Nslookup How to Check DNS Records

DNS is short for the Domain Name System. This is a service that maps IP addresses to domain names. The domain name is a concept of the World Wide Web. The Web doesn’t have its own transport system. Instead, it travels over IP-based networks. The devices that pass data around don’t understand domain names – they deal with IP addresses. DNS reconciles between these two addressing standards.

Nslookup is a networking utility that is available at the command line of any computer that has a network card. The command’s name derives from “name server lookup.” Its purpose is to query the default domain name server and return information on those mappings between domain names and IP addresses.

Networks run their own DNS servers to record the mappings between hostnames and IP addresses within the private domain. If the network gives access to the internet, the system’s users will also get access to a DNS server for internet domain names.

How DNS works

There are a number of applications that need to initiate a DNS reference call. For example, we will look at how a Web browser functions. Once the address of a Web page gets into the address bar of a browser, the search for that requested Web page begins.

The browser needs to know the IP address of the host for that Web page before it can go and request the code that builds the page. In order to do this, it only needs to work with the domain name. So, given an address such as https://www.comparitech.com/net-admin/what-is-saas-monitoring/, the browser focuses on the www.comparitech.com part, and in fact, initially, just comparitech.com.

The first step that the browser takes to get the IP address of the computer that hosts comparitech.com is to look in its own storage system. This is called a cache. Browsers store the DNS resolution information for frequently-accessed sites. If the address isn’t there, the browser has to contact a DNS resolver. This service is also called a recursive resolver, or a DNS recursor. The resolver implements a number of transactions in order to identify the IP address that is associated with a given domain name.

The DNS resolver checks in its own cache for the IP address – the resolver serves many browsers and so might have recently been asked for the address of the requested domain’s host by another client and then stored the results. If that doesn’t bring up a result, the DNS resolver enters a routine:

  1. The resolver contacts a root DNS server. There are 13 root DNS servers in the world and every recursive server has all of its contact details. The root nameserver returns the address of a TLD nameserver (top-level domain) to contact.
  2. The DNS resolver contacts the TLD nameserver and receives back the address of an authoritative nameserver for the given domain name.
  3. The DNS recursor contacts the authoritative name server, giving the domain name that it needs to reference, and gets back the IP address associated with that domain name.
  4. The DNS resolver returns the IP address to the browser that requested the DNS resolution.

This process is explained in the diagram below. The numbers on each arrow indicate the sequence of transmissions and not the step numbers in the list above.

How DNS works

Network DNS systems

The DNS system that operates on a private network is a little different from the methods used by the global DNS service.

Some applications use hostnames to identify the destination of their communications on the network. This is a very good strategy to use on networks that use the Dynamic Host Configuration Protocol (DHCP) because that scenario changes the allocation of IP addresses to devices on the network.

DHCP “leases” IP addresses to all of the network-connected devices. Those addresses are not fixed forever, so if networked applications relied on IP addresses to identify other equipment, they would periodically end up sending data to the wrong device as IP addresses get reallocated or sending it to an address that is no longer associated with any device.

So, in the network environment, the DNS server has a hostname for each device. When the DHCP server allocates an IP address to a device, it passes that information on to the DNS server, which updates its records for that hostname.

The DNS server and the DHCP server are part of a suite of network facilities that need to keep constantly coordinated on the status of IP addresses. This group of facilities is known as DDI. The I in DDI stands for IP Address Manager or IPAM. The IPAM checks on the usage of each IP address enabling it to spot when an address has been abandoned but not reclaimed by the DHCP server. In such a case, both the DHCP server and the DNS server need to be updated.

A network DNS server receives queries with two types of addresses to reference: hostnames and domain names. When a network DNS server receives a domain name to dereference, it passes that through to an external DNS resolver if it hasn’t already stored the IP address for the domain in its cache.

DNS format

A DNS server stores address mappings in a plain text file. This is called a DNS zone file. Each line of text in the file is called a DNS resource record. A typical resource record has the following fields:

Owner Name
It is also known as the left-hand name, this the domain name
TTL
The length of time that the record can be cached – it’s refresh time.
Class
Usually IN for “Internet.”
Type
Examples are A, AAAA, CNAME
ValueThe IP address.

