Troubleshooting DNS


Whois
Online Whois Tool
Dig
Online Dig Tool
Nslookup
Online Nslookup Tool

whois

whois is the most basic of all tools used to troubleshoot DNS and DNS related problems. It allows you to query information from the root name servers to find out what DNS servers provide authoritative DNS for a given domain or IP range.

The most basic usage is simply checking to see if a domain is registered and if, then what are the responsible name servers for that domain:

[www]:[8:03pm]:[/home/training/www/backroom] > whois verio.com

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: VERIO.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Whois Server: whois.inww.com
   Referral URL: http://www.inww.com
   Name Server: NS0.VERIO.NET
   Name Server: NS1.VERIO.NET
   Name Server: NS2.VERIO.NET
   Updated Date: 13-jun-2001


>>> Last update of whois database: Mon, 1 Oct 2001 05:39:20 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.


Domain Name.......... verio.com
  Creation Date........ 1996-12-07
  Registration Date.... 2000-05-10
  Expiry Date.......... 2001-12-06
  Organisation Name.... Verio Inc
  Organisation Address. 8005 South Chester Street
  Organisation Address. Suite 200
  Organisation Address. Englewood
  Organisation Address. 80112
  Organisation Address. CO
  Organisation Address. UNITED STATES

Admin Name........... Hostmaster Verio
  Admin Address........ 8005 South Chester Street
  Admin Address........ Suite 200
  Admin Address........ Englewood
  Admin Address........ 80112
  Admin Address........ CO
  Admin Address........ UNITED STATES
  Admin Email.......... domainAdmin@verio.net
  Admin Phone.......... 214 290 8620
  Admin Fax............

Tech Name............ Hostmaster Verio
  Tech Address......... 8005 South Chester Street
  Tech Address......... Suite 200
  Tech Address......... Englewood
  Tech Address......... CO
  Tech Address......... 80112
  Tech Address......... UNITED STATES
  Tech Email........... hostmaster@verio.net
  Tech Phone........... 214 290 8620
  Tech Fax............. .
  Name Server.......... NS0.VERIO.NET
  Name Server.......... NS1.VERIO.NET
  Name Server.......... NS2.VERIO.NET

[www]:[8:03pm]:[/home/training/www/backroom] >

From this output, we can tell quite a bit about the domain verio.com. Verio.com has 3 name servers, NS0.VERIO.NET, NS1.VERIO.NET, and NS2.VERIO.NET. We know that the Registrar is MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE who has a website of www.inww.com. The domain was created on December 7th, 1996 and the next time it needs to be updated will be December 6th, 2001.

If the domain was not registered, or if we made a mistake while entering the command, you would see the following:

[www]:[8:03pm]:[/home/training/www/backroom] > whois blahblah123.com

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "BLAHBLAH123.COM".

>>> Last update of whois database: Mon, 1 Oct 2001 05:39:20 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[www]:[8:06pm]:[/home/training/www/backroom] >

To test this command online, try our online Internet WHOIS Search. This tool will accept both names and IP's and provide you with any registration information that can be found.

Another way to use the whois tool is to see who administers a block of IP's. IP's are delegated, or given out, by ARIN within this hemisphere. To see who an IP is delegated to, you need to query a different server than the default one that whois uses. Instead, you use the server whois.arin.net for these types of queries.

[tethys]:[5:14pm]:[/home/rnejdl] > whois -h whois.arin.net 216.185.79.251
Hamilton Hydro / FibreWired (NETBLK-FIBREWIRED) FIBREWIRED
                                                 216.185.64.0 - 216.185.95.255
WorldWithoutWire.com (NETBLK-FW-WORLDWITHOUTWIRE-4) FW-WORLDWITHOUTWIRE-4
                                                 216.185.79.0 - 216.185.79.255
@Computer Plus (NETBLK-ACOMP-WWOW-1) ACOMP-WWOW-1
                                               216.185.79.247 - 216.185.79.254
 
To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
 
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[tethys]:[5:14pm]:[/home/rnejdl] >

This example shows that 216.185.79.251 is part if Hamilton Hydro / FibreWired's IP block. They then delegated a Class C of theirs to WorldWithoutWire.com, who in turn delegated 8 IP's to @Computer Plus.

