What Is NSLOOKUP?
nslookup (Name Server Lookup) is a command-line tool available on Windows, macOS, and Linux that queries Domain Name System (DNS) servers to retrieve information about domain names, IP addresses, and other DNS records. It is one of the most commonly used utilities for diagnosing DNS issues, verifying record propagation, and understanding how a domain is configured.
While more advanced tools like dig are preferred by many system administrators, nslookup remains widely used because it is pre-installed on virtually every operating system and its output is straightforward to read.
Basic Syntax
The simplest form of an nslookup command queries the default DNS server for the A record of a domain:
nslookup example.com
This returns the IP address associated with the domain. The output includes the DNS server that answered the query and the result:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
The "Non-authoritative answer" label means the answering server is not authoritative for the domain: the response came from the DNS resolver (typically from its cache), not directly from the domain's authoritative name server.
Querying Specific Record Types
A Records (IPv4 Address)
A records map a domain to an IPv4 address. This is the default query type:
nslookup example.com
nslookup -type=A example.com
AAAA Records (IPv6 Address)
AAAA records map a domain to an IPv6 address:
nslookup -type=AAAA example.com
example.com has AAAA address 2606:2800:220:1:248:1893:25c8:1946
MX Records (Mail Exchange)
MX records define which mail servers handle email for a domain. This is essential when troubleshooting email delivery issues or verifying DMARC and SPF configurations:
nslookup -type=MX example.com
example.com mail exchanger = 10 mail.example.com.
example.com mail exchanger = 20 mail2.example.com.
The numbers (10, 20) indicate priority. Lower values have higher priority, so mail servers try mail.example.com first.
NS Records (Name Server)
NS records identify the authoritative name servers for a domain:
nslookup -type=NS example.com
example.com nameserver = ns1.example.com.
example.com nameserver = ns2.example.com.
TXT Records
TXT records contain arbitrary text data and are commonly used for SPF records, DKIM keys, domain verification, and other purposes:
nslookup -type=TXT example.com
example.com text = "v=spf1 include:_spf.google.com ~all"
CNAME Records (Canonical Name)
CNAME records create an alias from one domain name to another:
nslookup -type=CNAME www.example.com
www.example.com canonical name = example.com.
SOA Records (Start of Authority)
SOA records contain administrative information about a DNS zone, including the primary name server, the responsible party's email, and timing parameters:
nslookup -type=SOA example.com
Specifying a DNS Server
By default, nslookup queries your system's configured DNS resolver. You can override this by specifying a server as the second argument:
# Query Google's public DNS
nslookup example.com 8.8.8.8
# Query Cloudflare's DNS
nslookup example.com 1.1.1.1
# Query a specific authoritative name server
nslookup example.com ns1.example.com
This is useful for verifying that DNS changes have propagated to specific resolvers, or for comparing results between different DNS providers.
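The propagation check described above, as an added shell example that is not part of the original article: it queries each resolver, keeps only the answer-section addresses, and reports any resolver that disagrees with the expected value. The function names and the `LOOKUP` override are assumptions made for this example, and the parser assumes the BIND-style output format shown on this page.

```sh
#!/bin/sh
# Added example (not from the original article): check whether several
# resolvers return the expected A record for a name. Assumes BIND-style
# nslookup output; Windows nslookup formats its answers differently.

LOOKUP=${LOOKUP:-nslookup}   # overridable so the logic can be tested offline

# Read nslookup output on stdin and print only the answer addresses,
# sorted and space-separated. The first "Address:" line is the resolver
# itself, so nothing is printed until a "Name:" line has been seen.
ns_answers() {
  awk '/^Name:/ { seen = 1; next }
       seen && /^Address:/ { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_propagation NAME EXPECTED_IP RESOLVER...
# Prints one status line per resolver; returns 1 if any resolver disagrees.
check_propagation() {
  name=$1; expected=$2; shift 2
  rc=0
  for resolver in "$@"; do
    got=$($LOOKUP -type=A "$name" "$resolver" 2>/dev/null | ns_answers)
    if [ "$got" = "$expected" ]; then
      echo "OK       $resolver -> $got"
    else
      echo "MISMATCH $resolver -> ${got:-no answer} (expected $expected)"
      rc=1
    fi
  done
  return $rc
}

# Runs only when arguments are given, for example:
#   sh check.sh example.com 93.184.216.34 8.8.8.8 1.1.1.1 ns1.example.com
if [ $# -ge 3 ]; then
  check_propagation "$@"
fi
```

A non-zero exit status makes the script usable as a gate in a deployment job that waits for a record change to become visible.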
Interactive vs Non-Interactive Mode
Non-Interactive Mode
Non-interactive mode is what you use when you pass all arguments on the command line. You get a single result and return to your shell prompt:
nslookup -type=MX example.com 8.8.8.8
Interactive Mode
Interactive mode starts an nslookup session where you can run multiple queries without retyping the command. Enter interactive mode by running nslookup with no arguments:
$ nslookup
>
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
>
> set type=MX
> example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
example.com mail exchanger = 10 mail.example.com.
>
> set type=A
> example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
>
> exit
Interactive mode is efficient when you need to run multiple lookups in a row. Type exit to leave.
Useful Set Commands
In interactive mode, the set command configures various query options:
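- set type=ANY — Request all record types the server will return for a domain. Many servers now give only a minimal answer to ANY queries (RFC 8482), so do not treat the result as a complete list.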
- set type=MX — Set the query type to MX records.
- set timeout=10 — Set the query timeout to 10 seconds (default is usually 5).
- set retry=3 — Number of retries if the query fails.
- set recurse / set norecurse — Enable or disable recursive queries. With norecurse, the server only returns data it already has.
- set debug / set nodebug — Enable or disable verbose debug output.
- set d2 — Enable even more detailed debug output.
Debugging with set debug
The set debug option reveals the full DNS response, including TTL values, response codes, and additional sections that are normally hidden:
$ nslookup
> set debug
> example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
------------
QUESTIONS:
example.com, type = A, class = IN
ANSWERS:
-> example.com
internet address = 93.184.216.34
ttl = 3542
AUTHORITY RECORDS:
-> example.com
nameserver = ns1.example.com
ttl = 86400
ADDITIONAL RECORDS:
-> ns1.example.com
internet address = 198.51.100.1
ttl = 86400
------------
Debug mode is invaluable when you need to check TTL values (how long a record is cached), identify which name servers are authoritative, or diagnose unexpected DNS behavior.
Reverse DNS Lookups
You can perform reverse DNS lookups (finding a domain name from an IP address) by querying the PTR record:
nslookup 93.184.216.34
Or explicitly:
nslookup -type=PTR 34.216.184.93.in-addr.arpa
Reverse DNS is important for email deliverability, as many mail servers reject connections from IPs without valid PTR records.
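An added example, not from the original article, that goes one step beyond the PTR lookup above: it builds the `in-addr.arpa` name for an IPv4 address and confirms that a PTR host name resolves back to the same address (forward-confirmed reverse DNS), the stricter check some mail servers apply. The function names and the `LOOKUP` override are assumptions for this example, and the parsing assumes BIND-style nslookup output.

```sh
#!/bin/sh
# Added example (not from the original article): forward-confirmed reverse
# DNS for an IPv4 address, using nslookup for both directions.
# Assumes BIND-style nslookup output.

LOOKUP=${LOOKUP:-nslookup}   # overridable so the logic can be tested offline

# 93.184.216.34 -> 34.216.184.93.in-addr.arpa
# Fails on anything that is not four decimal octets in the range 0..255.
ptr_name() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Read nslookup PTR output, print the host names without the trailing dot.
ptr_hosts() {
  awk '/name = / { sub(/\.$/, "", $NF); print $NF }'
}

# fcrdns IP: succeed only if some PTR name for IP has an A record equal to IP.
# Returns 0 on pass, 1 on fail, 2 on invalid input.
fcrdns() {
  ip=$1
  rname=$(ptr_name "$ip") || { echo "invalid IPv4 address: $ip"; return 2; }
  for host in $($LOOKUP -type=PTR "$rname" 2>/dev/null | ptr_hosts); do
    if $LOOKUP -type=A "$host" 2>/dev/null |
       awk -v ip="$ip" '/^Name:/ { a = 1 } a && /^Address/ && $2 == ip { ok = 1 }
                        END { exit !ok }'; then
      echo "PASS $ip -> $host -> $ip"; return 0
    fi
  done
  echo "FAIL $ip has no PTR name that resolves back to it"; return 1
}

# Runs only when an address is given, e.g.: sh fcrdns.sh 93.184.216.34
if [ $# -eq 1 ]; then fcrdns "$1"; fi
```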
Common Use Cases
- Verify DNS propagation: After changing DNS records, query multiple public resolvers to confirm the new values have propagated.
- Troubleshoot email delivery: Check MX records, SPF TXT records, and DKIM records to diagnose why email is being rejected or marked as spam.
- Identify hosting providers: Look up A records and NS records to determine where a website is hosted and who manages its DNS.
- Check domain configuration: Verify that CNAME aliases, subdomains, and other records are configured correctly before going live.
- Diagnose slow resolution: Use set debug to check TTL values and identify whether excessive DNS lookups are slowing down page loads.
NSLOOKUP vs Dig
Both nslookup and dig query DNS servers, but they differ in several ways:
| Feature | nslookup | dig |
|---|---|---|
| Availability | Pre-installed on Windows, macOS, Linux | Pre-installed on macOS, Linux; requires installation on Windows |
| Output format | Simplified, human-readable | Detailed, script-friendly |
| DNSSEC support | Limited | Full support with +dnssec flag |
| Batch queries | Interactive mode | Batch file support with -f |
| Trace mode | Not available | +trace follows delegation chain |
| Scripting | Harder to parse output | +short flag for clean output |
For quick checks, nslookup is perfectly adequate. For detailed DNS troubleshooting, scripting, or DNSSEC validation, dig is the better tool.
Summary
nslookup is a fundamental DNS troubleshooting tool that every system administrator should know. It provides a quick and reliable way to query any type of DNS record, test against specific DNS servers, and diagnose resolution issues. While dig offers more advanced features, nslookup is universally available and its straightforward output makes it ideal for everyday DNS diagnostics.
For a comprehensive overview of DNS record types, see CleanBrowsing's DNS record types guide.