When a domain points to the wrong address or email delivery starts failing, the nslookup command in Linux gives you a fast way to ask DNS what it currently publishes. It can check normal address records, mail routing, name server delegation, reverse DNS, TXT authentication records, and certificate-authority policy records without opening a browser.
Implementation matters because BIND and BusyBox do not expose the exact same option set. Full Linux distributions provide BIND nslookup through packages such as bind9-dnsutils, bind-utils, bind, or bind-tools. Alpine’s BusyBox applet can handle common lookups, but install bind-tools there when you need BIND-style output, timeout controls, or companion tools such as dig and host.
Understand the nslookup Command in Linux
Think of nslookup as a direct DNS question. You provide a domain, IP address, record type, or resolver, and the tool prints the response from the DNS server it contacted. That makes it useful when your browser, mail server, or application only tells you that a name failed.
Basic nslookup Syntax
The basic syntax uses an optional setting, the name or address to query, and an optional DNS server:
nslookup [option] [hostname] [server]
- [option]: Optional setting that refines the query, such as -type=mx, -debug, or -timeout=5.
- [hostname]: Domain name or IP address you want to query, such as example.com, 8.8.8.8, or subdomain.example.org.
- [server]: Optional DNS server IP that replaces your default resolver, such as 1.1.1.1 for Cloudflare DNS or 8.8.8.8 for Google DNS.
Quick nslookup Reference Table
Use these common patterns to choose the right nslookup query for the DNS question you are testing.
| Task | Command Pattern | What It Does |
|---|---|---|
| Forward lookup | nslookup example.com | Returns A and AAAA address records for a host name. |
| Reverse lookup | nslookup 8.8.8.8 | Returns the PTR name tied to an IP address when one exists. |
| Specific record type | nslookup -type=mx example.com | Queries one DNS record type, such as MX, NS, TXT, SOA, CNAME, or CAA. |
| Specific DNS server | nslookup example.com 1.1.1.1 | Asks a chosen resolver instead of the system default resolver. |
| Debug output | nslookup -debug example.com | Shows query sections, answer records, TTL values, and response details. |
| Timeout control | nslookup -timeout=5 example.com | Sets the initial wait time in seconds before retry behavior starts. |
| Interactive session | nslookup | Opens a prompt where you can run several DNS queries in one session. |
Choose nslookup, dig, or host
BIND ships nslookup, dig, and host as related DNS clients. Use nslookup for quick human checks and interactive sessions, use dig when you need script-friendly or highly detailed output, and use host for short name-to-address checks. The BIND diagnostic tools documentation treats dig as the most complete DNS query client, but nslookup remains useful because it is familiar and widely available.
Install or Verify nslookup on Linux
Minimal server images and containers often omit DNS clients, so verify the command before troubleshooting. The package name changes by distro family: Debian and Ubuntu use bind9-dnsutils, Fedora and RHEL-family systems use bind-utils, Arch uses bind, Alpine uses bind-tools for the full BIND client, and Void uses bind-utils.
Verify nslookup Availability
Check whether nslookup is already installed and visible in your shell path:
command -v nslookup || echo "nslookup not found"
A working installation prints the binary path:
/usr/bin/nslookup
If the command prints nslookup not found, install the package for your distribution.
Install nslookup on Debian, Ubuntu, and Linux Mint
APT does not install a package named nslookup. Install bind9-dnsutils, which provides nslookup, dig, and related BIND DNS clients. Older Debian and Ubuntu releases may still accept dnsutils as a transitional or virtual alias, but the direct package name is clearer on current systems.
sudo apt install bind9-dnsutils -y
Install nslookup on Fedora, RHEL, Rocky Linux, and AlmaLinux
DNF systems provide nslookup through bind-utils, not a separate nslookup package. If dnf install nslookup fails, install bind-utils instead.
sudo dnf install bind-utils -y
Install nslookup on Arch Linux and Manjaro
Arch packages nslookup inside the main bind package.
sudo pacman -S bind
Install nslookup on openSUSE
sudo zypper install bind-utils
Install nslookup on Alpine Linux
Alpine includes a lightweight BusyBox nslookup applet on many minimal installs. BusyBox builds commonly handle record-type and debug checks, but install bind-tools when you need BIND nslookup behavior, timeout controls such as -timeout=, or companion tools like dig and host. If apk add nslookup fails, use bind-tools; the full BIND toolset is packaged under that name.
sudo apk add bind-tools
Install nslookup on Gentoo
sudo emerge --ask net-dns/bind-tools
Install nslookup on Void Linux
sudo xbps-install -S bind-utils
Practical nslookup Command Examples
These examples start with routine lookups, then move into record-type checks, resolver comparisons, debug output, and interactive sessions. Output can vary by resolver, DNS provider, and cache state, so treat the preformatted blocks as verified examples rather than permanent DNS inventory.
Example 1: Run a Basic Domain Name Query
Use a basic nslookup query when you need to confirm that a host name resolves to at least one address record. This is usually the first DNS check before you investigate mail, delegation, or application-specific failures.
nslookup example.com
Example output shows the resolver that answered and the address records it returned:
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 2606:4700:10::6814:179a
Name: example.com
Address: 2606:4700:10::ac42:93f3
The Non-authoritative answer label means the response came from a caching resolver, not directly from the domain’s authoritative name server. Multiple IPv4 and IPv6 addresses are normal for domains that use load balancing or anycast networks.
Example 2: Query a Specific DNS Server
When you troubleshoot propagation or compare resolver caches, put the DNS server IP at the end of the command. This asks that resolver directly instead of using the system default.
nslookup example.com 1.1.1.1
Cloudflare’s resolver answers when 1.1.1.1 appears as the server:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 2606:4700:10::6814:179a
Name: example.com
Address: 2606:4700:10::ac42:93f3
Compare this answer with your local resolver or another public resolver such as 8.8.8.8 or 9.9.9.9. Different answers can indicate propagation delay, resolver filtering, split-horizon DNS, or a stale cache.
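The resolver comparison described above can be scripted. This is an added example, not code from the original page: the function names are hypothetical, the first two samples are the outputs of Examples 1 and 2, and the third is constructed.

```shell
# Added example: compare the answer sets that two resolvers return for a name.

# Print the answer addresses from nslookup output on stdin, sorted and unique.
# The first "Address:" line names the resolver (for example 1.1.1.1#53), so
# only Address lines that follow a "Name:" line count as answers.
extract_addrs() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address:/ { print $2 }' | sort -u
}

# Print every address listed in $1 that is missing from $2.
only_in() {
    for addr in $1; do
        printf '%s\n' "$2" | grep -Fxq -- "$addr" || printf '%s\n' "$addr"
    done
}

# Compare two captured nslookup outputs. Prints "match" and returns 0, or
# prints "differ" with the one-sided addresses and returns 1.
compare_answers() {
    left=$(printf '%s\n' "$1" | extract_addrs)
    right=$(printf '%s\n' "$2" | extract_addrs)
    if [ "$left" = "$right" ]; then
        echo "match"
        return 0
    fi
    echo "differ"
    only_in "$left" "$right" | sed 's/^/  only first:  /'
    only_in "$right" "$left" | sed 's/^/  only second: /'
    return 1
}

# Live use (needs network):
#   compare_answers "$(nslookup example.com 1.1.1.1)" "$(nslookup example.com 8.8.8.8)"

# Outputs from Examples 1 and 2 on this page: same records, different order.
LOCAL_OUT='Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 2606:4700:10::6814:179a
Name: example.com
Address: 2606:4700:10::ac42:93f3'

CLOUDFLARE_OUT='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 2606:4700:10::6814:179a
Name: example.com
Address: 2606:4700:10::ac42:93f3'

# Constructed sample: a resolver still serving an old address (192.0.2.10).
STALE_OUT='Server: 192.0.2.53
Address: 192.0.2.53#53
Name: example.com
Address: 192.0.2.10'

compare_answers "$LOCAL_OUT" "$CLOUDFLARE_OUT"
compare_answers "$CLOUDFLARE_OUT" "$STALE_OUT" || true
```

Sorting before comparing matters because resolvers rotate record order, so a plain text diff of two healthy answers would report a false difference.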
Example 3: Query Mail Exchange (MX) Records
Before configuring a mail server or troubleshooting delivery, identify which hosts accept mail for the domain. MX records list those servers with priority values that control delivery order when multiple hosts exist.
nslookup -type=mx google.com 1.1.1.1
Example output shows the mail exchanger and its priority:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.
Authoritative answers can be found from:
The number before the mail server (10 in this example) is the priority. Lower numbers indicate preferred servers. When multiple MX records exist, mail delivery attempts the lowest-numbered server first and falls back to higher numbers if needed.
Example 4: Perform a Reverse DNS Lookup
Reverse DNS reveals the domain name tied to an IP address. Use it when reading server logs that show only IP addresses or when tracking spam sources. Mail servers often require forward and reverse DNS to match (forward-confirmed reverse DNS), so check both directions when troubleshooting email delivery.
nslookup 8.8.8.8
Expected output when a PTR record exists:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
8.8.8.8.in-addr.arpa name = dns.google.
Authoritative answers can be found from:
If no PTR record exists, nslookup reports “server can’t find” with NXDOMAIN. Many residential ISP and cloud provider IP ranges lack reverse entries, which causes some mail servers to reject outgoing mail from those addresses.
Example 5: Query Name Server (NS) Records
Query NS records to learn which DNS servers are authoritative for a domain. Do this when migrating DNS hosting, troubleshooting delegation, or verifying that nameserver changes propagated after a registrar update.
nslookup -type=ns example.com 1.1.1.1
Example output lists the authoritative name servers published for the domain:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
example.com nameserver = hera.ns.cloudflare.com.
example.com nameserver = elliott.ns.cloudflare.com.
Authoritative answers can be found from:
Domains typically publish multiple name servers for redundancy. If you recently changed nameservers at your registrar, query different public DNS servers to verify the change propagated globally.
Example 6: Query Specific DNS Record Types
DNS stores many record types beyond A records. Each type answers a different troubleshooting question, so choose the type that matches the service you are testing.
| Record Type | Command | When to Use It |
|---|---|---|
| CNAME | nslookup -type=cname www.example.com | Find whether a host name is an alias for another canonical name. |
| TXT | nslookup -type=txt _dmarc.example.com | Read SPF, DKIM, DMARC, ownership verification, or service validation strings. |
| AAAA | nslookup -type=aaaa example.com | Verify IPv6 addresses for dual-stack services. |
| SOA | nslookup -type=soa example.com | Inspect the primary name server, zone serial, and timing values. |
| CAA | nslookup -type=caa example.com | Check which certificate authorities may issue TLS certificates for the domain. |
If a record type does not exist for the queried domain, nslookup returns “No answer” or “can’t find”. Move to the next relevant type until you find the information you need.
Example 7: Run an Advanced Query with Debug Information
Use debug mode when a DNS query fails or returns unexpected data. It shows the query sent, the response received, packet details, and intermediate steps. That deeper view helps diagnose DNSSEC validation failures, incorrect TTL values, and mismatched resolver behavior.
nslookup -debug example.com 1.1.1.1
Expected output showing detailed query information including TTL values:
Server: 1.1.1.1
Address: 1.1.1.1#53
------------
QUESTIONS:
example.com, type = A, class = IN
ANSWERS:
-> example.com
internet address = 172.66.147.243
ttl = 149
-> example.com
internet address = 104.20.23.154
ttl = 149
AUTHORITY RECORDS:
ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 104.20.23.154
The TTL (time-to-live) values show how long resolvers cache the answer in seconds. Low TTLs mean frequent re-queries to authoritative servers, while high TTLs mean changes propagate slowly. This information helps when planning DNS migrations or troubleshooting caching issues.
Example 8: Query IPv6 Address (AAAA Record)
As IPv6 adoption grows, many services publish both A and AAAA records. Query AAAA records when troubleshooting IPv6 connectivity, verifying dual-stack deployments, or confirming that new IPv6 DNS entries exist.
nslookup -type=aaaa example.com 1.1.1.1
Expected output when IPv6 records exist:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: example.com
Address: 2606:4700:10::ac42:93f3
Name: example.com
Address: 2606:4700:10::6814:179a
If no AAAA record exists, nslookup returns “No answer”, meaning the domain is IPv4-only. Most modern clients prefer IPv6 when both record types exist, which can affect troubleshooting if IPv6 connectivity has issues but IPv4 works.
Example 9: Set Query Timeout
When you query slow or unreliable DNS servers, set a timeout so nslookup does not hang indefinitely. Timeouts help when testing distant servers, dealing with latency, or scripting predictable behavior.
nslookup -timeout=5 example.com 1.1.1.1
Expected output when the query completes within the timeout:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: example.com
Address: 172.66.147.243
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 2606:4700:10::6814:179a
Name: example.com
Address: 2606:4700:10::ac42:93f3
This sets the initial timeout to 5 seconds. Use a longer value for slow links and a shorter value for quick automation checks that should fail fast. If no configured server answers, nslookup eventually prints ;; connection timed out; no servers could be reached.
Example 10: Use nslookup in Interactive Mode
Interactive mode speeds up repetitive DNS testing. Use it to run several queries, compare record types, or test multiple DNS servers without retyping commands. Once inside interactive mode, you can change settings with minimal keystrokes.
nslookup
The command opens an interactive prompt. Type names, settings, and resolver changes directly, then exit when you are finished:
> example.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: example.com
Address: 104.20.23.154
Name: example.com
Address: 172.66.147.243
> set type=mx
> google.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> exit
Common interactive commands include set type=mx to change record type, server 8.8.8.8 to switch DNS servers, set all to print the current session settings, and exit to leave interactive mode. BIND nslookup reports help as not implemented, so do not rely on it as a command list.
Example 11: Check SOA Records
The Start of Authority (SOA) record lists the primary nameserver, admin contact, zone serial, and timing values. Check it when troubleshooting why secondary nameservers have not picked up zone changes or when verifying zone transfer configurations.
nslookup -type=soa example.com 1.1.1.1
Expected output showing zone administration details:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
example.com
origin = elliott.ns.cloudflare.com
mail addr = dns.cloudflare.com
serial = 2403488901
refresh = 10000
retry = 2400
expire = 604800
minimum = 1800
Authoritative answers can be found from:
Pay special attention to the serial number. It increments with each zone update. If the serial stays static after you make DNS changes, the zone file did not reload correctly on the primary server.
Example 12: Query TXT Records
TXT records store email authentication data and domain verification strings. SPF records usually live at the root domain, DMARC policies live at _dmarc.example.com, and DKIM keys use selector-based names such as selector._domainkey.example.com.
nslookup -type=txt _dmarc.google.com 1.1.1.1
Example output shows Google’s published DMARC policy:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
_dmarc.google.com text = "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
Authoritative answers can be found from:
For SPF, query the root domain. For DKIM, replace selector with the selector your mail platform actually uses:
nslookup -type=txt google.com 1.1.1.1
nslookup -type=txt selector._domainkey.example.com 1.1.1.1
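To turn the DMARC lookup above into a repeatable check, the TXT answer can be parsed and its policy tag graded. This is an added example, not code from the original page: function names and verdict labels are hypothetical, the first sample is the Google output shown above, and the other two are constructed.

```shell
# Added example: grade the DMARC policy found in `nslookup -type=txt` output.

# Print one TXT record per line from nslookup output on stdin. nslookup prints
# a long TXT value as several quoted strings ("part1" "part2"); they are joined
# because the record is the concatenation of its strings.
txt_records() {
    awk '{
        i = index($0, "text = \"")
        if (!i) next
        rec = substr($0, i + 7)        # starts at the opening quote
        sub(/[ \t]+$/, "", rec)
        gsub(/"[ \t]+"/, "", rec)      # "a" "b" becomes "ab"
        gsub(/^"|"$/, "", rec)         # strip the outer quotes
        print rec
    }'
}

# Print the value of one tag ($2, e.g. p or rua) from a DMARC record ($1).
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Read nslookup output for _dmarc.<domain> on stdin and print a verdict:
# enforcing, monitor-only, missing, ambiguous or invalid.
dmarc_verdict() {
    recs=$(txt_records | grep -i '^v=DMARC1' || true)
    count=$(printf '%s' "$recs" | grep -c . || true)
    case $count in
        0) echo "missing"; return 0 ;;
        1) ;;
        *) echo "ambiguous"; return 0 ;;   # RFC 7489: several records = no policy
    esac
    case $(dmarc_tag "$recs" p | tr 'A-Z' 'a-z') in
        reject|quarantine) echo "enforcing" ;;
        none)              echo "monitor-only" ;;   # reports only, no enforcement
        *)                 echo "invalid" ;;
    esac
}

# Output shown in Example 12 of this page.
GOOGLE_OUT='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
_dmarc.google.com text = "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
Authoritative answers can be found from:'

# Constructed sample: monitoring-only policy split across two quoted strings.
SPLIT_OUT='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
_dmarc.example.com text = "v=DMARC1; p=none; " "rua=mailto:dmarc@example.com"'

# Constructed sample: no record published at the _dmarc name.
NX_OUT="Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find _dmarc.example.org: NXDOMAIN"

for sample in "$GOOGLE_OUT" "$SPLIT_OUT" "$NX_OUT"; do
    printf '%s\n' "$sample" | dmarc_verdict
done
```

For live use, pipe the command from Example 12 straight in: `nslookup -type=txt _dmarc.example.com 1.1.1.1 | dmarc_verdict`.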
Example 13: Understand Limited ANY Query Results
The ANY query type looks tempting when you want every DNS record, but many modern resolvers refuse or limit it to reduce amplification abuse. Use it only as a quick signal, then query the specific record types you actually need.
nslookup -type=any google.com 1.1.1.1
Some public resolvers reject the request instead of returning a full record set:
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find google.com: NOTIMP
A NOTIMP, HINFO, or short partial answer does not prove the domain lacks records. Query MX, NS, TXT, SOA, AAAA, and other needed types one by one for reliable troubleshooting.
Example 14: Run Non-Interactive Multiple Queries
Place multiple nslookup commands on separate lines in a shell script when you need repeatable non-interactive checks. Each command starts a fresh query and prints its own resolver context.
nslookup -type=mx google.com 1.1.1.1
nslookup -type=ns example.com 1.1.1.1
Expected output showing both queries run sequentially:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.
Authoritative answers can be found from:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
example.com nameserver = hera.ns.cloudflare.com.
example.com nameserver = elliott.ns.cloudflare.com.
Authoritative answers can be found from:
Each query runs independently and prints its own results. Use this pattern for simple automation or quick manual comparisons.
Example 15: Inspect Certificate Authority Authorization (CAA) Records
CAA records control which certificate authorities may issue TLS certificates for your domain. Checking them validates automation platforms like Let’s Encrypt, helps prevent unauthorized issuance, and confirms certificate policy before you request a new certificate.
nslookup -type=caa google.com 1.1.1.1
Expected output when CAA records exist:
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
google.com rdata_257 = 0 issue "pki.goog"
Authoritative answers can be found from:
BIND nslookup may display CAA as rdata_257 instead of a friendly CAA label. The record can also include options like issuewild for wildcard certificates or iodef for violation reports. If no CAA records exist, any CA may issue certificates for the domain, which is a security consideration worth addressing.
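The rdata_257 lines can be checked against the CA you plan to use before requesting a certificate. This is an added example, not code from the original page: the function name and verdict labels are hypothetical, the first sample is the Google output shown above, and the others are constructed.

```shell
# Added example: decide whether a CA is permitted by the CAA records in
# `nslookup -type=caa` output, using the rdata_257 form BIND nslookup prints.

# stdin: nslookup output. $1 = CA identifier (e.g. pki.goog).
# $2 = "wild" when the certificate is for a wildcard name.
# Prints allowed, denied or unrestricted.
caa_verdict() {
    awk -v ca="$1" -v mode="${2:-}" '
    {
        i = index($0, "rdata_257 = ")
        if (!i) next
        split(substr($0, i + 12), p, " ")   # p[1]=flags p[2]=tag p[3]=value
        tag = tolower(p[2])
        if (tag != "issue" && tag != "issuewild") next   # iodef etc. do not restrict
        seen[tag] = 1
        v = p[3]
        gsub(/"/, "", v)
        sub(/;.*$/, "", v)                  # drop parameters; a bare ";" becomes ""
        if (v != "" && tolower(v) == tolower(ca)) ok[tag] = 1
    }
    END {
        # issuewild, when present, replaces issue for wildcard names only.
        use = (mode == "wild" && ("issuewild" in seen)) ? "issuewild" : "issue"
        if (!(use in seen)) print "unrestricted"
        else print ((use in ok) ? "allowed" : "denied")
    }'
}

# Output shown in Example 15 of this page.
GOOGLE_CAA='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
google.com rdata_257 = 0 issue "pki.goog"
Authoritative answers can be found from:'

# Constructed sample: no CA for ordinary names, one CA for wildcards only.
STRICT_CAA='Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
example.org rdata_257 = 0 issue ";"
example.org rdata_257 = 0 issuewild "letsencrypt.org"
example.org rdata_257 = 0 iodef "mailto:security@example.org"'

# Constructed sample: the name exists but publishes no CAA records.
NO_CAA="Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
*** Can't find example.com: No answer"

printf '%s\n' "$GOOGLE_CAA" | caa_verdict pki.goog
printf '%s\n' "$STRICT_CAA" | caa_verdict letsencrypt.org
printf '%s\n' "$STRICT_CAA" | caa_verdict letsencrypt.org wild
printf '%s\n' "$NO_CAA"     | caa_verdict letsencrypt.org
```

An "unrestricted" result covers only the queried name. CAs also walk up to parent names when a name has no CAA records (RFC 8659), so query the parent domain before concluding that issuance is open.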
Troubleshoot Common nslookup Errors
nslookup errors usually point to one of four places: the command is missing, the queried name does not exist, the resolver cannot answer, or another DNS layer is returning a different result. Start with the exact error text, then test against a known public resolver to separate local resolver problems from domain-side problems.
Fix nslookup: command not found
This error means the DNS client package is missing or the binary is not in your shell path:
bash: nslookup: command not found
Install the DNS utility package for your distro, then verify the binary path:
sudo apt install bind9-dnsutils -y
command -v nslookup
On DNF systems, use sudo dnf install bind-utils -y instead. On Arch or Manjaro, install bind. On Alpine, install bind-tools when the BusyBox applet is not enough for the options you need.
NXDOMAIN: Domain Does Not Exist
This error appears when the DNS server cannot find any records for the queried domain:
** server can't find nonexistent.example.com: NXDOMAIN
NXDOMAIN means the queried name does not exist in the resolver’s DNS view. Compare the result with another resolver before treating it as a permanent domain problem:
nslookup nonexistent.example.com 1.1.1.1
If several independent resolvers return NXDOMAIN, check for a typo, expired domain, deleted record, or missing zone delegation. If your local resolver returns NXDOMAIN but a public resolver succeeds, clear the local resolver cache or inspect local DNS filtering rules.
Connection Timed Out
Timeout errors occur when the DNS server does not respond within the allowed time:
;; connection timed out; no servers could be reached
This indicates a reachability problem between your system and the DNS server, or a firewall path that blocks DNS traffic. First, verify basic connectivity to the resolver:
ping -c 3 8.8.8.8
If ping works but DNS queries time out, a firewall, VPN, captive portal, or upstream resolver issue may be blocking DNS on UDP or TCP port 53. Some networks block ICMP ping, so treat it as a quick reachability signal rather than final proof. Test another resolver to see whether the failure follows your network path or only the configured DNS server.
SERVFAIL: Server Failure
SERVFAIL indicates the DNS server encountered an error while processing the query:
** server can't find example.com: SERVFAIL
Common causes include DNSSEC validation failures, broken authoritative nameservers, lame delegation, or temporary upstream failure. Test with a different resolver to see whether the failure is local to one resolver:
nslookup example.com 1.1.1.1
If multiple resolvers return SERVFAIL, inspect the domain’s authoritative name servers, DNSSEC chain, and zone health. If only one resolver fails, the resolver may have a stale validation state or a temporary upstream problem.
No Answer for Record Type
When querying a specific record type that does not exist, nslookup returns “No answer”:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
*** Can't find example.com: No answer
This is usually not a resolver failure. It means the domain exists, but the requested record type does not exist at that name. Verify with another useful record type before changing DNS:
nslookup example.com
nslookup -type=mx example.com
For example, an IPv4-only domain can return No answer for AAAA records while still resolving normally for A records. A root-domain TXT record also does not prove that a DMARC record exists at _dmarc.example.com.
Browser or curl Results Differ from nslookup
A browser, application, or curl can disagree with nslookup because it uses cached results, DNS-over-HTTPS, /etc/hosts, or a library resolver path that nslookup does not use. Compare the DNS answer with an explicit resolver first:
nslookup example.com 1.1.1.1
If nslookup succeeds but another command reports a name-resolution error, check the application’s resolver settings and local host mappings. For curl: (6) Could not resolve host, use the separate curl DNS resolution troubleshooting guide because the fix may involve URL quoting, proxy settings, resolver configuration, or shell parsing rather than the DNS record itself.
Resolver Configuration Issues
If nslookup fails for every domain through the default resolver, inspect the resolver configuration that your system is handing to DNS clients:
cat /etc/resolv.conf
A usable resolver file includes at least one nameserver line. If the file says it is managed by NetworkManager or systemd-resolved, change DNS through that service instead of hand-editing the generated file.
On systems using systemd-resolved, the active per-link DNS servers can be clearer than the stub file:
resolvectl status
Look for DNS Servers under the active network link, then verify that the listed resolvers are reachable and expected for the network you are using. An empty resolver file, unreachable DNS server, stale VPN DNS setting, or split-DNS configuration can make default lookups fail while explicit public-resolver tests still work.
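The troubleshooting flow in this section, reading the exact error text and then repeating the query against a public resolver, can be captured in two small functions. This is an added example, not code from the original page: the function names and scope labels are hypothetical, and the samples reuse the error texts shown above.

```shell
# Added example: label nslookup results, then compare the default resolver
# with a public one to locate the failure.

# stdin: nslookup output. Prints OK, NXDOMAIN, SERVFAIL, NOTIMP, NOANSWER,
# TIMEOUT or UNKNOWN. Any answer record wins over an error line.
classify() {
    awk '
    /^Name:/ || /(mail exchanger|nameserver|text|name|origin|rdata_[0-9]+) = / { ok = 1 }
    /connection timed out/ { err = "TIMEOUT" }
    /: NXDOMAIN/           { err = "NXDOMAIN" }
    /: SERVFAIL/           { err = "SERVFAIL" }
    /: NOTIMP/             { err = "NOTIMP" }
    /: No answer/          { err = "NOANSWER" }
    END { print (ok ? "OK" : (err == "" ? "UNKNOWN" : err)) }'
}

# $1 = label from the default resolver, $2 = label from a public resolver.
# Prints "<scope>: <what to check next>", following the advice in this section.
triage() {
    case "$1/$2" in
        OK/OK)             echo "dns-ok: check application cache, DoH and /etc/hosts" ;;
        NXDOMAIN/NXDOMAIN) echo "domain-side: typo, expired domain, deleted record or missing delegation" ;;
        SERVFAIL/SERVFAIL) echo "domain-side: inspect authoritative servers, DNSSEC chain and zone health" ;;
        TIMEOUT/TIMEOUT)   echo "network-path: DNS on UDP or TCP port 53 may be blocked" ;;
        NOANSWER/NOANSWER) echo "record-absent: the name exists but not this record type" ;;
        */OK)              echo "local-resolver: $1 only locally; check cache, filtering and /etc/resolv.conf" ;;
        OK/*)              echo "split-view: resolves only through the default resolver" ;;
        *)                 echo "unclear: $1 vs $2; test another resolver" ;;
    esac
}

# Live use (needs network); stderr is merged so timeout text is also seen.
triage_live() {   # $1 = name, $2 = public resolver IP
    triage "$(nslookup "$1" 2>&1 | classify)" "$(nslookup "$1" "$2" 2>&1 | classify)"
}

# Samples built from the outputs and error texts shown on this page.
NX_OUT="Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find nonexistent.example.com: NXDOMAIN"
TIMEOUT_OUT=";; connection timed out; no servers could be reached"
NOANSWER_OUT="Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
*** Can't find example.com: No answer"
MX_OUT="Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
google.com mail exchanger = 10 smtp.google.com.
Authoritative answers can be found from:"

local_label=$(printf '%s\n' "$NX_OUT" | classify)
public_label=$(printf '%s\n' "$MX_OUT" | classify)
triage "$local_label" "$public_label"
triage "$(printf '%s\n' "$TIMEOUT_OUT" | classify)" TIMEOUT
```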
Conclusion
With nslookup, Linux DNS checks can move from a simple address lookup to MX, TXT, SOA, CAA, reverse, and resolver-specific tests without leaving the terminal. For wider network triage, pair it with the grep command in Linux to filter output, Nmap command examples to inspect exposed services, and tail command examples to watch DNS or application logs while reproducing the failure.

