snoopaloop

asked on

How do I get nslookup to query properly?

C:\Program Files\Windows AIK\Tools\PETools>nslookup
Default Server:  contoso.com
Address:  192.168.1.5

> ls -t contoso
[ns.contoso.com]
*** Can't list domain contoso: Non-existent domain
> ls -t contos
[ns.contoso.com]
*** Can't list domain contoso.com: Query refused
Darius Ghassem

Here is a good explanation.

The "ls" command in nslookup executes a zone transfer (which is a TCP-based connection) to get all of the information from the remote authoritative name server to the local machine. In order for this to work, the remote DNS server must be accessible by the TCP protocol over port 53, and the transfer of the zone must be authorized to the client making the request.

Operation in this manner is desired as it increases security of the domain by not revealing all of the gory details to "any machine that asks for them". If you must be able to support the "ls" command, provide specific details about the DNS server (including whether it's under your control or not), and I can help you enable it.

https://www.experts-exchange.com/questions/20950202/nslookup-query.html
ASKER CERTIFIED SOLUTION
gs121

Nslookup can be used to transfer an entire zone by using the ls command. This is useful to see all the hosts within a remote domain. The syntax for the ls command is:

 
   ls [- a | d | t type] domain [> filename]

Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.

Example:

 
   >ls domain.com
   [nameserver1.domain.com]
    nameserver1.domain.com.                NS     server = ns1.domain.com
    nameserver2.domain.com                 NS     server = ns2.domain.com
    nameserver1                            A      10.0.0.1
    nameserver2                            A      10.0.0.2

   >

Zone transfers can be blocked at the DNS server so that only authorized addresses or networks can perform this function. The following error will be returned if zone security has been set:
 
*** Can't list domain example.com .: Query refused

Did you create a reverse lookup zone? For nslookup to work right you need a reverse lookup zone.
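The two errors in the question correspond to two different DNS response codes. The following is an added example, not code from the thread: it builds the length-prefixed AXFR request that a zone transfer sends over TCP port 53 and decodes the reply header, using constructed sample replies instead of a live server. The function names are hypothetical.

```python
import struct

QTYPE_AXFR = 252   # RFC 1035 QTYPE for a full zone transfer
CLASS_IN = 1
# RCODE (low 4 bits of the header flags) -> (name, text nslookup prints)
RCODES = {
    0: ("NOERROR", None),
    3: ("NXDOMAIN", "Non-existent domain"),
    5: ("REFUSED", "Query refused"),
}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Return the bytes sent on the TCP/53 connection for an AXFR of `zone`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # one question, no flags
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg  # DNS over TCP: 2-byte length prefix

def decode_reply(framed):
    """Strip the TCP length prefix and read the header of a reply."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, text = RCODES.get(flags & 0x000F, ("OTHER", None))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": name, "answers": answers, "nslookup_text": text}

def constructed_reply(query, flags):
    """Constructed sample: echo the question back with the given header flags."""
    msg = query[2:]
    msg = msg[:2] + struct.pack("!H", flags) + msg[4:]
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    q = build_axfr_query("contoso.com")
    for flags in (0x8005, 0x8403):  # QR+REFUSED, QR+AA+NXDOMAIN
        print(decode_reply(constructed_reply(q, flags)))
```

A REFUSED reply shows the server was reached and declined the transfer for this client, which is the zone-transfer restriction described above; NXDOMAIN means the server does not know the name that was asked for.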
snoopaloop

ASKER

Yes, reverse lookup is set. I think it's the security parameter as mentioned above that is causing the error. Thanks.
I think I gave you the same answer, should have shared when accepting answers.....