
nslookup — DNS Query Tool

Query DNS servers for A, AAAA, MX, TXT, NS, PTR, and other resource records from the Windows command prompt — the built-in tool for diagnosing name resolution issues.



What it is#

nslookup (Name Server Lookup) is a built-in Windows command that sends DNS queries and displays the responses. It operates in two modes: non-interactive (a single query from the command line) and interactive (a REPL where you can issue multiple queries, change server, and set query options). Use it to diagnose name resolution failures, verify DNS records, test alternate DNS servers, and inspect MX/TXT records for mail or domain verification purposes. For scripting, the non-interactive form is preferred; for exploration, interactive mode lets you adjust query type and server on the fly.

Availability#

nslookup ships as C:\Windows\System32\nslookup.exe on every Windows version. PowerShell equivalent: Resolve-DnsName.

nslookup /?

Output:

Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

Syntax#

Non-interactive form: optionally specify the DNS server after the hostname.

nslookup [hostname] [server]
nslookup -type=<TYPE> hostname [server]

Output: (DNS response)

Essential options#

Option        Meaning
hostname      Name to look up
server        Optional DNS server to query instead of the default
-type=A       IPv4 address record (default)
-type=AAAA    IPv6 address record
-type=MX      Mail exchange record
-type=NS      Name server record
-type=TXT     Text record (SPF, DKIM, domain verification)
-type=PTR     Pointer record (reverse lookup)
-type=SOA     Start of Authority record
-type=CNAME   Canonical name (alias) record
-type=ANY     All available records
-debug        Show full query/response packets
-timeout=N    Set query timeout in seconds

Forward lookup (A record)#

A forward lookup resolves a hostname to its IPv4 address. The default query type is A.

nslookup example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    example.com
Address:  93.184.216.34

rem Query a specific DNS server (Cloudflare) instead of the system default
nslookup example.com 1.1.1.1

Output:

Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    example.com
Address:  93.184.216.34

IPv6 lookup (AAAA record)#

-type=AAAA queries for IPv6 addresses.

nslookup -type=AAAA example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    example.com
Address:  2606:2800:220:1:248:1893:25c8:1946

Reverse lookup (PTR record)#

Supplying an IP address instead of a hostname causes nslookup to perform a reverse DNS lookup (PTR record) and return the associated hostname.

nslookup 8.8.8.8

Output:

Server:  dns.google
Address:  8.8.8.8

Name:    dns.google
Address:  8.8.8.8

nslookup 93.184.216.34

Output:

Server:  dns.google
Address:  8.8.8.8

Name:    93.184.216.34.in-addr.arpa

Mail exchange lookup (MX record)#

-type=MX retrieves the mail server priority and hostname for a domain — useful when diagnosing email delivery failures.

nslookup -type=MX example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = mail.example.com

TXT records (SPF, DKIM, verification)#

-type=TXT fetches text records — used for SPF email policy, DKIM keys, and domain ownership verification tokens.

nslookup -type=TXT example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com     text =

        "v=spf1 include:_spf.example.com ~all"

NS and SOA records#

-type=NS lists the authoritative name servers for a domain. -type=SOA shows the primary name server, responsible email contact, serial number, and refresh intervals.

nslookup -type=NS example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com     nameserver = a.iana-servers.net
example.com     nameserver = b.iana-servers.net

nslookup -type=SOA example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com
        primary name server = ns1.example.com
        responsible mail addr = hostmaster.example.com
        serial  = 2026042801
        refresh = 3600 (1 hour)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

Interactive mode#

Entering nslookup without arguments opens an interactive REPL. Type set type=MX, server 1.1.1.1, or a hostname at the > prompt.

nslookup

Output:

Default Server:  dns.google
Address:  8.8.8.8

> set type=MX
> example.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = mail.example.com

> server 1.1.1.1
Default Server:  one.one.one.one
Address:  1.1.1.1

> example.com
...
> exit

Output: (interactive session — type exit to quit)

Checking against an authoritative server#

Query a zone’s own name server directly (bypassing caches) to confirm what DNS really publishes.

nslookup -type=NS example.com

Output:

...
example.com     nameserver = a.iana-servers.net

nslookup example.com a.iana-servers.net

Output:

Server:  a.iana-servers.net
Address:  199.43.135.53

Name:    example.com
Address:  93.184.216.34

SRV records (services)#

SRV records publish the hostname and port of a service for a domain — used by Active Directory (_ldap._tcp), SIP, XMPP, Matrix federation, Minecraft, and many other protocols. They include priority and weight fields for load balancing.

nslookup -type=SRV _ldap._tcp.example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
_ldap._tcp.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
_ldap._tcp.example.com    SRV service location:
          priority       = 10
          weight         = 100
          port           = 389
          svr hostname   = dc2.example.com

Lower priority is preferred. Within the same priority, weight controls proportional load — a client picks each server with probability weight / sum(weights).

rem Common AD SRV records to know
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
nslookup -type=SRV _kerberos._tcp.example.com
nslookup -type=SRV _gc._tcp.example.com

Output: (similar SRV-format records, one per service)
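
The priority and weight rule above, worked through as an added example (not part of the original page): it parses SRV output in the format shown in this section and orders the targets the way an RFC 2782 client would. The function names, the -Seed parameter and the third record (dc3) are assumptions made for illustration.

```powershell
# Constructed sample in the nslookup SRV format shown above; dc3 is hypothetical.
$sample = @'
_ldap._tcp.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
_ldap._tcp.example.com    SRV service location:
          priority       = 0
          weight         = 300
          port           = 389
          svr hostname   = dc3.example.com
_ldap._tcp.example.com    SRV service location:
          priority       = 10
          weight         = 100
          port           = 389
          svr hostname   = dc2.example.com
'@

# Hypothetical helper: turn nslookup SRV text into one object per record.
function ConvertFrom-NslookupSrv {
    param([Parameter(Mandatory)][string]$Text)
    $rec = $null
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^(\S+)\s+SRV service location:') {
            if ($null -ne $rec) { [PSCustomObject]$rec }   # emit the previous record
            $rec = [ordered]@{ Name = $Matches[1]; Priority = 0; Weight = 0; Port = 0; Target = '' }
        } elseif ($null -eq $rec) {
            continue                                       # skip the Server:/Address: preamble
        } elseif ($line -match '^\s*priority\s*=\s*(\d+)') { $rec.Priority = [int]$Matches[1]
        } elseif ($line -match '^\s*weight\s*=\s*(\d+)')   { $rec.Weight   = [int]$Matches[1]
        } elseif ($line -match '^\s*port\s*=\s*(\d+)')     { $rec.Port     = [int]$Matches[1]
        } elseif ($line -match '^\s*svr hostname\s*=\s*(\S+)') { $rec.Target = $Matches[1] }
    }
    if ($null -ne $rec) { [PSCustomObject]$rec }
}

# Hypothetical helper: lowest priority group first, weighted random order inside each group.
function Get-SrvConnectOrder {
    param([Parameter(Mandatory)][object[]]$Records, [int]$Seed = 0)
    $rng = [System.Random]::new($Seed)                     # seeded so a run can be repeated
    foreach ($group in ($Records | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $pool = [System.Collections.Generic.List[object]]::new()
        $group.Group | Sort-Object Weight | ForEach-Object { $pool.Add($_) }   # weight 0 first
        while ($pool.Count -gt 0) {
            $total = [int]($pool | Measure-Object -Property Weight -Sum).Sum
            $pick = $rng.Next(0, $total + 1)               # uniform integer in 0..total
            $running = 0
            for ($i = 0; $i -lt $pool.Count; $i++) {
                $running += $pool[$i].Weight
                if ($running -ge $pick) { $pool[$i]; $pool.RemoveAt($i); break }
            }
        }
    }
}

$records = ConvertFrom-NslookupSrv -Text $sample
Get-SrvConnectOrder -Records $records -Seed 1 | Format-Table Priority, Weight, Port, Target
```

Changing -Seed reshuffles dc1 and dc3 within priority 0 in roughly a 1:3 ratio, while dc2 (priority 10) is always tried last.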

CAA records (certificate authority authorization)#

CAA records tell certificate authorities which CAs are permitted to issue certificates for a domain. Critical for security audits: a missing or wrong CAA record can allow unauthorized cert issuance.

nslookup -type=CAA example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com     CAA = 0 issue "letsencrypt.org"
example.com     CAA = 0 iodef "mailto:security@example.com"

issue controls who can issue certs; iodef is the email address for incident reporting. 0 is the flag (critical bit cleared).
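
How a CA reads these records, as an added example that is not part of the original page: the function below applies the RFC 8659 issuance rules to CAA lines in the nslookup format shown above. The function name and the CA name ca.example.net are hypothetical, and the input is assumed to already be the record set that applies to the domain (the parent-domain search is not shown).

```powershell
# Constructed input: the two CAA lines from the nslookup output above.
$caaLines = @(
    'example.com     CAA = 0 issue "letsencrypt.org"',
    'example.com     CAA = 0 iodef "mailto:security@example.com"'
)

# Hypothetical helper: decide whether a CAA record set lets a given CA issue.
function Test-CaaPermitsIssuer {
    param(
        [string[]]$Lines = @(),
        [Parameter(Mandatory)][string]$Issuer,
        [switch]$Wildcard
    )
    $known = 'issue', 'issuewild', 'iodef'
    $records = @(foreach ($line in $Lines) {
        if ($line -match 'CAA\s*=\s*(\d+)\s+(\w+)\s+"([^"]*)"') {
            [PSCustomObject]@{ Flags = [int]$Matches[1]; Tag = $Matches[2].ToLower(); Value = $Matches[3] }
        }
    })
    $result = [ordered]@{ Issuer = $Issuer; Permitted = $true; Reason = '' }

    # Critical bit (128) on a tag the evaluator does not understand: issuance must be refused.
    $critical = @($records | Where-Object { ($_.Flags -band 128) -and ($known -notcontains $_.Tag) })
    if ($critical.Count -gt 0) {
        $result.Permitted = $false
        $result.Reason = "critical flag on unrecognised tag '$($critical[0].Tag)'"
        return [PSCustomObject]$result
    }

    # Wildcard requests use issuewild when it is present, otherwise they fall back to issue.
    $tag = 'issue'
    if ($Wildcard -and (@($records | Where-Object Tag -eq 'issuewild').Count -gt 0)) { $tag = 'issuewild' }
    $relevant = @($records | Where-Object Tag -eq $tag)
    if ($relevant.Count -eq 0) {
        # Missing CAA (or only iodef): nothing restricts issuance.
        $result.Reason = "no $tag property published, so any CA may issue"
        return [PSCustomObject]$result
    }

    # The CA name is the part before any ';' parameters; an empty name authorises nobody.
    $allowed = @($relevant | ForEach-Object { ($_.Value -split ';')[0].Trim().ToLower() } | Where-Object { $_ })
    $list = if ($allowed.Count -gt 0) { $allowed -join ', ' } else { 'no CA' }
    $result.Permitted = $allowed -contains $Issuer.ToLower()
    $result.Reason = "$tag property allows: $list"
    [PSCustomObject]$result
}

Test-CaaPermitsIssuer -Lines $caaLines -Issuer 'letsencrypt.org'
Test-CaaPermitsIssuer -Lines $caaLines -Issuer 'ca.example.net'            # hypothetical CA, not listed
Test-CaaPermitsIssuer -Lines $caaLines -Issuer 'letsencrypt.org' -Wildcard # falls back to issue
Test-CaaPermitsIssuer -Lines @() -Issuer 'ca.example.net'                  # missing CAA record set
```

The last call is the audit finding the section warns about: with no CAA record published, the check permits every CA.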

DNSSEC records#

DNSSEC records (DNSKEY, DS, RRSIG, NSEC, NSEC3) form the chain of trust that validates DNS responses. nslookup can query them but does not perform validation — that requires a DNSSEC-aware resolver.

nslookup -type=DNSKEY example.com

Output:

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
example.com
        primary name server = ...
        Key Flags = 257 (Zone Signing Key, Secure Entry Point)
        Protocol  = 3
        Algorithm = 8 (RSASHA256)
        ...

nslookup -type=DS example.com

Output: (DS record with key tag, algorithm, digest type, and hex digest)

The DS (Delegation Signer) record is published in the parent zone (.com in this case) and forms the link in the DNSSEC chain. If a domain is signed but the DS record is missing or stale at the parent, validation fails and resolvers report SERVFAIL.

Server selection (-port, -timeout, -retry)#

By default nslookup queries port 53 with a 2-second timeout and a single retry. Adjust them for slow servers or non-standard ports (DNS-over-TCP, custom resolver ports).

rem Use a custom port (some private resolvers listen on 5353)
nslookup -port=5353 example.com 127.0.0.1

Output:

Server:  127.0.0.1
Address:  127.0.0.1#5353

Non-authoritative answer:
Name:    example.com
Address:  93.184.216.34

rem Increase timeout and retries on a slow link
nslookup -timeout=10 -retry=3 example.com slow.dns.example.com

Output:

Server:  slow.dns.example.com
Address:  198.51.100.53

Non-authoritative answer:
Name:    example.com
Address:  93.184.216.34

Debug mode in depth#

-debug shows the full query/response packet structure, including flags, opcode, response code (RCODE), and timing. -d2 is even more verbose and shows the request being sent.

nslookup -debug example.com

Output:

Server:  dns.google
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        example.com, type = A, class = IN
    ANSWERS:
    ->  example.com
        internet address = 93.184.216.34
        ttl = 86400 (1 day)
------------
Non-authoritative answer:
Name:    example.com
Address:  93.184.216.34

RCODE values worth recognising:

RCODE  Name      Meaning
0      NOERROR   Query succeeded
1      FORMERR   Malformed query
2      SERVFAIL  Server failed (often DNSSEC validation failure)
3      NXDOMAIN  Domain does not exist
5      REFUSED   Server refuses to answer (e.g. recursion disabled)

Trace a DNSSEC failure by inspecting RCODE — SERVFAIL from a validating resolver but NOERROR from a non-validating one is the signature.
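
The RCODE comparison described above, as an added example that is not part of the original page: it parses two -debug captures in the format shown in this section and reports whether they match the DNSSEC failure signature. The function names, the name signed.example.com and both captures are constructed for illustration.

```powershell
# Constructed captures in the -debug format shown above; both outcomes are hypothetical.
# Real input would come from: nslookup -debug <name> <server> 2>&1 | Out-String
$fromValidating = @'
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        signed.example.com, type = A, class = IN
------------
'@
$fromNonValidating = @'
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        signed.example.com, type = A, class = IN
    ANSWERS:
    ->  signed.example.com
        internet address = 192.0.2.10
        ttl = 300 (5 mins)
------------
'@

# Hypothetical helper: one object per "Got answer" header in nslookup -debug text.
function ConvertFrom-NslookupDebug {
    param([Parameter(Mandatory)][string]$Text)
    $hdr = $null
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match 'opcode\s*=\s*(\w+),\s*id\s*=\s*(\d+),\s*rcode\s*=\s*(\w+)') {
            if ($null -ne $hdr) { [PSCustomObject]$hdr }   # emit the previous header
            $hdr = [ordered]@{ Rcode = $Matches[3].ToUpper(); Answers = 0; Question = ''; QType = '' }
        } elseif ($null -eq $hdr) {
            continue
        } elseif ($line -match '\banswers\s*=\s*(\d+)') {
            $hdr.Answers = [int]$Matches[1]
        } elseif (-not $hdr.Question -and $line -match '^\s*(\S+),\s*type\s*=\s*(\w+),\s*class\s*=') {
            $hdr.Question = $Matches[1]; $hdr.QType = $Matches[2]
        }
    }
    if ($null -ne $hdr) { [PSCustomObject]$hdr }
}

# Hypothetical helper: compare the RCODE for one name across the two captures.
function Test-DnssecFailureSignature {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ValidatingDebug,
        [Parameter(Mandatory)][string]$NonValidatingDebug
    )
    $v = ConvertFrom-NslookupDebug -Text $ValidatingDebug    | Where-Object Question -eq $Name | Select-Object -Last 1
    $n = ConvertFrom-NslookupDebug -Text $NonValidatingDebug | Where-Object Question -eq $Name | Select-Object -Last 1
    $verdict = if ($null -eq $v -or $null -eq $n) { 'no header found for this name in one of the captures' }
        elseif ($v.Rcode -eq 'SERVFAIL' -and $n.Rcode -eq 'NOERROR') { 'DNSSEC validation failure likely: check the DS record at the parent zone' }
        elseif ($v.Rcode -eq $n.Rcode) { "both resolvers agree ($($v.Rcode)): not a validation-only failure" }
        else { 'resolvers disagree for another reason: compare the full packets' }
    [PSCustomObject]@{ Name = $Name; ValidatingRcode = $v.Rcode; NonValidatingRcode = $n.Rcode; Verdict = $verdict }
}

Test-DnssecFailureSignature -Name 'signed.example.com' -ValidatingDebug $fromValidating -NonValidatingDebug $fromNonValidating | Format-List
```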

PowerShell equivalent: Resolve-DnsName#

Resolve-DnsName is the modern PowerShell DNS query cmdlet, with first-class structured output, type-specific record fields, and DNSSEC validation flags. It is significantly more script-friendly than nslookup.

# Basic A record lookup
Resolve-DnsName example.com

# Specific record type
Resolve-DnsName example.com -Type MX

# Use a specific DNS server
Resolve-DnsName example.com -Server 1.1.1.1

# Force a fresh query (bypass local resolver cache)
Resolve-DnsName example.com -NoHostsFile -DnsOnly

# Set the DNSSEC OK (DO) bit to request signature (RRSIG) records; the client does not validate them
Resolve-DnsName example.com -DnssecOk

# Return only the IP addresses
(Resolve-DnsName example.com -Type A).IPAddress

Output:

Name                                     Type   TTL   Section    IPAddress
----                                     ----   ---   -------    ---------
example.com                              A      300   Answer     93.184.216.34

# All MX records, sorted by preference
Resolve-DnsName example.com -Type MX |
    Sort-Object Preference |
    Select-Object Preference, NameExchange

Output:

Preference NameExchange
---------- ------------
        10 mail1.example.com
        20 mail2.example.com

Unlike nslookup, Resolve-DnsName properly returns negative results as PowerShell errors that can be caught:

try {
    Resolve-DnsName nonexistent.example -ErrorAction Stop
} catch {
    "Lookup failed: $($_.Exception.Message)"
}

Output:

Lookup failed: nonexistent.example : DNS name does not exist

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)#

nslookup only speaks plaintext DNS on port 53; it does not support DoH (RFC 8484, port 443) or DoT (RFC 7858, port 853). Windows 11 added system-level DoH support, configurable via netsh dns add encryption. As of the February 2026 Windows Server 2025 update, DoH is also available in public preview on the Windows DNS Server side for client-facing traffic. Reports from May 2026 confirm the Windows 11 DNS client may still fall back to plaintext DNS under some conditions unless administrators explicitly require encrypted resolution (autoupgrade=yes udpfallback=no):

rem Require DoH for 1.1.1.1 (auto-upgrade on, no plaintext UDP fallback)
netsh dns add encryption server=1.1.1.1 dohtemplate=https://cloudflare-dns.com/dns-query autoupgrade=yes udpfallback=no
netsh dns show encryption

Output:

Server: 1.1.1.1
DohTemplate           : https://cloudflare-dns.com/dns-query
AutoUpgrade           : yes
UdpFallback           : no

For testing DoH queries directly, use PowerShell’s Invoke-RestMethod against the JSON DoH endpoint:

$response = Invoke-RestMethod `
    -Uri 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' `
    -Headers @{Accept='application/dns-json'}
$response.Answer

Output:

name        type TTL data
----        ---- --- ----
example.com    1 300 93.184.216.34

Bypassing the local DNS cache#

Windows caches DNS responses in the DNS Client service (svchost). nslookup always queries the server directly and bypasses the cache, so it shows the resolver’s view rather than the local view. To inspect or clear the cache:

ipconfig /flushdns
ipconfig /displaydns | findstr Record

Output: (lists each cached Record Name line, e.g. Record Name . . . . . : example.com)

Clear-DnsClientCache
Get-DnsClientCache | Where-Object Data -ne $null

Output:

Entry                  RecordName   RecordType  Status   Section  TimeTo Data
                                                                  Live   Length
-----                  ----------   ----------  ------   -------  ------ ------
example.com            example.com  A           Success  Answer      62      4

Negative cache entries (NXDOMAIN, SERVFAIL) are cached too; if a lookup persistently fails after the upstream is fixed, flush the cache.

Reading PTR responses correctly#

Reverse lookups return PTR records that themselves point to a forward name. Verify the pair matches (forward-confirmed reverse DNS, or FCrDNS) — many mail servers reject mail from senders without matching FCrDNS.

nslookup 93.184.216.34
nslookup the-resulting-name

Output: (first command returns PTR; second command should return the same IP for a valid pair)

If the second lookup returns 93.184.216.34, the FCrDNS is valid; otherwise the reverse delegation is misconfigured.

function Test-FCrDNS {
    param([string]$IP)
    $reverse = (Resolve-DnsName $IP -Type PTR -ErrorAction SilentlyContinue).NameHost
    if (-not $reverse) { return "$IP -> no PTR" }
    $forward = (Resolve-DnsName $reverse -Type A -ErrorAction SilentlyContinue).IPAddress
    if ($forward -contains $IP) { return "$IP <-> $reverse [VALID]" }
    return "$IP -> $reverse -> $forward [MISMATCH]"
}
Test-FCrDNS 8.8.8.8

Output:

8.8.8.8 <-> dns.google [VALID]

Interactive mode advanced commands#

Interactive mode supports many set commands beyond type. Useful ones:

> set d2                  # very verbose debug
> set retry=5             # retry count per query
> set timeout=10          # per-query timeout in seconds
> set port=5353           # query non-standard port
> set norecurse           # send a non-recursive query (talk to an auth server)
> set vc                  # use TCP (virtual circuit) instead of UDP
> ls -d example.com       # zone transfer (almost universally refused now)
> view file.txt           # display a file in the pager
> root                    # set server to the root hint
> server 8.8.8.8          # change server
> finger user@host        # invoke finger (deprecated, rarely works)
> help                    # show all commands

DNS query types reference#

A full reference of the most useful types nslookup recognises with -type= or set type=:

Type          Purpose
A             IPv4 address
AAAA          IPv6 address
CNAME         Canonical name (alias)
MX            Mail exchanger
NS            Authoritative name server
SOA           Start of authority
TXT           Free-form text (SPF, DKIM, verification)
PTR           Reverse pointer
SRV           Service location
CAA           Certificate authority authorization
DNSKEY        DNSSEC public key
DS            DNSSEC delegation signer
RRSIG         DNSSEC signature
NSEC / NSEC3  DNSSEC denial of existence
SPF           Deprecated SPF record (use TXT)
NAPTR         Naming authority pointer (ENUM, SIP)
LOC           Geographic location
HINFO         Host info (rarely used; deprecated by RFC 8482)

Common pitfalls#

  1. “Non-authoritative answer” — most results come from a caching resolver, not the zone’s primary server; query the authoritative NS directly for the source-of-truth value.
  2. “Server failed” ≠ “host doesn’t exist” — the queried DNS server may be unreachable or refusing RTYPE queries; try a different server with nslookup hostname 8.8.8.8.
  3. Default server shown in output is your resolver — the Server: line is your configured DNS, not the authoritative server for the domain.
  4. -type=ANY is increasingly blocked — DNSSEC and resolver policies often refuse ANY queries (RFC 8482); query specific types instead.
  5. No -- flag separator — options must come before the hostname; nslookup example.com -type=MX does not work. Use nslookup -type=MX example.com.
  6. Interactive mode exit — type exit or press Ctrl+C; Ctrl+Z followed by Enter also works.
  7. TXT records may be truncated in output — long DKIM keys span multiple quoted strings; Resolve-DnsName -Type TXT joins them transparently.
  8. nslookup is deprecated in Windows roadmap — Microsoft has signalled that Resolve-DnsName is the preferred tool; nslookup is still shipped but no longer enhanced.
  9. CNAME chain depth: nslookup follows CNAMEs but only displays the final A/AAAA; use -debug to see intermediate CNAMEs.
  10. ls (zone transfer) returns “Query refused” — almost no public server allows AXFR; use it only on authorized internal name servers.
  11. Cached negative responses — a failed lookup may stay in Get-DnsClientCache for the TTL of the SOA; flush with ipconfig /flushdns before retrying.
  12. Hosts file overrides DNS: C:\Windows\System32\drivers\etc\hosts entries take precedence over DNS; check there if nslookup returns one value and ping returns another.
  13. DNS server in Server: line is empty — happens when system has no DNS configured or all servers are unreachable; check ipconfig /all.
  14. Default Server: UnKnown — printed when the resolver IP has no PTR; harmless, the queries still work.
  15. IPv6-only DNS servers require -6 — older nslookup builds may not handle IPv6 resolvers correctly.

Real-world recipes#

Verify SPF record is published#

nslookup -type=TXT example.com 8.8.8.8

Output:

...
        "v=spf1 include:_spf.example.com ~all"

Check DNS propagation against multiple resolvers#

@echo off
for %%s in (8.8.8.8 1.1.1.1 9.9.9.9) do (
    echo --- %%s ---
    nslookup example.com %%s | findstr "Address"
)

Output:

--- 8.8.8.8 ---
Address:  93.184.216.34
--- 1.1.1.1 ---
Address:  93.184.216.34
--- 9.9.9.9 ---
Address:  93.184.216.34

Find the mail server for a domain#

nslookup -type=MX corp.example.com 8.8.8.8

Output:

corp.example.com     MX preference = 10, mail exchanger = mail.corp.example.com

Debug a resolution failure with full packet detail#

nslookup -debug broken.example.com

Output:

------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 1, rcode = NXDOMAIN
        ...
------------
*** dns.google can't find broken.example.com: Non-existent domain

Find every Active Directory domain controller#

AD publishes domain controllers via SRV records. A single query returns the full list.

nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com

Output:

_ldap._tcp.dc._msdcs.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
_ldap._tcp.dc._msdcs.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.example.com

Resolve-DnsName "_ldap._tcp.dc._msdcs.example.com" -Type SRV |
    Sort-Object Priority | Select-Object NameTarget, Port, Priority, Weight

Bulk-verify SPF, DKIM, and DMARC records#

A pre-deployment checklist for any mail-sending domain.

$domain = 'example.com'
@(
    @{Label='SPF';   Q="$domain";              Type='TXT';  Filter={$_.Strings -like '*v=spf1*'}},
    @{Label='DMARC'; Q="_dmarc.$domain";       Type='TXT';  Filter={$_.Strings -like '*v=DMARC1*'}},
    @{Label='DKIM';  Q="default._domainkey.$domain"; Type='TXT'; Filter={$_.Strings -like '*v=DKIM1*' -or $_.Strings -like '*k=rsa*'}},
    @{Label='MX';    Q="$domain";              Type='MX';   Filter={$true}}
) | ForEach-Object {
    $records = Resolve-DnsName $_.Q -Type $_.Type -ErrorAction SilentlyContinue |
        Where-Object $_.Filter
    if ($records) {
        "$($_.Label): OK"
    } else {
        "$($_.Label): MISSING"
    }
}

Output:

SPF: OK
DMARC: OK
DKIM: OK
MX: OK

Get all A and AAAA records for a load-balanced hostname#

For a hostname behind GSLB or anycast, the resolver may return different IPs each query. Sample multiple resolvers to see the full set.

$servers = '8.8.8.8','1.1.1.1','9.9.9.9','8.8.4.4','149.112.112.112'
$all = $servers | ForEach-Object {
    Resolve-DnsName www.example.com -Type A -Server $_ -ErrorAction SilentlyContinue
} | Select-Object -ExpandProperty IPAddress -Unique
$all

Output:

93.184.216.34
93.184.216.35
93.184.216.36

Time DNS query latency to multiple resolvers#

A benchmark of resolver speed helps pick the right DNS server for ipconfig configuration.

$resolvers = @{
    'Cloudflare' = '1.1.1.1'
    'Google'     = '8.8.8.8'
    'Quad9'      = '9.9.9.9'
    'OpenDNS'    = '208.67.222.222'
    'ControlD'   = '76.76.2.0'
}
$resolvers.GetEnumerator() | ForEach-Object {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    Resolve-DnsName example.com -Server $_.Value -Type A -ErrorAction SilentlyContinue | Out-Null
    $sw.Stop()
    [PSCustomObject]@{Resolver=$_.Key; IP=$_.Value; LatencyMs=$sw.ElapsedMilliseconds}
} | Sort-Object LatencyMs

Output:

Resolver   IP              LatencyMs
--------   --              ---------
Cloudflare 1.1.1.1                12
Google     8.8.8.8                14
Quad9      9.9.9.9                18
OpenDNS    208.67.222.222         22
ControlD   76.76.2.0              35

Audit DNS resolver configuration#

A diagnostic snapshot covering local resolver settings, cache stats, and current DoH state.

Get-DnsClient | Format-Table InterfaceAlias, ConnectionSpecificSuffix
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
Get-DnsClientCache | Measure-Object | Select-Object @{n='CachedEntries';e={$_.Count}}
netsh dns show encryption

Output:

InterfaceAlias ConnectionSpecificSuffix
-------------- ------------------------
Ethernet       lan.example.com

InterfaceAlias ServerAddresses
-------------- ---------------
Ethernet       {1.1.1.1, 1.0.0.1}

CachedEntries
-------------
          247

Detect DNS hijacking on a network#

A quick test: query a known-good DNS server through multiple paths and compare answers. If a network operator is rewriting responses, the answers will differ.

$expected = (Resolve-DnsName example.com -Server 1.1.1.1).IPAddress | Sort-Object
$local    = (Resolve-DnsName example.com).IPAddress | Sort-Object
if (Compare-Object $expected $local) {
    Write-Warning "DNS hijack suspected: local=$local expected=$expected"
} else {
    "DNS responses match across resolvers"
}

Output:

DNS responses match across resolvers

Force a fresh authoritative lookup#

Sometimes the local cache or upstream resolver has a stale value. Go all the way to the authoritative server.

$ns = (Resolve-DnsName example.com -Type NS).NameHost | Select-Object -First 1
Resolve-DnsName example.com -Server $ns -Type A

Output:

Name                                     Type   TTL   Section    IPAddress
----                                     ----   ---   -------    ---------
example.com                              A      3600  Answer     93.184.216.34

This is the equivalent of dig +norecurse @authoritative-server example.com on Linux.

CSV inventory of all DNS records for multiple domains#

Bulk export A/AAAA/MX/NS/TXT for a list of domains — useful for migration planning.

$domains = 'example.com','example.org','example.net'
$types = 'A','AAAA','MX','NS','TXT'
$rows = foreach ($d in $domains) {
    foreach ($t in $types) {
        Resolve-DnsName $d -Type $t -ErrorAction SilentlyContinue |
            Where-Object Type -eq $t |
            ForEach-Object {
                [PSCustomObject]@{
                    Domain = $d
                    Type   = $t
                    TTL    = $_.TTL
                    Data   = ($_.IPAddress, $_.NameExchange, $_.NameHost, ($_.Strings -join ' ')) -ne $null | Select-Object -First 1
                }
            }
    }
}
$rows | Export-Csv -NoTypeInformation C:\Audit\dns_inventory.csv

Output:

(none — writes CSV)

See also#

  • ipconfig: /flushdns, /displaydns, /registerdns for the local resolver
  • ping — uses DNS to resolve hostnames before sending ICMP
  • tracert — relies on PTR records for reverse-DNS hop labels
  • route — affects which DNS server is reachable when multi-homed
  • netsh: netsh dns for configuration including DoH encryption
  • Linux dig — cross-platform comparison; richer query options and output
