Advanced Guide to nslookup

When you want to call someone on your cell phone, you likely just find the person in your list of contacts and select their name. The handset then uses the unique phone number associated with that person and makes the call. In general, you don’t need to remember the phone number itself, as the address book stores it for you under the name of the contact.

The Internet works in a very similar way. Each server on the Internet has an address assigned to it and a name. There is a global address book which stores the address (or addresses) along with the associated name (or names). This huge address book is known as DNS (Domain Name System). The way it works is that when you type a URL into your browser, e.g., then the browser (via the underlying operating system) queries DNS to get the address for the server which hosts the web site. A similar, but not identical, thing happens when we send emails.

There are two types of addresses on the Internet – IPv4 and IPv6. The former is the current and most prevalent addressing scheme used on the Internet today, and the latter is its replacement, IPv6, which is needed because we are running out of IPv4 addresses.

An IPv4 address is made up of four numbers (less than 256) separated by dots, such as:

An IPv6 address is more complex. It is made up of 16 bytes, grouped in pairs and written in hexadecimal. The pairs are separated by colons, such as:

Most Linux distributions include the “nslookup” utility. It is a program for querying DNS and displaying the resulting information. To look up the address of the server associated with a domain name, use “nslookup” like this:


In this example, we are querying DNS for the address of the server hosting the website. The last line of the response tells us that the server has an IPv4 address of “”.

The first two lines of the response (Server and Address) tell us which DNS server was used to resolve the query. In this case, the server is listed as which is the “loop back” address. In other words, the local host was used to resolve the query. The reason for this is because Ubuntu uses a server called “dnsmasq” by default. Dnsmasq provides a mini DNS server that forwards all queries upstream and then caches the results.

All of the responses that come back from a DNS are classed as either an “Authoritative Answer” or a “Non-Authoritative Answer.” When the response comes from a DNS server which has the “master” information for a domain name, then the response is an authoritative answer. However, most of the time DNS replies will be given by DNS servers which have a cached copy of the necessary information, but they don’t control the original information. In this case, the response is a non-authoritative answer.

To specify a specific DNS server to use for a query, you need to provide the DNS server address as the second parameter:


Where is Google’s public DNS service.

To look up other types of DNS records (other than just simple domain names), you can use the -query flag. Valid parameters for the query flag are MX, NS, SOA and ANY. For example to look up the Mail eXchange (MX) record for a domain, use the following:


When an email is addressed to a user at a certain domain, the MX record tells the sending server where to find a server that is handling the emails for that domain. In our example above, we can see that in this case it is Google.

nslookup also has an interactive mode. If you just start the utility without any parameters, then you go directly into interactive mode. Here, any string you type will be interpreted as a query with the exception of a few special commands:

  • server domain or lserver domain –  Changes the default DNS server to domain; “lserver” uses the initial server to look up information about domain, whereas “server” uses the current default server.
  • type = querytype – Change the query type, just like with the -query flag. The “querytype” parameter can be A, MX, SOA, or ANY.

The nslookup utility can retrieve a lot of useful information about a domain, and it is especially useful when transferring a domain from one server to another or when you have just purchased a new domain name.

If you have any trouble using the example above, please feel free to use the comments section below to ask any questions you may have.


  1. How does one obtain the IPv6 address using nslookup?

  2. Set the type of record you are looking for. IPv6 type is aaaa.
    Example: nslookup -type=aaaa

    1. Wow that’s nice! I tried this on Facebook and I got the most amazing IP address. It said face::booc. Who knew!!

  3. nslookup is deprecated, why not a guide for dig?

    1. Matt, since BIND 9.9.0a3 nslookup is no longer deprecated.

Comments are closed.

Sponsored Stories