There are 31 possible values for the Type field. This is represented by a code and the most common of these are:

AThe record that holds the IP address of a domain (IPv4)
AAAAThe IPv6 address of a domain
CNAMEForwards a domain or subdomain to another (doesn’t contain an address)
MXDirects mail to an email server
TXTLets an admin store text notes in the record
NSStores the name server for a DNS entry
SOAStores admin information about a domain
SRVSpecifies a port for specific services
PTRProvides a domain name in reverse-lookups

Of all of these types, when an inquiry is looking for a host address in order to access a Web page, it wants the A record.

DNS problems

A faulty DNS record stops all possibilities of communicating with a host. Without a corresponding IP address, there can be no way for any browser to access a page on a website. Sometimes, DNS records are intentionally incorrect.

Authoritarian regimes and controlling Internet service providers use a method, called a DNS sinkhole to block access to certain sites. In this strategy, the DNS zone file doesn’t contain the real IP address of the host of a domain. Instead, the blocker puts a fake, unassigned address or an address that leads to a page with a warning message rather than the intended website.

DNS troubleshooting with nslookup

Nslookup is a command-line environment. When you enter the command nslookup, it takes you through to a new prompt, away from the operating system. To get back to the operating system prompt, you need to type the exit command.

As well as granting entry to the environment, the nslookup command can be run at the command line with a string of options and parameters.

To get to the command line in Windows, type cmd in the Start menu search bar and then select the Command Prompt app that appears in the results popup.

Command Prompt

To enter the nslookup environment, just type nslookup and press RETURN.

A list of nslookup options is available if you type help or ?.

Here is the format of a query within nslookup.

NAME                      - print info about the host/domain NAME using the default server
NAME1 NAME2               - as above, but use NAME2 as server
help or ?                 - print info on common commands
set OPTION                - set an option
server NAME               - set default server to NAME, using the current default server
lserver NAME              - set default server to NAME, using the initial server
root                      - set current default server to the root
ls [opt] DOMAIN [> FILE]  - list addresses in DOMAIN (optional: output to FILE)
view FILE                 - sort an 'ls' output file and view it with pg
exit                      - exits the program

The basic query function in this list is the NAME instruction. That means you just have to type in a domain and hit return to get its DNS entry.

For example:

C:\Windows\system32>nslookup
Default Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
> comparitech.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
Non-authoritative answer:
Name: comparitech.com
Address:  95.168.178.100
 
> google.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
Non-authoritative answer:
Name: google.com
Addresses:  2a00:1450:4009:81a::200e
       216.58.210.206
 
> 
 

In the above query, the computer referred to its nearest DNS server by default, which is one provided by the ISP, Virgin Media. In the case of the query for the comparitech.com host address, the DNS server returned an IPv4 address. In the case of the query for google.com, the DNS server returned an IPv6 address and then an IPv4 address.

Investigating DNS problems

Here is an attempt to access the NordVPN website. The browser reports a problem.

DNS problems

It seems as though there is something wrong with the NordVPN web server. Chrome reports that the site doesn’t have a valid SSL certificate. Dear oh dear. Attempts to get to ExpressVPN.com and Pornhub.com were also unsuccessful.

Let’s take a look at the DNS records for those three sites with nslookup.

C:\Windows\system32>nslookup
Default Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
> nordvpn.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
Non-authoritative answer:
Name: nordvpn.com
Addresses:  2a02:8801:200:1::1
       81.99.162.48
 
> expressvpn.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
Non-authoritative answer:
Name: expressvpn.com
Addresses:  2a02:8801:200:1::1
       81.99.162.48
 
> pornhub.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
Non-authoritative answer:
Name: pornhub.com
Addresses:  2a02:8801:200:1::1
       81.99.162.48

Strangely, all three websites have the same IP address, according to the Virgin Media DNS server: 81.99.162.48. Is that possible? Do the two rival VPN services plus a porn site all operate from the same IP address? Why can’t these three successful online businesses afford to pay for a valid SSL certificate between them?

Fortunately, the nslookup query system allows users to query a different DNS server other than the default just by putting its name or address after the domain name in the query. Cloudflare operates a global DNS service from the IP address 1.1.1.1. Here are its records for NordVPN, ExpressVPN, and Pornhub.

