Query DNS Records in Linux with dig and nslookup


Introduction

In this lab, you will learn the fundamentals of querying Domain Name System (DNS) records from the command line in a Linux environment. You will use two powerful and common utilities, dig and nslookup, to perform various types of DNS lookups. This hands-on experience is essential for network administrators and system engineers for troubleshooting name resolution issues and understanding network configurations.

You will begin by identifying your system's default DNS server by examining the /etc/resolv.conf file. Then, you will proceed to perform several common DNS queries, including finding a domain's IP address (A record), discovering a hostname from an IP address with a reverse lookup (PTR record), and looking up mail exchange (MX) records for a domain. Finally, you will learn how to direct your queries to a specific public DNS server instead of using your system's default.

Identify Your System's Default DNS Server with cat

In this step, you will learn how to identify the default DNS servers your system is configured to use. DNS (Domain Name System) servers are responsible for translating human-readable domain names (like www.google.com) into machine-readable IP addresses (like 142.250.186.132). Understanding which DNS servers your system queries by default is the first and most crucial step in diagnosing any name resolution issues.

On most Linux systems, this configuration is stored in a file located at /etc/resolv.conf. We will use the cat command, a standard utility for concatenating and displaying file content, to view this file.

Open your terminal and execute the following command to display the contents of the resolv.conf file:

cat /etc/resolv.conf

You will see output similar to the following. The IP addresses listed after the nameserver directive are the DNS servers your system will contact to resolve domain names.

## Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
##     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
## 127.0.0.53 is the systemd-resolved stub resolver.
## run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
options timeout:2 attempts:3 rotate single-request-reopen

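From the output, you can see that 127.0.0.53 is the nameserver this system is configured to use. As the comments in the file note, this address is the local systemd-resolved stub resolver, which passes queries on to the actual nameservers. Any DNS queries you make without specifying a particular server will be sent here by default. Now that you know how to find your default DNS server, you are ready to perform your first DNS query in the next step.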

Find a Domain's IP Address (A Record) with dig and nslookup

In this step, you will perform a standard forward DNS lookup, which is the process of resolving a domain name to an IP address. This is one of the most common functions of DNS. The specific type of record that maps a domain name to an IPv4 address is called an A record. We will use two popular command-line tools for this task: nslookup and dig.

First, you need to ensure these tools are installed. They are part of the dnsutils package on Debian-based systems like Ubuntu. Let's update your package list and install it.

sudo apt-get update
sudo apt-get install -y dnsutils

Now that the tools are ready, let's use nslookup (which stands for "name server lookup") to find the IP address for www.google.com.

nslookup www.google.com

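The output shows the server that answered the query (your default from Step 1) and a "Non-authoritative answer" section, meaning the reply came from a resolver rather than directly from an authoritative nameserver for the domain. It lists the IP addresses associated with www.google.com, here one IPv4 and one IPv6 address.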

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.189.196
Name:   www.google.com
Address: 2607:f8b0:4005:80d::2004

Next, let's perform the same query using dig (Domain Information Groper). dig is often preferred by system administrators because it provides more detailed, structured output.

dig www.google.com

Examine the output from dig. It is divided into sections. The QUESTION SECTION shows what you asked for (an A record for www.google.com). The ANSWER SECTION provides the result, including the IP address and the TTL (Time To Live) value, which indicates how long a resolver can cache this information.

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         7       IN      A       142.251.46.196

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jul 14 14:55:18 CST 2025
;; MSG SIZE  rcvd: 59

By comparing the two outputs, you can see that while both tools achieve the same goal, dig offers a much more comprehensive view of the DNS response.

Find a Hostname from an IP Address (PTR Record) with dig -x

In this step, you will perform a reverse DNS lookup. While a forward lookup resolves a domain name to an IP address, a reverse lookup does the opposite: it finds the hostname associated with a given IP address. This process relies on a special type of DNS record called a PTR (Pointer) record. Reverse lookups are commonly used by mail servers to verify the sender's identity and in network troubleshooting to identify the source of traffic.

We will use one of the IP addresses for www.google.com that you discovered in the previous step. Let's use 142.251.46.196 as our example.

First, let's try a reverse lookup with nslookup, which you are already familiar with. Simply provide the IP address as the argument:

nslookup 142.251.46.196

The output will show the name associated with the IP address, which is stored in a special in-addr.arpa domain used for reverse DNS.

196.46.251.142.in-addr.arpa     name = nuq04s45-in-f4.1e100.net.

Authoritative answers can be found from:

Now, let's perform the same reverse lookup using dig. The dig command uses the -x option to specify a reverse lookup. This is a convenient shortcut that formats the query correctly for you.

dig -x 142.251.46.196

Observe the output. In the ANSWER SECTION, you will find the PTR record that maps the IP address back to its hostname. Notice how the QUESTION SECTION shows the IP address reversed and appended with .in-addr.arpa, which is the standard format for IPv4 reverse DNS queries.

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> -x 142.251.46.196
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46896
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;196.46.251.142.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
196.46.251.142.in-addr.arpa. 10 IN      PTR     nuq04s45-in-f4.1e100.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jul 14 14:56:11 CST 2025
;; MSG SIZE  rcvd: 94

You have now successfully used both nslookup and dig to perform a reverse DNS lookup, translating an IP address back into a hostname.
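
A PTR record on its own only shows what the owner of the reverse zone chose to publish, so mail servers and log analysts usually confirm it with a forward lookup. The following is an added example, not part of the original lab: it builds the in-addr.arpa name that dig -x generates and performs that forward-confirmed check. The function names, the DIG variable and the stub data (documentation addresses and example.net names) are assumptions made for illustration.

```sh
#!/bin/sh
DIG=${DIG:-dig}   # lookup command; set DIG=stub_dig to run offline

# ptr_qname IPV4: print the query name that "dig -x" builds
# (octets reversed, then .in-addr.arpa.); fails on malformed input.
ptr_qname() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# fcrdns IPV4: forward-confirmed reverse DNS. Prints each PTR hostname whose
# A records include the original address; fails if no hostname confirms it.
fcrdns() {
    ptr_qname "$1" >/dev/null || return 2
    $DIG +short -x "$1" | while IFS= read -r host; do
        # PTR data is set by whoever controls the reverse zone: treat it as
        # untrusted and skip anything that is not a plain hostname.
        case "$host" in ''|-*|*[!A-Za-z0-9._-]*) continue ;; esac
        $DIG +short "$host" A | grep -Fxq "$1" && printf '%s\n' "$host"
    done | grep .
}

# Constructed stand-in for dig: RFC 5737 documentation addresses and
# example.net names, not real DNS data.
stub_dig() {
    case "$*" in
        "+short -x 192.0.2.10")       echo "mail.example.net." ;;
        "+short mail.example.net. A") echo "192.0.2.10" ;;
        "+short -x 192.0.2.66")       echo "mail.example.net." ;;  # unconfirmed claim
    esac
}

# Offline demo; remove the next line and pass a real address to query DNS.
DIG=stub_dig
for ip in 192.0.2.10 192.0.2.66; do
    if name=$(fcrdns "$ip"); then echo "$ip confirmed as $name"
    else echo "$ip has no forward-confirmed name"; fi
done
```

In the stub data, 192.0.2.66 publishes the same PTR hostname as 192.0.2.10, but the hostname's A record points only to 192.0.2.10, so the second address is not confirmed.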

Look Up Mail Exchange (MX) Records for a Domain with dig

In this step, you will learn how to query for another important type of DNS record: the Mail Exchange (MX) record. MX records are essential for email delivery. They specify which mail servers are responsible for accepting email messages on behalf of a domain. When you send an email to user@example.com, your mail server first performs a DNS lookup for the MX records of example.com to find out where to send the message.

We will continue using the dig command to look up the MX records for the google.com domain. To do this, you specify the domain name followed by the record type (MX).

In your terminal, run the following command:

dig google.com MX

The output will be similar to what you've seen before, but the ANSWER SECTION will now contain MX records instead of A records.

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> google.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45070
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com.                    IN      MX

;; ANSWER SECTION:
google.com.             10      IN      MX      10 smtp.google.com.

;; Query time: 12 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jul 14 14:56:29 CST 2025
;; MSG SIZE  rcvd: 60

Notice the number (10) before the mail server's hostname in the ANSWER SECTION. This is the preference or priority value. Mail servers will attempt to deliver email to the server with the lowest priority number first. If that server is unavailable, they will try the next lowest, and so on. This provides a system of primary and backup mail servers.
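
The google.com answer above contains a single MX record, so the ordering rule is not visible there. The following added example (not part of the original lab) extracts MX records from dig output and lists them in the order a sending server would try them. The sample response is constructed for the placeholder domain example.com and the function names are assumptions; the null MX case ("0 .", RFC 7505), which declares that a domain accepts no mail, goes beyond what the lab covers.

```sh
#!/bin/sh
# Constructed sample: part of a dig MX response for the placeholder
# domain example.com (illustrative values, not real DNS data).
SAMPLE_MX=';; QUESTION SECTION:
;example.com.                   IN      MX

;; ANSWER SECTION:
example.com.            300     IN      MX      20 backup.mail.example.com.
example.com.            300     IN      MX      10 primary.mail.example.com.
example.com.            300     IN      MX      30 last.mail.example.com.

;; Query time: 12 msec'

# mx_delivery_order: read dig output on stdin and print "preference host"
# lines, lowest preference first (the order a sending server tries them).
mx_delivery_order() {
    awk '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^;;/ || /^$/           { in_answer = 0 }   # next section or blank line ends it
        in_answer && $4 == "MX" { print $5, $6 }
    ' | sort -n -k1,1
}

# primary_mx: print the host that is tried first. Fails if the domain
# publishes a null MX ("0 ."), i.e. it declares that it accepts no mail.
primary_mx() {
    mx_delivery_order | awk 'NR == 1 { if ($2 == ".") exit 1; print $2 }'
}

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_MX" | mx_delivery_order
```

Against live DNS, the same functions read from a pipe: dig google.com MX | mx_delivery_order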

Query a Specific Public DNS Server with dig @<server>

In this final step, you will learn how to bypass your system's default DNS server and send a query directly to a specific public DNS server. This is an extremely useful technique for troubleshooting. For example, if you can't resolve a domain using your default server, you can query a reliable public server like Google's (8.8.8.8) or Cloudflare's (1.1.1.1) to determine if the issue is with your local configuration or a more widespread problem.

The dig command makes this easy. You can specify the DNS server you want to use by prefixing its IP address with an @ symbol.

Let's query Google's public DNS server at 8.8.8.8 to find the IP address for www.cloudflare.com.

dig @8.8.8.8 www.cloudflare.com

Now, carefully examine the output. Pay close attention to the SERVER line near the bottom. It should show 8.8.8.8#53, confirming that your query was sent to and answered by Google's DNS server, not your system's default server (127.0.0.53 from Step 1).

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @8.8.8.8 www.cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62439
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     300     IN      A       104.16.123.96
www.cloudflare.com.     300     IN      A       104.16.124.96

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Mon Jul 14 14:56:45 CST 2025
;; MSG SIZE  rcvd: 79

You have successfully directed a DNS query to a specific server, a powerful skill for diagnosing network and name resolution problems. This concludes the lab on using nslookup and dig for client-side DNS queries.
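
The troubleshooting comparison described in this step can be scripted. The following added example (not part of the original lab) reads the status field from dig's HEADER line for the default resolver and for a named public resolver, then reports whether a failure is specific to the default resolver. The function names, the DIG variable, the NOREPLY label and the stub responses for .example names are assumptions made for illustration.

```sh
#!/bin/sh
DIG=${DIG:-dig}   # lookup command; set DIG=stub_dig to run offline

# query_status SERVER NAME: print the status field of dig's HEADER line
# (NOERROR, NXDOMAIN, SERVFAIL, ...). An empty SERVER means the system default.
query_status() {
    $DIG ${1:+"@$1"} "$2" A 2>/dev/null | awk '/->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# compare_resolvers NAME SERVER: tell a local resolver problem apart from
# one that a public resolver sees as well. Only the status is compared.
compare_resolvers() {
    local_st=$(query_status "" "$1");    : "${local_st:=NOREPLY}"
    public_st=$(query_status "$2" "$1"); : "${public_st:=NOREPLY}"
    if [ "$local_st" = NOERROR ] && [ "$public_st" = NOERROR ]; then
        echo "ok: default resolver and $2 both answer for $1"
    elif [ "$public_st" = NOERROR ]; then
        echo "local: default resolver returned $local_st but $2 answers for $1"
    elif [ "$local_st" = "$public_st" ]; then
        echo "both: default resolver and $2 returned $local_st for $1"
    else
        echo "mixed: default=$local_st $2=$public_st for $1"
    fi
}

# Constructed stand-in for dig: HEADER lines only, for .example names
# (not real DNS data). Unknown queries produce no reply at all.
stub_dig() {
    case "$*" in
        "@8.8.8.8 www.example A"|"www.example A")   st=NOERROR ;;
        "@8.8.8.8 blocked.example A")               st=NOERROR ;;
        "blocked.example A")                        st=SERVFAIL ;;
        "@8.8.8.8 gone.example A"|"gone.example A") st=NXDOMAIN ;;
        *) return 0 ;;
    esac
    echo ";; ->>HEADER<<- opcode: QUERY, status: $st, id: 1"
}

# Offline demo; remove the next line and pass a real name to query DNS.
DIG=stub_dig
compare_resolvers blocked.example 8.8.8.8
```

A "local" result points at the default resolver or its configuration, while a "both" result means the public resolver sees the same failure.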

Summary

In this lab, you learned how to perform essential DNS queries on a Linux system. You started by identifying your system's default DNS server by examining the /etc/resolv.conf file with the cat command. Following this, you used the dig and nslookup utilities to perform a standard forward lookup, resolving a domain name to its corresponding IP address (A record).

You then explored more advanced queries, including reverse lookups to find a hostname from an IP address (PTR record) using dig -x, and how to retrieve a domain's mail exchange (MX) records. Finally, you learned how to bypass the system's default settings by directing your DNS query to a specific public server using the dig @<server> syntax, a critical skill for troubleshooting and testing name resolution.