Tip: Using nslookup to Verify the Status of Your DNS Zones

nslookup is a utility used to query Internet Domain Name Servers (DNS servers). nslookup can be found on most operating systems and is fairly simple to use. This guide is designed to serve as a quick demonstration showing the most basic features of nslookup. There are many different ways to use nslookup, most of which are beyond the scope of this document. You are most welcome to read through the help menu by typing help 🙂

Let's begin by opening a command prompt or terminal and typing nslookup. This will show you the nslookup prompt, a > character. From here you will use the command (set q=). This tells nslookup what record type you are querying for. By default it will look at the record name and return the type and IP address associated with it. Commonly this returns the A record or CNAME record. If you're looking for other records, you will place the record type after the = sign. For this example we are looking up the mx record for name.com (set q=mx).

This shows you how the mx records are currently set at the nameservers you are using. For another example, let's look at txt records (set q=txt).

If you see a result with NXDOMAIN, this means the record does not exist at the nameserver you are querying against. Most likely this either hasn’t propagated out or your non-Authoritative Nameserver does not know it exists. The best thing you can do here is check the Authoritative Nameserver and wait out the TTL if it exists there.

Let's break this down a little further. Notice the two sections?

The Non-authoritative answer represents what your current nameservers believe the record to be. The Authoritative Nameservers are responsible for managing the zones for the domain you are querying. These are the nameservers assigned at the registrar to manage DNS for the domain. In other words, if you want the absolute answer, go to these Nameservers. By default nslookup will go directly to the Nameservers your computer is configured to use.

Now that we know the Authoritative Nameservers, let's run a query and see what results we get. This can be done by using the command (server _nameserver_).

Because this retrieves the information directly from the Authoritative Server responsible for the domain, the information represented by this request shows what other Nameservers will respond with when data is requested. Why is this important? If you're not able to visit a website after making DNS changes, your Nameservers may be showing out of date information. By querying for the data from your currently set Nameservers and then from the Authoritative Nameservers, you can determine if your local Nameservers are seeing the new data.
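The comparison described above can be scripted. The following is an added example, not part of the original tip: it classifies an nslookup result as cached, authoritative or NXDOMAIN and compares the MX/TXT records from two runs. It assumes BIND-style nslookup output as printed on Linux and macOS; the function names and the sample output (example.com, documentation IP addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample nslookup output below is constructed, not captured.
RESOLVER_OUT='Server:   192.0.2.53
Address:  192.0.2.53#53

Non-authoritative answer:
example.com  mail exchanger = 10 mx-old.example.net.'

AUTH_OUT='Server:   ns1.example.net
Address:  198.51.100.53#53

example.com  mail exchanger = 10 mx-new.example.net.'

NX_OUT="Server:   ns1.example.net
Address:  198.51.100.53#53

** server can't find example.com: NXDOMAIN"

# Read nslookup output on stdin; print its MX/TXT record lines,
# whitespace-normalized and sorted so two runs can be compared.
answers() {
    { grep -E 'mail exchanger = |text = ' || true; } |
        sed 's/[[:space:]][[:space:]]*/ /g' | sort
}

# Read nslookup output on stdin; print where the answer came from.
answer_source() {
    src_text=$(cat)
    case $src_text in
        *NXDOMAIN*)                    echo nxdomain ;;
        *"Non-authoritative answer:"*) echo cached ;;
        *)                             echo authoritative ;;
    esac
}

# $1 = output from your configured resolver, $2 = output from the
# authoritative nameserver. Prints in-sync, stale-cache or missing-at-authority.
compare() {
    cached_recs=$(printf '%s\n' "$1" | answers)
    auth_recs=$(printf '%s\n' "$2" | answers)
    if [ "$(printf '%s\n' "$2" | answer_source)" = nxdomain ]; then
        echo missing-at-authority   # fix the zone first; waiting will not help
    elif [ "$cached_recs" = "$auth_recs" ]; then
        echo in-sync
    else
        echo stale-cache            # resolver is still inside the old TTL
    fi
}

compare "$RESOLVER_OUT" "$AUTH_OUT"   # prints: stale-cache
```

To use it on live data, pass the output of nslookup -type=mx for the domain as the first argument and the output of the same query with an Authoritative Nameserver appended as the second.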

What if the data is different?

While this question is too deep to discuss entirely here, there is one very common reason a Nameserver will hold onto old data. If the TTL has not expired, the non-authoritative Nameserver will respond with the cached result and not look up the new data until it expires. When your record is set with a TTL of 300, this means the record is good for 300 seconds from the last query. 300 seconds after the last query, the record is marked as out of date by the non-Authoritative Nameserver and then re-verified from the Authoritative Nameserver at the time of the latest query. If you have a TTL set to 86400, the record will stay in place for 24 hours. This means updates to the domain could take up to 24 hours to fully propagate out. One thing to note here: this is per the previous TTL settings, not the new TTL settings. If you set the new TTL to 300 from 86400, the current TTL setting of 86400 will stay in place until 24 hours after the cached record's timestamp. Unfortunately, sometimes the record will not update after the TTL expires and you will need to flush the DNS cache to force your computer to see an update. Use caution here and consult with your ISP or Network Administrators if you are unsure of the ramifications of this action.

If you have any questions regarding the propagation of your records, a good place to start is with the management group for the Authoritative Nameservers. Once you verify the data is set properly at the Authoritative level, you should then go to the support group that manages the non-Authoritative Nameservers and inquire as to why the records are not showing up. As always, if you're not sure which support to start with, it never hurts to start with your registrar; they can always point you in the right direction.