digital8 Second Lieutenant
Joined: 29 Sep 2005
Posts: 1002
Posted: Sat Oct 01, 2005 1:45 pm Post subject: More on NSLOOKUP
Nslookup is a great little tool for making DNS queries that comes with NT,
Linux, etc. The easiest way to use nslookup is in non-interactive mode.
This means that you submit a request at the command line, and you get a
response back with no other input. For example, from the command prompt, type:
$nslookup foobar.edu
Server: localhost
Address: 127.0.0.1
Name: foobar.edu
Address: 289.13.266.37
The Server and Address response you see above will vary depending upon your
operating system, and how it's set up. But you can see that this is a quick
and easy way to look up the IP address of a host given the name...we have
performed a query for the "A" resource record. We can do a "reverse
lookup" by entering the IP address at the command prompt, rather than the
host name:
$nslookup 289.13.266.37
Server: localhost
Address: 127.0.0.1
Name: www.foobar.edu
Address: 289.13.266.37
Wait a minute! What's this "www.foobar.edu" stuff? Well, what we've found
is an alias for the host "foobar.edu". A single host can have multiple
host names that all point to the same IP address.
The other way to play with nslookup is to enter interactive mode by typing
"nslookup" (with no arguments) at the command prompt, and then hitting
<Enter>. You will get a prompt back that looks
like:
>
From here you can enter commands. For example, type:
>foobar.edu
Wow! We get the same information back as we did for the non-interactive
mode query. To look up specific resource records for the foobar.edu
domain, all we need to do is tell nslookup which RR type we want:
>set type=<RR>
where <RR> refers to the resource record type, as we saw listed above (A,
PTR, MX, CNAME, etc). This way you can look up just those records you are
interested in. Note: If you enter "ANY" in place of "<RR>", you will be
doing a lookup in the domain for all resource records...mail exchangers
(email servers), name servers, etc.
Now, let's try one more little trick. This involves listing hosts within
the domain we are interested in...it doesn't mean _all_ of the hosts,
though. We already know the names and IP addresses of the nameservers that
point to foobar.edu, so start nslookup in interactive mode. Then change
the nameserver used to resolve queries to the nameserver that points to the
foobar.edu domain:
$nslookup
Once you're in interactive mode, change the default nameserver that is used
to resolve your queries to a nameserver that points to the foobar.edu
domain...this information was retrieved using the whois query above:
>server 287.128.192.4
Now we want to list the hosts in the domain that have records available, so
type:
>ls foobar.edu
You will see something similar to:
[ns01.nameserver.org]
foobar.edu. server = ns.nameserver.org
foobar.edu. server = ns2.nameserver.org
foobar.edu. server = ns3.nameserver.org
foobar.edu. 289.13.266.37
ftp 289.13.266.37
smtp 289.13.266.37
www 289.13.266.37
In the real world (vice the "example" world) you will likely get a lot more
hosts back than this...in fact, you may get upwards to 500 or more hosts!
However, what this tells us is that the host "foobar.edu" has the same IP
address as the hosts listed as "ftp", "smtp", and "www". This means that
these are services aliased to the host...performing a lookup on
"ftp.foobar.edu" or trying to connect to "ftp.foobar.edu" will
point or connect you to the host "foobar.edu".
If you do list the hosts in the domain, you may want to use redirection to
save this information in a file, so that you can read over it:
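What nslookup is doing on the wire in the post above, as an added Python example that is not part of the original post: it builds the query nslookup sends for a given "set type=", derives the in-addr.arpa name behind a reverse lookup, and parses a constructed (not captured) response with the CNAME-then-A shape of an alias answer. The names and the 192.0.2.x addresses are made-up documentation values.

```python
import struct
# QTYPE codes (RFC 1035) behind nslookup's "set type=" and its "ls" listing (AXFR).
QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "AXFR": 252, "ANY": 255}

def reverse_name(ip):
    """The in-addr.arpa name a reverse lookup really asks for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def encode_name(name):
    """Dotted name -> DNS labels (length byte + text each), zero-terminated."""
    return b"".join(bytes([len(x)]) + x.encode() for x in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """One-question standard query, recursion desired, as nslookup sends it."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)

def decode_name(msg, off):
    """Decode a name, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0:                    # 11xxxxxx: pointer to an earlier name
            end = end or off + 2             # resume after the 2-byte pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), end or off + 1

def parse_answers(msg):
    """Return [(owner, type, rdata)] for the answer section of a response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                 # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    out = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        # A carries a 4-byte address; CNAME/PTR carry a (compressible) name.
        rdata = ".".join(map(str, msg[off:off + 4])) if rtype == 1 else decode_name(msg, off)[0]
        out.append((owner, rtype, rdata))
        off += rdlen
    return out

def sample_response():
    """Constructed reply, not captured traffic: www.example.test is an alias (CNAME) for example.test."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR|RD|RA, 1 question, 2 answers
    cname = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, 2) + b"\xc0\x10"   # owner @12, target @16
    a_rec = b"\xc0\x10" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + build_query("www.example.test", "A")[12:] + cname + a_rec
```

The "ls" listing in the post works only when the server answers an AXFR for the zone; servers that restrict transfers to their own secondaries refuse it.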