Updated about 16 hours ago | GitHub

Domain Name System

The Domain Name System (DNS) is a set of servers which acts as an Internet phone book. They contain a directory of domain names and can translate a domain name into an IP address. People prefer to use easy-to-remember domain names, while computers rely exclusively on IP addresses for communication.

When a domain name is registered, DNS info is provided to the registrar to specify a DNS server which will be the domain’s authority on translating domains (and subdomains) into IP addresses.

When a user types “great-site.com” into their browser, their browser sends a request to the DNS server with the domain name. The DNS server looks up the domain, and returns the IP address to the browser. Then the browser sends an HTTP request to the server at that IP address.


DNS Tools

There are several useful tools for working with domains and DNS. These tools are handy for system administrators but are also used by attackers for Footprinting.

whois

whois is a tool for looking up a domain’s registration information (registered owner, registrar, name servers, and dates). This can be done online or from the command line — for example, whois ebay.com queries the appropriate registry or registrar server for that domain’s record.

WHOIS is being phased out for generic top-level domains (.com, .net, .org, etc.). On January 28, 2025 ICANN removed the contractual obligation for most gTLD registry operators and all gTLD registrars to provide a whois service, and the Registration Data Access Protocol (RDAP) — an HTTPS/JSON successor with structured records and access controls — is now the standard for gTLDs. Many whois servers still respond during the transition, but for gTLDs the authoritative modern lookup is RDAP. Country-code TLDs (ccTLDs) largely still use WHOIS.

nslookup and dig

nslookup and dig are both command-line tools for querying DNS servers. The difference between them is in the format and details of the information they return and which DNS settings they use (dig uses the computer’s DNS settings, nslookup uses its own).

  • By domain name: nslookup ebay.com

  • By IP address (reverse lookup): nslookup 66.211.160.86

  • By domain name: dig ebay.com

  • By IP address (reverse lookup): dig -x 66.211.160.86 — the -x flag is required so that dig rewrites the IP into the in-addr.arpa PTR query format. Without it, dig treats the argument as a domain name and the lookup will return nothing useful.