snoopaloop
asked on
How do I get nslookup to query properly?
C:\Program Files\Windows AIK\Tools\PETools>nslookup
Default Server: contoso.com
Address: 192.168.1.5
> ls -t contoso
[ns.contoso.com]
*** Can't list domain contoso: Non-existent domain
> ls -t contos
[ns.contoso.com]
*** Can't list domain contoso.com: Query refused
Nslookup can be used to transfer an entire zone by using the ls command. This is useful to see all the hosts within a remote domain. The syntax for the ls command is:
ls [- a | d | t type] domain [> filename]
Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.
Example:
>ls domain.com
[nameserver1.domain.com]
nameserver1.domain.com. NS server = ns1.domain.com
nameserver2.domain.com NS server = ns2.domain.com
nameserver1 A 10.0.0.1
nameserver2 A 10.0.0.2
>
Zone transfers can be blocked at the DNS server so that only authorized addresses or networks can perform this function. The following error will be returned if zone security has been set:
*** Can't list domain example.com .: Query refused
Did you create a reverse lookup zone? For nslookup to work right you need a reverse lookup zone.
ASKER
Yes, reverse lookup is set. I think it's the security parameter as mentioned above that is causing the error. Thanks.
I think I gave you the same answer, should have shared when accepting answers...
The "ls" command in nslookup executes a zone transfer (which is a TCP-based connection) to get all of the information from the remote authoritative name server to the local machine. In order for this to work, the remote DNS server must be accessible by the TCP protocol over port 53, and the transfer of the zone must be authorized to the client making the request.
Operation in this manner is desired as it increases security of the domain by not revealing all of the gory details to "any machine that asks for them". If you must be able to support the "ls" command, provide specific details about the DNS server (including whether it's under your control or not), and I can help you enable it.
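Added example, not part of any post in this thread: a Python sketch of the TCP-framed AXFR request that "ls" sends and of how the reply header's RCODE maps to the two nslookup messages in the question. The function names are hypothetical and the sample replies are constructed, not captured traffic; nothing is sent on the network.

```python
import struct

# RCODEs from RFC 1035; nslookup prints them as the messages seen in the thread.
RCODES = {3: "NXDOMAIN (Non-existent domain)", 5: "REFUSED (Query refused)"}
QTYPE_AXFR, QCLASS_IN = 252, 1  # AXFR = zone transfer request

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, txid):
    """Build an AXFR query with the 2-byte length prefix DNS uses over TCP."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_response(data):
    """Return (txid, rcode, answer_count) from one TCP-framed DNS message."""
    if len(data) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if length < 12 or len(msg) != length:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return txid, flags & 0x000F, ancount

def classify(data, txid):
    """Map a reply to the outcome a DNS administrator cares about."""
    rid, rcode, ancount = parse_tcp_response(data)
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if rcode == 0 and ancount > 0:
        return "transfer allowed to this client"
    return RCODES.get(rcode, "RCODE %d" % rcode)

def sample_reply(txid, rcode):
    """Constructed reply (not captured traffic): response header plus echoed question."""
    question = encode_name("contoso.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0, 0, 0) + question
    return struct.pack("!H", len(msg)) + msg
```

A REFUSED reply to this request from a client outside the server's allowed transfer list is the restriction working as configured.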
https://www.experts-exchange.com/questions/20950202/nslookup-query.html