nslookup tutorial — DNS queries on Windows, macOS, and Linux
Learn how to use nslookup for DNS queries across Windows, macOS, and Linux, plus when to switch to dig or PowerShell's Resolve-DnsName for richer output and scripting.
TL;DR
nslookup is the universally-available DNS lookup tool — built into Windows, macOS, and Linux without extra packages. Less powerful than dig (no DNSSEC inspection, sparser output, awkward batch usage), but the right pick when you need a quick lookup on a machine where you can't install anything. On Windows, PowerShell's `Resolve-DnsName` is a strict upgrade and worth knowing alongside.
What you'll learn
- Run basic and record-type-specific DNS queries with nslookup on any platform
- Switch nameservers, set query options, and use interactive mode
- Recognise nslookup's limitations and know when to switch to dig or PowerShell
- Use Windows PowerShell's Resolve-DnsName as a richer alternative
nslookup is the universally-available DNS lookup tool — pre-installed on Windows, macOS, and Linux without extra packages. It's less powerful than dig, but it's the right pick when you need a quick check on a system where you can't install anything. This guide covers nslookup itself plus the modern PowerShell equivalent on Windows.
When to reach for nslookup
- You're on a fresh Windows machine without dig installed, and you need a quick lookup.
- You're on a stripped-down container and only `nslookup` is on the path.
- You just need a one-off "is this name resolving?" check — nslookup is fine.
For anything more — DNSSEC validation, batch queries, scripting, parsing output — switch to dig or PowerShell.
Basic syntax
```
nslookup <name> [resolver]
```
The `[resolver]` is optional; without it, nslookup uses your system's default resolver.
Example 1 — Simple lookup
```
nslookup www.example.com
```
Output:
```
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.example.com
Address: 93.184.216.34
```
The `Server:` and `Address:` lines tell you which resolver answered. `Non-authoritative answer:` means the response came from a cache, not directly from the authoritative server.
Example 2 — Query a specific resolver
```
nslookup www.example.com 1.1.1.1
nslookup www.example.com ns1.dnscale.eu
```
Pass the resolver as the second argument. Querying the authoritative nameserver directly gives you the ground truth — what the zone actually serves, bypassing any caches.
Example 3 — Specific record type
```
nslookup -type=MX example.com
nslookup -type=TXT example.com
nslookup -type=AAAA www.example.com
nslookup -type=NS example.com
nslookup -type=SOA example.com
```
`-type=` (or shorter, `-q=`) selects the record type. Without it, nslookup defaults to A.
Example 4 — Reverse DNS
```
nslookup 192.0.2.1
nslookup 2001:db8::1
```
Pass an IP address; nslookup recognises it and queries the PTR record automatically.
Interactive mode
nslookup has an interactive mode you enter by running it with no arguments:
```
nslookup
> www.example.com
> set type=MX
> example.com
> server 1.1.1.1
> www.example.com
> exit
```
Useful for running a sequence of queries without re-typing options. Mostly a Windows convention; less common on Linux/macOS where shell history is more flexible.
Common options
| Option | Effect |
|---|---|
| `-type=<type>` | Set query type (A, MX, TXT, NS, etc.) |
| `-port=<port>` | Use non-default port (rarely needed) |
| `-timeout=<sec>` | Set per-query timeout |
| `-retry=<n>` | Retry count |
| `-debug` | Verbose protocol-level output (varies by platform) |
Example with multiple options:
```
nslookup -type=MX -timeout=2 example.com 1.1.1.1
```
Worked examples
Example 5 — Verify a record was published
```
nslookup www.example.com ns1.dnscale.eu
```
This queries the authoritative server directly. If it returns the expected IP, the record is correctly published; any failure to resolve elsewhere is a caching or local-resolver issue.
Example 6 — Compare two resolvers
```
nslookup www.example.com 8.8.8.8
nslookup www.example.com 1.1.1.1
```
If they disagree, propagation is in progress (or one resolver is misbehaving). See DNS propagation.
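The comparison above can be scripted even where only nslookup is available. This is an added example, not part of the original tutorial: it extracts the answer addresses from nslookup's text output, skipping the resolver's own `Address:` line, and compares two resolvers' answers regardless of order or platform layout. The function names and sample outputs are constructed for illustration.

```shell
# Added example, not from the original tutorial. All sample outputs are constructed.
# answer_addrs: read nslookup output on stdin, print the answer addresses, sorted.
# Lines before the first "Name:" are the resolver header (Server:/Address:), so the
# resolver's own IP is never reported as an answer.
answer_addrs() {
    awk '
        /^Name:/    { in_answer = 1; next }
        /^Aliases:/ { in_answer = 0 }            # Windows: hostnames follow, not addresses
        in_answer && /^Address(es)?:/ {          # BIND "Address:", Windows "Addresses:"
            sub(/^Address(es)?:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next
        }
        in_answer && /^[ \t]+[0-9A-Fa-f:.]+[ \t]*$/ {   # Windows continuation line
            gsub(/[ \t]/, ""); print
        }
    ' | LC_ALL=C sort -u
}

# same_answers OUT1 OUT2: succeed only if both hold the same non-empty address set.
same_answers() {
    a=$(printf '%s\n' "$1" | answer_addrs)
    b=$(printf '%s\n' "$2" | answer_addrs)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# BIND-style output (Linux/macOS); addresses are from documentation ranges.
OUT_BIND='Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.example.com
Address: 192.0.2.10
Name:   www.example.com
Address: 2001:db8::10'

# Windows-style output for the same records, different order and layout.
OUT_WIN='Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::10
          192.0.2.10'

# One resolver still serving a different address.
OUT_STALE='Name:   www.example.com
Address: 192.0.2.99'

if same_answers "$OUT_BIND" "$OUT_WIN"; then echo "resolvers agree"; else echo "resolvers disagree"; fi
```

On a live system, pass real output instead of the samples, for example `same_answers "$(nslookup www.example.com 8.8.8.8 2>&1)" "$(nslookup www.example.com 1.1.1.1 2>&1)"`.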
Example 7 — MX records and email troubleshooting
```
nslookup -type=MX example.com
```
Output lists each MX record with priority. Lower priority = preferred mail server. Use this to confirm mail-routing configuration.
Example 8 — TXT records (SPF, DKIM, DMARC)
```
nslookup -type=TXT example.com
nslookup -type=TXT default._domainkey.example.com # DKIM with selector "default"
nslookup -type=TXT _dmarc.example.com # DMARC
```
Example 9 — NS delegation
```
nslookup -type=NS example.com
```
Lists the authoritative nameservers. Match against the registrar's NS configuration; mismatches signal delegation problems.
Example 10 — Diagnose NXDOMAIN
```
nslookup wwww.example.com
# *** Can't find wwww.example.com: Non-existent domain
```
The "Non-existent domain" error is nslookup's NXDOMAIN message. Causes: typo, deleted record, propagation lag, DNSSEC failure. See NXDOMAIN explained.
Where nslookup falls short
Compared to dig:
- No DNSSEC inspection. No equivalent of `dig +cd` to bypass validation, no easy way to inspect RRSIG or DNSKEY records.
- No `+trace` equivalent. Can't walk the delegation hierarchy from root.
- No AXFR. nslookup doesn't support zone transfers cleanly.
- Output is harder to script against. No equivalent of `dig +short` for clean machine-parseable output.
- Inconsistent across platforms. Windows nslookup and Linux nslookup have small but annoying differences in flags and output format.
For production diagnostic work, prefer dig.
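Where nslookup is the only tool on the host, the TXT lookups from Example 8 can still be checked by a script, at the cost of parsing text. This is an added example, not part of the original tutorial: it pulls the quoted TXT values out of nslookup's output and reports the DMARC policy tag. The function names, domain and sample outputs are constructed for illustration.

```shell
# Added example, not from the original tutorial. All sample outputs are constructed.

# txt_values: read "nslookup -type=TXT" output on stdin, print one TXT value per line.
# A TXT value may arrive as several quoted strings on one line; they are concatenated.
txt_values() {
    awk '
        /"/ {
            line = $0; txt = ""
            while (match(line, /"[^"]*"/)) {
                txt = txt substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            print txt
        }
    '
}

# dmarc_policy: read TXT output for _dmarc.<domain> on stdin, print the p= tag value
# (none, quarantine or reject), or "missing" when no DMARC record is present.
dmarc_policy() {
    txt_values | awk '
        /^v=DMARC1/ {
            n = split($0, tag, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", tag[i])
                if (tag[i] ~ /^p[ \t]*=/) {
                    sub(/^p[ \t]*=[ \t]*/, "", tag[i]); p = tolower(tag[i])
                }
            }
        }
        END { print (p == "" ? "missing" : p) }
    '
}

# BIND-style output; the value is split into two strings in the middle of the p= tag.
DMARC_SPLIT='Non-authoritative answer:
_dmarc.example.com      text = "v=DMARC1; p=qua" "rantine; pct=100"'

# Windows-style output: the value is printed on its own indented line.
DMARC_WIN='_dmarc.example.com      text =

        "v=DMARC1; p=none; rua=mailto:dmarc@example.com"'

# SPF record only: no DMARC policy is published.
SPF_ONLY='example.com     text = "v=spf1 -all"'

printf '%s\n' "$DMARC_SPLIT" | dmarc_policy
```

Live use is `nslookup -type=TXT _dmarc.example.com 2>&1 | dmarc_policy`; a result of `none` means the domain only monitors and receivers are not asked to quarantine or reject failing mail.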
Windows: Resolve-DnsName (PowerShell)
If you're on Windows and don't want to install dig, PowerShell ships `Resolve-DnsName` — a native cmdlet that's strictly better than nslookup. It returns structured PowerShell objects.
Example 11 — Basic Resolve-DnsName
```
Resolve-DnsName www.example.com
```
Output is a table with Name, Type, TTL, Section, IPAddress.
Example 12 — Specific record type
```
Resolve-DnsName www.example.com -Type AAAA
Resolve-DnsName example.com -Type MX
Resolve-DnsName example.com -Type TXT
```
Example 13 — Specific resolver
```
Resolve-DnsName www.example.com -Server ns1.dnscale.eu
Resolve-DnsName www.example.com -Server 1.1.1.1
```
Example 14 — Use in pipelines
```
Resolve-DnsName example.com -Type MX | Sort-Object Preference | Format-Table
Resolve-DnsName example.com -Type TXT | Where-Object { $_.Strings -match "v=spf1" }
```
PowerShell's structured output makes filtering and sorting trivial — much harder with text-only nslookup.
Example 15 — DNSSEC validation
```
Resolve-DnsName www.example.com -DnssecOk -DnssecCd
```
`-DnssecOk` requests DNSSEC records; `-DnssecCd` is the equivalent of dig's `+cd`. Useful for diagnosing DNSSEC-related failures on Windows.
Example 16 — Reverse DNS
```
Resolve-DnsName 192.0.2.1
```
PowerShell automatically detects IP-format input and runs reverse DNS. Same for IPv6.
Example 17 — Batch queries
```
"www.example.com", "mail.example.com", "api.example.com" | ForEach-Object {
    Resolve-DnsName $_ | Select-Object Name, IPAddress
}
```
Pipeline-friendly batch lookup — much cleaner than nslookup's interactive mode.
Comparison: nslookup vs dig vs Resolve-DnsName
| Capability | nslookup | dig | Resolve-DnsName |
|---|---|---|---|
| Pre-installed on Windows | ✓ | — | ✓ |
| Pre-installed on macOS | ✓ | ✓ | — |
| Pre-installed on most Linux | ✓ | ✓ | — |
| Specific record type | ✓ | ✓ | ✓ |
| Specific resolver | ✓ | ✓ | ✓ |
| `+short`-style clean output | — | ✓ | ✓ (via pipeline) |
| `+trace` from root | — | ✓ | partial |
| DNSSEC inspection | — | ✓ | ✓ |
| Reverse DNS | ✓ | ✓ | ✓ |
| AXFR zone transfer | — | ✓ | — |
| Pipeline-friendly output | — | ✓ (with flags) | ✓ (native) |
| Batch queries from file | — | ✓ | ✓ (via pipeline) |
Recommendation: dig if available; Resolve-DnsName on Windows; nslookup as the universal fallback.
Common pitfalls
- Treating "Non-authoritative answer" as a problem. It just means the response came from a cache. That's normal. To get an authoritative answer, query the authoritative server directly.
- Trusting nslookup's default resolver in VPN setups. VPNs often inject their own DNS. Specify the resolver explicitly when troubleshooting: `nslookup www.example.com 1.1.1.1`.
- Forgetting `-type=`. Without it, nslookup queries A only. If you wanted MX, you got nothing useful.
- Confusing nslookup output formats across OSes. Windows and macOS / Linux nslookup print slightly different sections. If a tutorial's output doesn't match yours, the difference is usually cosmetic.
- Not checking for the "server can't find" message. That's nslookup's way of saying NXDOMAIN, SERVFAIL, or generic failure — you need to look at the surrounding context to tell which.
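One way to tell those cases apart, as an added example that is not part of the original tutorial: a shell function that maps nslookup's text output to a status word, covering both the BIND wording (`NXDOMAIN`, `SERVFAIL`) and the Windows wording (`Non-existent domain`, `Server failed`). The function name and sample outputs are constructed for illustration.

```shell
# Added example, not from the original tutorial. All sample outputs are constructed.

# classify_nslookup: read nslookup output (stdout and stderr) on stdin, print one of
# OK, NXDOMAIN, SERVFAIL, REFUSED, NODATA, TIMEOUT, FAILED.
classify_nslookup() {
    awk '
        # Windows prints this when the resolver itself has no PTR record; not a query result.
        /find server name for address/ { next }
        /^Authoritative answers can be found/ { authority = 1 }
        /[Cc]an.t find/ {
            if      (/NXDOMAIN|Non-existent domain/) s = "NXDOMAIN"
            else if (/SERVFAIL|Server failed/)       s = "SERVFAIL"
            else if (/REFUSED|Query refused/)        s = "REFUSED"
            else if (/No answer/)                    s = "NODATA"
            else                                     s = "FAILED"
        }
        /timed out|no servers could be reached/ { if (s == "") s = "TIMEOUT" }
        # Answer lines: "Name:" blocks, or "owner  rrtype = value" outside the authority section.
        !authority && (/^Name:/ || /[a-z] =/) { answered = 1 }
        END {
            if (s == "NODATA" && answered) s = "OK"   # A answered, AAAA lookup came back empty
            if (s == "") s = answered ? "OK" : "FAILED"
            print s
        }
    '
}

NX_BIND="Server:         8.8.8.8
Address:        8.8.8.8#53
** server can't find wwww.example.com: NXDOMAIN"

SERVFAIL_WIN="Server:  UnKnown
Address:  192.0.2.53
*** UnKnown can't find broken.example.com: Server failed"

OK_WIN="*** Can't find server name for address 192.0.2.53: Non-existent domain
Server:  UnKnown
Address:  192.0.2.53
Name:    www.example.com
Address:  192.0.2.10"

NODATA_BIND="*** Can't find example.com: No answer
Authoritative answers can be found from:
example.com
        origin = ns1.example.net"

printf '%s\n' "$OK_WIN" | classify_nslookup
```

For a live query, merge stderr into the pipe so timeout messages are seen: `nslookup wwww.example.com 2>&1 | classify_nslookup`.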
Related guides
- dig command tutorial
- NXDOMAIN errors
- SERVFAIL errors
- DNS propagation explained
- How to flush DNS cache
Frequently asked questions
- Should I use nslookup or dig?
- dig is more powerful and produces parseable output suitable for scripting; use it for anything beyond a quick lookup. nslookup is fine for ad-hoc 'is this name resolving?' checks, especially on Windows where dig isn't installed by default. Real diagnostic work — DNSSEC validation, batch queries, propagation checks — should use dig (or PowerShell's Resolve-DnsName on Windows).
- Is nslookup installed by default everywhere?
- Yes — Windows, macOS, and most Linux distributions ship it as part of the OS or basic networking utilities. On stripped-down container images you may need to install it (`apk add bind-tools` on Alpine, `apt install dnsutils` on Debian-derived). It's also available in cloud shells like AWS CloudShell and Google Cloud Shell.
- Why does nslookup show two answers — non-authoritative and authoritative?
- nslookup's output prefixes the answer with 'Server:' (which resolver you queried) and 'Address:' (the IP of that resolver). Then 'Non-authoritative answer:' means the response came from a recursive resolver's cache, not directly from the authoritative server. To force authoritative, query the authoritative nameserver directly: `nslookup www.example.com ns1.dnscale.eu`.
- Can nslookup do reverse DNS?
- Yes. Run `nslookup 192.0.2.1` — nslookup automatically does the in-addr.arpa expansion and queries the PTR record. Same for IPv6: `nslookup 2001:db8::1`. dig's `-x` flag does the same with cleaner output.
- How do I query a specific record type with nslookup?
- Use `-type=` (or `-q=`). Example: `nslookup -type=MX example.com`. Record types: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, PTR, ANY. Compare to dig's syntax: `dig MX example.com` — slightly cleaner.
- What's PowerShell's Resolve-DnsName for?
- Resolve-DnsName is a Windows PowerShell cmdlet that's effectively dig for the Windows ecosystem. Returns rich, structured object output that integrates with PowerShell pipelines: `Resolve-DnsName www.example.com -Type MX | Format-Table`. Strictly better than nslookup for scripting on Windows — and built in, so no installation needed.