DNS Lookup Command: A Step-by-Step Guide

- Access to a command-line interface (CLI) on Windows, Linux, or macOS.
- Basic understanding of network concepts.
- Internet connectivity to resolve domain names.
Performing a DNS Lookup Cmd
Perform a basic A record lookup to resolve a domain name to its IPv4 address. This is the most common DNS query. The `nslookup` command works on both Windows and Unix-like systems.
nslookup example.com
Expected output (Windows):
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Addresses: 93.184.216.34
Expected output (Linux/macOS):
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
Use the `dig` command for more detailed DNS query information, common on Linux and macOS. Specify the domain directly.
dig example.com
Expected output:
; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62232
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3599 IN A 93.184.216.34
;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Oct 26 10:00:00 2023
;; MSG SIZE rcvd: 55
The `host` command offers a simpler, concise output for DNS lookups. It is available on most Unix-like systems.
host example.com
Expected output:
example.com has address 93.184.216.34
Retrieve AAAA records to find a domain's IPv6 address. This is crucial for environments transitioning to or already using IPv6. Many modern services offer IPv6 connectivity.
nslookup -type=AAAA example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
Use `dig` to query for AAAA records specifically. Add `AAAA` after the domain name.
dig AAAA example.com
Expected output:
;; ANSWER SECTION:
example.com. 3599 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
The `host` command also supports specific record types. Use the `-t AAAA` flag.
host -t AAAA example.com
Expected output:
example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
Query MX (Mail Exchange) records to identify the mail servers responsible for a domain. This helps in understanding a target's email infrastructure. MX records include a preference number, indicating server priority.
nslookup -type=MX example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com MX preference = 10, mail exchanger = mail.example.com
Use `dig MX` for detailed MX record information. This output often includes additional helpful details.
dig MX example.com
Expected output:
;; ANSWER SECTION:
example.com. 3599 IN MX 10 mail.example.com.
The `host` command with `-t MX` provides a concise list of mail exchangers.
host -t MX example.com
Expected output:
example.com mail is handled by 10 mail.example.com.
Find NS (Name Server) records to determine which DNS servers are authoritative for a domain. This reveals the domain's DNS provider and delegation structure.
nslookup -type=NS example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com nameserver = a.iana-servers.net.
example.com nameserver = b.iana-servers.net.
Querying with `dig NS` shows the authoritative name servers. This can aid in mapping a target's infrastructure.
dig NS example.com
Expected output:
;; ANSWER SECTION:
example.com. 3599 IN NS b.iana-servers.net.
example.com. 3599 IN NS a.iana-servers.net.
The `host -t NS` command quickly lists the name servers.
host -t NS example.com
Expected output:
example.com name server b.iana-servers.net.
example.com name server a.iana-servers.net.
Look up TXT (Text) records for various purposes, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). These records are critical for email security. For more details on checking these, refer to our blog post on Checking DNS TXT Records A How-To or Easy DNS TXT Record Lookup How-To.
nslookup -type=TXT example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com text = "v=spf1 -all"
Use `dig TXT` to retrieve TXT records. This command shows the full text string.
dig TXT example.com
Expected output:
;; ANSWER SECTION:
example.com. 3599 IN TXT "v=spf1 -all"
The `host -t TXT` command displays TXT records concisely.
host -t TXT example.com
Expected output:
example.com descriptive text "v=spf1 -all"
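To turn the raw TXT answer into an SPF verdict, the following added example (not part of the original guide) classifies the output of `dig +short TXT <domain>`. The function name `spf_policy` and the verification string in the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the SPF policy found in TXT answers as printed by
# `dig +short TXT <domain>` (one quoted record per line on stdin).
spf_policy() {
    awk '
        {
            gsub(/" "/, "")   # long records arrive as several quoted strings: rejoin
            gsub(/"/, "")     # strip the remaining quotes
        }
        tolower($1) == "v=spf1" { n++; rec = tolower($0) }
        END {
            if (n == 0) { print "none"; exit }        # no SPF record published
            if (n > 1)  { print "permerror"; exit }   # RFC 7208: more than one is an error
            verdict = "neutral"                       # no "all" term behaves like ?all
            m = split(rec, term, " ")
            for (i = 2; i <= m; i++) {
                if (term[i] ~ /^redirect=/) verdict = term[i]   # policy lives elsewhere
                if (term[i] ~ /^[-~?+]?all$/) {
                    q = substr(term[i], 1, 1)
                    if (q == "-")      verdict = "fail"       # unlisted senders rejected
                    else if (q == "~") verdict = "softfail"   # unlisted senders only marked
                    else if (q == "?") verdict = "neutral"    # no assertion made
                    else               verdict = "pass"       # +all or bare all: anyone may send
                    break
                }
            }
            print verdict
        }'
}

# Constructed sample input: the record shown above plus an unrelated TXT string.
printf '%s\n' '"v=spf1 -all"' '"constructed-verification=abc123"' | spf_policy
```

Live use: `dig +short TXT example.com | spf_policy`. A `pass` or `none` result means the domain does nothing to stop others sending mail in its name.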
Query CNAME (Canonical Name) records to identify aliases for a domain. A CNAME record points one domain to another canonical domain name. This is often used for subdomains or cloud services. For finding more subdomains, consider using a subdomain discovery tool.
nslookup -type=CNAME www.example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
www.example.com canonical name = example.com
Use `dig CNAME` to find canonical names. This reveals underlying service providers or redirection schemes.
dig CNAME www.example.com
Expected output:
;; ANSWER SECTION:
www.example.com. 3599 IN CNAME example.com.
The `host -t CNAME` command quickly shows any CNAME records.
host -t CNAME www.example.com
Expected output:
www.example.com is an alias for example.com.
Perform a PTR (Pointer) record lookup, also known as reverse DNS lookup. This resolves an IP address back to its associated domain name. This is useful for verifying email server legitimacy or analyzing server logs.
nslookup 93.184.216.34
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
34.216.184.93.in-addr.arpa name = example.com
Use `dig -x` for reverse DNS lookups. This is a common method on Unix-like systems.
dig -x 93.184.216.34
Expected output:
;; ANSWER SECTION:
34.216.184.93.in-addr.arpa. 3599 IN PTR example.com.
The `host` command also performs reverse lookups by simply providing an IP address.
host 93.184.216.34
Expected output:
34.216.184.93.in-addr.arpa domain name pointer example.com.
Retrieve SOA (Start of Authority) records to gather administrative information about a DNS zone. This includes the primary name server for the zone, the email of the domain administrator, and various timers that govern zone transfers and refreshes. This information can reveal insights into a domain's management.
nslookup -type=SOA example.com
Expected output:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
example.com
primary name server = a.iana-servers.net
responsible mail addr = hostmaster.example.com
serial = 2023102601
refresh = 10000
retry = 2400
expire = 604800
default TTL = 3600
Use `dig SOA` to get comprehensive SOA record details. This output is generally preferred for its completeness.
dig SOA example.com
Expected output:
;; ANSWER SECTION:
example.com. 3599 IN SOA a.iana-servers.net. hostmaster.example.com. 2023102601 10000 2400 604800 3600
The `host -t SOA` command provides a concise summary of the SOA record.
host -t SOA example.com
Expected output:
example.com has SOA record a.iana-servers.net. hostmaster.example.com. 2023102601 10000 2400 604800 3600
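The SOA answer packs seven values into one line, and the administrator's mailbox is written as a domain name rather than an address. This added example (not from the original guide; `rname_to_email` and `parse_soa` are illustrative names) labels the fields of a `dig` answer line and converts the mailbox field.

```shell
#!/bin/sh
# Added example: label the fields of an SOA answer line as dig prints it.

# RNAME encodes the admin mailbox as a domain name: the first unescaped dot
# stands for "@", and "\." is a literal dot inside the local part.
rname_to_email() {
    printf '%s\n' "$1" | sed -E \
        -e 's/\.$//' \
        -e 's/^((\\.|[^.\\])*)\./\1@/' \
        -e 's/\\(.)/\1/g'
}

# Argument: NAME TTL CLASS SOA MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
parse_soa() {
    fields=$(printf '%s\n' "$1" |
        awk 'NF == 11 && $4 == "SOA" { print $5, $6, $7, $8, $9, $10, $11 }')
    [ -n "$fields" ] || { echo "not an SOA answer line" >&2; return 1; }
    read -r mname rname serial refresh retry expire minimum <<EOF
$fields
EOF
    printf 'primary_ns=%s\n' "${mname%.}"
    printf 'admin_email=%s\n' "$(rname_to_email "$rname")"
    printf 'serial=%s\n' "$serial"
    printf 'refresh_s=%s\n' "$refresh"
    printf 'retry_s=%s\n' "$retry"
    printf 'expire_s=%s\n' "$expire"
    # nslookup labels this "default TTL"; resolvers use it as the
    # negative-caching TTL (RFC 2308).
    printf 'negative_ttl_s=%s\n' "$minimum"
}

# The answer line shown above, used as sample input.
parse_soa 'example.com. 3599 IN SOA a.iana-servers.net. hostmaster.example.com. 2023102601 10000 2400 604800 3600'
```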
Specify a custom DNS server for your lookup. This helps test specific DNS resolvers, bypass local caching, or verify propagation changes. Public DNS servers like Google (8.8.8.8) or Cloudflare (1.1.1.1) are commonly used.
nslookup example.com 8.8.8.8
Expected output (Windows):
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Addresses: 93.184.216.34
With `dig`, specify the server using the `@` symbol before the domain.
dig @8.8.8.8 example.com
Expected output:
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; ANSWER SECTION:
example.com. 3599 IN A 93.184.216.34
The `host` command takes the DNS server as the last argument.
host example.com 8.8.8.8
Expected output:
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
example.com has address 93.184.216.34
For quick, browser-based DNS lookups without command-line access, use online tools. Secably offers a dedicated DNS lookup tool that provides a user-friendly interface for various record types. This offers a convenient alternative for ad-hoc checks or when sharing results.