Examining Zones with Nslookup
When you run into DNS problems, the Nslookup utility is the tool of choice for tracking them down. Nslookup enables you to perform selective zone transfers so that you can examine the resource records in a zone. You can also use Nslookup to verify that a DNS server exists, find out what zone it manages, verify that the DNS server holds a particular resource record, and browse the resource records much as you would browse a directory.
Nslookup has two modes: Interactive and Non-Interactive. If you run Nslookup with parameters on the command line, the utility runs in Non-Interactive mode. To see the IP address for www.guam.net and the name servers that are authoritative for the zone holding its A record, for example, issue the nslookup command followed by the name to look up and the name server to query, as follows:
C:\>nslookup www.guam.net c.root-servers.net.
4.33.192.in-addr.arpa nameserver = NS.PSI.NET
NS.PSI.NET internet address = 220.127.116.11
To use the Interactive mode, just enter Nslookup with no parameters.
When you enter Interactive mode, you get a listing of the default name server followed by a command prompt, >:
Default Server: dns1.primenet.net
From the command prompt, enter a question mark (?) to see the list of Nslookup commands.
If you want to see the default settings for Nslookup, use set all. (You cannot just type set like a DOS command. This makes Nslookup think that you are querying for a server named set.) For example,
> set all
Default Server: dns1.primenet.net
nodebug defname search recurse
nod2 novc noignoretc port=53
querytype=A class=IN timeout=2 retry=3
The following sections cover the most common Nslookup interactive commands and Set parameters.
The server command changes the DNS server that fields the Nslookup queries. Be sure to use FQDNs with a trailing dot. For example, if your default name server is dns1.company.com but you want to troubleshoot another DNS server, dns02.company.com, you would enter the following:
> server dns02.company.com.
Default server: dns02.company.com
The lserver command works like server, but it always uses the original (local) default name server to resolve the name of the new server. This lets you escape from a dead end after you use server to switch to a name server that is not authoritative and cannot resolve another server's name. If you use server to change to a name server that has no zone file, you cannot use server again to move to another server, because the current server cannot resolve the new host name. The lserver command gets you out by resolving the name through your home DNS server.
The root command works like the server command in that it changes the default DNS server, but it selects the first server listed in the CACHE.DNS root hints file. This is usually a public Internet root server. If the server uses a private root, the file instead lists one or more internal name servers.
The ls command lists the resource records in a particular zone. In essence, ls performs a zone transfer and displays the selected record type. You can limit the scope of the transfer by specifying a record type with the -t switch. Here is an example showing the host records (A records) in the company.com zone:
> ls -t a company.com.
company.com. A 10.1.1.1
gc._msdcs.company.com. A 10.1.1.1
dns01.branch1.company.com. A 10.3.1.1
dc01.company.com. A 10.1.1.1
nt30.company.com. A 10.1.1.201
If you specify any as the record type, or use the -d switch with ls, Nslookup returns the entire zone file. Use caution: this can be quite an extensive list on some name servers. Use the redirection operator (>) to save the output of ls to a file.
You may be thinking that ls represents a security problem. You would be correct. Because ls works by performing a zone transfer, you can block it by controlling the servers that are allowed to pull a zone transfer. See "Enabling Zone Transfers and Update Notifications" earlier in this chapter for details.
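As an added example that is not from the chapter, the following PowerShell script audits a Windows DNS server for zones that still answer transfers from any client and then restricts one zone to an explicit secondary list, so that an ls from an unlisted host fails. It uses the DnsServer module of Windows Server 2012 and later rather than the Windows 2000 tooling described in this chapter; the zone name company.com and the secondary address 10.1.1.2 are assumptions constructed for the example.

```powershell
# Added example: audit and harden zone-transfer (AXFR) settings on a Windows DNS
# server. Requires the DnsServer PowerShell module (Windows Server 2012 or later).
# Assumed values: zone company.com, sole legitimate secondary 10.1.1.2.

$ZoneName          = 'company.com'
$AllowedSecondaries = @('10.1.1.2')

# 1. Audit: report every primary zone that still allows zone transfers to any
#    server. These are the zones that ls -d can dump from an arbitrary host.
$permissive = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' }

foreach ($zone in $permissive) {
    Write-Warning ("Zone {0} allows zone transfers to any server" -f $zone.ZoneName)
}

# 2. Harden: allow transfers of company.com only to the listed secondaries, and
#    send NOTIFY to the same hosts so they still learn about zone updates.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $AllowedSecondaries `
    -Notify NotifyServers `
    -NotifyServers $AllowedSecondaries

# 3. Verify the resulting settings for the zone.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers |
    Format-List
```

After the change, an ls -d company.com. from a host other than 10.1.1.2 is refused, while the listed secondary continues to transfer the zone normally.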
When debug is set, the report from an interactive command includes debugging information. This information shows the full response to a query, including the intermediate name servers consulted during the search. The following example is the result of a recursive query for roswellnm.org:
> set debug
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 3, additional = 3
roswellnm.org, type = A, class = IN
internet address = 18.104.22.168
ttl = 900 (15 mins)
nameserver = dns1.interland.net
ttl = 0 (0 secs)
internet address = 22.214.171.124
ttl = 900 (15 mins)
The debug option is especially useful for locating improper referrals caused by incorrect delegations.
Set d2 if, in addition to the results of a query, you also need to see the exact format of the query itself as it was sent. Here is the additional d2 information from a roswellnm.org lookup:
> set d2
;truncated to show differences from standard debug listing
SendRequest(), len 32
opcode = QUERY, id = 10, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
Roswellnm.org, type = A, class = IN
You may have noticed a trailing period at the end of each server name in the example lookups. The trailing dot tells Nslookup that the name is fully qualified. If you do not include the period, Nslookup appends the default domain name for the client. If you have a hard time remembering to include the trailing period, you can use set nodefname to tell Nslookup not to append the domain name.
If you want Nslookup queries to emulate a DNS server rather than a DNS client, the queries should be iterative rather than recursive. Use set norecurse to make queries iterative, and set recurse to return to recursive queries.
You can limit or change the scope of a query by setting a particular record type. If you want to query a name server for MX records, for example, give the following command and then enter the name to look up:
> set type=mx
roswellnm.org MX preference = 5, mail exchanger = mail.roswellnm.org
roswellnm.org nameserver = DNS1.INTERLAND.NET
mail.roswellnm.org internet address = 126.96.36.199
DNS1.INTERLAND.NET internet address = 188.8.131.52