The following sections describe tricks you'll probably have to use less often but are still handy to have in your repertoire. Most of these will be helpful when you're trying to troubleshoot a DNS problem; they'll enable you to grub around in the messages the resolver sees and mimic a name server querying another name server or transferring zone data.
If you need to, you can direct nslookup to show you the queries it sends out and the responses it receives. Turning on debug shows you the responses. Turning on d2 shows you the queries as well. When you want to turn off debugging completely, you have to use set nodebug, since set nod2 turns off only level 2 debugging. After the following trace, we'll explain some parts of the message output. If you want, you can pull out your copy of RFC 1035, turn to page 25, and read along with our explanation.
C:\> nslookup Default Server: terminator.movie.edu Address: 188.8.131.52 > set debug > set type=mx > oreilly.com. Server: terminator.movie.edu Address: 184.108.40.206 ------------ Got answer: HEADER: opcode = QUERY, id = 11, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 1 QUESTIONS: oreilly.com, type = MX, class = IN ANSWERS: -> oreilly.com MX preference = 20, mail exchanger = smtp2.oreilly.com ttl = 21598 (5 hours 59 mins 58 secs) ADDITIONAL RECORDS: -> smtp2.oreilly.com internet address = 220.127.116.11 ttl = 21598 (5 hours 59 mins 58 secs) ------------ Non-authoritative answer: oreilly.com MX preference = 20, mail exchanger = smtp2.oreilly.com ttl = 21598 (5 hours 59 mins 58 secs) smtp2.oreilly.com internet address = 18.104.22.168 ttl = 21598 (5 hours 59 mins 58 secs) > > set d2 > oreilly.com. Server: terminator.movie.edu Address: 22.214.171.124
This time the query is also shown:
------------ SendRequest( ), len 29 HEADER: opcode = QUERY, id = 12, rcode = NOERROR header flags: query, want recursion questions = 1, answers = 0, authority records = 0, additional = 0 QUESTIONS: oreilly.com, type = MX, class = IN ------------ ------------ Got answer (67 bytes):
The answer is the same as in the previous example.
Between the dashes are the query and response messages. As promised, we will go through the message contents. DNS messages are composed of five sections:
The Header section is present in every query and response. The operation code is always QUERY. (Other opcodes are used for other DNS operations, such as the Notify and Dynamic Update protocol extensions described in Chapter 11.) The ID is used to associate a response with a query and to detect duplicate queries or responses. You have to look in the header flags to see which messages are queries and which are responses. The string "want recursion" indicates that the querier wants the name server to do all the work. The flag is parroted in the response. The string "auth. answer," when present, means that the response is authoritative?in other words, that the response comes from the name server's authoritative data, not from its cache data. (This response isn't authoritative, so that string is absent.) The response code, rcode, can be one of no error, server failure, name error (also known as "NXDOMAIN" or "nonexistent domain"), not implemented, or refused. The server failure, name error, not implemented, and refused response codes cause the nslookup "Server failed," "Nonexistent domain," "Not implemented," and "Query refused" errors, respectively. The last four entries in the Header section are counters?they indicate how many resource records there are in each of the next four sections.
A DNS message always contains one and only one question; it includes the name and the requested data type and class. There is never more than one question. Handling more than one question in a DNS message would require a redesign of its format. For one thing, the single authority bit would have to be changed, because the Answer section could contain a mix of authoritative answers and nonauthoritative answers. In the present design, setting the authoritative answer bit means that the name server is an authority for the domain name in the Question section.
This section contains the resource records that answer the question. There can be more than one resource record in the response. For example, if the host is multihomed, there will be more than one address resource record.
The Authority section is where name server records are returned. When a response refers the querier to some other name servers, those name servers are listed here.
The Additional records section adds information that may complete information included in other sections. For instance, if a name server is listed in the Authority section, the name server's address is added to the Additional records section. After all, to contact the name server, you need to have its address.
You can make nslookup send out the same query message a name server would. Name server query messages are not much different from resolver messages. The primary difference in the query messages is that resolvers request recursion and name servers seldom do. Recursion is the default with nslookup, so you have to explicitly turn it off. The difference in operation between a resolver and a name server is that the resolver implements the search list and the name server doesn't. By default, nslookup implements the search list, so that, too, has to be turned off. Of course, judicious use of the trailing dot will have the same effect.
In nslookup terms, this means that to query like a resolver, you use nslookup's default settings. To query like a name server, use set norecurse and set nosearch. On the command line, that's nslookup -norecurse -nosearch.
When a name server gets a query, it looks for the answer in its cache. If it doesn't have the answer and it is authoritative for the zone, the name server responds that the name doesn't exist or that there is no data for that type. If the name server doesn't have the answer and it is not authoritative for the zone, it starts walking up the namespace looking for NS records. There will always be NS records somewhere higher in the domain tree. As a last resort, it will use the NS records at the root domain, the highest level.
If the name server received a nonrecursive query, it would respond to the querier by giving the NS records that it had found. On the other hand, if the original query was a recursive query, the name server would then query the remote name servers in the NS records that it found. When the name server receives a response from one of the remote name servers, it caches the response and repeats this process, if necessary. The remote server's response will contain either the answer to the question or a list of name servers lower in the namespace and closer to the answer.
