The nslookup command for beginners

In this tutorial, we're going to learn how to use the nslookup command, as it's one of the essential commands you need to know as a system and network administrator! Just as you need to know the ping, tracert, ipconfig and other commands... you need to know nslookup. We'll also see that the"Resolve-DnsName" PowerShell command is really interesting!

• Watch the video on YouTube (french version)

The nslookup command is integrated into all Windows operating systems, whether Windows desktop or Windows Server. Easy to use, it is very useful for resolving DNS problems or for quickly checking the status of a DNS record.

Whether it's a problem with a local DNS server (the Active Directory zone, for example) or a public DNS zone, you can use nslookup to obtain information on DNS records and test name resolution on your local machine.

For example, you can check the IP address associated with the domain name "it-connect.fr", check the mail server of a domain (by reading the MX record), or check that the new server you've just created is registered in the DNS zone of your Active Directory domain. There are many examples, but nslookup is the tool that can help you if the problem is DNS-related. We can also use nslookup to verify a change made in a DNS zone.

The nslookup tool is also available for Linux, although there's also the dig tool.

From now on, we're going to learn how to use the nslookup command with several practical examples. Before we begin, please note that the nslookup command is based on the following syntax:

nslookup <options> <domain name or IP address>

Let's start with a very simple, but frequent use case: resolving a domain name to obtain the corresponding IP address. Let's take the example of the domain name "google.fr":

nslookup google.fr

Nslookup returns two IP addresses associated with the domain name "google.fr": an IPv6 address and a IPv4 address. On a domain like Google's, the result is likely to vary from one machine to another, as Google doesn't use just one IP address. On the other hand, if you test on your personal domain, you should obtain your public IP address (e.g. the public IP address of your VPS server, dedicated server, box, etc.).

We can see that the result of the nslookup command begins with two pieces of information: Server and Address, referring to"1.1.1.1". In fact, this is the DNS server requested by nslookup to resolve the name "google.fr". The tool used this DNS server because it is defined as the preferred DNS server on my network interface used to access the Internet:

We'll see later that you can request the DNS server of your choice.

Nslookup can also use a reverse lookup zone to obtain the host name associated with an IP address. Let's take the example of the IP address"9.9.9.9":

nslookup 9.9.9.9

We can see that it is associated with the host name"dns9.quad9.net".

SOA (Start of Authority) and NS records give important information about a domain, including the DNS server with authority over the zone, but also the contact, default TTL, etc...

nslookup -type=soa it-connect.tech

We can see the"primary name server" value associated with"dns104.ovh.net": chances are OVHcloud is the registrar for this domain.

Similar information can be obtained by reading the NS record:

nslookup -type=ns it-connect.tech

It returns :

it-connect.tech nameserver = dns104.ovh.net
it-connect.tech nameserver = ns104.ovh.net

If you want to investigate the messaging part of a domain, you need to consult the domain's MX type record. Simply specify the MX type.

nslookup -type=mx it-connect.tech

This provides information on the mail server(s) for this domain:

it-connect.tech MX preference = 0, mail exchanger = itconnect-tech0e.mail.protection.outlook.com

An answer like the one above is associated with a domain linked to a Microsoft 365 tenant.

To list the resource records of a domain, you need to consult records with the "TXT" type. In the same way as for NS, SOA or CNAME, you simply specify the type as follows:

nslookup -type=txt google.com

Nslookup is not the best tool for enumerating the contents of a DNS zone. There are more suitable tools, such as DNSEnum or Dig, but it can still return a great deal of information. We've seen that you can specify the type of record. The "any" type allows you to return records of different types:

nslookup -type=any google.com

Some DNS servers, such as "1.1.1.1", do not support these requests.

*** one.one.one.one ne parvient pas à trouver google.com : Not implemented

In this case, we can request another DNS server. But how can we do this without modifying the DNS configuration of the machine's network interface? Simply specify the DNS server to be used at the end of the request. For example, to request "8.8.8.8" instead of the DNS server on the network interface, we'll use this syntax :

nslookup -type=any google.com 8.8.8.8
nslookup -type=any it-connect.tech 8.8.8.8

We can see that the output is more complete:

Finally, let's see how to list all the domain controllers in an Active Directory domain with nslookup? If a domain controller is missing from the returned list, there's a problem...!

We can start with a simple query:

nslookup it-connect.local

This command will return the IP addresses of all your domain controllers for this domain.

To go further and obtain more precise information, particularly with names, you need to consult a more specific SRV record stored in the DNS zone of your Active Directory domain:

nslookup -type=SRV _ldap._tcp.it-connect.local

The result of these two orders can be seen in the image below:

The"Resolve-DnsName" PowerShell command is also available on Windows. Like nslookup, it allows you to perform name resolution as we have just done. As it's a PowerShell command, it opens up other possibilities, including possible integration within scripts. You could almost call it a modern nslookup.

Here are a few examples...

• Resolve the hostname it-connect.fr by requesting DNS server 8.8.8.8

Resolve-DnsName it-connect.fr -Server 8.8.8.8

• Get MX (messaging) information for the it-connect.tech domain

Resolve-DnsName it-connect.tech -Type MX

• Resolve the hostname it-connect.tech using only the data in the local DNS cache

Resolve-DnsName it-connect.tech -CacheOnly

• Resolve multiple hostnames with a single command, focusing on IPv4 records (type A)

"google.com", "google.fr" | Resolve-DnsName -Type A

By the way, you can use PowerShell to request nslookup! If we want to do the equivalent of the above command, we need to run :

"google.com", "google.fr" | Foreach{ nslookup -type=A $_ }

The Resolve-DnsName command is also very practical and represents a serious alternative to nslookup, especially if you enjoy PowerShell scripting. It has many options.

• Microsoft Learn - Resolve-DnsName

With this tutorial, you'll be able to easily diagnose your name resolution problems or changes to your DNS zones! Whether you're using nslookup or Resolve-DnsName in PowerShell, you'll have enough examples to become autonomous in the use of these two commands.