Nslookup.exe (abbreviation for name server lookup) is a command line utility used for testing and troubleshooting DNS servers. It is built into Unix (including Linux and variants) and Windows. The main purpose of the utility is to query DNS servers to find DNS details, MX records for a domain, NS servers of a domain

In Windows, Nslookup.exe is automatically installed along with the TCP/IP protocol installation which is done by default during a new Windows installation or setup. The actual executable lies in the system directory c:\windows\system32 directory by default in Windows XP and most other versions of Windows.

To get started with Nslookup.exe, the following prerequisites need to be present: 

The TCP/IP protocol must be installed on the computer that you want to execute the Nslookup command without which the command will not be available

When you run the ipconfig /all command, at least one DNS server should exist in the list of DNS servers

The Nslookup command always devolves (delegates from) the domain name from the current context (depending on the DNS Server settings listed). If you fail to use a fully qualified domain name, i.e. ending the domain name with a trailing dot (.), the first query will append the DNS settings to your query domain name. For example, if you have your DNS settings listed as xyz.com and you run a query for www.bing.com, the actual query will go out as www.bing.com.xyz.com because of you entering an unqualified query. However, if you were to query for www.bing.com. [with the trailing dot (.)], then the query would rightly go out to www.bing.com only (diagram below). This strange behavior is specific to the Microsoft version of the Nslookup command. I do not know of how Nslookup behaves while run with other vendors.

If the DNS search list is being used in the Domain suffix search order in TCP/IP advanced properties DNS tab (diagram below), devolution will not take place. The query will be appended to the domain suffixes specified in the list. To override the search list, always use the Fully Qualified Domain Name in your query.

The command can be used directly (non-interactive mode) or with subcommands (interactive mode). Using Nslookup.exe in the non-interactive mode is useful when we just need the output of a specific query and only a single value needs to be returned. But when we need to get the output for multiple queries and actions it is better to use the interactive mode

The syntax of Non Interactive Mode is as follows:

nslookup [-option] [hostname] [server]

 nslookup [-opt ...]                          # interactive mode using default server

nslookup [-opt ...] – server          # interactive mode using ‘server’

nslookup [-opt ...] host                 # just look up ‘host’ using default server

nslookup [-opt ...] host server    # just look up ‘host’ using ‘server’

Option refers to the various options that are available covered below

Hostname refers to the query that we need information on

Server refers to the DNS server to be used to search for the host

 Look at the following output from a unix and windows based host

Command line output (without subcommands)

UNIX

unix% nslookup example.com

Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:

Name:    example.com
Address: 202.7.18.16

 

Windows

C:\>nslookup microsoft.com.

Server:  PQRTVXXXXD002DNS076
Address:  210.213.34.3

Non-authoritative answer:

Name:    microsoft.com
Addresses:  207.46.197.32, 207.46.232.182

Using subcommands (unix example)

nslookup

> server ns1.com

Default Server:  ns1.com
Address:  172.204.22.25

> set
> example.com

Server:  ns1.com
Address:  202.7.18.16

example.com   MX preference = 10, mail exchanger = mail.example.com
> exit

After entering the interactive mode, typing ? or help will reveal all the options that are available

To interrupt interactive commands, press CTRL+C. To exit interactive mode and return to the command prompt, type exit at the command prompt. A number of different options can be set in Nslookup.exe by running the set command at the command prompt. A complete listing of these options is obtained by typing set all.

Looking up different data types: type and querytype 

We will discuss the two options, type and querytype that belong to the set command. To look at different query type options within the domain name space, we use the set type or set querytype command at the command prompt. Both of them are exactly the same and are interchangeable. For example, to query for mail exchanger records (mail server details) of a particular domain like yahoo.com, we can type the following:

C:\>nslookup

> set q=mx
> yahoo.com.

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
yahoo.com       MX preference = 1, mail exchanger = a.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = b.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = c.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = e.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = f.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = g.mx.mail.yahoo.com

The first time a remote host is queried, the local DNS server contacts the DNS server that is authoritative for that domain. The local DNS server will then cache that information, so that subsequent queries are answered nonauthoritatively out of the local server’s cache. The first time a query is made for a remote name, the answer is authoritative, but subsequent queries are nonauthoritative.

Querying another name server directly: server  and lserver

If we wanted to use another DNS server on the internet to send our queries, we can use the server or lserver commands. For example, using the DNS server 8.8.8.8 that is the Google Public DNS server

C:\>nslookup

Default Server:  nameserver1.example.com
Address:  10.1.2.3

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

The difference between the server and lserver commands is that the server command is uses the current default server to get the address of the server to switch to, whereas the lserver uses the local server to get the same address. For example, if you have a broadband connection and get a DHCP IP address from your ISP, you would also automatically get some DNS servers (assume dns1.isp1.com), the lserver command forces the usage of these local dns servers that were retrieved from your ISP. However, while using the Nslookup.exe command, if you earlier changed the DNS server that is used to query for other domains (assume you changed it to dns1.somefreedns.com), the server command would use the current default server (dns1.somefreedns.com) and not the local dns servers (dns1.isp1.com)

Zone Transfers : LS command

Nslookup.exe can be used to transfer an entire zone by using the ls command. The best use of this command is if you want to store a list of all host names within a particular remote domain into a local file (example below)

The syntax of this command is

ls [opt] DOMAIN [> FILE] – list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)

Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.

