Basic commands
nslookup
dig
traceroute
tracepath
mtr
tcpdump
nslookup is a network administration tool for
querying the Domain Name System (DNS) to
obtain the mapping between a domain name and
an IP address, or any other specific DNS record.
It is also used to troubleshoot DNS-related
problems. nslookup can operate in both
"interactive mode" and "non-interactive mode".
Interactive mode allows the user to query the
DNS server about various hosts and domains.
Non-interactive mode allows the user to query
the information for a single host or domain.
nslookup, which stands for "name server lookup",
finds information about a named domain. It is a
program used to query Internet domain name
servers for information. nslookup has two modes:
interactive and non-interactive. ...
nslookup makes use of the configuration file
/etc/nsresolv.
When troubleshooting DNS issues, it is useful
to have access to Domain Name System
(DNS) records of a website. All mainstream
operating systems have tools that enable
users to query a web server and receive
important information such as IP addresses
and other pieces of domain-related
information.
nslookup Options

Option                  Description
-domain=[domain-name]   Change the default DNS name.
-debug                  Show debugging information.
-port=[port-number]     Specify the port for queries. The default port number is 53.
-timeout=[seconds]      Specify the time allowed for the server to respond.
-type=a                 View information about the DNS A (address) records.
-type=any               View all available records.
-type=hinfo             View hardware-related information about the host.
-type=mx                View Mail Exchange server information.
-type=ns                View Name Server records.
-type=ptr               View Pointer records. Used in reverse DNS lookups.
-type=soa               View Start of Authority records.
nslookup – Simple Example
nslookup followed by the domain name will
display the “A Record” ( IP Address ) of the
domain.
$ nslookup redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
Name: redhat.com
Address: 209.132.183.181
In the above output, Server refers to the IP
address of the DNS server that answered. The
section below it provides the "A Record" (IP address)
of the domain "redhat.com".
The default output of nslookup is less cluttered
than the default output of dig.
Query the MX Record using -query=mx
An MX (Mail Exchange) record maps a domain
name to a list of mail exchange servers for
that domain. The MX record says that all mail
sent to "@redhat.com" should be routed to the
mail servers listed for that domain.
$ nslookup -query=mx redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
redhat.com mail exchanger = 10 mx2.redhat.com.
redhat.com mail exchanger = 5 mx1.redhat.com.
Authoritative answers can be found from:
mx2.redhat.com internet address = 66.187.233.33
mx1.redhat.com internet address = 209.132.183.28
In the above example, we have 2 MX records
for the domain "redhat.com". The number (5, 10)
associated with each MX record is the preference
of that mail server: the lower the number, the
higher the preference. So when mail is sent to
"@redhat.com", the first preference is
"mx1.redhat.com", then "mx2.redhat.com".
Authoritative Answer vs Non-Authoritative
Answer
You may also have noticed the keywords
"Authoritative Answer" and "Non-Authoritative
Answer" in the above output.
Any answer that originates from a DNS server
which has the complete zone file information
available for the domain is said to be an
authoritative answer.
In many cases a DNS server will not have the
complete zone file information available for a
given domain. Instead, it maintains a cache
which holds the results of all queries performed
in the past for which it received an authoritative
response. When a DNS query arrives, it searches
the cache and returns the information available
there as a "Non-Authoritative Answer".
Query the NS Record using -query=ns
An NS (Name Server) record maps a domain
name to a list of DNS servers authoritative
for that domain. The query outputs the name
servers associated with the given domain.
$ nslookup -type=ns redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
redhat.com nameserver = ns4.redhat.com.
redhat.com nameserver = ns2.redhat.com.
redhat.com nameserver = ns1.redhat.com.
redhat.com nameserver = ns3.redhat.com.
Authoritative answers can be found from:
ns4.redhat.com internet address = 209.132.188.218
ns2.redhat.com internet address = 209.132.183.2
ns1.redhat.com internet address = 209.132.186.218
ns3.redhat.com internet address = 209.132.176.100
Query the SOA Record using -query=soa
The SOA (Start of Authority) record provides the
authoritative information about the domain: the
e-mail address of the domain admin, the domain
serial number, etc.
$ nslookup -type=soa redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
redhat.com
origin = ns1.redhat.com
mail addr = noc.redhat.com
serial = 2012071601
refresh = 300
retry = 180
expire = 604800
minimum = 14400
Authoritative answers can be found from:
ns1.redhat.com internet address = 209.132.186.218
mail addr – the mail address of the domain admin
( noc@redhat.com )
serial – a revision number for the zone. The standard
convention is the "YYYYMMDDNN" format ( 2012-07-16, revision 01;
NN is incremented if more than one edit takes place on the
same day )
refresh – specifies ( in seconds ) how often the secondary DNS will
poll the primary to see if the serial number has increased.
If it has, the secondary makes a new request to copy the
new zone file.
retry – specifies the interval ( in seconds ) at which the secondary
re-tries connecting to the primary DNS
expire – specifies how long the secondary DNS will keep the
cached zone file as valid
minimum – specifies the time that the secondary DNS should
cache the zone file
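A small checker for the SOA fields discussed above, added here as an example (it is not part of the original notes). It parses a constructed copy of the redhat.com SOA body printed by nslookup, decodes the serial under the YYYYMMDDNN convention, works out the serial a new edit would get, and checks that the timer fields stand in the relationship a zone operator expects. The helper names are my own.

```python
"""Sanity-check the SOA fields that nslookup -type=soa prints.

Added example, not part of the original notes. It parses the key = value
lines of a constructed sample (copied from the redhat.com output above),
decodes the serial under the YYYYMMDDNN convention, computes the next
serial for a new edit, and checks the timer fields against each other.
"""
import datetime
import re

# Constructed sample: the SOA body exactly as nslookup prints it.
SAMPLE_SOA = """\
    origin = ns1.redhat.com
    mail addr = noc.redhat.com
    serial = 2012071601
    refresh = 300
    retry = 180
    expire = 604800
    minimum = 14400
"""


def parse_soa(text):
    """Turn 'key = value' lines into a dict; numeric fields become ints."""
    soa = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?)\s*=\s*(\S+)", line)
        if m:
            key, value = m.group(1), m.group(2)
            soa[key] = int(value) if value.isdigit() else value
    return soa


def admin_email(soa):
    """'noc.redhat.com' in the mail addr field means noc@redhat.com:
    the first dot separates the mailbox from the domain."""
    mailbox, _, domain = soa["mail addr"].partition(".")
    return f"{mailbox}@{domain}"


def serial_date(serial):
    """Decode a YYYYMMDDNN serial into (date, revision); None if it does
    not follow the convention (e.g. a Unix-time or plain counter serial)."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        day = datetime.date(int(s[0:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return None
    return day, int(s[8:10])


def next_serial(current, today):
    """Serial for an edit made on `today`: revision restarts at 01 on a new
    day and increments for further edits on the same day. If the current
    serial is already at or past today's base, just add one so secondaries
    still see an increase (serials must only ever go up)."""
    base = int(today.strftime("%Y%m%d")) * 100
    return current + 1 if current >= base else base + 1


def check_timers(soa):
    """Warnings for timer relationships a zone operator expects to hold."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        warnings.append("expire should be longer than refresh")
    if soa["expire"] <= soa["retry"]:
        warnings.append("expire should be longer than retry")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(admin_email(soa), serial_date(soa["serial"]))
    print(next_serial(soa["serial"], datetime.date(2012, 7, 16)))
    print(check_timers(soa) or "timers look consistent")
```

Run it against the output of nslookup -type=soa for your own zones; a serial that does not decode, or timers where retry is not shorter than refresh, is worth a look before it causes a stale secondary.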
View available DNS records using -query=any
We can also view all the available DNS
records using -query=any option.
$ nslookup -type=any google.com
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
Name: google.com
Address: 173.194.35.7
Name: google.com
Address: 173.194.35.8
google.com nameserver = ns1.google.com.
google.com nameserver = ns2.google.com.
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 2012071701
refresh = 7200
retry = 1800
expire = 1209600
minimum = 300
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
Authoritative answers can be found from:
ns4.google.com internet address = 216.239.38.10
ns3.google.com internet address = 216.239.36.10
Reverse DNS lookup
You can also do the reverse DNS look-up by
providing the IP Address as argument to
nslookup.
$ nslookup 209.132.183.181
Server: 192.168.19.2
Address: 192.168.19.2#53
Non-authoritative answer:
181.183.132.209.in-addr.arpa name = origin-www2.redhat.com.
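The A, MX, NS and reverse-lookup outputs above all share the same line shapes, so one parser covers them. The following is an added example (not from the original notes): it turns nslookup output into records, flags whether the answer was authoritative, orders MX targets by preference as a sending mail server would, and shows the in-addr.arpa name nslookup actually queries for a reverse lookup. The samples are constructed from the redhat.com outputs shown above; the function names are my own.

```python
"""Parse nslookup output into records and flag whether it was authoritative.

Added example, not part of the original notes. The samples are constructed
from the redhat.com outputs shown above; the parser handles the A, MX, NS
and PTR line shapes nslookup prints and the 'Authoritative answers can be
found from:' glue section. reverse_name() shows the in-addr.arpa (or
ip6.arpa) name nslookup queries when you pass it an IP address.
"""
import ipaddress
import re

SAMPLE_MX = """\
Server:     192.168.19.2
Address:    192.168.19.2#53

Non-authoritative answer:
redhat.com  mail exchanger = 10 mx2.redhat.com.
redhat.com  mail exchanger = 5 mx1.redhat.com.

Authoritative answers can be found from:
mx2.redhat.com  internet address = 66.187.233.33
mx1.redhat.com  internet address = 209.132.183.28
"""

SAMPLE_PTR = """\
Server:     192.168.19.2
Address:    192.168.19.2#53

Non-authoritative answer:
181.183.132.209.in-addr.arpa    name = origin-www2.redhat.com.
"""

# Answer from the zone's own name server: no 'Non-authoritative' header.
SAMPLE_AUTH = """\
Server:     209.132.186.218
Address:    209.132.186.218#53

Name:   redhat.com
Address: 209.132.183.181
"""

RR_RE = re.compile(r"(\S+)\s+(mail exchanger|nameserver|internet address|name)\s*=\s*(.+)")
RR_TYPES = {"mail exchanger": "MX", "nameserver": "NS", "internet address": "A", "name": "PTR"}


def parse_nslookup(text):
    """Return {'server', 'authoritative', 'answers', 'additional'}; records are
    (type, owner, rdata) tuples."""
    out = {"server": None, "authoritative": True, "answers": [], "additional": []}
    section = "answers"
    pending_name = None
    after_server = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server:"):
            out["server"] = line.split(None, 1)[1]
            after_server = True
        elif after_server and line.startswith("Address:"):
            after_server = False  # the resolver's own address#port, not an answer
        elif line.startswith("Non-authoritative answer:"):
            out["authoritative"] = False
        elif line.startswith("Authoritative answers can be found from:"):
            section = "additional"
        elif line.startswith("Name:"):
            pending_name = line.split(None, 1)[1]
        elif line.startswith("Address:") and pending_name:
            out[section].append(("A", pending_name, line.split(None, 1)[1]))
        else:
            m = RR_RE.match(line)
            if m:
                owner, kind, rdata = m.groups()
                out[section].append((RR_TYPES[kind], owner, rdata.strip()))
    return out


def mx_by_preference(parsed):
    """MX targets ordered as a sending mail server tries them: lowest
    preference number first."""
    mx = []
    for rtype, _owner, rdata in parsed["answers"]:
        if rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".")))
    return [host for _pref, host in sorted(mx)]


def reverse_name(ip):
    """The PTR owner name for an address: 209.132.183.181 ->
    181.183.132.209.in-addr.arpa; IPv6 addresses map into ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    parsed = parse_nslookup(SAMPLE_MX)
    print("authoritative:", parsed["authoritative"], "MX order:", mx_by_preference(parsed))
    print(parse_nslookup(SAMPLE_PTR)["answers"])
    print(reverse_name("209.132.183.181"))
```

The "authoritative" flag is the point to watch when comparing what a recursive resolver caches against what the zone's own name servers return: a difference between the two is where stale or tampered cache entries show up.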
Using a Specific DNS server
Instead of using the default DNS servers for querying, you can
also specify a particular name server to resolve the domain
name.
$ nslookup redhat.com ns1.redhat.com
Server: 209.132.186.218
Address: 209.132.186.218#53
Name: redhat.com
Address: 209.132.183.181
In the above command, we have used ns1.redhat.com as the
DNS server. Here you may notice that we don't get any
"Non-authoritative answer:" header, since ns1.redhat.com
has all the zone information for redhat.com.
Change the port number to connect with
By default DNS servers use port number 53.
If for any reason the port number has been changed,
you can specify the port number using the -port
option
$ nslookup -port=56 redhat.com
Change timeout interval to wait for a reply
You can change the default timeout to wait for a
reply using -timeout option.
$ nslookup -timeout=10 redhat.com
Enabling debug mode using -debug
You can turn on debugging using the -debug option on the
command line (and turn it off again with -nodebug)
$ nslookup -debug redhat.com
Server: 192.168.19.2
Address: 192.168.19.2#53
------------
QUESTIONS:
redhat.com, type = A, class = IN
ANSWERS:
-> redhat.com
internet address = 209.132.183.181
ttl = 5
AUTHORITY RECORDS:
ADDITIONAL RECORDS:
------------
dig
dig (Domain Information Groper) is a command-line
utility that performs DNS lookups by querying name
servers and displaying the result to you. It is another
powerful tool, similar to nslookup, for diagnosing
DNS-related problems, and it is mainly used by network
and system administrators for verifying and
troubleshooting DNS problems and for performing DNS
lookups.
dig allows you to query information about various
DNS records, including host addresses, mail
exchanges and name servers. It is the most commonly
used tool among system administrators for
troubleshooting DNS problems because of its
flexibility and ease of use, and it is more flexible
than the deprecated nslookup command. When invoked
with just the -h option, it displays a list of its
options. If you use it without any options or
arguments, it queries for the root name servers.
dig is part of the BIND domain name server software
suite and replaces older tools such as nslookup and
host. It is available in all major Linux distributions;
if it is not installed on your system, you can find it
in the dnsutils package on Debian-based distributions
and in bind-utils on Fedora, CentOS and Arch.
Install Dig on system
Ubuntu/Debian
apt-get install dnsutils
RHEL/Centos
yum install bind-utils
Verify Install
dig -v
The standard arguments are:
server: The server to query. If no server is supplied, dig
will check the name servers listed in /etc/resolv.conf. The
address may be an IPv4 dotted address or an IPv6
colon-delimited address. It may also be a hostname,
which dig will resolve (through the name servers in
/etc/resolv.conf).
name: The domain name to look up.
type: The type of query to perform, such as A, ANY, MX,
SIG, and so forth. The default is A, but you may use any
valid BIND9 query type.
seshadri@seshadri:~$ dig
; <<>> DiG 9.16.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6208
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86291 IN NS a.root-servers.net.
. 86291 IN NS b.root-servers.net.
. 86291 IN NS c.root-servers.net.
. 86291 IN NS d.root-servers.net.
;; Query time: 103 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 27 05:41:41 IST 2022
;; MSG SIZE rcvd: 239
dig www.google.com
The above command causes dig to look up the "A"
record for the domain name google.com. dig
reads the /etc/resolv.conf file and queries the
DNS servers listed there. The response from the
DNS server is what dig displays.
Let us understand the output of the command.
Lines beginning with ; are comments, not part of the
information.
The first line tells us the version of dig (9.16.1).
Next, dig shows the header of the response it received from
the DNS server.
Next comes the question section, which simply tells us the
query, which in this case is a query for the "A" record of
google.com. IN means this is an Internet lookup (in the
Internet class).
The answer section tells us that google.com has the IP
address 172.217.166.78.
Lastly, there are some statistics about the query. You can turn
off these stats using the +nostats option.
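To make the header line concrete ("opcode: QUERY, status: NOERROR, id: ..., flags: qr rd ra; QUERY: 1, ANSWER: ..."), here is an added example, not part of the notes and not dig's own code, that builds the wire-format query dig sends for www.google.com type A, constructs a reply to it, and decodes the reply into exactly those header fields plus the answer records. The id, address and TTL used are constructed values, not a real lookup result. The id matters for more than bookkeeping: a resolver only accepts a reply whose id (and source port) match the query it sent, which is its check against forged answers from off-path hosts.

```python
"""Build the query dig sends and decode the header it prints.

Added example, not part of the notes and not dig's own code. It encodes a
query for www.google.com type A in DNS wire format (RFC 1035), builds a
constructed response, and decodes it into the fields dig shows on its
'->>HEADER<<-' and 'flags:' lines plus the answer RRs.
"""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15}
FLAG_BITS = ((15, "qr"), (10, "aa"), (9, "tc"), (8, "rd"), (7, "ra"))


def encode_name(name):
    """'www.google.com' -> 3 'www' 6 'google' 3 'com' 0 (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1840):
    """12-byte header + question. RD (0x0100) asks the server to recurse, as
    dig does by default; the server echoes the id and it must match."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Read a name, following compression pointers (0xC0xx); return
    (name, offset just past the name as it appeared in the message)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def decode_header(msg):
    """The fields dig prints in its HEADER and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "opcode": OPCODES.get((flags >> 11) & 0xF, "?"),
        "status": RCODES.get(flags & 0xF, "?"),
        "flags": [name for bit, name in FLAG_BITS if flags & (1 << bit)],
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }


def decode_answers(msg):
    """Answer RRs as (name, ttl, type, rdata); A rdata rendered dotted-quad."""
    hdr = decode_header(msg)
    offset = 12
    for _ in range(hdr["counts"][0]):  # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                    # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["counts"][1]):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, ttl, rtype, rdata))
    return answers


def build_response(query, ip, ttl=300, aa=False):
    """Constructed reply: same id, flags QR|RD|RA (plus AA if the server is
    authoritative), the question copied back, one A record whose owner is
    a compression pointer (0xC00C) to the name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("www.google.com")
    r = build_response(q, "142.250.183.4")
    print(decode_header(r))
    print(decode_answers(r))
```

The "aa" flag is what separates the authoritative answer nslookup talked about earlier from a cached one: a reply from the zone's own server carries it, a recursive resolver's cached reply does not.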
Query Domain “A” Record with +short
By default, dig is quite verbose. One way to cut
down the output is to use the +short option, which
drastically reduces the output as shown below.
seshadri@seshadri:~$ dig www.google.com +short
142.250.183.4
seshadri@seshadri:~$
By default, dig looks for the "A" record of the
domain specified, but you can specify other
records also. The MX or Mail eXchange record
tells mail servers how to route the email for the
domain. Likewise TTL, SOA, etc.
Querying MX Record for Domain
dig www.google.com MX
dig www.google.com SOA
Only answer section
dig google.com +nocomments +noquestion
+noauthority +noadditional +nostats
Querying ALL DNS Records Types
dig google.com ANY +noall +answer
DNS Reverse Look-up
dig -x 72.30.38.140 +short
traceroute
The traceroute command in Linux prints the
route that a packet takes to reach a host.
It is useful when you want to know the route
and all the hops that a packet passes through.
traceroute is a crucial tool in network
diagnostics. Together with other Linux
commands such as ping, ip and netstat (or
the newer alternative ss), traceroute
identifies the path packets take from source
to destination. The tool is universally
available for Linux, Windows and macOS.
In network troubleshooting, traceroute is used
to map the path packets travel through the
network, to discover the possible routes from
source to destination, and to measure the
transfer times between points. This helps
locate where traffic slows down between the
source and destination.
How Does Traceroute Work?
traceroute sends probes to every router between the
source and destination and uses the ICMP (Internet
Control Message Protocol) replies to identify them.
When you run a traceroute, the output displays:
The IP address of the router that successfully received
the packet.
The travel latency, or the amount of time it took to get a
response for each of the three probes.
traceroute acts as a series of ping commands. While
ping requests a response from the destination only,
traceroute gathers the intermediate information as well.
To gather the information available between the source and
destination, traceroute first sets the packet's TTL (time to live) to
the minimum value, 1. When a router receives the packet, it
decrements the TTL; when the TTL reaches 0 the router discards the
packet and sends a message back to the source. The source records
that router's address and the round-trip time, then sends the next
probe with the TTL increased by one.
[Diagram: the traceroute iterations path]
This way, the next probe reaches the next router in the network. The
iterative process repeats until a probe reaches the destination IP.
traceroute then recognizes the destination's reply and outputs all
the intermediate information gathered.
The command sends out three probes by default for each TTL
value and prints out the round-trip time for each packet.
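The loop just described, as an added example (not traceroute's own code): a constructed path of routers, each of which decrements the probe's TTL and answers with ICMP Time Exceeded when it hits 0 (or stays silent, which traceroute prints as "*"), and a destination that answers the UDP probe with Port Unreachable. The addresses and latencies in PATH are made up for the demonstration.

```python
"""Model of the TTL loop traceroute runs, as described above.

Added example, not traceroute's own code. The path is a constructed list
of routers; each one decrements the probe's TTL and, when it reaches 0,
drops the probe and answers with ICMP Time Exceeded (or stays silent,
which traceroute prints as '*'). The destination answers the UDP probe
with ICMP Port Unreachable, which is how traceroute knows it has arrived.
"""

# Constructed path: (address, replies_to_probes, one-way latency in ms).
PATH = [
    ("192.168.0.1", True, 6.0),
    ("10.20.0.1", False, 10.0),       # filters ICMP: every probe times out
    ("116.119.72.70", True, 4.0),
    ("172.217.160.174", True, 20.0),  # the destination host
]


def send_probe(path, ttl):
    """Forward one probe along `path` with the given TTL.
    Returns (kind, address, rtt_ms): kind is 'exceeded' for a router reply,
    'unreachable' for the destination's reply, or 'timeout'."""
    elapsed = 0.0
    for i, (addr, replies, latency) in enumerate(path):
        elapsed += latency
        if i == len(path) - 1:
            # Hosts do not forward, so they do not decrement TTL; they answer.
            return ("unreachable", addr, 2 * elapsed) if replies else ("timeout", None, None)
        ttl -= 1  # every router decrements TTL before forwarding
        if ttl == 0:
            return ("exceeded", addr, 2 * elapsed) if replies else ("timeout", None, None)
    return ("timeout", None, None)


def traceroute(path, max_hops=30, probes=3):
    """Send `probes` probes per TTL, starting at 1 and incrementing, until
    the destination replies or max_hops is reached. Each hop is
    (ttl, replies) where a reply is (address, rtt_ms) or None on timeout."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies, reached = [], False
        for _ in range(probes):
            kind, addr, rtt = send_probe(path, ttl)
            replies.append((addr, rtt) if addr else None)
            reached = reached or kind == "unreachable"
        hops.append((ttl, replies))
        if reached:
            break
    return hops


def format_hops(hops):
    """Render hops roughly the way traceroute prints them."""
    lines = []
    for ttl, replies in hops:
        cells = ["*" if r is None else f"{r[0]}  {r[1]:.3f} ms" for r in replies]
        lines.append(f"{ttl:2d}  " + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_hops(traceroute(PATH)))
```

Hop 2 in the model is the "* * *" case from the real output above: the router forwards traffic fine but never sends Time Exceeded, so traceroute cannot tell it from a dead link; only the later hops replying shows the path continues.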
traceroute can be used with the following options:
Option        Description
--help        Information about the command.
-d            Enable socket-level debugging on Linux.
-F            Forbid fragmentation.
-e            Show ICMP extensions.
-A            Perform AS path lookups for each hop.
-V            Show version.
-U            Use UDP to a particular destination port. The default port is 53.
-UL           Use UDPLITE for the probes.
-P protocol   Send packets of the specified IP protocol.
-I            Use ICMP echo for the probes.
-T            Use TCP SYN for the probes.
-4            Use only IPv4 addresses.
-6            Use only IPv6 addresses.
By default, traceroute tries at most 30 hops with a packet size
of 60 bytes for IPv4 and 80 bytes for IPv6.
On Ubuntu, the traceroute command is not available by
default. Install the tool using the apt package manager.
sudo apt install traceroute
On RHEL/CentOS use yum or dnf:
sudo yum install traceroute -y
sudo dnf install traceroute -y
$ traceroute --version
In the terminal, run a traceroute with
traceroute [options] <hostname or IP> [packet length]
$ traceroute google.com
By default, traceroute sends UDP packets. Add the
-I option for ICMP probe packets:
traceroute -I <hostname or IP>
Include the -n option to skip resolving hop addresses
to host names, for cleaner output:
traceroute -In <hostname or IP>
seshadri@seshadri:~$ traceroute google.com
traceroute to google.com (172.217.160.174), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  12.630 ms  12.894 ms  12.840 ms
 2  * * *
 3  116.119.72.70 (116.119.72.70)  33.668 ms  36.311 ms  39.184 ms
 4  182.79.177.69 (182.79.177.69)  52.479 ms 116.119.94.32 (116.119.94.32)  61.268 ms *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * 209.85.251.242 (209.85.251.242)  72.647 ms 142.250.212.2 (142.250.212.2)  72.593 ms
10  172.253.68.121 (172.253.68.121)  72.537 ms * *
11  * * *
12  * bom05s12-in-f14.1e100.net (172.217.160.174)  77.259 ms *
seshadri@seshadri:~$
tracepath
The tracepath and traceroute terminal programs are
crucial in network diagnostics. Both commands map
the network and display possible packet routes and
transit delays from a source to a destination. However,
there is a difference between the available options and
which users can use each command.
Differences between Tracepath vs. Traceroute
The main difference between tracepath and
traceroute is in the available options and user
privileges. With default options, the two
commands are similar.
Tracepath traces the path to a specified destination
using UDP packets. Without any options, the command
outputs:
TTL (Time To Live) round-trip time for a packet.
MTU (Maximum Transmission Units) or the largest
packet that tracepath can send over the network.
The resolved domain name when possible.
Traceroute maps the network path to a designated
destination. Without any options, the command sends
UDP packets and prints:
The TTL round-trip time for three packets.
Maximum hop number and packet size in bytes.
IP address and resolved domain name when possible.
However, traceroute offers many advanced options to
select from, such as choosing between ICMP and TCP
transfer protocols and more. Some options require
superuser (sudo) privileges because the command
works directly with raw packets.
The traceroute and tracepath commands are similar,
but tracepath does not require root privileges. tracepath
is installed by default on Ubuntu, whereas you may have to
install traceroute yourself on an Ubuntu system.
tracepath traces the network path to the specified
destination and reports each hop along the path. When
your network is slow, tracepath will show you where the
path is weak.
Option           Description
(no option)      When tracepath is run with no option or destination, it simply displays its usage syntax.
<destination>    Trace the path to the given destination.
-n               Print only IP addresses in the output (do not resolve names).
-b               Print both host names and IP addresses in the output.
-l <pktlen>      Set the initial packet length to pktlen.
-m <max_hops>    Set the maximum number of hops (TTLs) to max_hops instead of the default 30.
-p <port>        Set the destination port to use.
tracepath <options> <destination IP or domain name>
seshadri@seshadri:~$ tracepath www.google.com
1?: [LOCALHOST] pmtu 1500
1: _gateway 2.325ms asymm 35
1: _gateway 2.245ms asymm 35
2: no reply
3: 116.119.72.70 67.616ms asymm 4
4: 116.119.57.199 100.881ms asymm 6
5: no reply
6: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
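Both tools print one line per hop, so their output is easy to turn into something a monitoring job can compare from one run to the next. The following is an added example, not part of the notes: it parses traceroute output (named and bare RTT probes, "*" timeouts, several addresses on one hop) and tracepath output (pmtu, "no reply", asymm) into per-hop records, and lists the hops that never answered. The two samples are constructed, abridged copies of the outputs shown above; the function names are my own.

```python
"""Parse traceroute and tracepath output into per-hop records.

Added example, not part of the original notes. The two samples are
constructed, abridged versions of the outputs shown above. A defender
keeping path baselines can diff the per-hop address lists this returns
between runs; silent_hops() lists the hops that never answered.
"""
import re

TRACEROUTE_OUT = """\
traceroute to google.com (172.217.160.174), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  12.630 ms  12.894 ms  12.840 ms
 2  * * *
 4  182.79.177.69 (182.79.177.69)  52.479 ms 116.119.94.32 (116.119.94.32)  61.268 ms *
12  * bom05s12-in-f14.1e100.net (172.217.160.174)  77.259 ms *
"""

TRACEPATH_OUT = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              2.325ms asymm  35
 1:  _gateway                                              2.245ms asymm  35
 2:  no reply
 3:  116.119.72.70                                        67.616ms asymm  4
30:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500
"""

HEADER_RE = re.compile(r"traceroute to (\S+) \(([^)]+)\), (\d+) hops max, (\d+) byte packets")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# One probe result: optional 'name (addr)' prefix, then 'rtt ms', or a lone '*'.
PROBE_RE = re.compile(r"(?:(\S+)\s+\((\S+)\)\s+)?([\d.]+)\s+ms|(\*)")

TP_HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(.*)$")
TP_REPLY_RE = re.compile(r"(\S+)\s+([\d.]+)ms(?:\s+asymm\s+(\d+))?")


def parse_traceroute(text):
    """Return {'target', 'target_ip', 'max_hops', 'packet_bytes',
    'hops': {n: [(addr, rtt_ms) or None per probe]}}."""
    out = {"hops": {}}
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            out["target"], out["target_ip"] = h.group(1), h.group(2)
            out["max_hops"], out["packet_bytes"] = int(h.group(3)), int(h.group(4))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        probes, addr = [], None
        for p in PROBE_RE.finditer(m.group(2)):
            if p.group(4):
                probes.append(None)
            else:
                if p.group(2):  # a new address; following bare RTTs belong to it
                    addr = p.group(2)
                probes.append((addr, float(p.group(3))))
        out["hops"][int(m.group(1))] = probes
    return out


def parse_tracepath(text):
    """Return {'pmtu', 'hops': {n: [(name_or_addr, rtt_ms, asymm) or None]}}."""
    out = {"pmtu": None, "hops": {}}
    for line in text.splitlines():
        m = TP_HOP_RE.match(line)
        if not m:
            r = re.search(r"Resume: pmtu (\d+)", line)
            if r:
                out["pmtu"] = int(r.group(1))
            continue
        n, rest = int(m.group(1)), m.group(2)
        if rest.startswith("[LOCALHOST]"):
            out["pmtu"] = int(re.search(r"pmtu (\d+)", rest).group(1))
            continue
        if rest.startswith("no reply"):
            out["hops"].setdefault(n, []).append(None)
            continue
        r = TP_REPLY_RE.match(rest)
        if r:
            asymm = int(r.group(3)) if r.group(3) else None
            out["hops"].setdefault(n, []).append((r.group(1), float(r.group(2)), asymm))
    return out


def silent_hops(hops):
    """Hop numbers where every probe went unanswered."""
    return [n for n, probes in sorted(hops.items()) if all(p is None for p in probes)]


if __name__ == "__main__":
    tr = parse_traceroute(TRACEROUTE_OUT)
    print(tr["target"], "silent hops:", silent_hops(tr["hops"]))
    tp = parse_tracepath(TRACEPATH_OUT)
    print("pmtu", tp["pmtu"], "silent hops:", silent_hops(tp["hops"]))
```

The "asymm" value tracepath reports is the hop count seen on the return path when it differs from the forward one; a sudden change in it, or a new address appearing at a hop in the traceroute baseline, is the kind of drift worth alerting on.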
mtr