhat.com. 599 IN NS ns3.redhat.com.
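What to do with the SOA and MX lines once you have them, as an added example that is not part of the original page: the SOA fields are the same seven values nslookup listed as origin, mail addr, serial, refresh, retry, expire and minimum, and comparing the serial returned by each authoritative server (dig @server zone -t soa +noall +answer) shows whether a secondary has stopped transferring the zone. The sample lines are constructed from this page's redhat.com output, with ns3 deliberately lagging; `parse_soa`, `serial_lag` and `mx_in_preference_order` are names chosen here.

```python
# Constructed sample lines in `dig +noall +answer` format, as if this page's
# redhat.com SOA had been fetched from each of its nameservers with @server.
# The ns3 entry is made to lag on purpose.
SOA_BY_SERVER = {
    "ns1.redhat.com": "redhat.com. 599 IN SOA ns1.redhat.com. noc.redhat.com. 2015092501 300 180 604800 14400",
    "ns2.redhat.com": "redhat.com. 599 IN SOA ns1.redhat.com. noc.redhat.com. 2015092501 300 180 604800 14400",
    "ns3.redhat.com": "redhat.com. 599 IN SOA ns1.redhat.com. noc.redhat.com. 2015092400 300 180 604800 14400",
}
MX_LINES = [
    "redhat.com. 600 IN MX 10 mx2.redhat.com.",
    "redhat.com. 600 IN MX 5 mx1.redhat.com.",
]

# Order of the SOA rdata fields (RFC 1035 section 3.3.13).
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line: str) -> dict:
    """Map one SOA answer line to a dict; the numeric timers become ints."""
    name, _ttl, _rclass, rtype, rdata = line.split(None, 4)
    if rtype != "SOA":
        raise ValueError(f"not an SOA record: {line}")
    soa = dict(zip(SOA_FIELDS, rdata.split()))
    for field in SOA_FIELDS[2:]:
        soa[field] = int(soa[field])
    soa["zone"] = name
    return soa


def serial_lag(soa_by_server: dict) -> dict:
    """Servers whose serial is behind the newest one seen, with the gap.
    A secondary that stays behind for longer than `refresh` is not picking up
    the zone; once `expire` seconds pass it stops answering for it at all.
    Plain integer comparison is fine for YYYYMMDDnn serials; it does not
    implement RFC 1982 wrap-around arithmetic."""
    serials = {srv: parse_soa(line)["serial"] for srv, line in soa_by_server.items()}
    newest = max(serials.values())
    return {srv: newest - s for srv, s in serials.items() if s < newest}


def mx_in_preference_order(lines: list) -> list:
    """Mail exchangers in the order a sending MTA tries them (lowest preference first)."""
    hosts = []
    for line in lines:
        _name, _ttl, _rclass, rtype, rdata = line.split(None, 4)
        if rtype == "MX":
            pref, host = rdata.split()
            hosts.append((int(pref), host))
    return [host for _pref, host in sorted(hosts)]
```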
And we can specify a short-output option:
marc:~> dig redhat.com -t ns +short
ns4.redhat.com.
ns1.redhat.com.
ns2.redhat.com.
ns3.redhat.com.
And we can enforce use of IPv4 (“-4”), IPv6 (“-6”), TCP (“+tcp”), a non-default port (“-p”) and set the timeout (“+time=3”) among other options. Finally, we can create a $HOME/.digrc file with the options we most often use:
marc:~> cat ~/.digrc
+noall +answer
At the local network level (anything within the same subnet) we can use the arping command to determine the MAC addresses of other hosts’ devices.
root:/etc> arping -I virbr0 -c 1 192.168.122.161
ARPING 192.168.122.161 from 192.168.122.1 virbr0
Unicast reply from 192.168.122.161 [52:54:00:49:72:FC] 0.596ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Finally, to close this section, we can use the whois command to extract a lot of useful information about IP addresses/ranges or domain names:
root:/etc> whois google.com
[Querying whois.verisign-grs.com]
[Redirected to whois.markmonitor.com]
[Querying whois.markmonitor.com]
[whois.markmonitor.com]
Domain Name: google.com
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-06-12T10:38:52-0700
Creation Date: 1997-09-15T00:00:00-0700
Registrar Registration Expiration Date: 2020-09-13T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registry Registrant ID:
Registrant Name: Dns Admin
Registrant Organization: Google Inc.
Registrant Street: Please contact contactadmin@google.com, 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6502530000
Registrant Phone Ext:
Registrant Fax: +1.6506188571
Registrant Fax Ext:
Registrant Email: dnsadmin@google.com
Registry Admin ID:
Admin Name: DNS Admin
Admin Organization: Google Inc.
Admin Street: 1600 Amphitheatre Parkway
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6506234000
Admin Phone Ext:
Admin Fax: +1.6506188571
Admin Fax Ext:
Admin Email: dnsadmin@google.com
Registry Tech ID:
Tech Name: DNS Admin
Tech Organization: Google Inc.
Tech Street: 2400 E. Bayshore Pkwy
Tech City: Mountain View
Tech State/Province: CA
Tech Postal Code: 94043
Tech Country: US
Tech Phone: +1.6503300100
Tech Phone Ext:
Tech Fax: +1.6506181499
Tech Fax Ext:
Tech Email: dnsadmin@google.com
Name Server: ns2.google.com
Name Server: ns4.google.com
Name Server: ns1.google.com
Name Server: ns3.google.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-09-30T03:20:02-0700 <<<