>ls example.com

[nameserver1.example.com]

nameserver1.example.com.    NS     server = ns1.example.com
nameserver2.example.com     NS     server = ns2.example.com
nameserver1                            A      10.0.0.1
nameserver2                            A      10.0.0.2

While this is obviously a security issue, zone transfers can be blocked at the DNS Server level and this would be the case most of the time on the internet (unless someone foolish enough would like you to see his internal structure and naming conventions). This command is useful if we want to see the structure of hosts within a LAN environment. If zone transfers have been blocked, we would get output like the following

> ls google.com.
*** Can’t list domain example.com.: Query refused

When we want to send the output to a file (the file will be saved in the location that was mentioned in the command prompt before the nslookup command was started, we can do so as follows

> ls google.com. > lsoutput.txt
Received 0 records.
*** Can’t list domain google.com.: Query refused

In the following example below, we want to view all mail server records within a particular domain and store the output to a file

> ls –t MX google.com. > lsoutput.txt
Received 0 records.
*** Can’t list domain google.com.: Query refused

In this article the Nslookup command was covered. While this was just a brief overview, there are many other issues like troubleshooting and whether using Nslookup itself is recommend which will be covered in future articles

I use the NETSTAT command frequently during my consulting assignments, however apart from the common options; I never delved into using all options of the command. My curiosity got the better of me and I went on to explore all the options of the NETSTAT command, so here goes

NETSTAT (network statistics) is a command-line utility that displays incoming & outgoing network connections, routing tables and various network interface statistics. The command has various parameters that can be used and is available on Unix, Linux and Windows based operating systems

Parameters of the netsat command on Windows based systems. Linux, Unix, BSD based systems have most of the parameters common with a few exceptions

A quick output of the help of the netstat command by appending /? gives us the following parameter options

A detailed explanation of each parameter with examples follows

-a   Displays all connections and listening ports

Running the netstat command with the -a parameter displays the of active connections as is displayed in the output below

C:\>netstat

Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    host540:19208          microsoft.com:http    CLOSE_WAIT
  TCP    host540:19473          yahoo.com:http             ESTABLISHED

Starting with the protocol as the first column which could be either TCP/UDP based. The “host540:19208″ in the second column is a combination of the host name of the computer that the command is being run on which in this case is host540 and the local port number which is 19208. For well known services the protocol would be appended, for example host540:ntp but for services that are not well known the local port number would be mentioned

The foreign address is the website and the service that the connection was opened to which is microsoft.com:http in this case with port 80 (http) or web traffic and the connection state is CLOSE_WAIT

If the port is not yet established, the port number is shown as a * which would normally be seen in the output as “*:*”

-b   Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed.

C:\>netstat -b

Active Connections

Proto  Local Address          Foreign Address               State                        PID
  TCP    host540:19208       microsoft.com:http   CLOSE_WAIT       1148
  [iexplore.exe]

  TCP    host540:19473       yahoo.com:http             ESTABLISHED   7848
  [firefox.exe]

 

Additionally the process id of the process is also available. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions

-e   Displays Ethernet statistics. This may be combined with the -s option
 

C:\>netstat -e
Interface Statistics

                                                    Received            Sent

Bytes                                              41185465        10381455
Unicast packets                      248414             246100
Non-unicast packets           48535               303
Discards                                        0                          0
Errors                                             0                          1
Unknown protocols             0

The number of packets, bytes, errors and other information received and sent is displayed. This may be useful when tracking network usage and can be combined with the -s option.  For example one may only want to see received packets of type http, which can be done using the -e and -s options

-n   Displays addresses and port numbers in numerical form

This is similar to the standard netstat option without any parameters, however dns queries are done to convert all addresses and port numbers into numerical form. For example, in the output microsoft.com would be listed as its corresponding ip address and http would be displayed as 80
 

-o   Displays the owning process ID associated with each connection

The process ID which owns the connection can be viewed and then other utilities like Sysinternals Process Explorer can be used to drill down and get further information. The process id is also displayed other options like -b as was mentioned above

-p proto   Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s option to display per-protocol statistics, proto may be any of IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6

This is one of the most useful options to view specific connections opened by the protocol specified. For example, if one wants to view the opened UDP connections, the command netstat -p proto UDP could be used

-r   Displays the routing table

Here all interfaces present in the system with their netmask, gateway, metric and name of the ethernet adapter is displayed. It gives you  a quick overview of ip addresses assigned and interface name, etc. Active as well as persistent routes are displayed

-s   Displays per-protocol statistics.  By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default

Another useful option to view statistics per protocol. For example, to view only UDP statistics, the following command could be used

C:\>netstat -s -p UDP

UDP Statistics for IPv4

  Datagrams Received    = 328852
  No Ports              = 16880
  Receive Errors        = 79
  Datagrams Sent        = 197475

Active Connections

  Proto  Local Address          Foreign Address        State

  The output above does not have any active UDP connections

-v            When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.

After we have used the -b option to drill down and find out that a component [iexplore.exe] as well as other components were involved in creating the connection, we can further use the -v option to order the components involved in creating the connection. This is useful when understanding the sequencing of connection requests by an arbitrary application. It gives you an internal listing of .dll’s being called in real time

interval      Redisplays selected statistics, pausing interval seconds between each display.  Press CTRL+C to stop redisplaying statistics.  If omitted, netstat will print the current configuration information once

This is a good way to auto refresh the screen with any output desired. I might want to see the output of the netstat -n every 5 seconds. I would then use the netstat -n 5 command

To summarize, netstat is an external tool that is built into Windows, Unix, Linux, etc and displays a lot of useful information