The default nslookup format described in the preceding sections provides good, simple information regarding the hostname requested. If you would like to see other DNS record types, you must use options for nslookup. The nslookup options can be specified on the command line, but it is often easier to use nslookup in interactive mode.
To enter interactive mode, simply type nslookup at the command prompt without any parameters. The default DNS server used will be displayed, along with an nslookup prompt:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
>
At the nslookup prompt, you can enter a variety of special commands to modify the behavior of the nslookup query, as described in Table 4.5.
Table 4.5: nslookup Commands
Command          Description
NAME             Resolves the hostname NAME
NAME1 NAME2      Resolves the hostname NAME1 using DNS server NAME2
Help             Lists all the available nslookup commands and options
Set              Sets an nslookup option
Server NAME      Sets the default DNS server to NAME, using the current default server
Lserver NAME     Sets the default DNS server to NAME, using the initial server
Finger [USER]    Uses the Finger utility to find USER at the current default host
Root             Sets the current default DNS server to the root server
ls DOMAIN        Lists all registered addresses in DOMAIN
View             Views a file created with the ls command
Exit             Exits the nslookup command mode
As you can see in Table 4.5, you use the set command to establish various options for the DNS query. These options are defined in Table 4.6, and a few of the most commonly used are discussed in the sections that follow.
Table 4.6: nslookup Set Options
Option                    Description
All                       Prints the options, current server, and host
[no]debug                 Prints (or doesn't print) debugging information
[no]d2                    Prints (or doesn't print) exhaustive debugging information
[no]defname               Appends (or doesn't append) domain name to each query
[no]recurse               Asks for recursive answer to each query
[no]search                Uses domain search list
[no]vc                    Always uses a virtual circuit
Domain=NAME               Sets default domain name to NAME
Srchlist=N1[/N2/.../N6]   Sets domain to N1 and search list to N1, N2, etc.
root=NAME                 Sets DNS root server to NAME
Retry=X                   Sets number of retries to X
Timeout=X                 Sets initial timeout interval to X seconds
type=X                    Sets query type
Querytype=X               Sets query type
Class=X                   Sets query class
[no]msxfr                 Uses Microsoft fast zone transfer
Ixfrver=X                 Sets the current version to use in IXFR transfer request
The debug Option
The debug option allows you to watch the DNS communication with the DNS server. Listing 4.4 shows a sample DNS query with the debug option turned on. This information shows exactly what you saw in the WinDump results: the original query for the www.microsoft.com hostname and the answer indicating that it was an alias for the www.microsoft.akadns.net host, along with all the IP addresses associated with it.
Listing 4.4: nslookup query with debug on
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set debug
> www.microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 7, authority records = 7, additional = 7
    QUESTIONS:
        www.microsoft.com, type = A, class = IN
    ANSWERS:
    -> www.microsoft.com
       canonical name = www.microsoft.akadns.net
       ttl = 7116 (1 hour 58 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.219
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.220
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.100
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.218
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.102
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.113
       ttl = 216 (3 mins 36 secs)
    AUTHORITY RECORDS:
    -> akadns.net
       nameserver = ZA.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZC.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZD.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZE.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZF.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZG.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZH.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    ADDITIONAL RECORDS:
    -> ZA.akadns.net
       internet address = 216.32.65.105
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZC.akadns.net
       internet address = 63.241.199.50
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZD.akadns.net
       internet address = 206.132.160.36
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZE.akadns.net
       internet address = 12.47.217.11
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
       internet address = 63.215.198.79
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZG.akadns.net
       internet address = 204.248.36.131
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZH.akadns.net
       internet address = 63.208.48.42
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
Non-authoritative answer:
Name: www.microsoft.akadns.net
Addresses: 207.46.230.219, 207.46.230.220, 207.46.197.100, 207.46.230.218
           207.46.197.102, 207.46.197.113
Aliases: www.microsoft.com
> exit
C:\>
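To relate the HEADER and QUESTIONS lines of Listing 4.4 to the bytes on the wire, the following added example (not part of the original text) decodes the 12-byte DNS header and the first question of a message. The sample message is constructed to match the listing; the labels "want recursion" and "recursion avail." follow the listing, the other flag labels are descriptive choices.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX"}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Single-bit flags in the 16-bit field that follows the message ID.
FLAG_BITS = [(0x0400, "authoritative"), (0x0200, "truncated"),
             (0x0100, "want recursion"), (0x0080, "recursion avail.")]

def decode_header(msg: bytes) -> dict:
    """Decode the fixed DNS header and, if present, the first question."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    names = ["response" if flags & 0x8000 else "query"]
    names += [label for bit, label in FLAG_BITS if flags & bit]
    out = {"id": ident,
           "opcode": OPCODES.get((flags >> 11) & 0xF, "UNKNOWN"),
           "rcode": RCODES.get(flags & 0xF, "UNKNOWN"),
           "flags": names,
           "counts": (qd, an, ns, ar)}  # questions, answers, authority, additional
    if qd:
        labels, pos = [], 12
        while msg[pos]:  # length-prefixed labels; a zero byte ends the name
            if msg[pos] & 0xC0:
                raise ValueError("compressed or invalid label in question")
            labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
            pos += 1 + msg[pos]
        qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
        out["question"] = (".".join(labels), QTYPES.get(qtype, str(qtype)),
                           "IN" if qclass == 1 else str(qclass))
    return out

def constructed_sample() -> bytes:
    """Constructed bytes matching the HEADER and QUESTIONS lines of Listing 4.4."""
    header = struct.pack("!6H", 2, 0x8180, 1, 7, 7, 7)  # id=2, response+RD+RA
    qname = b"".join(bytes([len(p)]) + p.encode()
                     for p in "www.microsoft.com".split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # type A, class IN

if __name__ == "__main__":
    print(decode_header(constructed_sample()))
```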
The querytype Option
Another useful capability is setting the querytype. You can use this option to narrow down specific information regarding a host, or even regarding a complete domain. For example, you can set the query type to SOA to retrieve the SOA record for the domain:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set querytype=soa
> microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
microsoft.com
        primary name server = dns.cp.msft.net
        responsible mail addr = msnhst.microsoft.com
        serial = 2002061201
        refresh = 900 (15 mins)
        retry = 600 (10 mins)
        expire = 7200000 (83 days 8 hours)
        default TTL = 7200 (2 hours)
dns.cp.msft.net internet address = 207.46.138.10
>
You can see the entire SOA record for the requested domain, as it is defined in the local DNS server. This will also work when you are trying to determine the mail servers for a particular domain, as shown in the following example:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set querytype=mx
> microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com
maila.microsoft.com internet address = 131.107.3.125
maila.microsoft.com internet address = 131.107.3.124
mailb.microsoft.com internet address = 131.107.3.123
mailb.microsoft.com internet address = 131.107.3.122
mailc.microsoft.com internet address = 131.107.3.126
mailc.microsoft.com internet address = 131.107.3.121
>
The results show that there are three separate mail servers defined for the microsoft.com domain. The information shows the mail server hostnames, along with their individual IP addresses.
The Domain Dump Option (ls)
The ls option of the nslookup command allows system administrators to obtain a complete dump of the defined DNS database for a domain. With this option, you can investigate all the DNS records for an entire domain. Be forewarned, though: I say "can" because it is not guaranteed to work. Many DNS servers disable this command to prevent unauthorized users from seeing the entire DNS database.
If you do have access to the ls command on a DNS server, you can dump the complete DNS database to a file by using the redirection command (>):
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> ls testdomain.com > td.txt
> view td.txt
The view command can then be used to view the downloaded text file, which contains the DNS database for the domain.
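The ls command obtains its dump by requesting a zone transfer, so a server operator can spot such requests by their query type. The following added example (not part of the original text) flags AXFR and IXFR queries that arrive from hosts other than the zone's secondaries. It assumes each event is a source address plus the raw DNS query with any TCP length prefix already removed; the addresses and the build_query helper are constructed for illustration.

```python
import ipaddress
import struct

XFR_TYPES = {251: "IXFR", 252: "AXFR"}  # query types that request zone contents

def xfr_kind(msg: bytes):
    """Return 'AXFR' or 'IXFR' if msg is a query asking for a zone transfer, else None."""
    if len(msg) < 17:  # 12-byte header + root name + type + class
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount != 1:  # responses and odd question counts are not requests
        return None
    pos = 12
    try:
        while msg[pos]:  # skip the length-prefixed labels of the zone name
            pos += 1 + msg[pos]
        (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    except (IndexError, struct.error):
        return None  # truncated or malformed question
    return XFR_TYPES.get(qtype)

def unauthorized_transfers(events, secondaries):
    """Return [(source_ip, kind)] for transfer requests from outside the secondaries."""
    allowed = [ipaddress.ip_network(n) for n in secondaries]
    hits = []
    for src, raw in events:
        kind = xfr_kind(raw)
        if kind and not any(ipaddress.ip_address(src) in net for net in allowed):
            hits.append((src, kind))
    return hits

def build_query(name: str, qtype: int, ident: int = 1) -> bytes:
    """Build a constructed DNS query for the sample data below."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed sample: 192.0.2.53 is the assumed secondary; the others are ordinary clients.
SAMPLE_EVENTS = [
    ("192.0.2.53", build_query("testdomain.com", 252)),      # AXFR from the secondary
    ("198.51.100.7", build_query("testdomain.com", 252)),    # AXFR from a client
    ("198.51.100.9", build_query("www.testdomain.com", 1)),  # ordinary A lookup
    ("203.0.113.4", build_query("testdomain.com", 251)),     # IXFR from an unknown host
]

if __name__ == "__main__":
    print(unauthorized_transfers(SAMPLE_EVENTS, ["192.0.2.53/32"]))
```

Detection of this kind complements, rather than replaces, configuring the DNS server to allow zone transfers only to its secondaries.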