Using nslookup to find what name servers were contacted in a query


I'm using nslookup to find the DNS name that has a given IP address as one of its associated addresses. So, I use nslookup interactively...

command line > nslookup -
set query=ptr
24.248.56.68

Non-authoritative answer:
68.56.248.24.in-addr.arpa       name = wsip-24-248-56-68.ri.ri.cox.net.

Authoritative answers can be found from:
24.in-addr.arpa nameserver = x.arin.net.
24.in-addr.arpa nameserver = u.arin.net.
24.in-addr.arpa nameserver = t.arin.net.
24.in-addr.arpa nameserver = v.arin.net.
24.in-addr.arpa nameserver = dill.arin.net.
24.in-addr.arpa nameserver = y.arin.net.
24.in-addr.arpa nameserver = z.arin.net.
24.in-addr.arpa nameserver = w.arin.net.
t.arin.net      internet address = 199.253.249.63
u.arin.net      internet address = 204.61.216.50
u.arin.net      has AAAA address 2001:500:14:6050:ad::1
v.arin.net      internet address = 63.243.194.2
v.arin.net      has AAAA address 2001:5a0:10::2
w.arin.net      internet address = 72.52.71.2
w.arin.net      has AAAA address 2001:470:1a::2
x.arin.net      internet address = 199.71.0.63
x.arin.net      has AAAA address 2001:500:31::63
y.arin.net      internet address = 192.42.93.32
z.arin.net      internet address = 199.212.0.63
z.arin.net      has AAAA address 2001:500:13::63
dill.arin.net   internet address = 192.35.51.32

Now I want to find what name servers were contacted to do that lookup. I think I'm supposed to set query=ns but that returns the same answer. How can I find what name servers were contacted?


There are 1 answers

Duane Harkness On

The server that processed your query should be displayed along with the result, e.g.

Server:     192.168.1.253
Address:    192.168.1.253#53

Non-authoritative answer:
68.56.248.24.in-addr.arpa   name = wsip-24-248-56-68.ri.ri.cox.net.

Typically this is the default nameserver configured for your workstation. To select a different nameserver use the nslookup "server" command.

Since your query returned a non-authoritative answer that means your nameserver is not authoritative for that pointer. It had to query other nameserver(s) in order to respond. As far as I know, there is no nslookup option to show the lookup sequence performed by your nameserver.

If your objective is to determine the authoritative nameserver for the pointer then you need to do one or more additional nslookup queries based on the authoritative 'hints'. In your example, the first hint is "x.arin.net" (one of the internet root servers). Using this hint, your next step would be to send the same query to that server, e.g.

> server x.arin.net
Default server: x.arin.net
Address: 199.71.0.63#53
> 24.248.56.68
Server:     x.arin.net
Address:    199.71.0.63#53

Non-authoritative answer:
*** Can't find 68.56.248.24.in-addr.arpa.: No answer

Authoritative answers can be found from:
248.24.in-addr.arpa nameserver = ns.cox.net.
248.24.in-addr.arpa nameserver = ns.west.cox.net.
248.24.in-addr.arpa nameserver = ns.east.cox.net.

This response shows x.arin.net isn't authoritative either but the new hint indicates the next server to query is "ns.cox.net" (or "ns.west.cox.net" or "ns.east.cox.net"). Set your server to the new hint, execute the query again and repeat the process until you get an authoritative answer, e.g.

> server ns.cox.net
Default server: ns.cox.net
Address: 68.1.16.107#53
> 24.248.56.68
Server:     ns.cox.net
Address:    68.1.16.107#53

Non-authoritative answer:
*** Can't find 68.56.248.24.in-addr.arpa.: No answer

Authoritative answers can be found from:
56.248.24.in-addr.arpa  nameserver = ns2.coxmail.com.
56.248.24.in-addr.arpa  nameserver = ns1.coxmail.com.

> server ns2.coxmail.com
Default server: ns2.coxmail.com
Address: 68.111.106.70#53
> 24.248.56.68
Server:     ns2.coxmail.com
Address:    68.111.106.70#53

68.56.248.24.in-addr.arpa   name = wsip-24-248-56-68.ri.ri.cox.net.

This result shows the authoritative nameserver for the pointer is "ns2.coxmail.com". Depending on how your nameserver is configured, it may have gone through the same series of queries you did. However, if your nameserver is set up for caching, the next time you make the same query it may answer from its cache rather than go through the same process.

I hope this helps. Keep in mind this may not be exactly how it works for you because a lot depends on the configuration of your workstation, the configuration of your nameserver as well as the configuration of the additional nameservers that are queried.

Other tools more sophisticated than nslookup may make this process easier for you.
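The referral-following procedure from the answer above, automated as an added example (not part of the original answer): it parses each nslookup reply, accepts a PTR line only if its owner matches the queried address, and re-asks the first hinted server until the "Non-authoritative answer" banner disappears. The function names and `SAMPLE` (replies abridged from this page's transcripts) are assumptions of the example; the live mode assumes `nslookup` is on the PATH.

```python
import ipaddress
import re
import subprocess

# Replies abridged from the transcripts on this page, keyed by the server asked
# (None = the workstation's default resolver).
PTR = "68.56.248.24.in-addr.arpa\tname = wsip-24-248-56-68.ri.ri.cox.net.\n"
NOAUTH = "Non-authoritative answer:\n"
SAMPLE = {
    None: NOAUTH + PTR + "24.in-addr.arpa\tnameserver = x.arin.net.\n",
    "x.arin.net": NOAUTH + "248.24.in-addr.arpa\tnameserver = ns.cox.net.\n",
    "ns.cox.net": NOAUTH + "56.248.24.in-addr.arpa\tnameserver = ns2.coxmail.com.\n",
    "ns2.coxmail.com": PTR,
}

def parse_reply(text, ip):
    """Return (ptr_target, authoritative, referral_servers) for one nslookup reply."""
    owner = re.escape(ipaddress.ip_address(ip).reverse_pointer)
    answer = re.search(rf"^{owner}\.?\s+name = (\S+)", text, re.M)
    referral = re.findall(r"^\S+\s+nameserver = (\S+?)\.?\s*$", text, re.M)
    # nslookup prints the banner whenever the reply lacks the AA flag
    authoritative = bool(answer) and "Non-authoritative answer" not in text
    return (answer.group(1) if answer else None), authoritative, referral

def run_nslookup(ip, server):
    """Live query (needs network). -type=ptr is the command-line form of 'set query=ptr'."""
    cmd = ["nslookup", "-type=ptr", ip] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

def walk(ip, query=run_nslookup, max_hops=8):
    """Follow referral hints from the default resolver to an authoritative answer."""
    server, path = None, []
    for _ in range(max_hops):  # bounded: referrals can loop or be lame
        target, authoritative, referral = parse_reply(query(ip, server), ip)
        path.append(server or "(default resolver)")
        if authoritative:
            return path, target
        if not referral:
            break
        server = referral[0]
    return path, None  # chain ended without an authoritative answer

if __name__ == "__main__":
    print(walk("24.248.56.68", query=lambda ip, server: SAMPLE[server]))
```

Calling `walk("24.248.56.68")` with no `query` argument performs the same walk against live servers; the path it returns is the chain you followed by hand, not necessarily the one your resolver took, since the resolver may have answered from cache.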