nslookup tutorial — DNS queries on Windows, macOS, and Linux
Learn how to use nslookup for DNS queries across Windows, macOS, and Linux, plus when to switch to dig or PowerShell's Resolve-DnsName for richer output and scripting.
Answer snapshot
nslookup is the universally-available DNS lookup tool — built into Windows, macOS, and Linux without extra packages. Less powerful than dig (no DNSSEC inspection, sparser output, awkward batch usage), but the right pick when you need a quick lookup on a machine where you can't install anything. On Windows, PowerShell's `Resolve-DnsName` is a strict upgrade and worth knowing alongside.
What you'll learn
- Run basic and record-type-specific DNS queries with nslookup on any platform
- Switch nameservers, set query options, and use interactive mode
- Recognise nslookup's limitations and know when to switch to dig or PowerShell
- Use Windows PowerShell's Resolve-DnsName as a richer alternative
nslookup is the universally-available DNS lookup tool — pre-installed on Windows, macOS, and Linux without extra packages. It's less powerful than dig, but it's the right pick when you need a quick check on a system where you can't install anything. This guide covers nslookup itself plus the modern PowerShell equivalent on Windows.
When to reach for nslookup
- You're on a fresh Windows machine without dig installed, and you need a quick lookup.
- You're on a stripped-down container and only
nslookupis on the path. - You just need a one-off "is this name resolving?" check — nslookup is fine.
For anything more — DNSSEC validation, batch queries, scripting, parsing output — switch to dig or PowerShell.
Basic syntax
nslookup <name> [resolver]The [resolver] is optional; without it, nslookup uses your system's default resolver.
Example 1 — Simple lookup
nslookup www.example.comOutput:
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.example.com
Address: 93.184.216.34The Server: and Address: lines tell you which resolver answered. Non-authoritative answer: means the response came from a cache, not directly from the authoritative server.
Example 2 — Query a specific resolver
nslookup www.example.com 1.1.1.1
nslookup www.example.com ns1.dnscale.euPass the resolver as the second argument. Querying the authoritative nameserver directly gives you the ground truth — what the zone actually serves, bypassing any caches.
Example 3 — Specific record type
nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=AAAA www.example.com
nslookup -type=NS example.com
nslookup -type=SOA example.com-type= (or shorter, -q=) selects the record type. Without it, nslookup defaults to A.
Example 4 — Reverse DNS
nslookup 192.0.2.1
nslookup 2001:db8::1Pass an IP address; nslookup recognises it and queries the PTR record automatically.
Interactive mode
nslookup has an interactive mode you enter by running it with no arguments:
nslookup
> www.example.com
> set type=MX
> example.com
> server 1.1.1.1
> www.example.com
> exitUseful for running a sequence of queries without re-typing options. Mostly a Windows convention; less common on Linux/macOS where shell history is more flexible.
Common options
| Option | Effect |
|---|---|
-type=<type> | Set query type (A, MX, TXT, NS, etc.) |
-port=<port> | Use non-default port (rarely needed) |
-timeout=<sec> | Set per-query timeout |
-retry=<n> | Retry count |
-debug | Verbose protocol-level output (varies by platform) |
Example with multiple options:
nslookup -type=MX -timeout=2 example.com 1.1.1.1Worked examples
Example 5 — Verify a record was published
nslookup www.example.com ns1.dnscale.euQuerying authoritative directly. If this returns the expected IP, the record is correctly published; any failure to resolve elsewhere is a caching or local-resolver issue.
Example 6 — Compare two resolvers
nslookup www.example.com 8.8.8.8
nslookup www.example.com 1.1.1.1If they disagree, propagation is in progress (or one resolver is misbehaving). See DNS propagation.
Example 7 — MX records and email troubleshooting
nslookup -type=MX example.comOutput lists each MX record with priority. Lower priority = preferred mail server. Use this to confirm mail-routing configuration.
