This chapter describes tools that may be provided with BIND releases, are generally available or are just jolly useful! The tools described either provide specific services or may help in diagnosing problems.
BIND provides a number of tools that are invaluable when testing or diagnosing problems. Of these, named-checkzone (validates zone files for correctness) and named-checkconf (checks the named.conf file) are invaluable for finding those stupid problems that we can all introduce when editing files. They have the additional property that they may prolong life by removing the blind panic that ensues after making a trivial edit and reloading BIND, only to find that the live system is no longer functional due to a parameter error - which always seems to take longer to find when we know that hundreds of queries are being rejected because the name server is off the air.
rndc is the remote access tool that allows selective reload of zones and to which many DNS administrators are addicted. It has serious security implications if not properly installed and configured.
nsupdate is a tool that allows dynamic updating (DDNS) of zone files. Extreme care must be taken when configuring BIND to enable DDNS since you may inadvertently open up your DNS zone files to the world - while this is an extremely friendly, neighbourly thing to do, it may not always be wise.
Finally, the Really Big Issue™ is whether to use nslookup or dig, with the macho guys generally regarding nslookup users as wimps. There is no doubt that dig provides more useful information than nslookup for those who understand the detailed information that is displayed; however, if you work with multiple platforms, especially Windows, you have no choice but to be familiar with nslookup since it is the only tool provided with the standard release. One of the happy side-effects of installing BIND on Windows is that you get all its diagnostic tools, including dig.
nslookup is officially deprecated in favour of dig (though we note that current versions no longer output the deprecation warning message, which may indicate a change of heart). nslookup is however almost universally available - even when dig is not - and this is especially true on Windows systems, where dig is still pretty exotic. Old utilities do not die, they just slowly fade away!
nslookup maintains a set of configuration parameters (which may be modified) that add power to the command line. These parameters can be displayed using the -all argument (or set all in interactive mode).
The following are quick examples of common usage - all the options are explained below in mind-numbing detail:
```
# lookup a specific host
nslookup www.example.com
# get MX and NS records for the domain
nslookup -type=ANY example.com
# get SOA record and display all nslookup default parameters
nslookup -all -type=SOA example.com
```
The generic command format is:
```
# format 1: lookup target using the default DNS server
nslookup [-opt] target
# format 2: lookup target using the specified DNS server
nslookup [-opt] target dns
# format 3: enter interactive mode using the default DNS server
nslookup [-opt]
# format 4: enter interactive mode using the specified DNS server
nslookup [-opt] - dns
```
```
nslookup www.example.com
# will return
Server:   ns1.example.com
Address:  192.168.2.53

Name:     www.example.com
Address:  192.168.2.80
```
Returns the A record for www.example.com using the default DNS server - in this case ns1.example.com (defined in Windows Network Properties or /etc/resolv.conf in *nix systems).
```
nslookup 192.168.2.80
# will return
Server:   ns1.example.com
Address:  192.168.2.53

Name:     www.example.com
Address:  192.168.2.80
```
Returns the PTR record for 192.168.2.80 using the IN-ADDR.ARPA domain hierarchy.
```
nslookup www.example.com 192.168.255.53
# will return
Server:   another.domain.com
Address:  192.168.255.53

Name:     www.example.com
Address:  192.168.2.80
```
Returns the A record for www.example.com using the DNS server at 192.168.255.53. The command format allows either an IP or a name so the above command could have been written as:
```
nslookup www.example.com another.domain.com
```
Interactive format (formats 3 and 4 above) provides a single prompt (>) and allows any command line option to be entered. To terminate interactive mode use CTRL-C (Windows and *nix), CTRL-D (*nix only) or exit (Windows and *nix).
nslookup provides a dizzying number of options that vary its processing. Some of these options are only available in interactive mode. The Windows version adds a couple of commands. In each case Mode defines: B = interactive and command line format, I = interactive only, C = command line only, W = Windows only. Multiple options can be specified with a single command.
| Command | Argument | Mode | Description |
|---|---|---|---|
| d | - | C | Lists information for the domain. Gives SOA record and NS record details. |
| ls | [opt] domain | I | Lists all the information for the target domain. Takes the optional extensions > filename or >> filename to output to a file for subsequent processing. The options supported include -t type, which lists only records of the given type (for example ls -t TXT example.com). |
| lserver | dns | I | Sets the DNS server for subsequent commands. May be either a name or an IP. The name or IP is looked up using the original default DNS server (before any server or lserver commands were issued). |
| root | root-dns | B | Changes the root server used in various commands. |
| server | dns | I | Sets the DNS server for subsequent commands. May be either a name or an IP. The name or IP is looked up using the current default DNS server. The default server is defined in /etc/resolv.conf for *nix systems and in network properties for Windows systems. |
Options which work with set in interactive mode
In interactive mode these options are preceded with set and operate until changed with another set directive. In command line mode they are preceded with - and operate on a single command. In a number of cases a short form is also provided.
| Option | Argument | Mode | Description |
|---|---|---|---|
| all | - | B | Displays a list of the default values used by nslookup, including the DNS server. Typical output is shown after this table. |
| class= | class | B | Allows the class value to be set for all subsequent commands. |
| domain= | domain-name | B | Allows a base domain to be set for all subsequent searches (example after this table). The default domain is defined in /etc/resolv.conf for *nix systems and in network properties for Windows systems. Setting domain= will reset any previously defined srchlist. |
| [no]debug | - | I | Allows control over the debugging information: debug (short form deb) turns it on, nodebug (or nodeb) turns it off. The default is nodebug. |
| [no]d2 | - | I | Enables/disables voluminous debugging information: d2 turns it on, nod2 turns it off. Default is nod2. |
| [no]defname | - | I | Controls whether a domain name (from either domain or srchlist) is added to a target which does not end with a dot, i.e. is NOT a FQDN. See also search below for the full behaviour description. |
| [no]ignoretc | - | I | Controls whether packet truncation errors are ignored (ignoretc) or cause termination (noignoretc, the default). |
| [no]msxfer | - | W | Controls use of MS fast zone transfer: msxfer turns it on, nomsxfer (default) turns it off. |
| [no]recurse | - | B | Controls recursive behaviour: recurse (default) turns it on, norecurse turns it off. |
| [no]vc | - | I | Controls whether to use TCP (vc) or UDP (novc); the default is novc. |
| [no]search | - | I | Controls how the srchlist= value is used. search and defname are interrelated based on the following matrix for targets which are not FQDNs. |
| port= | port number | B | Changes the default port from the normal (53) to the port number specified. |
| type= | RR type | B | Sets the record type queried. When using type= with anything except A, the commands in the example after this table will only work on the domain root. ANY with a domain root name will return any DNS RR with a blank name (label) entry; these include NS and MX records, and thus it provides a quick way to get useful domain info. |
| retry= | number | B | Controls the number of retries that will be attempted. Default is 4. |
| root= | dns | B | Controls the DNS server used in the root command. Default is typically f.root-servers.net. (on *nix) and a.root-servers.net. on Windows. |
| srchlist= | dom1/dom2 | I | Allows setting of a search list (up to six names are allowed, separated by forward slashes). |

Typical output of set all:

```
Set options:
  nodebug         defname         search          recurse
  nod2            novc            noignoretc      port=53
  type=A          class=IN        timeout=2       retry=1
  root=A.ROOT-SERVERS.NET.
  domain=example.com
  MSxfr           [note: Windows only MS fast zone xfer]
  IXFRversion=1   [note: Windows only incremental zone xfer]
  srchlist=example.com

Default Server:  ns1.example.com
Address:  192.168.2.53
```

Example of set domain=:

```
# assume default domain = example.com
> set domain=example.org
> www
# returns results for www.example.org
# but will handle full format
> mail.example.org
# returns correct result for mail.example.org
```

Example of set type=:

```
# enter interactive mode
nslookup
> set type=MX
> www.example.com
# fails with 'domain non-existent'
> example.com
# provides correct answers
```
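As an added example (not part of this chapter and not nslookup's own code), the following Python models two things described above: how an address is turned into the in-addr.arpa owner name that the PTR lookup uses (extended here to ip6.arpa for IPv6, which the chapter does not cover), and how the domain=, srchlist=, defname and search settings decide which names are tried for a target that is not a FQDN. The defname/search matrix is not reproduced on this page, so the qualification rules below are an assumption: a trailing dot means the name is used exactly as typed, a target that already contains a dot is tried as typed before any suffix is appended, defname switches appending on or off, search chooses between the whole srchlist and just the domain, and domain= resets srchlist as the table states. The class name SearchSettings and its set() method are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address: octets reversed under
    in-addr.arpa for IPv4, hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


@dataclass
class SearchSettings:
    """Subset of nslookup 'set' state that decides how a short name is qualified
    (a model written for this example; rules are assumed, see the lead-in)."""
    domain: str = ""
    srchlist: List[str] = field(default_factory=list)
    defname: bool = True
    search: bool = True

    def set(self, directive: str) -> None:
        """Apply the text that follows 'set ' at the interactive prompt."""
        if directive.startswith("domain="):
            self.domain = directive[len("domain="):].rstrip(".")
            self.srchlist = [self.domain]          # domain= resets any earlier srchlist
        elif directive.startswith("srchlist="):
            names = [n.rstrip(".") for n in directive[len("srchlist="):].split("/") if n]
            if len(names) > 6:
                raise ValueError("srchlist= allows at most six names")
            self.srchlist = names
        elif directive in ("search", "nosearch"):
            self.search = directive == "search"
        elif directive in ("defname", "nodefname"):
            self.defname = directive == "defname"
        else:
            raise ValueError(f"directive not modelled here: {directive}")

    def candidates(self, target: str) -> List[str]:
        """Absolute names tried for target, in order."""
        if target.endswith("."):                   # FQDN: never qualified
            return [target]
        tried = []
        if "." in target:                          # dotted names are tried as typed first
            tried.append(target + ".")
        if self.defname:
            if self.search and self.srchlist:
                suffixes = self.srchlist
            elif self.domain:
                suffixes = [self.domain]
            else:
                suffixes = []
            tried += [f"{target}.{s}." for s in suffixes]
        return tried or [target + "."]


if __name__ == "__main__":
    print(reverse_name("192.168.2.80"))            # 80.2.168.192.in-addr.arpa.
    settings = SearchSettings()
    settings.set("domain=example.org")
    print(settings.candidates("www"), settings.candidates("mail.example.org"))
```

With domain=example.org in effect, www becomes www.example.org. and mail.example.org is tried as typed before mail.example.org.example.org., which is the behaviour the set domain= example above describes.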
```
# get mail records for a domain
nslookup -type=MX example.com
# list all the options being used and get host address
nslookup -all mail.example.com
# get SOA record using a specific DNS server
nslookup -type=SOA example.com 192.168.23.53
```
```
# enter interactive mode and list default options
nslookup -all
# list all records in the domain
> ls example.com
# list all text records in domain
> ls -t TXT example.com
# set the base domain to be used for subsequent commands
> set domain=example.org
# find host
> mail
# returns mail.example.org
# exit interactive mode
> exit
```
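The set options type=, class=, [no]recurse, port=, [no]vc and [no]ignoretc each correspond to a field or flag of the DNS message that nslookup sends or receives. The Python below is an added example, not code from this chapter or from BIND: it builds the query the way those options shape it (QTYPE and QCLASS from type= and class=, the RD header bit from recurse/norecurse, the two-byte length prefix that vc adds for TCP), and parses a reply into the Name/Address pairs the examples above display, refusing a reply with the TC bit set unless ignoretc is given. Both replies are constructed in the block for offline use; the type table, the fixed message id 0x1234 and the function names are this example's own, and nothing is sent on the network.

```python
import socket
import struct

# RR types and classes selectable with type= and class= (a subset assumed for this example).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
QCLASSES = {"IN": 1, "CH": 3, "HS": 4}

FLAG_RD = 0x0100  # recursion desired: set by 'recurse', cleared by 'norecurse'
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP datagram


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", qclass: str = "IN",
                recurse: bool = True, ident: int = 0x1234) -> bytes:
    """12-byte header (id, flags, one question) followed by the question section."""
    flags = FLAG_RD if recurse else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], QCLASSES[qclass])


def frame(message: bytes, vc: bool = False) -> bytes:
    """vc (TCP) prefixes each message with its 16-bit length; novc (UDP) sends it bare."""
    return struct.pack("!H", len(message)) + message if vc else message


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # two-byte pointer to an earlier name
            hops += 1
            if hops > 16:                          # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg: bytes, ignoretc: bool = False) -> dict:
    """Return id, rcode and the answer RRs as (name, type, ttl, value) tuples."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & FLAG_TC and not ignoretc:
        raise RuntimeError("truncated reply: set ignoretc to accept it or vc to retry over TCP")
    offset = 12
    for _ in range(qd):                            # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPES["A"]:
            value = socket.inet_ntoa(rdata)
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"], QTYPES["PTR"]):
            value, _ = decode_name(msg, offset)   # rdata may point back into the message
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": ident, "rcode": flags & 0x000F, "answers": answers}


# Constructed reply to build_query("www.example.com"): QR, RD and RA set, one A record.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c"                                # owner name = pointer to offset 12
                + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.168.2.80"))
# Constructed reply with the TC bit set and no answers, which noignoretc rejects.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180 | FLAG_TC, 1, 0, 0, 0) + SAMPLE_REPLY[12:33]


def nslookup_style(server: str, server_ip: str, parsed: dict) -> str:
    """Render answers the way the command-line examples above display them."""
    lines = [f"Server:   {server}", f"Address:  {server_ip}", ""]
    for name, _rtype, _ttl, value in parsed["answers"]:
        lines += [f"Name:     {name.rstrip('.')}", f"Address:  {value}"]
    return "\n".join(lines)


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(f"{len(frame(query, vc=True))} bytes on TCP, {len(frame(query))} bytes on UDP")
    print(nslookup_style("ns1.example.com", "192.168.2.53", parse_response(SAMPLE_REPLY)))
```

The port= option only changes the destination the framed bytes would be sent to; it leaves the message itself untouched, which is why it does not appear in the encoding above.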