Nslookup utility
So any useful tips for this tool? I know how to open it and search records like:
set type=mx (for exchange/mail?)
but I don't fully understand the results sometimes. I see a lot of different servers, many of which probably aren't even part of that domain.
Also, I hear people use nslookup for troubleshooting email problems...how does that work?
Present goals: MCAS, MCSA, 70-680
Comments
Netstudent wrote:
I usually use it to make sure that my service provider's name servers have correct records for my services that are accessed from the outside, or even whether they have the records at all.
Sometimes I use it to resolve an internal host name if all I know is the hostname.
When you set type=mx, you are querying the name server for the MX records it knows for some domain.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Ahriakin wrote:
In AD environments the best use I've had for it is to verify that the most efficient/closest DNS server is being used. For example, say users are experiencing delays in logging in or for general network access initially. You flush the DNS cache and do a quick DNS test by pinging their supposed login server by name; that resolves and the ICMP latency is fine, but the reply took a bit longer than you expected. You run NSLOOKUP against the DC name and find that a secondary DNS server in another site is servicing the requests, hence the extra latency in operations. At this point you know to start checking the primary DNS server.
Another is if you have an incorrect DNS resolution and want to track down which server has the error. Or if you want to know which server to change an A record on (if it's not AD integrated/replicated).
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
KGhaleon wrote:
Wouldn't you just do an ipconfig /all to see what DNS server the computers are using?
Ahriakin wrote:
Another is if you have an incorrect DNS resolution and want to track down which server has the error. Or if you want to know which server to change an A record on (if it's not AD integrated/replicated).
Eh, how does that work exactly? You just browse each server in your organization and look for incorrect records?
Present goals: MCAS, MCSA, 70-680
keatron wrote:
Security-wise it's sometimes used to see if DNS servers are configured to allow zone transfers to any server, or configured (properly) to only allow zone transfers to authorized servers or, in Microsoft language, "Servers on the Name Servers Tab" or specific IP addresses. For example, to test the security of your DNS servers do the following.
From the command prompt just type nslookup
Then type nslookup yourdomain.com
It should come back with the IP of your DNS server/servers.
Now enter this command: server [IP address of one of the servers that came back in the list]
After pressing enter to set that server as the authoritative server, enter the following
nslookup -d yourdomain.com
If the command comes back with an error (usually saying check the security settings on your DNS servers), then you're good. If you get back a list of DNS records, then you need to secure it immediately, by only allowing transfers to authorized servers. Nslookup is a very powerful tool.
KGhaleon wrote:
That's a good idea. I'll have to try that on my domain and see what I find. If I recall, zone transfer security is set up optionally.
Present goals: MCAS, MCSA, 70-680
phreak wrote:
Good thread!
Just don't do the above things in North Dakota........
http://www.theinquirer.net/gb/inquirer/news/2008/01/18/dns-zone-transfers-illegal
Pash wrote:
KGhaleon wrote:
Wouldn't you just do an ipconfig /all to see what DNS server the computers are using?
Ahriakin wrote:
Another is if you have an incorrect DNS resolution and want to track down which server has the error. Or if you want to know which server to change an A record on (if it's not AD integrated/replicated).
Eh, how does that work exactly? You just browse each server in your organization and look for incorrect records?
When a user tries to log on to the domain, the first thing that is done is to search for the zone file for that AD domain via a DNS search (which points to your DC). Normally, the closest DNS server in terms of latency will respond first. This is what Ahriakin meant. So in other words, yes, it's a good tool to troubleshoot problems like this.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Claymoore wrote:
KGhaleon wrote:
So any useful tips for this tool? I know how to open it and search records like:
set type=mx (for exchange/mail?)
but I don't fully understand the results sometimes. I see a lot of different servers, many of which probably aren't even part of that domain.
Also, I hear people use nslookup for troubleshooting email problems...how does that work?
I use nslookup to find the IP addresses of mail servers I need to whitelist.
My company is too cheap to buy an Ironport, so I use SMTP connection filtering in Exchange 2003 and subscribe to 6 different block lists (different methodologies) and 1 blacklist that I maintain. Every now and then a legitimate company winds up being blocked. Even though I am nice enough to include the name of the blocking list in the NDR I bounce back, some mail admins can't (or don't) read the message and follow the links for removal instructions; this mostly happens with companies who have outsourced their mail hosting. When that happens I do a type=mx lookup on their domain and get the addresses of their mail servers so I can add them to our whitelist. Sometimes there is more than one server, and nslookup will even give you the priority order of their mail servers as well as the name servers that are authoritative for the domain.
As an aside, one of the vendors pitching us a SAN solution had their email blocked by one of the lists to which we subscribe. When they asked me to fix it, I told them that if they couldn't fix it themselves by following the simple instructions included in the NDR then I'm not sure we can trust that they have the technical ability to implement our SAN. A few weeks later I had to whitelist their servers so they could send us quotes, and no, we didn't buy anything from them.
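As an added example (not posted by anyone in this thread), here is a small Python parser for the output Windows nslookup prints after set type=mx, which addresses both the original poster's confusion about the extra servers in the result and Claymoore's whitelisting use: it separates the mail exchangers (sorted by preference, lowest tried first) from the name servers and glue addresses that nslookup lists alongside them. The sample output, hostnames and addresses are constructed, and the function names are my own.

```python
import re

# Constructed sample of Windows nslookup output after "set type=mx" (not real hosts).
SAMPLE_OUTPUT = """\
Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
example.com     MX preference = 20, mail exchanger = mx2.example.com
example.com     MX preference = 10, mail exchanger = mx1.example.com

example.com     nameserver = ns1.example.com
example.com     nameserver = ns2.example.com
mx1.example.com internet address = 192.0.2.25
ns1.example.com internet address = 192.0.2.1
ns2.example.com internet address = 192.0.2.2
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_mx_lookup(text):
    """Split nslookup MX output into mail exchangers, name servers and glue addresses."""
    result = {"mx": [], "ns": [], "glue": {}, "authoritative": True}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Non-authoritative answer:":
            result["authoritative"] = False  # answer came from the resolver's cache
            continue
        m = MX_RE.match(line)
        if m:
            result["mx"].append((int(m.group(2)), m.group(3).rstrip(".")))
            continue
        m = NS_RE.match(line)
        if m:
            result["ns"].append(m.group(2).rstrip("."))  # authoritative, not a mail host
            continue
        m = A_RE.match(line)
        if m:
            result["glue"][m.group(1).rstrip(".")] = m.group(2)
    result["mx"].sort()  # sending MTAs try the lowest preference value first
    return result


def whitelist_entries(parsed):
    """Mail hosts in delivery order: glue IP where nslookup gave one, else the host name."""
    return [parsed["glue"].get(host, host) for _, host in parsed["mx"]]
```

Name servers never appear in the whitelist list, which is the point: they are part of the answer because nslookup prints the authority section, not because they handle mail.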
keatron wrote:
phreak wrote:
Good thread!
Just don't do the above things in North Dakota........
http://www.theinquirer.net/gb/inquirer/news/2008/01/18/dns-zone-transfers-illegal
Notice I said to test the security of YOUR DNS servers, which equates to ones you have permission to be doing such things on.