To get more detailed information about what name servers provide reverse DNS for those IP's, you would run the same command again except to exchange the IP for the IP Block code, which is in parenthesis. An example of that is:

[tethys]:[5:18pm]:[/home/rnejdl] > whois -h whois.arin.net NETBLK-FW-WORLDWITHOUTWIRE-4
WorldWithoutWire.com (NETBLK-FW-WORLDWITHOUTWIRE-4)
   253 King St. N
   Waterloo, ON N2J 2Y8
   CA
 
   Netname: FW-WORLDWITHOUTWIRE-4
   Netblock: 216.185.79.0 - 216.185.79.255
   Maintainer: WWWR
 
   Coordinator:
      Krusky, Paul  (PK289-ARIN)  pkrusky@worldwithoutwire.com
      519-725-0606
 
   Domain System inverse mapping provided by:
 
   NS1.WORLDWITHOUTWIRE.COM     209.162.224.10
   NS2.WORLDWITHOUTWIRE.COM     216.185.76.4
 
   Record last updated on 12-Apr-2001.
   Database last updated on 29-Sep-2001 23:14:31 EDT.
 
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[tethys]:[5:18pm]:[/home/rnejdl] >

Whois Exercises

To perform these exercises, you can either open a UNIX shell prompt or use the Online WHOIS Tool. Once you have one of these two tools open, perform the following exercises.

  1. Do a whois for "msn.com".

    How many authoritative name servers does this domain have?

    Who is the registrar?

    Who is the technical contact?

  2. Do a whois for google.com?

    Did the output show you something usable?

    To get more descriptive output, try doing a whois against whois.networksolutions.com by doing whois -h whois.networksolutions.com google.com If you are using the webtool, then enter just -h whois.networksolutions.com google.com. Here, we just guessed which registrar might have registered google.com and by doing so, we found the information we were looking for for google.com.

  3. Let's do a whois for the IP address 129.250.35.250 and see what comes back. If you are using a command prompt, then enter whois -h whois.arin.net 129.250.35.250 and if you are using the online tool, simply enter the IP address as the tool will redirect you to the proper whois server.

    You should have gotten something that looks like this:
    [www]:[3:54pm]:[/home/rnejdl] > whois -h whois.arin.net 129.250.35.250
    [No name] (X-HST)               U.NS.VERIO.NET                  129.250.35.250
    Verio, Inc. (NET-VRIO-129-250)  VRIO-129-250     129.250.0.0 - 129.250.255.255
    
    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.
    
    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    [www]:[3:54pm]:[/home/rnejdl] >
    
    To get more specific information, if you are using the command prompt, then enter whois -h whois.arin.net NET-VRIO-129-250 and if you are using the online tool, then enter -h whois.arin.net NET-VRIO-129-250.

    Who would you contact for reverse DNS for these IP addresses?

    How large is this IP block that is delegated to Verio?

dig

Dig has two main uses in troubleshooting DNS. The first is to see if a domain name is having problems. That is, whether or not the domain is on hold or if the authoritative name servers are not answering for the given domain. To see this in action, simply type dig domainname and interpret the results. For example:

[tethys]:[5:18pm]:[/home/rnejdl] > dig howdydoody.com

; <<>> DiG 8.3 <<>> howdydoody.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      howdydoody.com, type = A, class = IN
 
;; ANSWER SECTION:
howdydoody.com.         5M IN A         216.74.139.88
 
;; AUTHORITY SECTION:
howdydoody.com.         6H IN NS        ns.ge.com.
howdydoody.com.         6H IN NS        ns2.ge.com.
howdydoody.com.         6H IN NS        mason.ge.com.
 
;; ADDITIONAL SECTION:
ns.ge.com.              6H IN A         192.35.39.24
ns2.ge.com.             6H IN A         192.35.39.25
mason.ge.com.           6H IN A         205.173.93.34
 
;; Total query time: 368 msec
;; FROM: tethys.ringofsaturn.com to SERVER: default -- 127.0.0.1
;; WHEN: Mon Oct  1 17:19:55 2001
;; MSG SIZE  sent: 32  rcvd: 154
 
[tethys]:[5:19pm]:[/home/rnejdl] >

This domain has a status of NOERROR, which means that the domain is not on hold and that the authoritative name servers answered correctly. Below is a table showing the different types of statuses that you could receive.

Status Meaning
NOERROR A NOERROR indicates that the domain does exist according to the root name servers and that the authoritative name servers are answering queries correctly for that domain.
SERVFAIL SERVFAIL means that the domain does exist and the root name servers have information on this domain, but that the authoritative name servers are not answering queries for this domain.
NXDOMAIN NXDOMAIN can means that the root name servers are not providing any authoritative name servers for this domain. This can be because the domain does not exist or that the domain is on-hold. Make sure that you use whois when you see an NXDOMAIN.

dig is also useful for finding all of the resource records for a given domain. To do this, you must know the name or IP of one of the authoritative name servers. Here is an example.

