PowerShell DNS Lookup: A Quick Step-by-Step Guide

Perform a PowerShell DNS lookup directly from your command line. This guide provides step-by-step instructions for querying various DNS record types using PowerShell's Resolve-DnsName cmdlet.
What You'll Achieve
You will perform various DNS record lookups, including A, AAAA, MX, NS, TXT, CNAME, PTR, and SRV records, using PowerShell.
Prerequisites
- Windows operating system (Windows 7/Server 2008 R2 or newer).
- PowerShell 5.1 or newer (default on Windows 10/Server 2016+).
- Active internet connection for external lookups.
Step-by-Step Instructions
Step 1: Perform a Basic A Record Lookup
A records map domain names to IPv4 addresses. This is the most common DNS lookup type.
Execute the following command to retrieve the A record for secably.com:
Resolve-DnsName -Name secably.com
Expected output will resemble this:
Name         Type  TTL  Section  IPAddress
----         ----  ---  -------  ---------
secably.com  A     300  Answer   20.20.20.20
The IPAddress field shows the resolved IPv4 address for the domain.
Step 2: Look Up AAAA (IPv6) Records
AAAA records map domain names to IPv6 addresses. Many modern services support IPv6.
Query the AAAA record for an IPv6-enabled domain like ipv6.google.com:
Resolve-DnsName -Name ipv6.google.com -Type AAAA
Expected output will be similar to:
Name             Type  TTL  Section  IPAddress
----             ----  ---  -------  ---------
ipv6.google.com  AAAA  300  Answer   2607:f8b0:4004:80c::200e
This shows the IPv6 address associated with the specified domain.
Step 3: Query MX (Mail Exchange) Records
MX records specify mail servers responsible for accepting email messages on behalf of a domain. Security teams often check these for email authentication configurations.
Retrieve MX records for secably.com:
Resolve-DnsName -Name secably.com -Type MX
Example output:
Name         Type  TTL  Section  NameExchange
----         ----  ---  -------  ------------
secably.com  MX    300  Answer   mail.secably.com
secably.com  MX    300  Answer   mail2.secably.com
The NameExchange field indicates the mail server hostname. You can further investigate email authentication by checking DKIM records associated with these mail servers.
Step 4: Discover NS (Name Server) Records
NS records identify the authoritative DNS servers for a domain. This helps understand who manages a domain's DNS.
Find the name servers for secably.com:
Resolve-DnsName -Name secably.com -Type NS
Output will look like:
Name         Type  TTL  Section  NameServer
----         ----  ---  -------  ----------
secably.com  NS    300  Answer   ns1.secablydns.com
secably.com  NS    300  Answer   ns2.secablydns.com
The NameServer entries list the authoritative DNS servers.
Step 5: Retrieve TXT Records
TXT records store arbitrary text information. These are frequently used for SPF, DKIM, DMARC, and domain verification.
Query TXT records for secably.com:
Resolve-DnsName -Name secably.com -Type TXT
Example output showing SPF and other TXT records:
Name         Type  TTL  Section  Strings
----         ----  ---  -------  -------
secably.com  TXT   300  Answer   {v=spf1 include:_spf.secably.com ~all}
secably.com  TXT   300  Answer   {google-site-verification=abcdef12345}
The Strings array contains the text data. For more details on checking these records, refer to our guide on Checking DNS TXT Records: A How-To or Easy DNS TXT Record Lookup How-To.
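The TXT answers above carry the SPF and DMARC policy, so a quick policy check on the Strings values is a natural follow-up. This is an added example, not part of the original guide: Get-MailAuthFinding and the example.test records are constructed for illustration, and it assumes DMARC is published at _dmarc.<domain>.

```powershell
# Added example; the function name and sample records are hypothetical.
function Get-MailAuthFinding {
    param(
        [Parameter(Mandatory)] [object[]]$TxtRecord,   # objects exposing Name and Strings
        [Parameter(Mandatory)] [string]$Domain
    )
    # One TXT value can arrive as several strings (255-byte chunks): join before matching.
    $txt = foreach ($r in $TxtRecord) {
        [pscustomobject]@{ Name = "$($r.Name)".TrimEnd('.'); Text = ($r.Strings -join '') }
    }
    $spf   = @($txt | Where-Object { $_.Name -eq $Domain -and $_.Text -match '^v=spf1(\s|$)' })
    $dmarc = @($txt | Where-Object { $_.Name -eq "_dmarc.$Domain" -and $_.Text -match '^v=DMARC1\s*;' })

    if ($spf.Count -eq 0) { $spfState = 'missing' }
    elseif ($spf.Count -gt 1) { $spfState = 'invalid: more than one v=spf1 record' }
    elseif ($spf[0].Text -match '(?:^|\s)([-~?+]?)all(?:\s|$)') {
        $spfState = switch ($Matches[1]) {
            '-'     { 'hard fail (-all)' }
            '~'     { 'soft fail (~all)' }
            '?'     { 'neutral (?all)' }
            default { 'pass (+all): every sender is authorised' }
        }
    }
    else { $spfState = 'no all mechanism' }

    if ($dmarc.Count -eq 0) { $dmarcState = 'missing' }
    elseif ($dmarc[0].Text -match '(?:^|;)\s*p\s*=\s*(\w+)') { $dmarcState = "p=$($Matches[1].ToLower())" }
    else { $dmarcState = 'no p= tag' }

    # "Enforced" is this example's own rule of thumb, not a standard term.
    $enforced = ($spfState -match '^(hard|soft) fail') -and ($dmarcState -in 'p=quarantine', 'p=reject')
    [pscustomobject]@{ Domain = $Domain; Spf = $spfState; Dmarc = $dmarcState; Enforced = $enforced }
}

# Constructed sample shaped like Resolve-DnsName TXT output, so this runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'example.test'; Strings = @('v=spf1 include:_spf.example.test ~all') }
    [pscustomobject]@{ Name = 'example.test'; Strings = @('google-site-verification=abcdef12345') }
    [pscustomobject]@{ Name = '_dmarc.example.test'; Strings = @('v=DMARC1; p=none; ', 'rua=mailto:dmarc@example.test') }
)
Get-MailAuthFinding -TxtRecord $sample -Domain 'example.test'

# Live use: collect TXT answers for the domain and its _dmarc label, then pass them in.
# $live = 'secably.com', '_dmarc.secably.com' | ForEach-Object {
#     Resolve-DnsName -Name $_ -Type TXT -ErrorAction SilentlyContinue } | Where-Object { "$($_.Type)" -eq 'TXT' }
```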
Step 6: Follow CNAME (Canonical Name) Records
CNAME records alias one domain name to another. This is common for subdomains or CDN configurations.
Check the CNAME record for www.secably.com:
Resolve-DnsName -Name www.secably.com -Type CNAME
Output indicating the alias target:
Name             Type   TTL  Section  NameTarget
----             ----   ---  -------  ----------
www.secably.com  CNAME  300  Answer   secably.com
NameTarget shows the canonical name the queried domain points to.
Step 7: Perform Reverse DNS (PTR) Lookup
PTR records map an IP address back to a hostname. This is useful for verifying mail server legitimacy or identifying hosts.
Perform a reverse lookup for Google's public DNS server 8.8.8.8:
Resolve-DnsName -Name 8.8.8.8 -Type PTR
Expected output:
Name     Type  TTL  Section  NameHost
----     ----  ---  -------  --------
8.8.8.8  PTR   300  Answer   dns.google
The NameHost field provides the associated hostname.
Step 8: Specify a DNS Server for Lookup
You can direct your DNS query to a specific DNS server instead of using the system's default. This is useful for testing DNS propagation or querying internal DNS servers.
Query secably.com using Cloudflare's 1.1.1.1 DNS server:
Resolve-DnsName -Name secably.com -Server 1.1.1.1
The output will be similar to a basic A record lookup, but the query was sent to 1.1.1.1 instead of the system's default resolver:
Name         Type  TTL  Section  IPAddress
----         ----  ---  -------  ---------
secably.com  A     300  Answer   20.20.20.20
This method helps isolate DNS issues specific to certain resolvers.
Step 9: Query SRV (Service) Records
SRV records specify the location (hostname and port) of servers for specific services, like SIP, LDAP, or XMPP. This helps clients find services on a domain.
Query for a common SRV record, such as _sip._tcp.secably.com (replace with a real service if available, otherwise this will show no records):
Resolve-DnsName -Name _sip._tcp.secably.com -Type SRV
If records exist, output might resemble:
Name                   Type  TTL  Section  Priority  Weight  Port  NameTarget
----                   ----  ---  -------  --------  ------  ----  ----------
_sip._tcp.secably.com  SRV   300  Answer   10        100     5060  sipserver.secably.com
The NameTarget, Port, Priority, and Weight fields provide service location details.
Step 10: Export Lookup Results
Exporting results to a CSV file allows for easier analysis or integration with other tools.
Export all DNS records for secably.com to a CSV file:
Resolve-DnsName -Name secably.com -Type Any | Export-Csv -Path C:\Temp\secably_dns.csv -NoTypeInformation
This command will not produce direct console output. Instead, a file named secably_dns.csv will be created in C:\Temp containing all available DNS records for secably.com.
Verify file creation by navigating to C:\Temp and opening secably_dns.csv in a text editor or spreadsheet application.
Step 11: Perform Bulk DNS Lookups from a List
For large-scale reconnaissance or asset discovery, you might need to resolve many domains. First, create a text file named domains.txt in C:\Temp with one domain per line:
secably.com
google.com
microsoft.com
Then, use PowerShell to read the file and perform a PowerShell DNS lookup for each domain:
Get-Content C:\Temp\domains.txt | ForEach-Object { Resolve-DnsName -Name $_ }
Expected output will list DNS records for each domain in the file:
Name           Type  TTL  Section  IPAddress
----           ----  ---  -------  ---------
secably.com    A     300  Answer   20.20.20.20
google.com     A     300  Answer   142.250.186.14
microsoft.com  A     60   Answer   20.100.20.10
This method streamlines large-scale information gathering. Tools like Zondex offer broader internet-wide scanning for exposed services and reconnaissance.
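When the export from Step 10 is combined with the bulk loop from this step, two things go wrong quietly: Export-Csv takes its columns from the first object only, so fields of other record types are dropped, and failed lookups vanish into the error stream. This added example (not part of the original guide; the function names and example.test data are hypothetical) flattens every record into one schema and keeps failures as rows.

```powershell
# Added example; function names are hypothetical.
function ConvertTo-DnsRow {
    param([Parameter(ValueFromPipeline)] $Record, [string]$Query)
    process {
        $type = "$($Record.Type)"
        $data = switch ($type) {
            { $_ -in 'A', 'AAAA' } { $Record.IPAddress }
            'MX'    { "$($Record.Preference) $($Record.NameExchange)" }
            'TXT'   { $Record.Strings -join '' }
            'SRV'   { "$($Record.Priority) $($Record.Weight) $($Record.Port) $($Record.NameTarget)" }
            'SOA'   { $Record.PrimaryServer }
            default { $Record.NameHost }    # NS, CNAME and PTR objects expose NameHost
        }
        # Record data from third-party zones is untrusted: stop spreadsheets reading it as a formula.
        if ("$data" -match '^[=+\-@]') { $data = "'" + $data }
        [pscustomobject]@{ Query = $Query; Name = $Record.Name; Type = $type; TTL = $Record.TTL; Data = $data; Error = $null }
    }
}

function Resolve-DnsList {
    param([string[]]$Domain, [string[]]$Type = @('A', 'MX', 'TXT'))
    foreach ($d in $Domain) {
        foreach ($t in $Type) {
            try {
                Resolve-DnsName -Name $d -Type $t -DnsOnly -ErrorAction Stop | ConvertTo-DnsRow -Query $d
            }
            catch {
                # Keep failures (NXDOMAIN, timeouts) as rows so gaps are visible in the CSV.
                [pscustomobject]@{ Query = $d; Name = $d; Type = $t; TTL = $null; Data = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Constructed sample objects shaped like Resolve-DnsName output, so this part runs offline.
$constructed = @(
    [pscustomobject]@{ Name = 'example.test'; Type = 'A';   TTL = 300; IPAddress = '192.0.2.10' }
    [pscustomobject]@{ Name = 'example.test'; Type = 'MX';  TTL = 300; Preference = 10; NameExchange = 'mail.example.test' }
    [pscustomobject]@{ Name = 'example.test'; Type = 'TXT'; TTL = 300; Strings = @('=1+1') }
)
$constructed | ConvertTo-DnsRow -Query 'example.test' | ConvertTo-Csv -NoTypeInformation

# Live use with the file created in this step:
# Resolve-DnsList -Domain (Get-Content C:\Temp\domains.txt) | Export-Csv -Path C:\Temp\dns_bulk.csv -NoTypeInformation
```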
Step 12: Advanced Filtering and Property Selection
You can refine the output to display only specific properties, which is useful for scripting or focused analysis.
To get only the IP addresses for secably.com:
(Resolve-DnsName -Name secably.com).IPAddress
Or, for multiple properties:
Resolve-DnsName -Name secably.com | Select-Object Name, Type, IPAddress
Output for the first command:
20.20.20.20
Output for the second command:
Name         Type  IPAddress
----         ----  ---------
secably.com  A     20.20.20.20
This allows for precise data extraction.
Step 13: Understanding Alternatives (nslookup and dig)
While PowerShell's Resolve-DnsName is the recommended tool on Windows, other utilities exist. The nslookup command is built into Windows, but Microsoft generally deprecates it in favor of Resolve-DnsName for scripting due to its richer object output.
For Linux or macOS environments, the dig utility is the standard for DNS queries, offering extensive options for detailed lookups.
Verification Steps
Confirm the accuracy of your PowerShell DNS lookup results.
- Review Command Output: Visually inspect the PowerShell console output for each command. Ensure the returned records match your expectations for the queried domain or IP address.
- Check Exported Files: If you exported data (e.g., to CSV), open the file and verify its contents. Confirm that all expected records are present and correctly formatted.
- Cross-Reference with External Tools: Use an independent online tool to validate your findings. Secably provides a free DNS lookup tool that can quickly confirm A, AAAA, MX, NS, and TXT records.
Troubleshooting
Issue 1: Resolve-DnsName Command Not Found
Problem: You receive an error indicating that Resolve-DnsName is not recognized as a cmdlet.
Solution: This usually means your PowerShell version is too old or the necessary Windows Management Framework (WMF) components are missing. Resolve-DnsName requires PowerShell 4.0 or newer (included with WMF 4.0 or newer). On Windows 7 or Server 2008 R2, you might need to install WMF 5.1. On Windows 10/Server 2016 and newer, it should be available by default. Run $PSVersionTable.PSVersion to check your PowerShell version.
Issue 2: DNS Resolution Fails / No Records Found
Problem: The command returns no records, or an error like "DNS server reported that the name does not exist."
Solution:
- Check Network Connectivity: Ensure your system has an active internet connection. Try pinging a reliable external IP address (e.g., ping 8.8.8.8).
- Verify Domain Name: Double-check the spelling of the domain name. Typos are common.
- Test with a Different DNS Server: Your configured DNS servers might be experiencing issues. Try specifying a public DNS server like Google (8.8.8.8) or Cloudflare (1.1.1.1) using the -Server parameter. Example: Resolve-DnsName -Name example.com -Server 8.8.8.8.
- Clear Local DNS Cache: Your local DNS client cache might hold outdated or incorrect entries. Run Clear-DnsClientCache in an elevated PowerShell prompt.
Issue 3: Incorrect or Incomplete Records Returned
Problem: The lookup returns records, but they appear outdated, incomplete, or incorrect compared to other sources.
Solution:
- DNS Propagation Delay: If DNS records were recently changed, it might take time for changes to propagate across the internet. This can vary from minutes to 48 hours, depending on TTL settings.
- Specify Authoritative DNS Server: Directly query the authoritative name servers for the domain (found via NS lookup) to bypass caching issues from intermediate DNS servers.
- Verify TTL: Observe the TTL (Time To Live) value in the output. A high TTL means changes will take longer to update everywhere.
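The authoritative-server check described above can be scripted so that each recursive resolver is compared against what the zone's own name servers return. This is an added example, not part of the original guide: the function names and the example.test answers are hypothetical, and it compares A records only.

```powershell
# Added example; function names are hypothetical.
function Get-DnsAnswerSet {
    param([string]$Name, [string]$Server)
    # -DnsOnly and -NoHostsFile keep LLMNR, NetBIOS and the local hosts file out of the result.
    $query = @{ Name = $Name; Type = 'A'; Server = $Server; DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    try {
        $ips = Resolve-DnsName @query | Where-Object { "$($_.Type)" -eq 'A' } | ForEach-Object { $_.IPAddress }
        $answer = ($ips | Sort-Object) -join ','     # sorted so round-robin order does not matter
    }
    catch { $answer = "ERROR: $($_.Exception.Message)" }
    [pscustomobject]@{ Server = $Server; Answer = $answer }
}

function Compare-ToAuthoritative {
    param([object[]]$Answer, [string[]]$AuthoritativeServer)
    $truth = @($Answer | Where-Object { $_.Server -in $AuthoritativeServer } |
               Select-Object -ExpandProperty Answer -Unique)
    foreach ($a in $Answer | Where-Object { $_.Server -notin $AuthoritativeServer }) {
        $status = if ($truth.Count -ne 1) { 'authoritative servers disagree' }
                  elseif ($a.Answer -eq $truth[0]) { 'match' }
                  else { 'stale or divergent' }
        [pscustomobject]@{ Server = $a.Server; Answer = $a.Answer; Authoritative = ($truth -join ' | '); Status = $status }
    }
}

# Constructed answers (documentation address ranges), so the comparison runs offline.
$constructed = @(
    [pscustomobject]@{ Server = 'ns1.example.test'; Answer = '192.0.2.10' }
    [pscustomobject]@{ Server = 'ns2.example.test'; Answer = '192.0.2.10' }
    [pscustomobject]@{ Server = '1.1.1.1';          Answer = '192.0.2.10' }
    [pscustomobject]@{ Server = '8.8.8.8';          Answer = '198.51.100.7' }
)
Compare-ToAuthoritative -Answer $constructed -AuthoritativeServer 'ns1.example.test', 'ns2.example.test'

# Live use: find the name servers, query them and the public resolvers, then compare.
# $ns  = (Resolve-DnsName -Name secably.com -Type NS -DnsOnly | Where-Object { "$($_.Type)" -eq 'NS' }).NameHost
# $all = (@($ns) + '1.1.1.1', '8.8.8.8') | ForEach-Object { Get-DnsAnswerSet -Name secably.com -Server $_ }
# Compare-ToAuthoritative -Answer $all -AuthoritativeServer $ns
```

A mismatch is a prompt to look closer rather than proof of a problem: CDNs and geo-aware DNS return different address sets by design.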
Issue 4: Permission Denied or Access Issues
Problem: You encounter errors related to permissions, especially when clearing the DNS cache or exporting files.
Solution:
- Run as Administrator: Many administrative tasks in PowerShell, such as clearing the DNS client cache or writing to protected directories, require elevated privileges. Close your current PowerShell session and reopen it by right-clicking the PowerShell icon and selecting "Run as administrator."
- Check File Path Permissions: If exporting to a file fails, ensure your user account has write permissions to the target directory (e.g., C:\Temp\ is generally writable, but C:\Program Files\ is not).