Example 8 — TXT records (SPF, DKIM, DMARC)
nslookup -type=TXT example.com
nslookup -type=TXT default._domainkey.example.com # DKIM with selector "default"
nslookup -type=TXT _dmarc.example.com # DMARCExample 9 — NS delegation
nslookup -type=NS example.comLists the authoritative nameservers. Match against the registrar's NS configuration; mismatches signal delegation problems.
Example 10 — Diagnose NXDOMAIN
nslookup wwww.example.com
# *** Can't find wwww.example.com: Non-existent domainThe "Non-existent domain" error is nslookup's NXDOMAIN message. Causes: typo, deleted record, propagation lag, DNSSEC failure. See NXDOMAIN explained.
Where nslookup falls short
Compared to dig:
- No DNSSEC inspection. No equivalent of
dig +cdto bypass validation, no easy way to inspect RRSIG or DNSKEY records. - No
+traceequivalent. Can't walk the delegation hierarchy from root. - No AXFR. nslookup doesn't support zone transfers cleanly.
- Output is harder to script against. No equivalent of
dig +shortfor clean machine-parseable output. - Inconsistent across platforms. Windows nslookup and Linux nslookup have small but annoying differences in flags and output format.
For production diagnostic work, prefer dig.
Windows: Resolve-DnsName (PowerShell)
If you're on Windows and don't want to install dig, PowerShell ships Resolve-DnsName — a native cmdlet that's strictly better than nslookup. Returns structured PowerShell objects.
Example 11 — Basic Resolve-DnsName
Resolve-DnsName www.example.comOutput is a table with Name, Type, TTL, Section, IPAddress.
Example 12 — Specific record type
Resolve-DnsName www.example.com -Type AAAA
Resolve-DnsName example.com -Type MX
Resolve-DnsName example.com -Type TXTExample 13 — Specific resolver
Resolve-DnsName www.example.com -Server ns1.dnscale.eu
Resolve-DnsName www.example.com -Server 1.1.1.1Example 14 — Use in pipelines
Resolve-DnsName example.com -Type MX | Sort-Object Preference | Format-Table
Resolve-DnsName example.com -Type TXT | Where-Object { $_.Strings -match "v=spf1" }PowerShell's structured output makes filtering and sorting trivial — much harder with text-only nslookup.
Example 15 — DNSSEC validation
Resolve-DnsName www.example.com -DnssecOk -DnssecCd-DnssecOk requests DNSSEC records; -DnssecCd is the equivalent of dig's +cd. Useful for diagnosing DNSSEC-related failures on Windows.
Example 16 — Reverse DNS
Resolve-DnsName 192.0.2.1PowerShell automatically detects IP-format input and runs reverse DNS. Same for IPv6.
Example 17 — Batch queries
"www.example.com", "mail.example.com", "api.example.com" | ForEach-Object {
Resolve-DnsName $_ | Select-Object Name, IPAddress
}Pipeline-friendly batch lookup — much cleaner than nslookup's interactive mode.
Comparison: nslookup vs dig vs Resolve-DnsName
| Capability | nslookup | dig | Resolve-DnsName |
|---|---|---|---|
| Pre-installed on Windows | ✓ | — | ✓ |
| Pre-installed on macOS | ✓ | ✓ | — |
| Pre-installed on most Linux | ✓ | ✓ | — |
| Specific record type | ✓ | ✓ | ✓ |
| Specific resolver | ✓ | ✓ | ✓ |
+short-style clean output | — | ✓ | ✓ (via pipeline) |
+trace from root | — | ✓ | partial |
| DNSSEC inspection | — | ✓ | ✓ |
| Reverse DNS | ✓ | ✓ | ✓ |
| AXFR zone transfer | — | ✓ | — |
| Pipeline-friendly output | — | ✓ (with flags) | ✓ (native) |
| Batch queries from file | — | ✓ | ✓ (via pipeline) |
Recommendation: dig if available; Resolve-DnsName on Windows; nslookup as the universal fallback.