Let's assume for our example that we are trying to satisfy a recursive query and that we didn't find any NS records until we checked the com domain. That is, in fact, the case when we ask the name server on terminator.movie.edu about www.theonion.com?it doesn't find any NS records in its cache until the com domain. From there we switch servers to a com name server and ask the same question. It directs us to the theonion.com servers. We then switch to a theonion.com name server and ask the same question:
C:\> nslookup Default Server: terminator.movie.edu Address: 126.96.36.199 > set norec Query like a name server: turn off recursion. > set nosearch Turn off the search list. > www.theonion.com We don't need to dot-terminate since we've turned search off. Server: terminator.movie.edu Address: 188.8.131.52 Name: www.theonion.com Served by: - a.gtld-servers.net 184.108.40.206 COM - b.gtld-servers.net 220.127.116.11 COM - c.gtld-servers.net 18.104.22.168 COM - d.gtld-servers.net 22.214.171.124 COM - e.gtld-servers.net 126.96.36.199 COM - f.gtld-servers.net 188.8.131.52 COM - g.gtld-servers.net 184.108.40.206 COM - h.gtld-servers.net 220.127.116.11 COM - i.gtld-servers.net 18.104.22.168 COM - j.gtld-servers.net 22.214.171.124 COM
Switch to a com name server. You may have to turn recursion back on temporarily, if the name server doesn't have the address already cached:
> server a.gtld-servers.net. Default Server: a.gtld-servers.net Address: 126.96.36.199
Ask the same question of the com name server. It will refer us to name servers closer to our desired answer:
> www.theonion.com. Server: a.gtld-servers.net Address: 188.8.131.52 Name: www.theonion.com Served by: - ns2.rackspace.com 184.108.40.206 theonion.com - ns.rackspace.com 220.127.116.11 theonion.com
Switch to a theonion.com name server?either of them will do:
> server ns.rackspace.com. Default Server: ns.rackspace.com Address: 18.104.22.168 > www.theonion.com. Server: ns.rackspace.com Address: 22.214.171.124 Name: theonion.com Address: 126.96.36.199 Aliases: www.theonion.com
We hope this example gives you a feeling for how name servers look up names. If you need to refresh your understanding of what this looks like graphically, see Figures Figure 2-12 and Figure 2-13.
Before we move on, notice that we asked each of the servers the very same question: "What's the address for www.theonion.com?" What do you think would happen if the com name server itself had already cached www.theonion.com's address? The com name server would have answered the question out of its cache instead of referring us to the theonion.com name servers. Why is this significant? Suppose you messed up a particular host's address in your zone. Someone points it out to you, and you clean up the problem. Even though your name server now has the correct data, some remote sites find the old, messed-up data when they look up the name. One of the name servers higher up in the domain tree has cached the incorrect data; when it receives a query for that host's address, it returns the incorrect data instead of referring the querier to your name servers. What makes this problem hard to track down is that only one of the "higher up" name servers has cached the incorrect data, so only some of the remote lookups get the wrong answer?the ones that use this server. Fun, huh? Eventually, though, the "higher up" name server will time out the old record. If you're pressed for time, you can contact the administrators of the remote name server and ask them to kill and restart their name servers to flush the cache. Of course, if the remote name server is an important, much-used name server, they may tell you where to go with that suggestion.
You can use nslookup to transfer a whole zone with the ls command. This feature is useful for troubleshooting, for figuring out how to spell a remote host's name, or just for counting how many hosts are in some remote zone. Since the output can be substantial, nslookup allows you to redirect the output to a file.
Beware: a lot of hosts won't let you pull a copy of their zones, either for security reasons or to limit the load on their name server hosts.
nslookup filters zone transfer data: it shows you only some of the zone unless you tell it otherwise. By default, you see only address and name server data. You will see all of the zone data if you tell nslookup to display data of any type. The nslookup help (available from the Help and Support Center) or command summary (shown by typing help at the nslookup prompt) tells you all the parameters to the ls command. We are going to show only the -t parameter, since the others can be emulated with -t. The -t option takes one argument: the data type to filter. So, to pull a copy of a zone and see all the MX data, use ls -t mx. Let's do some zone transfers:
C:\> nslookup Default Server: terminator.movie.edu Address: 188.8.131.52 > ls movie.edu. List NS and A records for movie.edu. [terminator.movie.edu] movie.edu. NS server = terminator.movie.edu movie.edu. NS server = wormhole.movie.edu carrie A 184.108.40.206 diehard A 220.127.116.11 misery A 18.104.22.168 robocop A 22.214.171.124 shining A 126.96.36.199 terminator A 188.8.131.52 wh249 A 184.108.40.206 wh253 A 220.127.116.11 wormhole A 18.104.22.168 wormhole A 22.214.171.124 > ls -t any movie.edu > /temp/movie.edu.txt List data into \temp\movie.edu.txt. [terminator.movie.edu] Received 25 records.
Those forward slashes in the ls command aren't a misprint?nslookup was originally written for Unix as part of the BIND distribution. Microsoft must have missed the slashes when porting nslookup to Windows.