Nslookup is a command line driven utility supplied as part of most Windows operating systems that can reveal information related to domain names and the Internet Protocol (IP) addresses associated with them.
In simple terms, it is a tool that can provide information by interrogating DNS servers either locally on your network or externally assuming the required DNS server responsible (or knowledgeable) about the requested domain is contactable from where you are operating - over the Internet for example. To access the nslookup utility, drop out to a cmd prompt window.
Nslookup provides options for a range of parameters and options that can be used to drill down to provide selected information on fully qualified domain names, the IP addresses associated with the domain names, identify the mail servers used on those domains plus much more. The list of parameters is quite long and can be seen by entering nslookup without using any parameters. At the ">" prompt, press the ? key and then press the enter or return key. The following will be displayed:
c:\nslookup (Press enter)
Default Server: sbs01.local.local (My default DNS Server)
Address: 192.168.16.2 (IP address of my default DNS Server)
> ? (Press enter)
Commands: (identifiers are shown in uppercase,  means optional)
NAME - print info about the host/domain NAME using default server
NAME1 NAME2 - as above, but use NAME2 as server
help or ? - print info on common commands
set OPTION - set an option
all - print options, current server and host
[no]debug - print debugging information
[no]d2 - print exhaustive debugging information
[no]defname - append domain name to each query
[no]recurse - ask for recursive answer to query
[no]search - use domain search list
[no]vc - always use a virtual circuit
domain=NAME - set default domain name to NAME
srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
root=NAME - set root server to NAME
retry=X - set number of retries to X
timeout=X - set initial time-out interval to X seconds
type=X - set query type (ex. A,AAAA,A+AAAA,ANY,CNAME,MX
querytype=X - same as type
class=X - set query class (ex. IN (Internet), ANY)
[no]msxfr - use MS fast zone transfer
ixfrver=X - current version to use in IXFR transfer request
server NAME - set default server to NAME, using current default server
lserver NAME - set default server to NAME, using initial server
root - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
-a - list canonical names and aliases
-d - list all records
-t TYPE - list records of the given RFC record type (ex. A,CNAME,MX,NS,
view FILE - sort an 'ls' output file and view it with pg
exit - exit the program
To exit the tool, just type in the word EXIT and hit return.
Nslookup can also be used straight from the cmd line once you get used to using parameters and I'll walk through both scenarios.
lol - all clear? Thought not, so let's see HOW we could use it. Once completed, hopefully you will see for yourself WHEN and WHY you might use such a tool. I am assuming you have a basic grasp of DNS so I am not going to work through how name resolution works. I will also assume that you have a working DNS environment.
Let's take a basic example then as a starter using the command or cmd line. I want to know the IP addresses of Microsoft web server.
The output above shows that nslookup has sent a request to my internal DNS server (sbs01.local.local located on 192.168.16.2) to action the request.
The answer that has been returned for my query was provided by the server called lb1.www.ms.akadns.net
and it reports that three servers are known for www.microsoft.com
and they are found at 18.104.22.168, 22.214.171.124 and 126.96.36.199.
Nslookup can also perform reverse lookups against DNS .ptr records. If we take one of the addresses returned in the previous example, you can see the true names of the servers used.
This reveals that server at 188.8.131.52 is called wwwbaytest1.microsoft.com is ONE of the servers that will respond to www.microsoft.com
Not convinced it is useful? OK, let's be more specific. I am in the UK and I use ZEN as my ISP. I want to use ZEN to host my SMTP email and I need to setup the name and IP address of the ZEN mail server in my Outlook client. All I know at this time is that their domain is called zen.co.uk.
First of all, I run the nslookup tool to get to the > prompt.
I now tell nslookup that I am interested in MX records. MX (Mail eXchanger) records are those that tell mail servers where they need to deliver mail to for a particular domain. You can either type in the full command or you can type in the first characters it has to be enough so that nslookup can identify a single command. To tell nslookup that we want to look up MX records we can use the querytpe option or, in this case, just q because there is only one option that begins with that letter.
>set querytype=mx or use set q=mx
Finally, I can type in the name of the domain that I want to check the MX records of.
zen.co.uk MX preference = 10, mail exchanger = mailcluster.zen.co.uk
zen.co.uk nameserver = ns0.zen.co.uk
zen.co.uk nameserver = ns1.zen.co.uk
mailcluster.zen.co.uk internet address = 184.108.40.206
mailcluster.zen.co.uk internet address = 220.127.116.11
mailcluster.zen.co.uk internet address = 18.104.22.168
mailcluster.zen.co.uk internet address = 22.214.171.124
mailcluster.zen.co.uk internet address = 126.96.36.199
mailcluster.zen.co.uk internet address = 188.8.131.52
ns1.zen.co.uk internet address = 184.108.40.206
ns0.zen.co.uk internet address = 220.127.116.11
Again, the output reports that my internal DNS server was used to action the query. This is followed by the names of the ZEN DNS servers who responded to the query and then the names of the Zen mail servers with their appropriate IP addresses.
Note that there are numerous entries for the same fully qualified domain name but with different IP addresses associated with them? Note the non-authoritative answer the MX record for this company is mail-cluster.zen.co.uk and that is the fully qualified domain name that other mail servers will use when trying to deliver email to the ZEN organisation. Because ZEN does not want to lose email connectivity or have multiple MX records, they have used DNS aliases to associate mail-cluster.zen.co.uk with other mail servers. Check it out for yourself by looking up the reverse DNS entries with the tool.
For example, lets take the first two.....
By using the nslookup tool with an IP address, my local DNS server has queried the reverse DNS pointer records (.ptr) and identified they are associated with the servers shown their REAL names that is. The first server being called bastion7 and the second being bastion5.
Nslookup can also be used to check up on your OWN network from a security perspective. Try this one.... use lower case LS nslookup is case sensitive.
[Reporting DNS Server name]
*** Can't list domain yourdomain.com: Non-existent domain
The DNS server refused to transfer the zone yourdomain.com to your computer. If this
is incorrect, check the zone transfer security settings for yourdomain.com on the DNS
server at IP address xx.xx.xx.xx.
The ls option tells nslookup to list the entire contents of the DNS for the domain selected. In the above example, (my domain) I received a message saying that my DNS server had rightly refused the request. If you received a list when testing your own domain then you should notify your administrator so that they can make amendments. An option in Windows DNS allows zone transfers to be restricted to known name servers only.
These are just some of the simple uses that nslookup can be put to. I will create a more in-depth review when I have more time covering the deep-dive aspects of nslookup.