Using nslookup and dig

In the document and System Administration (Page 104-110)

Networked communities

3.8 Local network orientation and analysis

3.8.2 Using nslookup and dig

The nslookup program is for querying the Domain Name Service (DNS). On Unix it has now been officially deprecated and replaced by a new program, dig or host, in the source implementations of the BIND software. On Windows one has Nslookup.

It is still in widespread use, however, both in Unix and Windows milieux. Moreover, IPv6 lookup does not work in all implementations of nslookup. The name service provides a mapping or relationship between Internet numbers and Internet names, and contains useful information about domains: both our own and others. The first thing we need to know is the domain name. This is the suffix part of the Internet name for the network. For instance, suppose our domain is called example.org.

Hosts in this domain have names like hostname.example.org.

If you don’t know your DNS domain name, it can probably be found by looking at the file /etc/resolv.conf on Unix hosts. For instance:

gnu% more /etc/resolv.conf

domain example.org

nameserver 192.0.2.10

nameserver 192.0.2.17

nameserver 192.0.2.244

Also most Unix systems have a command called domainname. This prints the name of the local Network Information Service (NIS) domain which is not the same thing as the DNS domain name (though, in practice, many sites would use the same name for both). Do not confuse the output of this command with the DNS domain name.

Once you know the domain name, you can find out the hosts which are registered in your domain by running the name service lookup program nslookup, or dig.

gnu% nslookup

Default Server: mother.example.org

Address: 192.0.2.10

>

nslookup always prints the name and the address of the server from which it obtains its information. Then you get a new prompt > for typing commands. Typing help provides a list of the commands which nslookup understands.

Hostname/IP lookup

Type the name of a host or Internet (IP) address and nslookup returns the equivalent translation. For example:

host% nslookup

Default Server: mother.example.org

Address: 192.0.2.10

> www.gnu.org

Server: mother.example.org

Address: 192.0.2.10

Name: www.gnu.org

Address: 206.126.32.23

> 192.0.2.238

Server: mother.example.org

Address: 192.0.2.10

Name: dax.example.org

Address: 192.0.2.238

In this example we look up the Internet address of the host called www.gnu.org and the name of the host which has Internet address 192.0.2.238. In both cases the default server is the name server mother.example.org which has Internet address 192.0.2.10.

Note that the default server is the first server listed in the file /etc/resolv.conf which answers queries on starting nslookup. Using dig, we write the following to find IPv4 A records:

host% dig -t a www.gnu.org

; <<>> DiG 9.2.1 <<>> -t a www.gnu.org

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33680

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:

;www.gnu.org. IN A

;; ANSWER SECTION:

www.gnu.org. 86376 IN A 199.232.41.10

;; AUTHORITY SECTION:

gnu.org. 86388 IN NS nic.cent.net.

gnu.org. 86388 IN NS ns1.gnu.org.

gnu.org. 86388 IN NS ns2.gnu.org.

gnu.org. 86388 IN NS ns2.cent.net.

gnu.org. 86388 IN NS ns3.gnu.org.

;; ADDITIONAL SECTION:

nic.cent.net. 101919 IN A 140.186.1.4

ns1.gnu.org. 118216 IN A 199.232.76.162

ns2.gnu.org. 118216 IN A 195.68.21.199

ns2.cent.net. 101919 IN A 140.186.1.14

ns3.gnu.org. 118216 IN A 209.115.72.62

;; Query time: 5 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Fri Sep 6 13:21:28 2002

;; MSG SIZE rcvd: 223

The ‘-t’ argument specifies the type of record to be looked up when using the hostname as an argument. Thus, to look up IPv6 ‘AAAA’ records, we write

host% dig -t aaaa daneel.iu.hio.no

; <<>> DiG 9.2.1 <<>> -t aaaa daneel.iu.hio.no

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61573

;; QUESTION SECTION:

;daneel.iu.hio.no. IN AAAA

;; ANSWER SECTION:

daneel.iu.hio.no. 14400 IN AAAA 2001:700:700:3:290:27ff:fea2:477b

;; AUTHORITY SECTION:

iu.hio.no. 14400 IN NS cube.iu.hio.no.

iu.hio.no. 14400 IN NS nexus.iu.hio.no.

;; ADDITIONAL SECTION:

dns.hio.no. 5582 IN A 158.36.161.3

dns.hio.no. 86038 IN AAAA 2001:700:700:1::3

cube.iu.hio.no. 14400 IN A 128.39.74.16

cube.iu.hio.no. 14400 IN AAAA 2001:700:700:4:290:27ff:fe93:6723

nexus.iu.hio.no. 14400 IN A 128.39.89.10

quetzalcoatal.iu.hio.no. 14400 IN A 128.39.89.26

;; Query time: 6 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Fri Sep 6 13:23:09 2002

;; MSG SIZE rcvd: 292

Similarly, IPv4 reverse lookup is performed with:

dig -x 192.0.1.3

As to what works with IPv6 – this is a study in confusion. To date the only method that seems to work on newer versions of BIND is

host -n 2001:700:700:4:290:27ff:fe93:6723

There has been disagreement about the name of the reverse lookup domain for IPv6. As of January 2003, it has finally been decided that it will be called ip6.arpa, but some resolvers still try to look up ip6.int. This can cause all manner of confusion (see section 9.5.9). Try this:

host$ host -n 2001:700:700:3:0:0:0:1

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int domain name pointer ip6-gw.p52.hio.no.

host$ host -t PTR 1....3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.arpa

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.arpa domain name pointer ip6-gw.p52.hio.no.

host$ host -t PTR 1....3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.7.0.0.0.7.0.1.0.0.2.ip6.int domain name pointer ip6-gw.p52.hio.no.

Note that these horrendous lines are too wide for the page of the book, so in reverse ‘nibble’ format, one must type all of the ‘.0.0’s between the 1 and the 3 above.
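
The nibble names shown above can be computed rather than typed by hand. The following Python sketch is an added example, not code from the book: it builds the reverse-lookup name for an address under ip6.arpa or the older ip6.int, and goes beyond the text by also covering IPv4 in-addr.arpa names and the conversion back to an address. The function names are this example's own.

```python
import ipaddress

# Reverse-lookup suffixes: ip6.arpa is the agreed IPv6 zone, ip6.int the
# older one that some resolvers still query (both appear in the text above).
V6_SUFFIXES = ("ip6.arpa", "ip6.int")


def reverse_name(addr, v6_suffix="ip6.arpa"):
    """Return the PTR owner name for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # IPv4: the four octets in reverse order under in-addr.arpa.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    if v6_suffix not in V6_SUFFIXES:
        raise ValueError("unknown IPv6 reverse zone: %r" % v6_suffix)
    # IPv6: expand '::' and leading zeros to all 32 hex digits, then list
    # the digits (nibbles) from least to most significant.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + v6_suffix


def address_from_reverse_name(name):
    """Recover the address from a PTR owner name; reject malformed names."""
    labels = name.rstrip(".").lower().split(".")
    suffix, body = ".".join(labels[-2:]), labels[:-2]
    if suffix == "in-addr.arpa" and len(body) == 4:
        return str(ipaddress.IPv4Address(".".join(reversed(body))))
    if suffix in V6_SUFFIXES and len(body) == 32 and all(
            len(n) == 1 and n in "0123456789abcdef" for n in body):
        digits = "".join(reversed(body))
        groups = [digits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a complete reverse-lookup name: %r" % name)


if __name__ == "__main__":
    for zone in V6_SUFFIXES:
        print(reverse_name("2001:700:700:3:0:0:0:1", zone))
    print(reverse_name("192.0.2.238"))
```

A name with nibbles left out, like the abbreviated form printed in the listing above, is rejected rather than silently padded.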

Special information

The domain name service identifies certain special hosts which perform services like the name service itself and mail-handlers (called mail exchangers). These servers are identified by special records so that people outside of a given domain can find out about them. After all, the mail service in one domain needs to know how to send mail to a neighboring domain. It also needs to know how to find out the names and addresses of hosts for which it does not keep information personally.

We can use nslookup to extract this information by setting the ‘query type’ of a request. For instance, to find out about the mail exchangers in a domain we write

> set q=mx

> domain name

For example

> set q=mx

> otherdomain.org

Server: mother.example.org

Address: 192.0.2.10

Non-authoritative answer:

otherdomain.org preference = 0, mail exchanger = mercury.otherdomain.org

Authoritative answers can be found from:

otherdomain.org nameserver = mercury.otherdomain.org

otherdomain.org nameserver = delilah.otherdomain.org

mercury.otherdomain.org internet address = 158.36.85.10

delilah.otherdomain.org internet address = 129.241.1.99

Or

dig -t mx otherdomain.org

Here we see that the only mail server for otherdomain.org is mercury.otherdomain.org.

Another example is to obtain information about the nameservers in a domain. This will allow us to find out information about hosts which is not contained in our local database. To get this, we set the query-type to ns.

> set q=ns

> otherdomain.org

Server: mother.example.org

Address: 192.0.2.10

Non-authoritative answer:

otherdomain.org nameserver = delilah.otherdomain.org

otherdomain.org nameserver = mercury.otherdomain.org

Authoritative answers can be found from:

delilah.otherdomain.org internet address = 192.0.2.78

mercury.otherdomain.org internet address = 192.0.2.80

>

Here we see that there are two authoritative nameservers for this domain called delilah.otherdomain.org and mercury.otherdomain.org.

Finally, other lookup criteria are provided. For instance, if we set the query type to ‘any’, we get a summary of all this information.

Listing hosts belonging to a domain

To list every registered Internet address and hostname for a given domain one can use the ls command inside nslookup. For instance

> ls example.org

[mother.example.org]

example.org. server = mother.example.org

example.org. server = mercury.otherdomain.org

pc61 192.0.2.61

pc59 192.0.2.59

pc59 192.0.2.59

pc196 192.0.2.196

etc...

In this listing the nameservers are listed first, and then the host names and corresponding IP addresses. Newer nameservers can restrict access to prevent others from obtaining this list all in one go, since it is now considered a potential security hazard.

If we try to look up hosts in a domain for which the default nameserver has no information, we get an error message. For example, suppose we try to list the names of the hosts in the domain over ours:

> ls otherdomain.org

[mother.example.org]

*** Can’t list domain otherdomain.org: Query refused

>

This does not mean that it is not possible to get information about other domains, only that we cannot find out information about other domains from the local server. See section 3.8.1.

Changing to a different server

If we know the name of a server which contains authoritative information for a domain, we can tell nslookup to use that server instead. That way it might be possible to list the hosts in a remote domain and find out detailed information about it. At the very least, it is possible to find out about key records, like nameservers and mail exchangers (MX). To change the server we simply type

> server new-server

Once this is done we use ls to list the names.

> server ns.college.edu

Default Server: ns.college.edu

Address: 192.0.2.10

> ls college.edu

(listing ..)

Another advantage of using the server which is directly responsible for the DNS data is that we obtain extra information about the domain, namely a contact address for the person responsible for administering the domain. For example:

> server ns.college.edu

Default Server: ns.college.edu

Address: 192.0.2.10

> college.edu

Server: ns.college.edu

Address: 192.0.2.10

college.edu preference = 0, mail exchanger = ns.college.edu

college.edu nameserver = ns.college.edu

college.edu

origin = ns.college.edu

mail addr = postmaster.ns.college.edu

serial = 1996120503

refresh = 3600 (1 hour)

retry = 900 (15 mins)

expire = 604800 (7 days)

minimum ttl = 86400 (1 day)

college.edu nameserver = ns.college.edu

ns.college.edu internet address = 192.0.2.10

This is probably more information than we are interested in, but it does tell us that we can address queries and problems concerning this domain to postmaster@ns.college.edu. (Note that DNS does not use the @ symbol for ‘at’ in these data.)
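
The fields of the answer above can be read mechanically, including the step from the ‘mail addr’ value to a usable contact address. This Python sketch is an added example, not part of the book; the sample text is constructed from the values in the listing above, and parse_soa and rname_to_email are names chosen here.

```python
import re

# Constructed sample: the start-of-authority fields from the listing above,
# one "field = value" per line.
SAMPLE = """\
college.edu
        origin = ns.college.edu
        mail addr = postmaster.ns.college.edu
        serial = 1996120503
        refresh = 3600 (1 hour)
        retry = 900 (15 mins)
        expire = 604800 (7 days)
        minimum ttl = 86400 (1 day)
"""

FIELD = re.compile(r"^\s*(origin|mail addr|serial|refresh|retry|expire|"
                   r"minimum ttl)\s*=\s*(\S+)", re.MULTILINE)
NUMERIC = {"serial", "refresh", "retry", "expire", "minimum ttl"}


def parse_soa(text):
    """Collect the start-of-authority fields from the output into a dict."""
    soa = {}
    for key, value in FIELD.findall(text):
        soa[key] = int(value) if key in NUMERIC else value.rstrip(".")
    return soa


def rname_to_email(rname):
    """Turn the 'mail addr' value into an e-mail address.

    The first unescaped dot separates the mailbox from the mail domain;
    a dot that belongs to the mailbox itself is written as '\\.'.
    """
    match = re.match(r"((?:\\.|[^.\\])+)\.(.+)", rname.rstrip("."))
    if not match:
        raise ValueError("no mailbox/domain separator in %r" % rname)
    local = re.sub(r"\\(.)", r"\1", match.group(1))  # drop the escapes
    return local + "@" + match.group(2)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE)
    print(soa["serial"], rname_to_email(soa["mail addr"]))
```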