[tethys]:[5:28pm]:[/home/rnejdl] > dig @209.39.6.4 training.verio.net axfr

; <<>> DiG 8.3 <<>> @209.39.6.4 training.verio.net axfr
; (1 server found)
$ORIGIN training.verio.net.
@                       6H IN SOA       ns rnejdl.verio.net. (
                                        2001091101      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum

                        6H IN NS        ns
                        6H IN NS        ns2
                        6H IN NS        ns1.verio.net.
                        6H IN A         209.39.6.4
                        6H IN MX        10 onyx
                        6H IN MX        20 backupmx1.veriomail.com.
                        6H IN MX        20 backupmx2.veriomail.com.
dhcp-253                6H IN A         209.39.6.253
...

This pulls a copy of the entire zone file for the domain and outputs it to your screen. The above example, due to its large size, has been truncated. This is very useful when you want to see why a certain host will not resolve while the domain itself does work properly. Using this command, you can see if there was a typo in a hostname or the adminstrator forgot a trailing dot when entering the resource record.

Dig Exercises

For these exercises, you will either need to open a command prompt to shell.training.verio.net or open the Online DIG Tool on the training site. Once you have that open, do the following exercises.

  1. Do a dig on forever.com.

    What is the status of this domain?

    How many name servers does this domain have and what are they?

  2. Do a dig on blahblah123.com.

    What is the status of this domain?

    Is this domain registered? Use whois to find out.

  3. How would you do a dig for reverse DNS? Do a dig for 6.39.209.in-addr.arpa to find out.

    What does the 6.39.209.in-addr.arpa mean?

nslookup

The cornerstone of DNS troubleshooting is by far the nslookup command. This tool allows you to lookup any type of DNS record from any server for any domain. The most basic usage is to use the command line, non-interactive version. For example, to lookup the IP for www.verio.com, do the following:

[tethys]:[5:29pm]:[/home/rnejdl] > nslookup www.verio.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1
 
Non-authoritative answer:
Name:    www.verio.com
Address:  204.0.52.20
 
[tethys]:[6:01pm]:[/home/rnejdl] >

You can also specific the query type on the command line. For example, supposed you wanted to the what the mail servers are for msn.com:

[tethys]:[6:01pm]:[/home/rnejdl] > nslookup -q=mx msn.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1
 
Non-authoritative answer:
msn.com preference = 20, mail exchanger = smtp-gw-4.msn.com
 
Authoritative answers can be found from:
msn.com nameserver = DNS1.CP.MSFT.NET
msn.com nameserver = DNS1.TK.MSFT.NET
msn.com nameserver = DNS3.UK.MSFT.NET
msn.com nameserver = DNS3.JP.MSFT.NET
msn.com nameserver = DNS1.DC.MSFT.NET
msn.com nameserver = DNS1.SJ.MSFT.NET
smtp-gw-4.msn.com       internet address = 207.46.181.13
DNS1.CP.MSFT.NET        internet address = 207.46.138.20
DNS1.TK.MSFT.NET        internet address = 207.46.232.37
DNS3.UK.MSFT.NET        internet address = 213.199.144.151
DNS3.JP.MSFT.NET        internet address = 207.46.72.123
DNS1.DC.MSFT.NET        internet address = 207.68.128.151
DNS1.SJ.MSFT.NET        internet address = 207.46.97.11
[tethys]:[6:02pm]:[/home/rnejdl] >

According to the output, msn.com has only one SMTP server, which is smtp-gw-4.msn.com.

Interactive mode nslookup allows you to do all of the queries you can do on the command line and more. To get into interactive mode, simply type nslookup and hit enter.

Once in this mode, you can simply type in a hostname to lookup the IP for that host, or type in an IP to lookup to the hostname for that IP. For example:

[tethys]:[6:07pm]:[/home/rnejdl] > nslookup
Default Server:  localhost.ringofsaturn.com
Address:  127.0.0.1
 
> www.amazon.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1
 
Non-authoritative answer:
Name:    www.amazon.com
Address:  207.171.181.16
 
> 207.171.181.16
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1
 
Name:    www.amazon.com
Address:  207.171.181.16
 
>

More interesting things you can do include changing the query type and using the debug feature. In this next example, I will check the MX records for a domain and will use the debug feature to see the query as it is happening.

