DNS is short for the Domain Name System. This is a service that maps IP addresses to domain names. The domain name is a concept of the World Wide Web. The Web doesn’t have its own transport system. Instead, it travels over IP-based networks. The devices that pass data around don’t understand domain names – they deal with IP addresses. DNS reconciles between these two addressing standards.
Nslookup is a networking utility that is available at the command line of any computer that has a network card. The command’s name derives from “name server lookup.” Its purpose is to query the default domain name server and return information on those mappings between domain names and IP addresses.
Networks run their own DNS servers to record the mappings between hostnames and IP addresses within the private domain. If the network gives access to the internet, the system’s users will also get access to a DNS server for internet domain names.
How DNS works
There are a number of applications that need to initiate a DNS reference call. For example, we will look at how a Web browser functions. Once the address of a Web page gets into the address bar of a browser, the search for that requested Web page begins.
The browser needs to know the IP address of the host for that Web page before it can go and request the code that builds the page. In order to do this, it only needs to work with the domain name. So, given an address such as https://www.comparitech.com/net-admin/what-is-saas-monitoring/, the browser focuses on the www.comparitech.com part, and in fact, initially, just comparitech.com.
The first step that the browser takes to get the IP address of the computer that hosts comparitech.com is to look in its own storage system. This is called a cache. Browsers store the DNS resolution information for frequently-accessed sites. If the address isn’t there, the browser has to contact a DNS resolver. This service is also called a recursive resolver, or a DNS recursor. The resolver implements a number of transactions in order to identify the IP address that is associated with a given domain name.
The DNS resolver checks in its own cache for the IP address – the resolver serves many browsers and so might have recently been asked for the address of the requested domain’s host by another client and then stored the results. If that doesn’t bring up a result, the DNS resolver enters a routine:
- The resolver contacts a root DNS server. There are 13 root DNS servers in the world and every recursive server has all of its contact details. The root nameserver returns the address of a TLD nameserver (top-level domain) to contact.
- The DNS resolver contacts the TLD nameserver and receives back the address of an authoritative nameserver for the given domain name.
- The DNS recursor contacts the authoritative name server, giving the domain name that it needs to reference, and gets back the IP address associated with that domain name.
- The DNS resolver returns the IP address to the browser that requested the DNS resolution.
This process is explained in the diagram below. The numbers on each arrow indicate the sequence of transmissions and not the step numbers in the list above.
Network DNS systems
The DNS system that operates on a private network is a little different from the methods used by the global DNS service.
Some applications use hostnames to identify the destination of their communications on the network. This is a very good strategy to use on networks that use the Dynamic Host Configuration Protocol (DHCP) because that scenario changes the allocation of IP addresses to devices on the network.
DHCP “leases” IP addresses to all of the network-connected devices. Those addresses are not fixed forever, so if networked applications relied on IP addresses to identify other equipment, they would periodically end up sending data to the wrong device as IP addresses get reallocated or sending it to an address that is no longer associated with any device.
So, in the network environment, the DNS server has a hostname for each device. When the DHCP server allocates an IP address to a device, it passes that information on to the DNS server, which updates its records for that hostname.
The DNS server and the DHCP server are part of a suite of network facilities that need to keep constantly coordinated on the status of IP addresses. This group of facilities is known as DDI. The I in DDI stands for IP Address Manager or IPAM. The IPAM checks on the usage of each IP address enabling it to spot when an address has been abandoned but not reclaimed by the DHCP server. In such a case, both the DHCP server and the DNS server need to be updated.
A network DNS server receives queries with two types of addresses to reference: hostnames and domain names. When a network DNS server receives a domain name to dereference, it passes that through to an external DNS resolver if it hasn’t already stored the IP address for the domain in its cache.
A DNS server stores address mappings in a plain text file. This is called a DNS zone file. Each line of text in the file is called a DNS resource record. A typical resource record has the following fields:
|Owner Name||It is also known as the left-hand name, this the domain name|
|TTL||The length of time that the record can be cached – it’s refresh time.|
|Class||Usually IN for “Internet.”|
|Type||Examples are A, AAAA, CNAME|
|Value||The IP address.|
There are 31 possible values for the Type field. This is represented by a code and the most common of these are:
|A||The record that holds the IP address of a domain (IPv4)
|AAAA||The IPv6 address of a domain|
|CNAME||Forwards a domain or subdomain to another (doesn’t contain an address)|
|MX||Directs mail to an email server|
|TXT||Lets an admin store text notes in the record|
|NS||Stores the name server for a DNS entry|
|SOA||Stores admin information about a domain|
|SRV||Specifies a port for specific services|
|PTR||Provides a domain name in reverse-lookups|
Of all of these types, when an inquiry is looking for a host address in order to access a Web page, it wants the A record.