Common pitfalls
- Treating "Non-authoritative answer" as a problem. It just means the response came from a cache. That's normal. To get an authoritative answer, query the authoritative server directly.
- Trusting nslookup's default resolver in VPN setups. VPNs often inject their own DNS. Specify the resolver explicitly when troubleshooting:
nslookup www.example.com 1.1.1.1. - Forgetting
-type=. Without it, nslookup queries A only. If you wanted MX, you got nothing useful. - Confusing nslookup output formats across OSes. Windows and macOS / Linux nslookup print slightly different sections. If a tutorial's output doesn't match yours, the difference is usually cosmetic.
- Not checking for the " server can't find " message. That's nslookup's way of saying NXDOMAIN, SERVFAIL, or generic failure — you need to look at the surrounding context to tell which.
Related guides
- dig command tutorial
- NXDOMAIN errors
- SERVFAIL errors
- DNS propagation explained
- How to flush DNS cache
References
- Microsoft documentation: Resolve-DnsName cmdlet reference
- IETF RFC 1035 — DNS basic specification
Frequently asked questions
- Should I use nslookup or dig?
- dig is more powerful and produces parseable output suitable for scripting; use it for anything beyond a quick lookup. nslookup is fine for ad-hoc 'is this name resolving?' checks, especially on Windows where dig isn't installed by default. Real diagnostic work — DNSSEC validation, batch queries, propagation checks — should use dig (or PowerShell's Resolve-DnsName on Windows).
- Is nslookup installed by default everywhere?
- Yes — Windows, macOS, and most Linux distributions ship it as part of the OS or basic networking utilities. On stripped-down container images you may need to install it (`apk add bind-tools` on Alpine, `apt install dnsutils` on Debian-derived). It's also available in cloud shells like AWS CloudShell and Google Cloud Shell.
- Why does nslookup show two answers — non-authoritative and authoritative?
- nslookup's output prefixes the answer with 'Server:' (which resolver you queried) and 'Address:' (the IP of that resolver). Then 'Non-authoritative answer:' means the response came from a recursive resolver's cache, not directly from the authoritative server. To force authoritative, query the authoritative nameserver directly: `nslookup www.example.com ns1.dnscale.eu`.
- Can nslookup do reverse DNS?
- Yes. Run `nslookup 192.0.2.1` — nslookup automatically does the in-addr.arpa expansion and queries the PTR record. Same for IPv6: `nslookup 2001:db8::1`. dig's `-x` flag does the same with cleaner output.
- How do I query a specific record type with nslookup?
- Use `-type=` (or `-q=`). Example: `nslookup -type=MX example.com`. Record types: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, PTR, ANY. Compare to dig's syntax: `dig MX example.com` — slightly cleaner.
- What's PowerShell's Resolve-DnsName for?
- Resolve-DnsName is a Windows PowerShell cmdlet that's effectively dig for the Windows ecosystem. Returns rich, structured object output that integrates with PowerShell pipelines: `Resolve-DnsName www.example.com -Type MX | Format-Table`. Strictly better than nslookup for scripting on Windows — and built in, so no installation needed.
Related guides
Fundamentals
FQDN Explained - Fully Qualified Domain Names in DNS
What an FQDN is, how it differs from a hostname or relative DNS name, why the trailing dot matters, and how FQDNs behave in zone files, terminals, and Kubernetes.
Fundamentals
127.0.0.1 and Localhost Explained
What 127.0.0.1 and localhost mean, how loopback networking works, why localhost is not public DNS, and how to debug local resolver issues.
Fundamentals
ARP Explained - How IP Addresses Reach Local Devices
What ARP does, how IPv4 devices map IP addresses to MAC addresses on a local network, and how ARP differs from DNS.
Fundamentals
Managed DNS vs Self-Hosted DNS — Pros, Cons, and When to Choose Each
Compare managed DNS services with self-hosted DNS servers. Understand the trade-offs in cost, complexity, security, and reliability to decide which approach fits your infrastructure.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free