
Mastering the nslookup dig command for Effective DNS Troubleshooting


Nslookup & Dig Command: Practical DNS Lookup Guide (with Privacy Tips from Dnsium)

If you manage a website, run a server, or simply want to understand why a domain isn't loading, you need reliable command-line tools for querying the Domain Name System. Together, nslookup and dig cover nearly every DNS troubleshooting scenario you'll encounter, from a quick IP address check to a full delegation trace through authoritative name servers. This guide walks you through both tools with real commands, installation steps, and privacy considerations.

Quick Answer: When to Use nslookup vs dig

Both nslookup and dig are command-line tools for querying DNS servers. They send DNS queries to a recursive resolver (or directly to an authoritative server) and return DNS records like A, MX, or NS. The difference comes down to detail, flexibility, and where you're working.

  • Use nslookup for quick, basic DNS lookups, especially on Windows, where it ships by default. It's ideal when you just need to verify that a domain resolves to the correct IP address.

  • Use dig when you need detailed information: authority sections, TTL values, DNSSEC validation, or a full trace of the resolution path.

nslookup example (in command prompt or terminal):

nslookup example.com

dig example (in a Unix-like terminal):

dig example.com ANY

Both tools query DNS servers (usually recursive resolvers that then contact authoritative DNS servers on your behalf) to resolve a domain name to IP addresses. For everyday browsing, you can protect your DNS privacy by using an encrypted DNS resolver like Dnsium instead of your ISP's default server.

DNS Lookup Basics You Need Before Using nslookup & dig

A DNS lookup is the process of turning a human-readable domain name (like example.com) into machine-friendly IP addresses (IPv4 and IPv6). Your computer sends a request to a DNS server (resolver), which talks to authoritative name servers to fetch the correct DNS records for a given domain.

DNS has many record types serving distinct purposes. The core DNS record types you'll query with nslookup and dig include:

| Record Type | Purpose |
|---|---|
| A | Maps domain names to IPv4 addresses |
| AAAA | Maps to IPv6 addresses |
| CNAME | Alias pointing to another domain name |
| MX | Specifies mail exchange servers for email delivery |
| NS | Indicates authoritative name servers for a domain |
| SOA | Zone authority and admin parameters |
| TXT | Stores text information for various purposes (SPF, DKIM, DMARC) |
| PTR | Reverse DNS lookup: maps IP to hostname |

A domain registrar is the organization where a domain name is purchased. The registrar's settings determine which authoritative nameservers are responsible for that specific domain. Each domain can have multiple nameservers configured for redundancy.

DNS usually runs over UDP port 53, and responses are cached by recursive DNS servers according to TTL values. One critical privacy issue: standard DNS queries travel unencrypted, meaning your ISP and anyone on the network can see which domains you query. Encrypted DNS resolvers like Dnsium support DoH and DoT, wrapping those queries in encryption and adding built-in ad and tracker blocking.

What Is nslookup? (And Where It's Still Useful)

The nslookup tool (short for "name server lookup") is a long-standing DNS lookup utility first developed in 1986 as part of the BIND tools. Nslookup is available on Windows, macOS, and Linux, making it one of the most accessible command-line tools for DNS checks.

With nslookup you can:

  • Resolve a domain name to an IP address

  • Query specific DNS records like A and MX using the -type= parameter

  • Use a chosen DNS server instead of the system default

Nslookup can operate in interactive or non-interactive modes. In non-interactive mode, you run a single command like nslookup example.com and get your answer. In interactive mode, you type nslookup first, hit Enter, then run multiple lookups without re-entering the command, which is efficient when testing several records against the same server.

Nslookup is considered a legacy tool for simple, quick queries. It produces simplified output that is easier for beginners to read. While some Unix systems mark it deprecated in favor of dig, it remains heavily used in Windows-based DNS troubleshooting.

You can find online nslookup tools on the web, but running it locally from your command line avoids sharing queries with third-party websites. Pair local use with an encrypted resolver like Dnsium for real-time results that stay private in transit.

What Is dig? (Domain Information Groper)

The name dig once stood for domain information groper, though that expansion was officially dropped in 2017. Dig is part of the BIND suite maintained by the Internet Systems Consortium and is available on most operating systems (pre-installed on many Linux and macOS distributions, installable on Windows).

Dig provides more detailed DNS information than nslookup:

  • Structured output with QUESTION, ANSWER, AUTHORITY, and ADDITIONAL sections plus header flags

  • Flexible query options like +short, +trace, and +dnssec

  • Better scripting and automation capabilities

Dig supports advanced features like DNSSEC, unlike nslookup, and dig uses the operating system's resolver library to query DNS servers. Using dig is recommended for deep diagnostics and understanding DNS responses. Dig is preferred by experienced system administrators for its flexibility, especially for verifying DNS propagation, checking DNSSEC chains, and testing authoritative DNS servers directly.

Simple example: dig example.com A returns the A record. Advanced example: dig +trace example.com shows the query path through root servers, TLD servers, and the domain's authoritative nameservers.

Installing & Running nslookup and dig on Major Systems

Nslookup is usually pre-installed across operating systems, while dig may require a quick package install depending on your system.

  • Windows 10 / 11: nslookup is built into Windows. Open Command Prompt or PowerShell and type the command. Dig is not installed by default; install it via WSL (Ubuntu) or a package manager like Chocolatey with bind-tools.

  • macOS (10.15 Catalina and later): nslookup and dig are included by default. Run them in Terminal.

  • Ubuntu / Debian: install both via sudo apt-get install dnsutils.

  • CentOS / RHEL / Fedora: install via sudo yum install bind-utils or sudo dnf install bind-utils.

You'll need administrative (sudo) rights to install packages on Linux. If your shell reports nslookup: command not found or dig: command not found, re-run the appropriate install command for your distribution.

Once installed, all examples in the sections below can be run directly from the command line.

Using nslookup: Common DNS Lookup Tasks

This section walks through real-world nslookup commands for DNS troubleshooting and DNS record inspection. Nslookup allows users to check domain mappings quickly with minimal syntax.

Forward DNS lookup: Use nslookup [host] [server] for quick DNS checks. Running nslookup example.com shows the default server queried and the A/AAAA records (IP addresses) returned. The output typically shows a non-authoritative answer, meaning the response came from a resolver's cache rather than directly from the authoritative server.

Query specific record types: Enter domain and query type together:

  • nslookup -type=A example.com - IPv4 address records

  • nslookup -type=MX example.com - MX records for email routing

  • nslookup -type=TXT example.com - TXT records for SPF/DMARC verification

  • nslookup -type=NS example.com - NS records to find authoritative name servers

You can check nameserver records using online tools or command line. Nameserver records indicate authoritative DNS servers for a domain, and NS records help verify a domain's DNS configuration.

Reverse DNS lookup: Run nslookup 8.8.8.8 or nslookup -type=PTR 8.8.8.8 to find the hostname associated with an IP address. This matters for email deliverability and IP reputation checks.

Query a specific DNS server: Use nslookup example.com 1.1.1.1 or nslookup example.com 9.9.9.9 to compare how different DNS servers respond. Once you configure Dnsium, test with its resolver IPs to verify your private DNS setup.

Interactive mode: Run nslookup, hit Enter, then type server 1.1.1.1, then enter domain names one at a time. Interactive mode allows multiple lookups without re-entering the command, which is efficient when testing several DNS records against the same DNS server.

Useful options: Nslookup can change the timeout interval for DNS responses with -timeout= (e.g., nslookup -timeout=15 example.com). Use -debug to show raw DNS message details for deeper troubleshooting.

Using dig: Detailed DNS Lookup & Troubleshooting

This section focuses on practical dig commands for common DNS scenarios. Dig provides detailed, structured output suitable for in-depth troubleshooting.

Basic syntax: dig example.com defaults to querying the A record. The output is organized into QUESTION, ANSWER, AUTHORITY, and ADDITIONAL sections, plus header flags and query statistics.

Query specific DNS record types:

  • dig example.com A - IPv4 address

  • dig example.com AAAA - IPv6 address

  • dig example.com MX - mail exchange servers

  • dig example.com NS - authoritative nameservers

  • dig example.com TXT - SPF, DKIM, DMARC, and other verification records

Concise output with +short: dig example.com A +short and dig example.com MX +short strip away metadata and return only the answer, which is ideal for scripts and quick checks.

Query a specific DNS server: dig @8.8.8.8 example.com A sends the query to Google's resolver. Substitute @dnsium-resolver-ip after configuring Dnsium to verify that your private DNS resolver is returning the expected DNS records.

Reverse DNS and PTR records: dig -x 8.8.8.8 fetches the PTR record, which is important for mail server verification and log analysis.

Advanced diagnostics: Dig supports advanced features like +trace to follow DNS request paths. Running dig +trace example.com follows delegation from root servers to TLD servers to the authoritative DNS server. Dig queries can trace the resolution path and find authoritative name servers step by step. You can also run dig example.com ANY, though note that some authoritative DNS servers limit ANY queries for security and performance reasons per RFC 8482.

Dig is preferred for detailed diagnostics on Linux and macOS systems, and it remains the go-to tool for network engineers and security professionals.

nslookup vs dig vs Other Tools (Ping, WHOIS)

Nslookup and dig are both DNS lookup tools, but they differ significantly in detail level and workflow. Nslookup is simpler and focuses on basic DNS queries. Dig provides richer, more structured output better suited for complex DNS troubleshooting, DNSSEC analysis, and scripting.

| Tool | Purpose | Best For |
|---|---|---|
| nslookup | DNS resolution queries | Quick checks, Windows, beginners |
| dig | DNS resolution + diagnostics | Detailed analysis, scripting, DNSSEC |
| ping | Network connectivity (ICMP) | Latency, reachability; does not inspect DNS records |
| whois | Domain registration lookup | Ownership, contact info, expiry at domain registrar |

Professional workflows often combine all of these: use nslookup or dig for DNS troubleshooting, use ping to confirm network reachability after DNS resolution, and use whois to verify domain ownership and registrar details.

DNS Troubleshooting Scenarios with nslookup & dig

Here are realistic DNS troubleshooting scenarios showing which commands to run. Each scenario assumes you have access to a computer with nslookup and dig installed.

Domain not resolving but server is reachable by IP:

  1. Ping the IP to confirm connectivity

  2. Run nslookup yourdomain.com or dig yourdomain.com to check if the DNS lookup fails

  3. Check A and AAAA DNS records at the authoritative server: dig @auth-ns.example.net yourdomain.com A

Changed DNS at domain registrar, but website still shows old host:

  • Check NS records: nslookup -type=NS yourdomain.com or dig yourdomain.com NS to confirm the domain's authoritative nameservers

  • Verify that new DNS records are present on the authoritative name servers

  • Changing nameserver records can take minutes to hours to propagate. Other DNS servers may still serve cached records until their TTL expires; this is normal DNS propagation behavior
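The propagation check above can be scripted. This is an added example, not part of the original article; the function names and the default resolver 1.1.1.1 are assumptions, and it asks the first listed name server directly and compares its A records with what a recursive resolver still has cached.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): compare what an authoritative
# server publishes with what a recursive resolver still has cached.

# stdin: `dig +noall +answer` lines ("name TTL class type rdata").
# stdout: "<lowest TTL> <sorted,comma-joined A rdata>", or "- -" if no A record.
summarize() {
    awk '$4 == "A" { print $2, $5 }' | sort -k2,2 -u |
    awk '{ if (NR == 1 || $1 + 0 < min) min = $1 + 0
           s = s (NR > 1 ? "," : "") $2 }
         END { if (NR == 0) print "- -"; else print min, s }'
}

# $1 = authoritative summary, $2 = resolver summary (both from summarize).
verdict() {
    auth_set=${1#* }; res_ttl=${2%% *}; res_set=${2#* }
    if [ "$auth_set" = "-" ]; then
        echo "NO-AUTH-ANSWER"          # server returned no A record (or CNAME only)
    elif [ "$res_set" = "-" ]; then
        echo "RESOLVER-NO-ANSWER"
    elif [ "$auth_set" = "$res_set" ]; then
        echo "IN-SYNC"
    else
        # On a recursive resolver the TTL shown is the time left in its cache.
        echo "DIFFERS: resolver returns $res_set, cache entry expires within ${res_ttl}s"
    fi
}

# $1 = domain, $2 = recursive resolver IP (1.1.1.1 is only a default).
check_propagation() {
    ns=$(dig +short NS "$1" | head -n1)
    [ -n "$ns" ] || { echo "no NS records returned for $1" >&2; return 1; }
    auth=$(dig +norecurse +noall +answer "@$ns" "$1" A | summarize)
    res=$(dig +noall +answer "@$2" "$1" A | summarize)
    echo "authoritative ($ns): $auth"
    echo "resolver ($2): $res"
    verdict "$auth" "$res"
}

# Runs only when a domain is given: ./propagation.sh yourdomain.com 8.8.8.8
if [ -n "${1:-}" ]; then check_propagation "$1" "${2:-1.1.1.1}"; fi
```

A DIFFERS result with a falling TTL is ordinary caching; a difference that persists after the TTL has run out deserves a closer look.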

Email not delivered after mail migration:

  • Check MX records: nslookup -type=MX yourdomain.com or dig yourdomain.com MX

  • Verify SPF and DMARC TXT records using nslookup -type=TXT yourdomain.com or dig yourdomain.com TXT
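The TXT answers are easier to judge once the SPF and DMARC policies are pulled out of them. This is an added example, not part of the original article, with hypothetical function names. It relies on two facts beyond the page: SPF is published as TXT at the domain itself, while the DMARC policy is published as TXT at the _dmarc label beneath it, so the second lookup targets _dmarc.yourdomain.com.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): summarize SPF and DMARC
# policy from `dig +short TXT` output.

# dig prints each TXT record quoted, and splits long records into several
# quoted chunks ("part1" "part2") that are meant to be joined with no space.
unquote_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: TXT answers for the domain itself.
classify_spf() {
    unquote_txt | awk 'tolower($1) == "v=spf1" { n++
            for (i = 2; i <= NF; i++) if ($i ~ /^[-~?+]?all$/) q = $i }
        END { if (n == 0) print "SPF missing"
              else if (n > 1) print "SPF invalid: " n " records"  # receivers return permerror
              else print "SPF found: " (q == "" ? "no all mechanism" : q) }'
}

# stdin: TXT answers for _dmarc.<domain>.
classify_dmarc() {
    unquote_txt | awk '{ r = tolower($0) }
        r ~ /^v=dmarc1[ ;]/ { n++
            if (match(r, /[; ]p=[a-z]+/)) p = substr(r, RSTART + 3, RLENGTH - 3) }
        END { if (n == 0) print "DMARC missing"
              else print "DMARC policy: " (p == "" ? "none stated" : p) }'
}

# $1 = domain
check_mail() {
    echo "MX records:"; dig +short MX "$1"
    dig +short TXT "$1" | classify_spf
    dig +short TXT "_dmarc.$1" | classify_dmarc
}

# Runs only when a domain is given: ./mailcheck.sh yourdomain.com
if [ -n "${1:-}" ]; then check_mail "$1"; fi
```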

Suspicious DNS behavior or potential hijacking:

  • Query multiple independent public DNS servers (1.1.1.1, 8.8.8.8, Quad9, and your private resolver like Dnsium)

  • Inconsistent answers across DNS servers may indicate cache poisoning, an error in configuration, or routing manipulation

While debugging, remember that traditional DNS queries are visible in clear text on the internet. Use an encrypted DNS resolver like Dnsium for routine browsing to reduce exposure.
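The cross-resolver comparison can be automated as follows. This is an added example, not part of the original article; the function names are hypothetical and the resolver list uses the public addresses the article mentions (9.9.9.9 is Quad9).

```bash
#!/usr/bin/env bash
# Added example (not from the original article): compare the A records that
# several resolvers return for one name. Append your private resolver's IP.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# stdin: raw `dig +short` output. +short also prints CNAME targets, so keep
# only IPv4 lines, then sort and join them into one comparable string.
normalize() {
    grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u |
    awk '{ s = s (NR > 1 ? "," : "") $0 } END { print s }'
}

# $1 = resolver IP, $2 = domain
query_resolver() {
    dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | normalize
}

# stdin: "resolver answers" lines. Prints CONSISTENT, or MISMATCH followed by
# each distinct answer and the resolvers that gave it. An empty answer
# (timeout, NXDOMAIN, filtered name) is treated as its own value.
compare_answers() {
    awk '{ a = ($2 == "" ? "(none)" : $2); seen[a] = seen[a] " " $1 }
         END { n = 0; for (k in seen) n++
               if (n <= 1) { print "CONSISTENT"; exit }
               print "MISMATCH"
               for (k in seen) print "  " k " <-" seen[k] }'
}

# $1 = domain
check_domain() {
    for r in $RESOLVERS; do
        printf '%s %s\n' "$r" "$(query_resolver "$r" "$1")"
    done | compare_answers
}

# Note: CDN and geo-balanced names legitimately return different addresses per
# resolver, and filtering resolvers may withhold an answer on purpose, so a
# MISMATCH is a prompt to investigate, not proof of tampering.

# Runs only when a domain is given: ./dnscompare.sh yourdomain.com
if [ -n "${1:-}" ]; then check_domain "$1"; fi
```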

Improving DNS Privacy & Security with a Private Resolver (Dnsium)

Tools like nslookup and dig show what DNS servers return, but they do not themselves secure or encrypt DNS traffic. That's where a private DNS resolver comes in.

A private DNS resolver like Dnsium is a recursive DNS service that handles all DNS queries for your device or network. It's designed to minimize logging and prevent DNS data from being harvested or sold by your ISP.

How encrypted DNS works: Protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt the connection between your device and the recursive DNS server. The benefit: ISPs and local network operators cannot easily inspect which domains you query.

Dnsium's features:

  • No free tier, but a 30-day money-back guarantee on all plans

  • Built-in ad blocking and tracker filtering at the DNS layer

  • Malware and phishing domain filtering for improved security

  • Support for DoH/DoT encrypted transports

After configuring your OS or router to use Dnsium's DNS servers, run nslookup example.com or dig @dnsium-resolver-ip example.com to confirm queries reach Dnsium instead of your ISP. Dnsium is a stronger long-term choice than default ISP DNS servers for privacy-conscious users who want ad blocking without installing extra software on every device.

Summary: Choosing the Right DNS Tool and Resolver

  • Use nslookup for quick checks from the command prompt or terminal: it's fast, simple, and available everywhere.

  • Use dig when you need richer DNS data, advanced troubleshooting options, DNSSEC inspection, or scriptable output.

  • Both tools query DNS servers for DNS records, but they rely on whatever DNS resolver is configured: ISP, corporate, or a private service like Dnsium.

  • Understanding DNS record types (A, AAAA, MX, NS, TXT, SOA, PTR) is essential for effective DNS troubleshooting and managing any specific domain.

  • Combining strong DNS tooling (nslookup and dig) with an encrypted, ad-blocking DNS resolver like Dnsium gives you both visibility into DNS behavior and protection against tracking and unwanted content.