Nslookup is a staple of Linux, and network administrators use it extensively to debug a variety of issues, from e-mails not being delivered to websites not loading. DNS lookup is a fundamental part of our Internet infrastructure, and nslookup allows us to query a DNS server to see if a given domain name is properly mapping to a specific IP address. We can also do the reverse and get the domain name from an IP address. This is particularly useful when we’ve changed servers and want to ensure that the new IP address is being used. Otherwise, visitors won’t be able to access your website.
I’ll first show you how to install nslookup, and then go through the various options, alternative tools, and use cases.
Checking if Nslookup is Already Installed on Ubuntu
The nslookup tool is part of the dnsutils package. It’s such a common tool that it’s usually installed by default on all Ubuntu installations. If this is the case, then you don’t need to manually install nslookup or dnsutils. To check if this is the case, type this command:
nslookup -version
Here’s what I get when I run it on my Linux system:
As you can see, nslookup is already installed. If you’re using Ubuntu, chances are that it’s installed for you as well. But if it isn’t installed, correcting that is easy.
Installing nslookup on Ubuntu
If the above command throws an error, then the dnsutils package containing nslookup isn’t installed. Installing it is easy. Just type the following command:
sudo apt install dnsutils
If you don’t have root access, then the “sudo” command will ask you for your account password. If you belong to the group that has sudo access, you can run these commands. If you don’t belong to the group, then you need to read my tutorial on how to run sudo commands on Linux.
Once the dnsutils package is installed, you can run nslookup. You can verify this by checking the version as we did in the first command.
Basic Usage of nslookup
Nslookup is easy to use. For example, I have a website, wp-tweaks.com, and I want to know which IP address it maps to when I type it into a browser. I use the following command:
nslookup wp-tweaks.com
Running the above command, here’s what I get:
The above output shows the address of the website wp-tweaks.com. In the “Non-authoritative” answer section, it shows that the website maps to four different IP addresses, indicating that there might be something like a proxy or a load balancer between the server and the open Internet. And this is indeed the case, as I route my traffic through Cloudflare.
Local Caching of Responses
There’s an important detail when interpreting the output of the above nslookup command. You can see the following lines:
Server: 127.0.0.53
Address: 127.0.0.53#53
This is the IP address of the DNS server that the tool nslookup is querying. However, if you’re familiar with the conventions of IP addresses, you’ll recognize that this is a local address on the server and not an external DNS server. What has happened here is that nslookup first checks the local DNS server, if available, to see if it already has a response cached.
Unfortunately, there’s no way to disable this behavior, because nslookup uses Ubuntu’s DNS resolution service which includes a check on the local DNS server by default. If you suspect that the local DNS cache available on the server is outdated or inaccurate, you have to force nslookup to query a specific authoritative server. Another option is to flush the DNS cache and so force the Ubuntu DNS resolution system to look elsewhere.
Forcing nslookup to Use an External DNS Server
One way to get an authoritative response with nslookup is to force the system to consult a well-known external server. For example, I always use Cloudflare’s DNS servers with the IP address of “1.1.1.1”. To do this, use the following command:
nslookup wp-tweaks.com 1.1.1.1
And here’s what it looks like on my system:
This time, nslookup uses the DNS server that we specify. You can see that despite the entries being in a different order, they’re still the same, as you would expect. You can replace Cloudflare’s DNS servers with any other well-known server. Another popular option is Google’s servers with an IP address of “8.8.8.8”.
Getting Authoritative Answers
In both the screenshots above, you’ll notice that the IP addresses to which the domain name is resolved are labeled as “non-authoritative”. This means that we haven’t queried the main DNS that holds the 100% correct, “best” answer. What happens is that each domain is associated with an “authoritative” DNS, and those DNS entries are then propagated to other DNS servers around the world, including the ones we saw earlier – Cloudflare and Google. But this process also comes with a delay, and if for whatever reason, these DNS servers have an out-of-date DNS entry, then they’ll give the wrong IP address.
For this reason, all responses that come from DNS servers – except for one – are labeled “non-authoritative”. To get an authoritative response, we first need to find out the IP of the authoritative DNS server for a particular domain name, and then query that one directly.
The first step is to get the IP address of the authoritative name server for the domain in question. We do this using the “dig” command like this:
dig wp-tweaks.com NS
Here’s the output:
You can see from the “Answer Section”, that my domain name wp-tweaks.com has two DNS servers:
- jason.ns.cloudflare.com
- vita.ns.cloudflare.com
Since I have registered my domain name with Cloudflare, it’s not surprising that these are Cloudflare’s servers. Now that we have these, we can query them directly using nslookup to get authoritative answers like this:
nslookup wp-tweaks.com vita.ns.cloudflare.com
And here’s the output:
This time, you can see that the section is presented “as is”. There’s no disclaimer stating that it’s a “Non Authoritative” answer. This means that the response we’re getting is guaranteed to be the right one.
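As an added example (not from the original article), the script below automates the comparison described above: it pulls the answer addresses out of nslookup output, checks for the “Non-authoritative answer” label, and reports whether a resolver's answer matches the authoritative one. The function names and the sample outputs (documentation addresses under example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a resolver's answer with the authoritative one.

# Print the sorted answer addresses from nslookup output read on stdin.
# The header line "Address: x#53" names the server queried, so skip it.
answer_addrs() {
  awk '/^Address/ && $2 !~ /#/ { print $2 }' | sort -u
}

# Succeed only if the output lacks the "Non-authoritative answer:" label.
is_authoritative() {
  ! grep -q '^Non-authoritative answer:'
}

# Compare two saved nslookup outputs; prints "match" or "stale".
compare_answers() {
  a=$(printf '%s\n' "$1" | answer_addrs)
  b=$(printf '%s\n' "$2" | answer_addrs)
  if [ "$a" = "$b" ]; then echo match; else echo stale; fi
}

# Live check (needs network): resolver vs. the first authoritative server.
check_live() {
  ns=$(dig +short "$1" NS | head -n 1)
  compare_answers "$(nslookup "$1" "${2:-1.1.1.1}")" "$(nslookup "$1" "$ns")"
}

# Constructed sample outputs (documentation addresses, not real records).
CACHED='Server:   127.0.0.53
Address:  127.0.0.53#53

Non-authoritative answer:
Name:     example.com
Address:  192.0.2.10
Name:     example.com
Address:  192.0.2.11'

AUTH='Server:   ns1.example.net
Address:  198.51.100.53#53

Name:     example.com
Address:  192.0.2.11
Name:     example.com
Address:  192.0.2.10'

# With a domain argument run the live check; otherwise use the samples.
if [ -n "${1:-}" ]; then check_live "$@"; else compare_answers "$CACHED" "$AUTH"; fi
```

A result of stale only means the two servers returned different address sets at that moment, so repeat the check before concluding that a cache is out of date.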
Why Not Always Use Authoritative Servers?
The foregoing section raises the question – why doesn’t nslookup always use an authoritative name server to get its response? After all, isn’t it better to be 100% sure of the IP address of a domain name?
The answer is the trade-off between speed and accuracy. When a DNS record changes on an authoritative name server, the change propagates to all the major DNS servers in the world. So most of the time, when you query a huge DNS server like the one used by Cloudflare or Google, you’re getting the right answer. But these servers are also blazing fast and can handle almost unimaginable traffic loads. The “true” authoritative name server is often nothing but a simple VPS sitting on an ordinary web host. If everyone were to be sending queries only to the authoritative name server constantly, it would quickly become overwhelmed.
For this reason, we usually trust the DNS response from the big external nameservers and resort to querying the authoritative nameserver only when we have an extra need to be 100% sure we’re getting the right answer.
Conclusion
You can see from the above that using nslookup is very easy. Just a few commands suffice for the vast majority of situations. However, understanding the architecture of the DNS infrastructure is important for you to make the best use of it.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!