The 2 NSLOOKUP modes and the most frequently used options
Sunday, November 10, 2013 4:02 PM
nslookup.exe can be run in two different modes: interactive and noninteractive.
The noninteractive mode is useful when only a single piece of data needs to be returned.
You have to open a cmd.exe (or PS) shell, and from there you can enter "nslookup" together with the desired options. After the result is returned, you are back at the DOS prompt (e.g. "C:\>" in my example below). In noninteractive mode you always have to type the "nslookup" command together with the options!
Here is the SYNTAX in detail of nslookup in the noninteractive mode:
nslookup [-option] [hostname] [server]
type=X - set query type
querytype=X - same as type
hostname = name of the host | domain to query for its IP
server NAME - set default server to NAME, using current default server
With the following query I want to look for the MX record(s) of the "zuerich.ch" domain, and for this I don't want to query my (default) local Microsoft Windows DNS Server. Instead I want to query the specific DNS Server "ns1.ip-plus.net".
"nslookup -type=MX zuerich.ch ns1.ip-plus.net"
Because I run the query from a "normal" workstation which isn't allowed for "direct queries out to a NS" I had to add the additional Firewall rule 20 to the (always) existing rule 19 first.
Interactive mode is better when the queries are more complex and you need to run more than one.
You can "switch" to interactive mode by typing "nslookup" in a dos box:
The Default NameServer to be queried is displayed and the command prompt changes to ">".
You can leave interactive mode by typing the "exit" command
For help you can enter "?" or "help"
Interactive mode query examples:
Default Server: ns1.domain.com
> set q=mx
mailhost.domain.com MX preference = 0, mail exchanger =
mailhost.domain.com internet address = 10.0.0.5
Default Server: dc001.gibel.org
> server ns14.zoneedit.com
Default Server: ns14.zoneedit.com
In general, the default server for your nslookup queries is the first DNS server listed when you run "ipconfig /all".
On the client I run the query from, the default DNS server is my local DNS server dc001.gibel.org (192.168.170.8).
Authoritative and non-authoritative answers
To get an authoritative answer you have to "go" to an authoritative nameserver (in my case one from zoneedit.com), which is a nameserver registered for your domain (*1).
When you ask the "ns14.zoneedit.com" (or another zoneedit) server you get an authoritative answer for records of my "gibel.net" domain hosts. Any other DNS server returns a non-authoritative answer.
When I run "whois" from the online service page http://whois.net/whois/gibel.net I get the following 2 nameservers for my gibel.net domain (= authoritative nameservers).
On zoneedit.com I host my public records for the gibel.net domain.
The two nameservers of my Internet provider are:
DNS uses caching; this reduces the load on authoritative name servers but means that records can sometimes be out of date.
To see how long a record will be cached, you need the debug switch.
in interactive mode:
in non-interactive mode:
The following (more complex) example shows a query in an AD domain with debugging on. The root domain is .kitszh.loc, with a subdomain org.kitszh.loc; the client where the query is started is located in the "org.kitszh.loc" domain.
I query for the "www.gibel.net" record (in non-interactive mode)
At first, a DNS server (kcm0003) in the ORG subdomain is asked for
then, in the root domain, a DNS server (kcm0001) is asked for
the third query returns a non-authoritative answer (answers = 0)
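An added example (not part of the original post): a small Python parser for the text nslookup prints with the debug switch, extracting the queried name, the response code, whether the header flags contain "auth. answer", and the TTL of each answer record. The sample output is constructed; it reuses the host names from this post with a documentation IP address, and the function name parse_debug is an assumption.

```python
import re

# Constructed sample in the layout of nslookup debug output (not the output
# from the original post); 203.0.113.10 is a documentation address.
SAMPLE = """\
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
    QUESTIONS:
        www.gibel.net.org.kitszh.loc, type = A, class = IN
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0
    QUESTIONS:
        www.gibel.net, type = A, class = IN
    ANSWERS:
    ->  www.gibel.net
        internet address = 203.0.113.10
        ttl = 3600 (1 hour)
------------
"""

def parse_debug(text):
    """Return one dict per 'Got answer:' block in nslookup debug output."""
    results = []
    for block in text.split("Got answer:")[1:]:
        rcode = re.search(r"rcode = (\w+)", block)
        flags = re.search(r"header flags:\s*(.*)", block)
        answers = re.search(r"answers = (\d+)", block)
        question = re.search(r"QUESTIONS:\s+([^\s,]+), type = (\w+)", block)
        # Keep only TTLs of answer records; authority records carry ttl lines too.
        ans_part = block.split("ANSWERS:", 1)[1] if "ANSWERS:" in block else ""
        ans_part = re.split(r"AUTHORITY RECORDS:|ADDITIONAL RECORDS:", ans_part)[0]
        results.append({
            "name": question.group(1),
            "type": question.group(2),
            "rcode": rcode.group(1),
            "authoritative": "auth. answer" in flags.group(1),
            "answers": int(answers.group(1)),
            "ttls": [int(t) for t in re.findall(r"ttl = (\d+)", ans_part)],
        })
    return results
```

In the constructed sample, the first block is a name with a DNS suffix appended that the internal server answers authoritatively with NXDOMAIN; the second is the plain name answered from cache, non-authoritative, with 3600 seconds left to live.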
With the following network properties (in the DNS tab) of your active network card, you can change the query order by activating
(x) Append these DNS suffixes (in order): and adding the desired domains below
Here is the link to the original MS Technet document about "nslookup"