A faulty DNS record stops all possibilities of communicating with a host. Without a corresponding IP address, there can be no way for any browser to access a page on a website. Sometimes, DNS records are intentionally incorrect.
Authoritarian regimes and controlling Internet service providers use a method, called a DNS sinkhole to block access to certain sites. In this strategy, the DNS zone file doesn’t contain the real IP address of the host of a domain. Instead, the blocker puts a fake, unassigned address or an address that leads to a page with a warning message rather than the intended website.
DNS troubleshooting with nslookup
Nslookup is a command-line environment. When you enter the command nslookup, it takes you through to a new prompt, away from the operating system. To get back to the operating system prompt, you need to type the exit command.
As well as granting entry to the environment, the nslookup command can be run at the command line with a string of options and parameters.
To get to the command line in Windows, type cmd in the Start menu search bar and then select the Command Prompt app that appears in the results popup.
To enter the nslookup environment, just type nslookup and press RETURN.
A list of nslookup options is available if you type help or ?.
Here is the format of a query within nslookup.
NAME - print info about the host/domain NAME using the default server NAME1 NAME2 - as above, but use NAME2 as server help or ? - print info on common commands set OPTION - set an option server NAME - set default server to NAME, using the current default server lserver NAME - set default server to NAME, using the initial server root - set current default server to the root ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE) view FILE - sort an 'ls' output file and view it with pg exit - exits the program
The basic query function in this list is the NAME instruction. That means you just have to type in a domain and hit return to get its DNS entry.
C:\Windows\system32>nslookup Default Server: cache1.service.virginmedia.net Address: 126.96.36.199 > comparitech.com Server: cache1.service.virginmedia.net Address: 188.8.131.52 Non-authoritative answer: Name: comparitech.com Address: 184.108.40.206 > google.com Server: cache1.service.virginmedia.net Address: 220.127.116.11 Non-authoritative answer: Name: google.com Addresses: 2a00:1450:4009:81a::200e 18.104.22.168 >
In the above query, the computer referred to its nearest DNS server by default, which is one provided by the ISP, Virgin Media. In the case of the query for the comparitech.com host address, the DNS server returned an IPv4 address. In the case of the query for google.com, the DNS server returned an IPv6 address and then an IPv4 address.
Investigating DNS problems
Here is an attempt to access the NordVPN website. The browser reports a problem.
It seems as though there is something wrong with the NordVPN web server. Chrome reports that the site doesn’t have a valid SSL certificate. Dear oh dear. Attempts to get to ExpressVPN.com and Pornhub.com were also unsuccessful.
Let’s take a look at the DNS records for those three sites with nslookup.
C:\Windows\system32>nslookup Default Server: cache1.service.virginmedia.net Address: 22.214.171.124 > nordvpn.com Server: cache1.service.virginmedia.net Address: 126.96.36.199 Non-authoritative answer: Name: nordvpn.com Addresses: 2a02:8801:200:1::1 188.8.131.52 > expressvpn.com Server: cache1.service.virginmedia.net Address: 184.108.40.206 Non-authoritative answer: Name: expressvpn.com Addresses: 2a02:8801:200:1::1 220.127.116.11 > pornhub.com Server: cache1.service.virginmedia.net Address: 18.104.22.168 Non-authoritative answer: Name: pornhub.com Addresses: 2a02:8801:200:1::1 22.214.171.124
Strangely, all three websites have the same IP address, according to the Virgin Media DNS server: 126.96.36.199. Is that possible? Do the two rival VPN services plus a porn site all operate from the same IP address? Why can’t these three successful online businesses afford to pay for a valid SSL certificate between them?
Fortunately, the nslookup query system allows users to query a different DNS server other than the default just by putting its name or address after the domain name in the query. Cloudflare operates a global DNS service from the IP address 188.8.131.52. Here are its records for NordVPN, ExpressVPN, and Pornhub.