C:\Windows\system32>nslookup
Default Server:  cache1.service.virginmedia.net
Address:  194.168.4.100
 
> nordvpn.com 1.1.1.1
Server:  [1.1.1.1]
Address:  1.1.1.1
 
Non-authoritative answer:
Name: nordvpn.com
Addresses:  104.17.49.74
       104.17.50.74
 
> expressvpn.com 1.1.1.1
Server:  [1.1.1.1]
Address:  1.1.1.1
 
Non-authoritative answer:
Name: expressvpn.com
Addresses:  13.224.246.124
       13.224.246.69
       13.224.246.98
       13.224.246.76
 
> pornhub.com 1.1.1.1
Server:  [1.1.1.1]
Address:  1.1.1.1
 
Non-authoritative answer:
Name: pornhub.com
Address:  66.254.114.41
 
>

Wow. It turns out that, according to Cloudflare DNS, these three sites don’t have the same IP address. In fact, NordVPN has two addresses and ExpressVPN has four.

Virgin Media is owned by Liberty Global, which is the largest broadband service provider in the world outside of the USA. Of course, such a prominent Internet service provider isn’t going to get the resource records for these three major eCommerce sites wrong – it has deployed a DNS sinkhole.

Switching the default DNS server

In the investigation into connection problems shown above, there is little that can be done to fix the problem. There is no point contacting the ISP to tell them that its DNS server is wrong because they already know. In their opinion, the entry is right – those sites are intentionally blocked.

Happily, it is very easy to change the default DNS server. In order to do this, you need administrator privileges, so close down your Command Prompt window, go back to the Start search field, and enter cmd. This time, click Run as Administrator underneath the Command Prompt headline in the search results screen.

In the Command Prompt window:

  1. Enter netsh
  2. At the netsh prompt, enter interface ip show config
  3. Look for the interface that you want to change the DNS server for. Note down its name.
  4. Enter interface ip set dns <interface_name> static <DNS_IP_address>
  5. Run interface ip show config again to check that the DNS server has been updated.

Here is an example run. First, here is part of the output from interface ip show config.

Configuration for interface "WiFi"
DHCP enabled:                      Yes
IP Address:                        192.168.0.38
Subnet Prefix:                     192.168.0.0/24 (mask 255.255.255.0)
Default Gateway:                   192.168.0.1
Gateway Metric:                    0
InterfaceMetric:                   55
DNS servers configured through DHCP:  194.168.4.100
                                          194.168.8.100
Register with which suffix:        Primary only
WINS servers configured through DHCP: None

I want to change the WiFi interface settings.

netsh>interface ip set dns "WiFi" static 1.1.1.1

Now, here are the results of the interface status inquiry after the change.

Configuration for interface "WiFi"
DHCP enabled:                      Yes
IP Address:                        192.168.0.38
Subnet Prefix:                     192.168.0.0/24 (mask 255.255.255.0)
Default Gateway:                   192.168.0.1
Gateway Metric:                    0
InterfaceMetric:                   55
Statically Configured DNS Servers: 1.1.1.1
Register with which suffix:        Primary only
WINS servers configured through DHCP: None

For a check on the addresses reported by nslookup, here are the results for nordvpn.com after the DNS server change.

C:\Windows\system32>nslookup nordvpn.com
Server:  one.one.one.one
Address:  1.1.1.1
 
Non-authoritative answer:
Name: nordvpn.com
Addresses:  104.17.49.74
       104.17.50.74
 
 
C:\Windows\system32>

Here is the result when accessing NordVPN through a browser after the change in the default DNS server.

A change in the default DNS server

The bottom line

Network and internet access problems can often be caused by DNS resource records. If you are in charge of your network in a business and you run your own DNS server, you need to look at whether the DNS server is being updated by the DHCP server. If there is one device on the network that no one can reach, check its DNS record first and look whether there is a record there at all and then if the IP address listed is the right one.

If you have no control over the DNS server and you seem to be getting erroneous reports of websites not being available, try the nslookup check and then complain to the network manager that the system default DNS server is wrong. If you are a private user, test domain name records in other DNS servers like in the example above. If the DNS server is wrong about the address of a site, just switch to a different default DNS server.

Try these free, global DNS servers that usually do not experience problems:

  • Google DNS: 8.8.8.8 and 8.8.4.4
  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Open DNS: 208.67.222.222 and 208.67.220.220

Nslookup FAQs

Does nslookup query DNS?

The nslookup command was created to query DNS records. It is a command line tool and is available on all operating systems that connect to a network.

How do I view a TXT record in nslookup?

In order to see the text records that are attached to a DNS entry, open a Command Prompt window and enter nslookup -q=TXT <domain name>.

What are the five main DNS record types?

There are 31 different DNS record types. Perhaps, the five most important of these are:

  • A – IPv4 host address
  • AAAA – IPv6 host address
  • CNAME – Canonical name for an alias
  • MX – Mail exchange
  • TXT – Text notes