
Chapter 10. DNS Diagnostics and Tools

This chapter defines tools that may be provided with BIND releases, are generally available or just jolly useful! The tools described either provide specific services or may help in diagnosing problems.


  10.1 Introduction and Overview
  10.2 NSLOOKUP
  10.3 DIG
  10.4 dnssec-keygen
  10.5 dnssec-signzone
  10.6 rndc

10.1 Overview and Introduction

BIND provides a number of tools that are invaluable when testing or diagnosing problems. Of these, named-checkzone (validates zone files for correctness) and named-checkconf (checks the named.conf file) are invaluable for finding those stupid problems that we can all introduce when editing files. They have the additional property that they may prolong life by removing the blind panic that ensues after making a trivial edit and reloading BIND, only to find that the live system is no longer functional due to a parameter error, which always seems to take longer to find when we know that hundreds of queries are being rejected because the name server is off the air.

rndc is the remote access tool that allows selective reload of zones and to which many DNS administrators are addicted. It has serious security implications if not properly installed and configured.

nsupdate is a tool that allows dynamic updating (DDNS) of zone files. Extreme care must be taken when configuring BIND to enable DDNS since you may inadvertently open up your DNS zone files to the world - while this is an extremely friendly, neighborly, thing to do it may not always be wise.

Finally, the Really Big Issue™ is whether to use nslookup or dig, with the macho guys generally regarding nslookup users as wimps. There is no doubt that dig provides more useful information than nslookup for those that understand the detailed information that is displayed; however, if you work with multiple platforms, especially Windows, you have no choice but to be familiar with nslookup since this is the only tool provided with the standard release. One of the happy side-effects of installing BIND on Windows is that you get all its diagnostic tools including dig.



nslookup is officially deprecated in favour of dig (though we note that current versions no longer output that deprecated warning message, which may indicate a change of heart). nslookup is however almost universally available, even when dig is not. This is especially true on Windows systems, where dig is still pretty exotic. Old utilities do not die, they just slowly fade away!

Command Format

nslookup in general returns A or PTR records but specific options can be used to override the default. There are both command line and interactive formats available.

nslookup maintains a set of configuration parameters (that may be modified) to add power to the command line. These parameters can be displayed using the -all (or set all in interactive mode) argument.

Quick Usage examples

The following are quick examples of common usage - all the options are explained below in mind numbing detail:

# lookup a specific host
# get MX and NS records for the domain
nslookup -type=ANY
# get SOA record and display all nslookup default parameters
nslookup -all -type=SOA

The generic command format is:

# format 1 lookup target using default DNS server
nslookup [-opt] target
# format 2 lookup target using the specific dns
nslookup [-opt] target dns
# format 3 enter interactive mode using default DNS server
nslookup [-opt]
# format 4 enter interactive mode using the specific dns
nslookup [-opt] - dns

Simple examples

Format 1 - Host lookup

# will return


Returns the A record for using the default DNS server - in this case (defined in Windows Network Properties or /etc/resolv.conf in *nix systems).

Format 1 - Reverse MAP IP lookup

# will return


Returns the PTR record for using the IN-ADDR.ARPA domain hierarchy.

Format 2 - Host lookup

# will return


Returns the A record for using the DNS server at The command format allows either an IP or a name so the above command could have been written as:


Interactive Format

Interactive format (format 3 and 4 above) provides a single prompt (>) and allows any command line option to be entered. To terminate interactive mode you can use CTRL-C (Windows and *nix) or CTRL-D (*nix only) or exit (Windows and *nix).


nslookup provides a dizzy number of options that vary its processing. Some of these options are only available in interactive mode. The Windows version adds a couple of commands. In each case Mode defines B = Interactive and command line format, I = Interactive only, C = command line only, W = Windows only. Multiple options can be specified with a single command.

option params mode processing
d - C Lists information for the domain. Gives SOA record and NS record details.
ls [opt] domain I list all the information for the target domain. Takes the optional extensions > or >> filename to output to a file for subsequent processing. The options supported are:
-a lists aliases (CNAME) in the domain (synonym for -t CNAME)
-d The default behaviour. Lists all records in the domain (synonym for -t ANY)
-h Lists all information records in the domain (synonym for -t HINFO)
-s Lists all well known service records in the domain (synonym for -t WKS)
-t List the specific record type in the domain e.g. -t A
lserver dns I sets the dns for subsequent commands. May be either a name or an IP. The name or IP is looked up using the original default dns (before any server or lserver commands were issued).
root root-dns B changes to root server used in various commands.
server dns I sets the dns for subsequent commands. May be either a name or an IP. The name or IP is looked up using the current default dns. The default server is defined in /etc/resolv.conf for *nix systems and network properties for Windows systems.
options which work with 'set' in interactive mode
In interactive mode these options are preceded with set and operate until changed with another set directive. In command line mode they are preceded with - and operate on a single command. In a number of cases a short form is also provided.
all - B displays a list of the default values used by nslookup, including the DNS server. Typical output:
Set options:
  [note: Windows only MS fast zone xfer]
  [note: Windows only incremental zone xfer]
Default Server:
class= IN B allows the class value to be set for all subsequent commands
domain= domain-name B allows a base to be set for all subsequent searches e.g.
# assume default domain =
> set
> www
# returns results for
# but will handle full format
# returns correct result for

The default domain is defined in /etc/resolv.conf for *nix systems and network properties for Windows systems. Setting domain= will reset any previously defined srchlist.

- I allows control over the debugging information - debug (short form deb) turns it on, nodebug (or nodeb) turns it off. The default is nodebug
[no]d2 - I enables/disables voluminous debugging information - d2 turns it on, nod2 turns it off. Default is nod2
- I controls whether a domain name (in either domain or srchlist) is added to a target which does not end with a dot i.e. is NOT a FQDN. See also search below for full behaviour description.
[no]ignoretc - I controls if packet truncation errors are ignored (ignoretc) or whether they cause termination (noignoretc - default).
[no]msxfer - W Controls use of MS Fast zone transfer. msxfer turns it on, nomsxfer (default) turns it off.
- B Controls recursive behaviour. recurse (default) turns it on, norecurse turns it off.
[no]vc - I controls whether to use TCP (vc) or UDP (novc) - default is novc.
- I This parameter controls how the srchlist= value is used. search and defname are interrelated based on the following matrix for targets which are not FQDNs:
search defname add domain names from srchlist or until answer found
nosearch defname add domain name from domain
nosearch nodefname must be FQDN
search nodefname must be FQDN
In all cases the first result will terminate the command - you cannot use the srchlist to look up multiple targets. In general the srchlist is most useful with subdomains but can be used with different domains.
port= port no. B changes the default port from the normal (53) to that specified by port no.
B When using type= anything except A the following commands will only work on the domain root e.g.:
# enter interactive mode
> set type=MX
# fails with 'domain non-existent'
# provides correct answers
ANY with a domain root name will return any DNS RR with a blank name (label) entry - these include NS and MX records and thus it provides a quick way to get useful domain info.
retry= number B controls the number of retries that will be attempted. Default is 4.
root= dns B controls the dns used in the root command. Default is typically (on *nix) and on windows.
srchlist= dom1/dom2 I allows setting of a searchlist (up to six names are allowed separated by forward slash).
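
The search/defname matrix in the table above decides which names are actually sent to the DNS when a short (non-FQDN) target is typed. The following is an added example, not code from the original page, that writes that matrix out and flags expansions that land in a different domain; the names example.com, lab.example.com and example.net are constructed, and the helper names (parse_srchlist, candidates, outside_zone) are assumptions made for illustration.

```python
# Added example: a model of the search/defname matrix in the option table.
# All domain names below are constructed (example.com / example.net).

MAX_SRCHLIST = 6  # the table: up to six names, separated by forward slashes


def parse_srchlist(value):
    """Split a 'set srchlist=dom1/dom2' value and enforce the six-name limit."""
    names = [n.strip().rstrip(".") for n in value.split("/") if n.strip()]
    if not names or len(names) > MAX_SRCHLIST:
        raise ValueError("srchlist takes 1 to %d names" % MAX_SRCHLIST)
    return names


def candidates(target, domain, srchlist, search=True, defname=True):
    """Names tried for target, in order; the first answer ends the lookup."""
    if target.endswith("."):        # already an FQDN: nothing is appended
        return [target]
    if not defname:                 # both nodefname rows: target must be an FQDN
        return [target + "."]
    if search:                      # search + defname: walk the srchlist
        return ["%s.%s." % (target, d) for d in srchlist]
    return ["%s.%s." % (target, domain.rstrip("."))]   # nosearch + defname


def outside_zone(names, zone):
    """Candidates that are not inside zone, i.e. queries for a different domain."""
    suffix = "." + zone.strip(".").lower() + "."
    return [n for n in names if not ("." + n.lower()).endswith(suffix)]


if __name__ == "__main__":
    srch = parse_srchlist("example.com/lab.example.com/example.net")
    tried = candidates("www", "example.com", srch)
    print(tried)                                # names queried, in order
    print(outside_zone(tried, "example.com"))   # expansions in another domain
```

Because the first answer terminates the command, the order of the srchlist decides which of these names wins when more than one of them exists.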

Examples - command line

# get mail records for a domain
nslookup -type=MX
# list all the options being used and get host address
nslookup -all
# get SOA record using a specific DNS 
nslookup -type=SOA

Examples - interactive mode

# enter interactive mode and list default options
nslookup -all
# list all records in the domain
> ls
# list all text records in domain
> ls -t TXT
# set the base domain to be used for subsequent commands
> set
# find host
> mail
# returns 
# exit interactive mode
> exit


Pro DNS and BIND by Ron Aitchison


This work is licensed under a Creative Commons License.

Copyright © 1994 - 2017 ZyTrax, Inc.
Page modified: October 21 2015.