C:\Windows\system32>nslookup Default Server: cache1.service.virginmedia.net Address: 184.108.40.206 > nordvpn.com 220.127.116.11 Server: [18.104.22.168] Address: 22.214.171.124 Non-authoritative answer: Name: nordvpn.com Addresses: 126.96.36.199 188.8.131.52 > expressvpn.com 184.108.40.206 Server: [220.127.116.11] Address: 18.104.22.168 Non-authoritative answer: Name: expressvpn.com Addresses: 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 > pornhub.com 220.127.116.11 Server: [18.104.22.168] Address: 22.214.171.124 Non-authoritative answer: Name: pornhub.com Address: 126.96.36.199 >
Wow. It turns out that, according to Cloudflare DNS, these three sites don’t have the same IP address. In fact, NordVPN has two addresses and ExpressVPN has four.
Virgin Media is owned by Liberty Global, which is the largest broadband service provider in the world outside of the USA. Of course, such a prominent Internet service provider isn’t going to get the resource records for these three major eCommerce sites wrong – it has deployed a DNS sinkhole.
Switching the default DNS server
In the investigation into connection problems shown above, there is little that can be done to fix the problem. There is no point contacting the ISP to tell them that its DNS server is wrong because they already know. In their opinion, the entry is right – those sites are intentionally blocked.
Happily, it is very easy to change the default DNS server. In order to do this, you need administrator privileges, so close down your Command Prompt window, go back to the Start search field, and enter cmd. This time, click Run as Administrator underneath the Command Prompt headline in the search results screen.
In the Command Prompt window:
- Enter netsh
- At the netsh prompt, enter interface ip show config
- Look for the interface that you want to change the DNS server for. Note down its name.
- Enter interface ip set dns <interface_name> static <DNS_IP_address>
- Run interface ip show config again to check that the DNS server has been updated.
Here is an example run. First, here is part of the output from interface ip show config.
Configuration for interface "WiFi" DHCP enabled: Yes IP Address: 192.168.0.38 Subnet Prefix: 192.168.0.0/24 (mask 255.255.255.0) Default Gateway: 192.168.0.1 Gateway Metric: 0 InterfaceMetric: 55 DNS servers configured through DHCP: 188.8.131.52 184.108.40.206 Register with which suffix: Primary only WINS servers configured through DHCP: None
I want to change the WiFi interface settings.
netsh>interface ip set dns "WiFi" static 220.127.116.11
Now, here are the results of the interface status inquiry after the change.
Configuration for interface "WiFi" DHCP enabled: Yes IP Address: 192.168.0.38 Subnet Prefix: 192.168.0.0/24 (mask 255.255.255.0) Default Gateway: 192.168.0.1 Gateway Metric: 0 InterfaceMetric: 55 Statically Configured DNS Servers: 18.104.22.168 Register with which suffix: Primary only WINS servers configured through DHCP: None
For a check on the addresses reported by nslookup, here are the results for nordvpn.com after the DNS server change.
C:\Windows\system32>nslookup nordvpn.com Server: one.one.one.one Address: 22.214.171.124 Non-authoritative answer: Name: nordvpn.com Addresses: 126.96.36.199 188.8.131.52 C:\Windows\system32>
Here is the result when accessing NordVPN through a browser after the change in the default DNS server.
Network and internet access problems can often be caused by DNS resource records. If you are in charge of your network in a business and you run your own DNS server, you need to look at whether the DNS server is being updated by the DHCP server. If there is one device on the network that no one can reach, check its DNS record first and look whether there is a record there at all and then if the IP address listed is the right one.
If you have no control over the DNS server and you seem to be getting erroneous reports of websites not being available, try the nslookup check and then complain to the network manager that the system default DNS server is wrong. If you are a private user, test domain name records in other DNS servers like in the example above. If the DNS server is wrong about the address of a site, just switch to a different default DNS server.
Try these free, global DNS servers that usually do not experience problems:
- Google DNS: 184.108.40.206 and 220.127.116.11
- Cloudflare: 18.104.22.168 and 22.214.171.124
- Open DNS: 126.96.36.199 and 188.8.131.52
Does nslookup query DNS?
The nslookup command was created to query DNS records. It is a command line tool and is available on all operating systems that connect to a network.
How do I view a TXT record in nslookup?
In order to see the text records that are attached to a DNS entry, open a Command Prompt window and enter nslookup -q=TXT <domain name>.
What are the five main DNS record types?
There are 31 different DNS record types. Perhaps, the five most important of these are:
- A – IPv4 host address
- AAAA – IPv6 host address
- CNAME – Canonical name for an alias
- MX – Mail exchange
- TXT – Text notes