Online Whois Tool
Online Dig Tool
Online Nslookup Tool
whois is the most basic of the tools used to troubleshoot DNS and DNS-related problems. It queries the registry's whois database (not the DNS root servers themselves) to find out whether a domain or IP range is registered, who is responsible for it, and which name servers are listed as authoritative for it.
The most basic usage is simply checking whether a domain is registered and, if so, which name servers are responsible for it:

[www]:[8:03pm]:[/home/training/www/backroom] > whois verio.com

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: VERIO.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Whois Server: whois.inww.com
   Referral URL: http://www.inww.com
   Name Server: NS0.VERIO.NET
   Name Server: NS1.VERIO.NET
   Name Server: NS2.VERIO.NET
   Updated Date: 13-jun-2001

>>> Last update of whois database: Mon, 1 Oct 2001 05:39:20 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Domain Name.......... verio.com
Creation Date........ 1996-12-07
Registration Date.... 2000-05-10
Expiry Date.......... 2001-12-06
Organisation Name.... Verio Inc
Organisation Address. 8005 South Chester Street
Organisation Address. Suite 200
Organisation Address. Englewood
Organisation Address. 80112
Organisation Address. CO
Organisation Address. UNITED STATES

Admin Name........... Hostmaster Verio
Admin Address........ 8005 South Chester Street
Admin Address........ Suite 200
Admin Address........ Englewood
Admin Address........ 80112
Admin Address........ CO
Admin Address........ UNITED STATES
Admin Email.......... domainAdmin@verio.net
Admin Phone.......... 214 290 8620
Admin Fax............

Tech Name............ Hostmaster Verio
Tech Address......... 8005 South Chester Street
Tech Address......... Suite 200
Tech Address......... Englewood
Tech Address......... CO
Tech Address......... 80112
Tech Address......... UNITED STATES
Tech Email........... email@example.com
Tech Phone........... 214 290 8620
Tech Fax............. .

Name Server.......... NS0.VERIO.NET
Name Server.......... NS1.VERIO.NET
Name Server.......... NS2.VERIO.NET
[www]:[8:03pm]:[/home/training/www/backroom] >
From this output we can tell quite a bit about the domain verio.com. It has three name servers: NS0.VERIO.NET, NS1.VERIO.NET, and NS2.VERIO.NET. The registrar is MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE, whose website is www.inww.com and whose own whois server is whois.inww.com (the "Whois Server" line in the registry record tells you where the detailed contact record for a domain lives). The domain was created on December 7th, 1996 and expires on December 6th, 2001 unless it is renewed before then.
If the domain is not registered, or if we made a mistake while entering the command, we see a "No match" instead:

[www]:[8:03pm]:[/home/training/www/backroom] > whois blahblah123.com

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "BLAHBLAH123.COM".

>>> Last update of whois database: Mon, 1 Oct 2001 05:39:20 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
[www]:[8:06pm]:[/home/training/www/backroom] >
To test this command online, try our online Internet WHOIS Search. This tool accepts both names and IPs and shows you whatever registration information can be found.
Another way to use the whois tool is to see who administers a block of IPs. IP addresses are delegated, or handed out, by regional registries; for North America that registry is ARIN (other regions have their own, such as RIPE NCC and APNIC). To see who an IP is delegated to, you need to query a different server than the default one that whois uses: for ARIN's region, use the server whois.arin.net.

[tethys]:[5:14pm]:[/home/rnejdl] > whois -h whois.arin.net 220.127.116.11
Hamilton Hydro / FibreWired (NETBLK-FIBREWIRED)
   FIBREWIRED              18.104.22.168 - 22.214.171.124
WorldWithoutWire.com (NETBLK-FW-WORLDWITHOUTWIRE-4)
   FW-WORLDWITHOUTWIRE-4   126.96.36.199 - 188.8.131.52
@Computer Plus (NETBLK-ACOMP-WWOW-1)
   ACOMP-WWOW-1            184.108.40.206 - 220.127.116.11

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[tethys]:[5:14pm]:[/home/rnejdl] >
This example shows that 18.104.22.168 is part of Hamilton Hydro / FibreWired's IP block. They then delegated one /24 (a Class C) of theirs to WorldWithoutWire.com, who in turn delegated 8 IPs to @Computer Plus. When an address falls inside several nested blocks like this, the smallest (most specific) block is normally the one whose contact you want.
To get more detailed information about what name servers provide reverse DNS for those IPs, you run the same command again, but exchange the IP for the IP block handle shown in parentheses. An example of that is:

[tethys]:[5:18pm]:[/home/rnejdl] > whois -h whois.arin.net NETBLK-FW-WORLDWITHOUTWIRE-4
WorldWithoutWire.com (NETBLK-FW-WORLDWITHOUTWIRE-4)
   253 King St. N
   Waterloo, ON N2J 2Y8
   CA

   Netname: FW-WORLDWITHOUTWIRE-4
   Netblock: 22.214.171.124 - 126.96.36.199
   Maintainer: WWWR

   Coordinator:
      Krusky, Paul  (PK289-ARIN)  firstname.lastname@example.org
      519-725-0606

   Domain System inverse mapping provided by:

   NS1.WORLDWITHOUTWIRE.COM     188.8.131.52
   NS2.WORLDWITHOUTWIRE.COM     184.108.40.206

   Record last updated on 12-Apr-2001.
   Database last updated on 29-Sep-2001 23:14:31 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[tethys]:[5:18pm]:[/home/rnejdl] >
To perform these exercises, you can either open a UNIX shell prompt or use the Online WHOIS Tool. Once you have one of these two tools open, perform the following exercises.
- Do a whois for "msn.com".
How many authoritative name servers does this domain have?
Who is the registrar?
Who is the technical contact?
- Do a whois for google.com.
Did the output show you something usable?
To get more descriptive output, query the registrar's own whois server instead of the registry, for example whois -h whois.networksolutions.com google.com. If you are using the web tool, enter just -h whois.networksolutions.com google.com. Here we simply guessed which registrar might have registered google.com and happened to be right. The reliable way is to read the "Whois Server" line in the registry record (as in the verio.com example above), which names the registrar's server for that domain.
- Let's do a whois for the IP address 220.127.116.11 and see what comes back. If you are using a command prompt, then enter whois -h whois.arin.net 18.104.22.168 and if you are using the online tool, simply enter the IP address as the tool will redirect you to the proper whois server.
You should have gotten something that looks like this:

[www]:[3:54pm]:[/home/rnejdl] > whois -h whois.arin.net 22.214.171.124
[No name] (X-HST)                U.NS.VERIO.NET        126.96.36.199
Verio, Inc. (NET-VRIO-129-250)
   VRIO-129-250                  188.8.131.52 - 184.108.40.206

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[www]:[3:54pm]:[/home/rnejdl] >

To get more specific information, if you are using the command prompt, enter whois -h whois.arin.net NET-VRIO-129-250; if you are using the online tool, enter -h whois.arin.net NET-VRIO-129-250.
Who would you contact for reverse DNS for these IP addresses?
How large is this IP block that is delegated to Verio?
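The referral chain the exercises walk through by hand (registry record first, then the registrar's server named on its "Whois Server" line) is easy to automate. The following is an added example written for this page, not code from the original training material: a minimal whois client that speaks the protocol directly (TCP port 43, query terminated by CRLF, read until the server closes) and follows the referral. The registry hostname and the exact referral field name are assumptions and not taken from the page; the sample record is constructed to match the shape of the verio.com output shown earlier.

```python
"""Minimal whois client that follows the registry -> registrar referral.

Added example for this page, not part of the original training material.
Assumptions (not from the page): the .com/.net registry whois host name and
the 'Whois Server:' line as the referral field.
"""
from __future__ import annotations
import re
import socket

REGISTRY_SERVER = "whois.verisign-grs.com"   # assumption: today's .com/.net registry whois host

_REFERRAL_RE = re.compile(r"^\s*(?:Registrar )?Whois Server:\s*(\S+)", re.I | re.M)
_NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.I | re.M)
_NOMATCH_RE = re.compile(r"^\s*No match for", re.I | re.M)
# Only connect to something that looks like a hostname; the referral comes
# from an untrusted server and we do not want to be steered anywhere else.
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def whois_raw(server: str, query: str, timeout: float = 10.0) -> str:
    """One whois exchange: connect to TCP/43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_registry_answer(text: str) -> dict:
    """Extract the fields a troubleshooter needs from a (thin) registry record."""
    ref = _REFERRAL_RE.search(text)
    referral = ref.group(1).lower().rstrip("/") if ref else None
    if referral and referral.startswith("http"):   # some registries give a URL, not a host
        referral = None
    return {
        "registered": _NOMATCH_RE.search(text) is None,
        "referral": referral if referral and _HOST_RE.match(referral) else None,
        "name_servers": sorted({n.lower().rstrip(".") for n in _NS_RE.findall(text)}),
    }


def whois_domain(domain: str, registry: str = REGISTRY_SERVER) -> tuple[dict, str | None]:
    """Query the registry, then the registrar it points at.

    Returns (parsed registry fields, raw registrar record or None)."""
    registry_text = whois_raw(registry, f"domain {domain}")  # 'domain ' keeps Verisign to domain records
    info = parse_registry_answer(registry_text)
    registrar_text = None
    if info["referral"] and info["referral"] != registry:
        registrar_text = whois_raw(info["referral"], domain)
    return info, registrar_text


# Constructed sample in the shape of the registry record shown earlier on this page.
SAMPLE_REGISTRY = """\
   Domain Name: VERIO.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Whois Server: whois.inww.com
   Referral URL: http://www.inww.com
   Name Server: NS0.VERIO.NET
   Name Server: NS1.VERIO.NET
   Name Server: NS2.VERIO.NET
   Updated Date: 13-jun-2001
"""
SAMPLE_NOMATCH = 'No match for "BLAHBLAH123.COM".\n'

if __name__ == "__main__":
    import sys
    fields, registrar = whois_domain(sys.argv[1] if len(sys.argv) > 1 else "verio.com")
    print(fields)
    if registrar:
        print(registrar)
```

Run it with a domain name as the argument to perform the live lookup; the parsing functions work offline on the constructed samples. The hostname check before following the referral matters because the referral is data returned by a remote server: a client that blindly connects to whatever it is told to can be pointed at an internal host.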
Dig has two main uses in troubleshooting DNS. The first is to see if a domain name is having problems; that is, whether the domain is on hold or whether the authoritative name servers are not answering for the given domain. To see this in action, simply type dig domainname and interpret the results. For example:

[tethys]:[5:18pm]:[/home/rnejdl] > dig howdydoody.com

; <<>> DiG 8.3 <<>> howdydoody.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      howdydoody.com, type = A, class = IN

;; ANSWER SECTION:
howdydoody.com.         5M IN A         220.127.116.11

;; AUTHORITY SECTION:
howdydoody.com.         6H IN NS        ns.ge.com.
howdydoody.com.         6H IN NS        ns2.ge.com.
howdydoody.com.         6H IN NS        mason.ge.com.

;; ADDITIONAL SECTION:
ns.ge.com.              6H IN A         18.104.22.168
ns2.ge.com.             6H IN A         22.214.171.124
mason.ge.com.           6H IN A         126.96.36.199

;; Total query time: 368 msec
;; FROM: tethys.ringofsaturn.com to SERVER: default -- 127.0.0.1
;; WHEN: Mon Oct 1 17:19:55 2001
;; MSG SIZE  sent: 32  rcvd: 154

[tethys]:[5:19pm]:[/home/rnejdl] >
This domain has a status of NOERROR, which means that the domain is not on hold and that the authoritative name servers answered correctly. The status is the response code (rcode) carried in the DNS reply, so it reflects what the server you asked (here the local resolver) got back; a resolver may also hand you a negatively cached NXDOMAIN for a while after the problem has been fixed, so when in doubt query an authoritative server directly with dig @server domainname. Below is a table showing the statuses you are most likely to see.

Status     Meaning
NOERROR    The domain exists: the parent zone (the TLD servers, reached via the roots) hands out a delegation for it, and the authoritative name servers answered the query correctly. NOERROR with an empty ANSWER section means the name exists but has no record of the type you asked for; try another type (NS, SOA, MX) before concluding the domain is broken.
SERVFAIL   The delegation exists, but the authoritative name servers are not answering queries for this domain: they are down, unreachable, or not configured for the zone (a "lame" delegation).
NXDOMAIN   No delegation is being handed out for this domain, or the authoritative server says the name does not exist. This can be because the domain was never registered, has expired, or is on hold. Make sure that you use whois when you see an NXDOMAIN.
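Reading the status out of dig output by eye is fine for one domain; when checking many, it is worth parsing. The following is an added example written for this page (not the page's own code, and not a tool from BIND): it pulls the rcode, the header flags, and the answer/authority/additional sections out of dig's text output and maps them to the meanings in the table above, including the NOERROR-with-no-answer case the table mentions. It accepts both the BIND 8 TTL units shown above (5M, 6H) and the plain seconds that dig 9 prints. The two sample outputs are constructed, with documentation addresses in place of real ones.

```python
"""Parse dig's text output and classify the response the way the table above does.

Added example for this page; not code from the original training material.
Handles BIND 8 style TTLs (5M, 6H) and dig 9 style TTLs in seconds.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

_HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
_FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
_SECTION_RE = re.compile(r"^;; (\w+) SECTION:", re.I)
_TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


@dataclass
class DigResult:
    status: str                       # rcode: NOERROR, SERVFAIL, NXDOMAIN, REFUSED, ...
    flags: set[str]                   # qr aa rd ra ...
    # section name -> list of (owner, ttl_seconds, class, type, rdata)
    sections: dict[str, list[tuple[str, int, str, str, str]]] = field(default_factory=dict)


def parse_ttl(token: str) -> int:
    """'5M' -> 300, '6H' -> 21600, '1H30M' -> 5400, '3600' -> 3600."""
    if token.isdigit():
        return int(token)
    total = 0
    for num, unit in re.findall(r"(\d+)([SMHDWsmhdw])", token):
        total += int(num) * _TTL_UNITS[unit.upper()]
    return total


def parse_dig(text: str) -> DigResult:
    header = _HEADER_RE.search(text)
    if not header:
        raise ValueError("no dig header found (timed out, or not dig output)")
    flags_m = _FLAGS_RE.search(text)
    result = DigResult(status=header.group(2),
                       flags=set(flags_m.group(1).split()) if flags_m else set())
    current = None
    for line in text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1).upper()
            result.sections.setdefault(current, [])
            continue
        # Question lines and dig's own ';;' commentary carry no records.
        if current in (None, "QUERY", "QUESTION") or not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, ttl, cls, rtype = parts[0], parse_ttl(parts[1]), parts[2], parts[3]
        result.sections[current].append((owner, ttl, cls, rtype, " ".join(parts[4:])))
    return result


def diagnose(r: DigResult) -> str:
    """Map rcode plus answer count to the troubleshooting meaning."""
    answers = r.sections.get("ANSWER", [])
    if r.status == "NOERROR" and answers:
        return "ok: delegation exists and the authoritative servers answered"
    if r.status == "NOERROR":
        return "nodata: the name exists but has no records of the queried type"
    if r.status == "SERVFAIL":
        return "servfail: delegation exists but the authoritative servers did not answer usefully"
    if r.status == "NXDOMAIN":
        return "nxdomain: no such name; check whois to see whether the domain is registered or on hold"
    if r.status == "REFUSED":
        return "refused: the server would not answer (ACL, or it is not authoritative)"
    return f"unexpected rcode {r.status}"


# Constructed samples (addresses are RFC 5737 documentation addresses, not real ones).
SAMPLE_OK = """\
; <<>> DiG 8.3 <<>> howdydoody.com
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      howdydoody.com, type = A, class = IN

;; ANSWER SECTION:
howdydoody.com.         5M IN A         192.0.2.10

;; AUTHORITY SECTION:
howdydoody.com.         6H IN NS        ns.ge.com.
howdydoody.com.         6H IN NS        ns2.ge.com.
howdydoody.com.         6H IN NS        mason.ge.com.

;; ADDITIONAL SECTION:
ns.ge.com.              6H IN A         192.0.2.53
ns2.ge.com.             6H IN A         192.0.2.54
mason.ge.com.           6H IN A         192.0.2.55

;; Total query time: 368 msec
"""
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;blahblah123.com.               IN      A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1633046400 1800 900 604800 86400
"""
```

Feed it the output of dig (for example by piping dig into a script that calls parse_dig on stdin). The aa flag is worth checking separately: it only appears when the server you queried is itself authoritative, so answers relayed through a recursive resolver will normally lack it even when everything is healthy.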
dig is also useful for finding all of the resource records for a given domain. To do this, you must know the name or IP of one of the authoritative name servers. Here is an example:

[tethys]:[5:28pm]:[/home/rnejdl] > dig @188.8.131.52 training.verio.net axfr

; <<>> DiG 8.3 <<>> @184.108.40.206 training.verio.net axfr
; (1 server found)
$ORIGIN training.verio.net.
@                       6H IN SOA       ns rnejdl.verio.net. (
                                        2001091101      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum
                        6H IN NS        ns
                        6H IN NS        ns2
                        6H IN NS        ns1.verio.net.
                        6H IN A         220.127.116.11
                        6H IN MX        10 onyx
                        6H IN MX        20 backupmx1.veriomail.com.
                        6H IN MX        20 backupmx2.veriomail.com.
dhcp-253                6H IN A         18.104.22.168
...
This pulls a copy of the entire zone for the domain (an AXFR zone transfer, which runs over TCP) and prints it to your screen. The above example has been truncated because of its size. This is very useful when you want to see why a certain host will not resolve while the domain itself works properly: with the whole zone in front of you, you can see whether there was a typo in a hostname or whether the administrator forgot a trailing dot when entering a resource record (in which case the origin is silently appended, so an MX target typed as backupmx1.veriomail.com becomes backupmx1.veriomail.com.training.verio.net.). Keep in mind that a zone transfer hands out every record in the zone, so an authoritative server should only permit AXFR from its secondaries; a server that answers AXFR for any client is leaking its host inventory, and that is a misconfiguration worth reporting in its own right.
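The two mistakes just described (a typo in a hostname, and a forgotten trailing dot that makes the origin get appended) can both be caught mechanically once the transferred zone is parsed. The following is an added example written for this page, not code from the original training material or from BIND: it parses the master-file syntax that dig axfr prints ($ORIGIN, the @ shorthand, blank owner names that inherit the previous owner, and the parenthesised multi-line SOA), qualifies every relative name, and then flags in-zone targets with no records and relative names whose last label is a well-known TLD. The TLD list used for that second check is an assumption made for the heuristic; the sample zone is constructed to match the shape of the transfer shown above, with a deliberate typo and a deliberately missing dot added.

```python
"""Parse `dig ... axfr` output and lint it for hostname typos and missing trailing dots.

Added example for this page; not code from the original training material.
The TLD set below is an assumption used only by the trailing-dot heuristic.
"""
from __future__ import annotations
import re

_TTL_RE = re.compile(r"^(\d+[smhdwSMHDW]?)+$")
_CLASSES = {"IN", "CH", "HS"}
_NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # index of the name inside rdata
_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa"}   # assumption


def _qualify(name: str, origin: str) -> str:
    """Apply master-file rules: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str) -> list[str]:
    """Drop ';' comments and join parenthesised multi-line records into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            out.append("\n".join(buf))
            buf, depth = [], 0
    return out


def parse_zone(text: str) -> tuple[str, list[dict]]:
    """Return (origin, records); owner and target names come back fully qualified."""
    origin, owner, records = ".", None, []
    for line in _logical_lines(text):
        if not line.strip():
            continue
        if line.lstrip().startswith("$"):
            if line.split()[0] == "$ORIGIN":
                origin = line.split()[1]
            continue                                  # $TTL and friends are not needed here
        tokens = line.split()
        if not line[0].isspace():                     # a name in column one sets the owner
            owner = _qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record before any owner name")
        if not tokens:
            continue
        ttl = None
        while tokens and (tokens[0].upper() in _CLASSES or _TTL_RE.match(tokens[0])):
            tok = tokens.pop(0)                       # optional TTL and class, either order
            if tok.upper() not in _CLASSES:
                ttl = tok
        rtype, rdata = tokens[0].upper(), tokens[1:]
        rec = {"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata,
               "target": None, "target_relative": False}
        idx = _NAME_FIELD.get(rtype)
        if idx is not None and len(rdata) > idx:
            rec["target"] = _qualify(rdata[idx], origin)
            rec["target_relative"] = not rdata[idx].endswith(".")
        records.append(rec)
    return origin, records


def lint_zone(origin: str, records: list[dict]) -> list[str]:
    """Flag targets that look wrong using only what is inside the zone itself."""
    owners = {r["owner"] for r in records}
    have_addr = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    problems = []
    for r in records:
        t = r["target"]
        if t is None:
            continue
        in_zone = t == origin or t.endswith("." + origin)
        if not in_zone:
            continue                                  # external target: cannot check it locally
        if r["target_relative"] and t != origin:
            relative = t[: -(len(origin) + 1)]
            if relative.split(".")[-1].lower() in _TLDS:
                problems.append(f"{r['type']} at {r['owner']} -> {t}: looks like a missing trailing dot")
                continue
        if r["type"] in ("NS", "MX") and t not in have_addr:
            problems.append(f"{r['type']} at {r['owner']} -> {t}: no A/AAAA record in the zone (typo?)")
        elif r["type"] == "CNAME" and t not in owners:
            problems.append(f"CNAME at {r['owner']} -> {t}: target has no records in the zone (typo?)")
    return problems


# Constructed sample in the shape of the transfer above, with two deliberate mistakes:
# the MX 30 target lacks its trailing dot and the CNAME points at a misspelt host.
SAMPLE_AXFR = """\
$ORIGIN training.verio.net.
@                       6H IN SOA       ns rnejdl.verio.net. (
                                        2001091101      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum
                        6H IN NS        ns
                        6H IN NS        ns2
                        6H IN NS        ns1.verio.net.
                        6H IN A         192.0.2.1
                        6H IN MX        10 onyx
                        6H IN MX        20 backupmx1.veriomail.com.
                        6H IN MX        30 backupmx3.veriomail.com
ns                      6H IN A         192.0.2.53
ns2                     6H IN A         192.0.2.54
onyx                    6H IN A         192.0.2.25
www                     6H IN CNAME     onxy
dhcp-253                6H IN A         192.0.2.253
"""

if __name__ == "__main__":
    zone_origin, zone_records = parse_zone(SAMPLE_AXFR)
    for problem in lint_zone(zone_origin, zone_records):
        print(problem)
```

Pipe the output of dig @server zone axfr into parse_zone to check a real zone. The trailing-dot check is only a heuristic: a zone can legitimately contain a host called "com", so treat its findings as things to look at, not as proof.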
For these exercises, you will either need to open a command prompt to shell.training.verio.net or open the Online DIG Tool on the training site. Once you have that open, do the following exercises.
- Do a dig on forever.com.
What is the status of this domain?
How many name servers does this domain have and what are they?
- Do a dig on blahblah123.com.
What is the status of this domain?
Is this domain registered? Use whois to find out.
- How would you do a dig for reverse DNS? Do a dig for 6.39.209.in-addr.arpa to find out. (A single address can be looked up with dig -x 209.39.6.1, which builds the in-addr.arpa name for you.)
What does the 6.39.209.in-addr.arpa mean?
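The in-addr.arpa name in the exercise is built by reversing the octets of the address, and the same idea decides which reverse zones must be delegated for a netblock such as the ones the whois exercises above return (the "How large is this IP block?" question). The following is an added example written for this page, not code from the original training material: it builds the reverse name for one address (IPv4 and, going beyond the page, IPv6), the reverse zone name for an octet- or nibble-aligned prefix, and, for a "first - last" netblock range like ARIN prints, the block size, its CIDR equivalents and the in-addr.arpa zones that cover it. Only the Python standard library is used; the addresses in the usage are documentation ranges.

```python
"""Reverse-DNS names and reverse-zone delegation for netblocks.

Added example for this page; not code from the original training material.
"""
from __future__ import annotations
import ipaddress


def reverse_name(ip: str) -> str:
    """PTR owner name for one address: 209.39.6.1 -> 1.6.39.209.in-addr.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")      # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(network: str) -> str:
    """Zone name for an octet-aligned IPv4 prefix (/8, /16, /24) or nibble-aligned IPv6 prefix."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are octet-aligned; smaller blocks need RFC 2317 delegation")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def netblock_info(first: str, last: str) -> dict:
    """Size, CIDR summary and reverse zones for a 'first - last' range as whois prints it."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    cidrs = list(ipaddress.summarize_address_range(lo, hi))
    zones = []
    for c in cidrs:
        zone_prefix = ((c.prefixlen + 7) // 8) * 8      # next octet boundary at or below the block
        if zone_prefix > 24:
            # Smaller than a /24: the /24 owner must delegate per-address (RFC 2317 style).
            zones.append(f"{reverse_zone(str(c.supernet(new_prefix=24)))} (sub-/24: needs RFC 2317-style delegation)")
        elif zone_prefix == c.prefixlen:
            zones.append(reverse_zone(str(c)))
        else:
            zones.extend(reverse_zone(str(s)) for s in c.subnets(new_prefix=zone_prefix))
    return {"size": int(hi) - int(lo) + 1, "cidrs": [str(c) for c in cidrs], "reverse_zones": zones}


if __name__ == "__main__":
    print(reverse_name("209.39.6.1"))
    print(reverse_zone("209.39.6.0/24"))
    print(netblock_info("192.0.2.0", "192.0.5.255"))   # documentation range, constructed input
```

The standard library also exposes the single-address form directly as ipaddress.ip_address(x).reverse_pointer; the function above spells the algorithm out so the relationship between 209.39.6.1 and 1.6.39.209.in-addr.arpa is visible. The sub-/24 branch matters in practice: a block of 8 addresses like the @Computer Plus delegation above cannot have its own in-addr.arpa zone, so its PTR records live in the parent's /24 zone or behind CNAMEs into a zone the holder controls.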
The cornerstone of DNS troubleshooting is by far the nslookup command. This tool allows you to look up any type of DNS record from any server for any domain. The most basic usage is the command-line, non-interactive form. For example, to look up the IP for www.verio.com, do the following:

[tethys]:[5:29pm]:[/home/rnejdl] > nslookup www.verio.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

Non-authoritative answer:
Name:    www.verio.com
Address:  22.214.171.124
[tethys]:[6:01pm]:[/home/rnejdl] >
You can also specify the query type on the command line. For example, suppose you wanted to know what the mail servers are for msn.com:

[tethys]:[6:01pm]:[/home/rnejdl] > nslookup -q=mx msn.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

Non-authoritative answer:
msn.com preference = 20, mail exchanger = smtp-gw-4.msn.com

Authoritative answers can be found from:
msn.com nameserver = DNS1.CP.MSFT.NET
msn.com nameserver = DNS1.TK.MSFT.NET
msn.com nameserver = DNS3.UK.MSFT.NET
msn.com nameserver = DNS3.JP.MSFT.NET
msn.com nameserver = DNS1.DC.MSFT.NET
msn.com nameserver = DNS1.SJ.MSFT.NET
smtp-gw-4.msn.com       internet address = 126.96.36.199
DNS1.CP.MSFT.NET        internet address = 188.8.131.52
DNS1.TK.MSFT.NET        internet address = 184.108.40.206
DNS3.UK.MSFT.NET        internet address = 220.127.116.11
DNS3.JP.MSFT.NET        internet address = 18.104.22.168
DNS1.DC.MSFT.NET        internet address = 22.214.171.124
DNS1.SJ.MSFT.NET        internet address = 126.96.36.199
[tethys]:[6:02pm]:[/home/rnejdl] >
According to this output, msn.com lists only one mail exchanger, smtp-gw-4.msn.com (preference 20). The answer is marked non-authoritative because it came by way of the local recursive resolver rather than directly from one of the msn.com name servers listed below it; to see what those servers say right now, repeat the query against one of them.
Interactive mode nslookup allows you to do all of the queries you can do on the command line and more. To get into interactive mode, simply type nslookup and hit enter.
Once in this mode, you can simply type in a hostname to look up the IP for that host, or type in an IP to look up the hostname for that IP. For example:

[tethys]:[6:07pm]:[/home/rnejdl] > nslookup
Default Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

> www.amazon.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

Non-authoritative answer:
Name:    www.amazon.com
Address:  188.8.131.52

> 184.108.40.206
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

Name:    www.amazon.com
Address:  220.127.116.11
>
More interesting things you can do include changing the query type and using the debug feature. In this next example, I will check the MX records for a domain and use the debug feature to see the query as it happens.

[tethys]:[6:10pm]:[/home/rnejdl] > nslookup
Default Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

> set type=mx
> set debug
> shoutcast.com
Server:  localhost.ringofsaturn.com
Address:  127.0.0.1

;; res_nmkquery(QUERY, shoutcast.com, IN, MX)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 40638, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 2,  additional = 3

    QUESTIONS:
        shoutcast.com, type = MX, class = IN
    ANSWERS:
    ->  shoutcast.com
        preference = 10, mail exchanger = mail.winamp.com
        ttl = 3600 (1H)
    AUTHORITY RECORDS:
    ->  shoutcast.com
        nameserver = dns-01.spinner.net
        ttl = 3600 (1H)
    ->  shoutcast.com
        nameserver = dns-02.spinner.net
        ttl = 3600 (1H)
    ADDITIONAL RECORDS:
    ->  mail.winamp.com
        internet address = 18.104.22.168
        ttl = 3600 (1H)
    ->  dns-01.spinner.net
        internet address = 22.214.171.124
        ttl = 3600 (1H)
    ->  dns-02.spinner.net
        internet address = 126.96.36.199
        ttl = 3600 (1H)

------------
shoutcast.com   preference = 10, mail exchanger = mail.winamp.com
        ttl = 3600 (1H)
shoutcast.com   nameserver = dns-01.spinner.net
        ttl = 3600 (1H)
shoutcast.com   nameserver = dns-02.spinner.net
        ttl = 3600 (1H)
mail.winamp.com internet address = 188.8.131.52
        ttl = 3600 (1H)
dns-01.spinner.net      internet address = 184.108.40.206
        ttl = 3600 (1H)
dns-02.spinner.net      internet address = 220.127.116.11
        ttl = 3600 (1H)
>
The first line started the interactive nslookup session. The next line reports which name server we are using at present, in this case localhost, which has the loopback IP address 127.0.0.1. Next, we set the query type to MX (Mail Exchanger) to see the mail servers. We then enable debug, which shows the details of the exchange: the header flags and response code, the question that was sent, and each section of the answer. Finally, we enter shoutcast.com and press enter. We are then presented with detailed information on the MX records and the addresses and TTLs (Time to Live) for each host in the reply.
To see a full list of the interactive commands, simply type ? at an interactive nslookup prompt and press enter.

> ?
$Id: nslookup.help,v 8.5 2000/03/30 23:25:35 vixie Exp $
Commands:       (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands; see nslookup(1) for details
set OPTION      - set an option
    all         - print options, current server and host
    [no]debug   - print debugging information
    [no]d2      - print exhaustive debugging information
    [no]defname - append domain name to each query
    [no]recurse - ask for recursive answer to query
    [no]vc      - always use a virtual circuit
    domain=NAME - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME   - set root server to NAME
    retry=X     - set number of retries to X
    timeout=X   - set initial time-out interval to X seconds
    querytype=X - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,WKS,SRV,NAPTR
    port=X      - set port number to send query on
    type=X      - synonym for querytype
    class=X     - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional USER at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          - list canonical names and aliases
    -h          - list HINFO (CPU type and operating system)
    -s          - list well-known services
    -d          - list all records
    -t TYPE     - list records of the given type (e.g., A,CNAME,MX, etc.)
exit            - exit the program, ^D also exits
>
One interesting command listed here is ls -d, which lists all records for a domain if the name server you are talking to supports (and permits) this type of query. For example:

> ls -d training.verio.net
[localhost.ringofsaturn.com]
*** Can't list domain training.verio.net: Unspecified error
>
The reason this did not work is that ls -d asks the server for a zone transfer (AXFR), and the server queried was localhost, which is not authoritative for the domain and so has no zone to hand out. If I switch to the proper name server and run the command again, I see the following:

> server 18.104.22.168
Default Server:  www.training.verio.net
Address:  22.214.171.124

> ls -d training.verio.net
[www.training.verio.net]
$ORIGIN training.verio.net.
@                       6H IN SOA       ns rnejdl.verio.net. (
                                        2001091101      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum
                        6H IN NS        ns
                        6H IN NS        ns2
                        6H IN NS        ns1.verio.net.
                        6H IN A         126.96.36.199
                        6H IN MX        10 onyx
                        6H IN MX        20 backupmx1.veriomail.com.
                        6H IN MX        20 backupmx2.veriomail.com.
...
As you can see, the output of this command is almost identical to that of the dig axfr command, because both send the same AXFR request to the server. Either command works, so which you use is simply a matter of personal preference; in both cases the server must be authoritative for the zone and must allow transfers to your address, and a properly configured server will refuse an AXFR from anyone other than its secondaries.
For these exercises, you will either need to open a command prompt to shell.training.verio.net or open the Online NSLOOKUP Tool on the training site. Once you have that open, do the following exercises.
- Look up the IP of a hostname.
- Look up the name servers for a domain.
- Look up the mail servers for a domain.
- Look up the name given to an IP address.
- Look up all records for a domain.
Take the Quiz
If you have read through this document and taken the time to go through the exercises, then you should have no problems passing the quiz that helps you see how much you have learned.
Take the Whois, Dig, and Nslookup Quiz.