nslookup is a badly flawed tool. Don't use it.

You've come to this page because you've used nslookup.

This is the Frequently Given Answer to such usage.

(You can find a different approach to this answer on Will Yardley's nslookup flaws page.)

You are using nslookup. Don't.

nslookup is badly designed. It's a very poor tool for several reasons. It has been widely acknowledged for several years that it is a bad tool. Even the company that writes BIND states that nslookup is deprecated and may be removed from future releases of BIND. (Even though your particular operating system vendor may have packaged it separately, nslookup is in fact a diagnostic tool that is a part of the BIND package.)

Stop using nslookup right now. Start using better, less flawed, tools instead. Almost every DNS server software package comes bundled with tools to manually query the DNS for diagnostic purposes. Use the tools that came with the package that you have.

Even BIND itself comes with better tools. The company that writes BIND has in fact rewritten nslookup for BIND version 9.x . It no longer contains one of the daft design flaws. But it also no longer contains some of the functionality of the original tool, and prints a prominent warning message every time that it is invoked stating a BIND-centric version of what this page recommends — i.e. that one should stop using nslookup in favour of host and dig.

The flaws in nslookup

Here are several of the more major flaws in nslookup.

nslookup performs hidden queries and prints a daft error message.

This daft design flaw in nslookup is threefold:

nslookup uses its own internal DNS client.

nslookup doesn't use the system-wide DNS client libraries that everything else uses for name and address lookups (usually the BIND DNS client library). It has its own internal DNS client, allowing it to explicitly control things such as the search path, target server, recursion desired flag, and so forth. However, several of the aspects of nslookup's internal DNS client are different to the system-wide DNS client libraries:

nslookup doesn't show the actual response.

By default, nslookup prints its interpretation of the responses that it receives, rather than the raw response. This interpretation is often misleading. For example: nslookup interprets a partial answer ending in a referral as "no answer".

Even with all of its debugging options turned on, nslookup doesn't display all of the content of the responses that it receives.

nslookup is sometimes modified by the reseller to do non-DNS things.

BIND and its tools, including nslookup, are often bundled with the operating system by the vendor. Several vendors supply versions of BIND and its tools that the vendor has made modifications to. These vendors supply their own modified versions of nslookup that "for convenience" bypass the DNS and use extraneous sources of information such as /etc/hosts and NIS.

Such modifications make nslookup unsuitable as a tool for DNS problem diagnosis, since one cannot determine whether a problem that (such a modified version of) nslookup reports is a DNS problem or a problem with performing lookups using one of the other sources of information.


© Copyright 2001–2004 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.