[tethys]:[6:10pm]:[/home/rnejdl] > nslookup
Default Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

> set type=mx
> set debug
> shoutcast.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

;; res_nmkquery(QUERY, shoutcast.com, IN, MX)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 40638, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 2,  additional = 3

    QUESTIONS:
        shoutcast.com, type = MX, class = IN
    ANSWERS:
    ->  shoutcast.com
        preference = 10, mail exchanger = mail.winamp.com
        ttl = 3600 (1H)
    AUTHORITY RECORDS:
    ->  shoutcast.com
        nameserver = dns-01.spinner.net
        ttl = 3600 (1H)
    ->  shoutcast.com
        nameserver = dns-02.spinner.net
        ttl = 3600 (1H)
    ADDITIONAL RECORDS:
    ->  mail.winamp.com
        internet address = 64.236.148.85
        ttl = 3600 (1H)
    ->  dns-01.spinner.net
        internet address = 152.163.159.239
        ttl = 3600 (1H)
    ->  dns-02.spinner.net
        internet address = 205.188.157.239
        ttl = 3600 (1H)
 
------------
shoutcast.com
        preference = 10, mail exchanger = mail.winamp.com
        ttl = 3600 (1H)
shoutcast.com
        nameserver = dns-01.spinner.net
        ttl = 3600 (1H)
shoutcast.com
        nameserver = dns-02.spinner.net
        ttl = 3600 (1H)
mail.winamp.com
        internet address = 64.236.148.85
        ttl = 3600 (1H)
dns-01.spinner.net
        internet address = 152.163.159.239
        ttl = 3600 (1H)
dns-02.spinner.net
        internet address = 205.188.157.239
        ttl = 3600 (1H)
>

The first line started the interactive nslookup session. The next line defines what name server we're using presently, which in this case is localhost, which has an IP address of 127.0.0.1, the loopback IP. Next, we set the query type to be MX, or Mail Exchanger, to see the mail servers. We then enable debug, which will show us the details of what name server was contacted and such. Finally, we input shoutcast.com for the domain and press enter. We are then presented with detailed information on the MX records and the addresses and TTL's (Time to Live) for each smtp host.

To see a full list of the interactive commands, simply type the ? at an interactive nslookup prompt and press enter.

> ?
$Id: nslookup.help,v 8.5 2000/03/30 23:25:35 vixie Exp $

Commands:       (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands; see nslookup(1) for details
set OPTION      - set an option
    all         - print options, current server and host
    [no]debug   - print debugging information
    [no]d2      - print exhaustive debugging information
    [no]defname - append domain name to each query
    [no]recurse - ask for recursive answer to query
    [no]vc      - always use a virtual circuit
    domain=NAME - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME   - set root server to NAME
    retry=X     - set number of retries to X
    timeout=X   - set initial time-out interval to X seconds
    querytype=X - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,WKS,SRV,NAPTR
    port=X      - set port number to send query on
    type=X      - synonym for querytype
    class=X     - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional USER at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -h          -  list HINFO (CPU type and operating system)
    -s          -  list well-known services
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g., A,CNAME,MX, etc.)
exit            - exit the program, ^D also exits
>

One interesting query listed here is the ls -d option, which allows you to list all records for a domain, if the name server supports this type of query. For example

> ls -d training.verio.net
[localhost.ringofsaturn.com]
*** Can't list domain training.verio.net: Unspecified error
>

The reason that this one did not work is because the name server queried was localhost, which is not authoritative for the domain. However, if I switch to the proper name server and run the command again, I will see the following:

> server 209.39.6.4
Default Server:  www.training.verio.net
Address:  209.39.6.4

> ls -d training.verio.net
[www.training.verio.net]
$ORIGIN training.verio.net.
@                       6H IN SOA       ns rnejdl.verio.net. (
                                        2001091101      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum

                        6H IN NS        ns
                        6H IN NS        ns2
                        6H IN NS        ns1.verio.net.
                        6H IN A         209.39.6.4
                        6H IN MX        10 onyx
                        6H IN MX        20 backupmx1.veriomail.com.
                        6H IN MX        20 backupmx2.veriomail.com.
...

As you can see here, the output of this command is almost identical to that of the dig axfrcommand because they both use the same DNS functionality to produce the results. Either command works to do this so it is simply a matter of personal preference on which you use.

nslookup Exercises

For these exercises, you will either need to open a command prompt to shell.training.verio.net or open the Online NSLOOKUP Tool on the training site. Once you have that open, do the following exercises.

  1. Lookup the IP of a hostname.

  2. Lookup the name servers for a domain.

  3. Lookup the mail servers for a domain.

  4. Lookup the name given to an IP address.

  5. Lookup the all records for a domain.

Take the Quiz

If you have read through this document and taken the time to go through the exercises, then you should have no problems passing the quiz that helps you see how much you have learned.

Take the Whois, Dig, and Nslookup Quiz.