The last thing you want is to have problems with your troubleshooting tool. Unfortunately, some types of failures render the troubleshooting tool mostly useless. Other types of nslookup failures are, at best, confusing because they don't give you any direct information to work with. Although there may be a few problems with nslookup itself, most of the problems you encounter will be with name server configuration and operation. We'll cover a few odd problems here.
This isn't really a problem, per se, but it can be awfully confusing. If you use nslookup to look up a type of data for a domain name and the domain name exists but no data of the type you're looking for exists, you'll get an error like this:
C:\> nslookup Default Server: terminator.movie.edu Address: 18.104.22.168 > movie.edu. Name: movie.edu >
Huh? It looks like we got an empty answer. In fact, that's exactly what happened: there are no A records for movie.edu, and the response from the name server has no records in the Answer section of the message. nslookup renders this empty response from the name server as an empty response to us. It's not very helpful or clear (previous versions of nslookup printed a better response).
So what types of records do exist? You can use set type=any to find out:
> set type=any > movie.edu. Server: terminator.movie.edu Address: 22.214.171.124 movie.edu nameserver = terminator.movie.edu movie.edu nameserver = wormhole.movie.edu movie.edu primary name server = terminator.movie.edu responsible mail addr = hostmaster.movie.edu serial = 21 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) movie.edu MX preference = 10, mail exchanger = wormhole.movie.edu terminator.movie.edu internet address = 126.96.36.199 wormhole.movie.edu internet address = 188.8.131.52 wormhole.movie.edu internet address = 184.108.40.206 wormhole.movie.edu internet address = 220.127.116.11 wormhole.movie.edu internet address = 18.104.22.168
Why are the IP addresses for terminator and wormhole returned? If you receive the NS records for movie.edu listing these two hosts as that zone's name servers, chances are the next thing you'll want are those hosts' IP addresses. The name server anticipates that and sends along address records in the Additional section. The same thing goes for the movie.edu MX record pointing to wormhole: if you get that record, you'll want wormhole's IP address next. That explains why wormhole's IP addresses show up twice, but this is arguably a bug in the Microsoft DNS Server.
Here's a cryptic message:
C:\> nslookup *** Can't find server name for address 22.214.171.124: Non-existent domain Default Server: UnKnown Address: 126.96.36.199 >
The "Non-existent domain" message means that there's no PTR record for 188.8.131.52.in-addr.arpa. In other words, nslookup couldn't find the name for 184.108.40.206, which is the first name server the resolver is configured to query. The only reason nslookup looks up this address is to print the "Default Server" startup message. Obviously, this name server's data is messed up, at least for the 249.249.192.in-addr.arpa zone, so nslookup prints "UnKnown."
What if your resolver is pointing to a name server that isn't running or a host that can't be reached? Here's what happens:
C:\> nslookup DNS request timed out. timeout was 2 seconds. *** Can't find server name for address 220.127.116.11: Timed out Default Server: UnKnown Address: 18.104.22.168 >
The resolver is configured to use the name server 22.214.171.124 (and only that name server). nslookup tries valiantly to contact it but times out, prints "UnKnown" for the default server, and gives you a prompt. You can't really do anything productive without changing servers at this point?after all, no server is running at that IP address?but at least you've got a prompt.
Occasionally you'll see timeouts during the course of an nslookup session. If you are looking up some remote information, the name server could fail to respond because it is still trying to look up the item and nslookup gave up waiting. How can you tell the difference between a name server that isn't running and a name server that is running but didn't respond? nslookup's responses point out the difference. In this case, the response indicates no name server process is running:
C:\> nslookup Default Server: terminator.movie.edu Address: 126.96.36.199 > movie.edu. Server: terminator.movie.edu Address: 188.8.131.52 *** terminator.movie.edu can't find movie.edu.: No response from server
The "No response from server" message is quite misleading because nslookup actually did get a response from the server. What actually happened was this: nslookup sent a DNS query in a UDP packet addressed to port 53 on terminator. Since no name server was running on terminator, there was no process listening on UDP port 53 and the TCP/IP software on terminator responded with an ICMP destination port unreachable message. nslookup received this response and printed the misleading message shown previously.
If a name server is simply not responding, you'll see the following timeout message:
C:\> nslookup Default Server: terminator.movie.edu Address: 184.108.40.206 > movie.edu. Server: terminator.movie.edu Address: 220.127.116.11 DNS request timed out. timeout was 2 seconds. *** Request to terminator.movie.edu timed-out
You generally see a "query refused" error message under two conditions. The first is when you attempt a zone transfer and the server refuses for security reasons (for example, based on the settings in the Zone Transfers tab of the zone properties window). This is what you'll see:
C:\> nslookup Default Server: terminator.movie.edu Address: 18.104.22.168 > ls movie.edu This attempts a zone transfer [terminator.movie.edu] *** Can't list domain movie.edu.: Query refused The DNS server refused to transfer the zone movie.edu. to your computer. If this is incorrect, check the zone transfer security settings for movie.edu. on the DNS server at IP address 22.214.171.124. >
You might also see a "query refused" error from a name server running a recent version of BIND, which has the ability to restrict queries to different zones based on the querier's source IP address.