How to use nslookup command for network diagnostics and security analytics

Name server lookup (nslookup) is a valuable command line tool used to query the Domain Name System (DNS). It provides details on the domain names and IP addresses thus helping in effective network administration and ensuring security. The nslookup command helps in DNS troubleshooting, security analytics, especially in detecting phishing and spoofing attacks, and network configuration verification.

The nslookup command is available in several operating systems including, Windows, Linux, and macOS.

This article explains the functionalities of nslookup and explores how it can be used in various modes to troubleshoot network issues and detect phishing attempts.

Nslookup explained

Your internet connection uses DNS servers to convert hostnames into IP addresses. When you type www.manageengine.com in your browser to connect to the site, a DNS service will query its database and get the IP address of this website. Afterward, you connect via this IP to the host server.

When you have problems with your DNS lookup service, it impacts the ability to access websites and online services. The nslookup command is used to diagnose these DNS lookup issues. This command requests information from the DNS server for you to debug and troubleshoot the network issues. In this command, you provide the IP address or domain name as input to the nslookup and the output of the nslookup typically includes:

• A DNS server used to perform the lookup.
• The IP address associated with the domain name.
• Other relevant DNS records such as MX records for email or NS records for the name servers.
• Error messages, if any, on why the lookup failed.

The nslookup operates in two modes: non-interactive and interactive.

• Non-interactive nslookup: In this mode, you provide the domain name or IP address of the computer and the DNS name server as an argument to the nslookup command. The tool performs the query and displays the results directly, without prompting for further input. If you're looking for specific information or using this tool in scripts, then prefer this mode.
• Interactive nslookup: To invoke this mode, just enter nslookup in the command line without any argument. This will open a prompt where you can enter domain names or IP addresses to query in the interactive command line. This mode is preferred to issue multiple DNS queries within a single nslookup session.

In both of the above modes, if DNS server is not specified, then the default DNS server, provided by your ISP, is used. This is usually your ISP's DNS server.

How to use nslookup for diagnosing DNS server issues

Nslookup command is a valuable tool to diagnose network and DNS server issues, including slow response times and incorrect configurations. Here's how it works:

Measuring slow response times:

Analyzing the response times can help you pinpoint network bottlenecks or overloaded DNS server. Nslookup records the time it takes to receive a response for the DNS server. By comparing the response times of different DNS servers, you can identify the ones that are significantly slower.

Checking for incorrect DNS records:

Nslookup displays the IP addresses associated with the domain name. If the IP address is incorrect, it indicates a misconfiguration in the DNS records. Further, if nslookup fails to resolve a domain name or returns an unexpected result, it might also be due to missing or invalid DNS records.

Detecting DNS server errors:

The error messages provided by nslookup command can help identify specific issues, such as Server failed or Timeout waiting for server. Analyzing these error codes can help you determine the root cause of the problem, whether it's a network issue, a DNS server configuration error, or a temporary outage.

Identifying DNS server configuration issues:

With nslookup command, you can indirectly estimate the time-to-live (TTL) values of DNS records. To do that, query the same DNS records multiple times and observe the time taken for the response to change. If the response remains the same for a certain period, it suggests that the local DNS resolver is using a cached value with a TTL equal to or greater than that period. If the TTL values inferred are incorrect, it can impact the DNS propagation and caching.

Identifying recursive resolver issues:

Further, if the nslookup fails to resolve a domain name, it might indicate a problem with recursive resolver, which is the DNS server that handles DNS queries on behalf of the clients.

What role does nslookup play in cybersecurity?

Nslookup command is often used to investigate potential security breaches like phishing attacks and DDoS. Though it doesn't directly provide information on the security threats, it gives information on how data is being routed and the whereabouts of IP addresses, thus helping in tracking the source of attacks.

For example, if you are being targeted by a DDoS attack, nslookup can help identify the IP address' location helping you to track down the origin of the attack. Here are some use cases on how nslookup command is used for threat investigation:

• Phishing detection
• Malicious IP detection

How to use nslookup for detecting phishing

Legitimate websites typically have stable IP addresses associated with reputable hosting providers. Phishing websites, on the other hand, have dynamic IP addresses or are hosted on compromised servers. The nslookup command can help you quickly check the IP address associated with a domain and compare it with the known IP address of the legitimate website.

Further, cyberattackers often create domains that are very similar to legitimate ones, with a slight misspelling or typos. The nslookup command can help you verify the exact domain name and identify any discrepancies.

How to use nslookup to identify malicious IP address

A reverse DNS lookup often returns the domain name associated with the IP address to identify the source of malicious activity. The syntax that can be used to perform a reverse DNS lookup is:

nslookup -ptr <IP_address>

This returns the domain name associated with the IP address. If the domain name doesn't match the expected source of the traffic, it could indicate a spoofed or compromised system. Further, investigate the domain's reputation and malicious activity using threat intelligence feeds.

ManageEngine Log360's role in detecting malicious IP addresses:

Though the reverse nslookup command helps you with domain names, many malicious actors use dynamic IP addresses, making it difficult to track them down. Adversaries can also spoof their IP addresses to hide their true identity. Further, not all IP addresses have associated domain names, especially those used by private networks or malicious actors.

An efficient way to track down malicious IP addresses is to use a SIEM solution with built-in threat intelligence feeds that are up-to-date to identify emerging threats and tactics.

ManageEngine Log360, a unified SIEM solution comes with built-in threat intelligence database that dynamically gets updated. The solution instantly detects malicious IP interactions in your network and automatically blocks them.

Next steps