Using the Linux host command to extract DNS details


The host command on Linux systems can look up a variety of information available through the Domain Name System (DNS). It can find a hostname if given an IP address, or an IP address if given a hostname, along with many other interesting details about Internet systems and domains.

The first request below tells us that the system associated with the address 192.168.0.18 is called “dragonfly”. The second tells us that 192.168.0.1 is the default router.

$ host 192.168.0.18
18.0.168.192.in-addr.arpa domain name pointer dragonfly.
$ host 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer router.

To do the opposite, you can use commands like these:

$ host dragonfly
dragonfly has address 192.168.0.18
$ host router
router has address 192.168.0.1

These commands were run on my home network, and they show only a small portion of the information that the host command can retrieve.
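
Combining the two lookups above gives a forward-confirmed reverse DNS check: the name returned for an address is only trusted if it resolves back to the same address. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample output is constructed from the home-network lookups shown above so the script runs without a resolver.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS built on host output.
# Function names are hypothetical helpers, not part of the host command.

# Extract the PTR target from `host <ip>` output (trailing dot removed).
ptr_name() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Extract every address from `host <name>` output, one per line.
a_addrs() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF }'
}

# fcrdns_verdict IP REVERSE_OUTPUT FORWARD_OUTPUT
# Prints "confirmed", "mismatch" or "no-ptr".
fcrdns_verdict() {
    name=$(ptr_name "$2")
    [ -n "$name" ] || { echo "no-ptr"; return 0; }
    if a_addrs "$3" | grep -qxF "$1"; then
        echo "confirmed"
    else
        echo "mismatch"
    fi
}

# Live wrapper: runs both lookups with host (needs a working resolver).
fcrdns_check() {
    rev=$(host "$1" 2>/dev/null)
    name=$(ptr_name "$rev")
    fwd=""
    if [ -n "$name" ]; then
        fwd=$(host "$name" 2>/dev/null)
    fi
    fcrdns_verdict "$1" "$rev" "$fwd"
}

# Constructed sample output, taken from the lookups shown above.
REV_SAMPLE='18.0.168.192.in-addr.arpa domain name pointer dragonfly.'
FWD_SAMPLE='dragonfly has address 192.168.0.18'

fcrdns_verdict 192.168.0.18 "$REV_SAMPLE" "$FWD_SAMPLE"
```

A "mismatch" result means the PTR record and the forward record disagree, which is worth noting whenever hostnames taken from reverse lookups end up in logs or access rules.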

Viewing Host Command Options

Whenever you type “host” with no additional arguments, you will see the command options available with a brief explanation of each.

Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] [-p port] hostname [server]
       -a is equivalent to -v -t ANY
       -A is like -a but omits RRSIG, NSEC, NSEC3
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -p specifies the port on the server to query
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -U enables UDP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only

For almost all options, you need to provide some additional information: a hostname, IP address, domain name, or maybe some additional data to describe what you’re looking for. The only option that will NOT simply supply the above list when no arguments are supplied is the -V option that reports version information for the command itself.

$ host -V
host 9.16.24-RH

Now let’s look at some of the other useful information the command can provide.

IP addresses

Some important details for a specific domain can be retrieved using only the domain name:

$ host networkworld.com
networkworld.com has address 151.101.2.165
networkworld.com has address 151.101.66.165
networkworld.com has address 151.101.194.165
networkworld.com has address 151.101.130.165
networkworld.com mail is handled by 0 networkworld-com.mail.protection.outlook.com.

We can see that this domain uses multiple servers, as is often the case with many commercial sites.

Detailed report

If you add the -v (verbose) option, you’ll see a lot of extra detail. For networkworld.com, we would see 33 lines of output if the head command did not limit it to the first ten lines.

$ host -v comtech.com | wc -l
33
$ host -v networkworld.com | head -10
Trying "networkworld.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2094
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;networkworld.com.              IN      A

;; ANSWER SECTION:
networkworld.com.       300     IN      A       151.101.66.165
networkworld.com.       300     IN      A       151.101.2.165

However, you can still pass the host command output to grep to narrow it down to what you want to see.

Mail exchange (MX)

To focus on the mail exchange (MX) records, you can use a command like this:

$ host -v comtech.com | grep MX
;comtech.com.                   IN      MX
comtech.com.            2189    IN      MX      0 comtech-com.mail.protection.outlook.com.

Alternatively, you can retrieve MX records using the host command’s -t (type) option with MX:

$ host -t mx comtech.com
comtech.com mail is handled by 0 comtech-com.mail.protection.outlook.com.

SOA Records

To focus on the SOA (start of authority) record, you can use a command like this:

$ host -v comtech.com | grep SOA
comtech.com.            342     IN      SOA     ns47.domaincontrol.com. dns.jomax.net. 2021092901 28800 7200 604800 600

Alternatively, you can also use a command like this with the -t (type) SOA option:

$ host -t SOA networkworld.com
networkworld.com has SOA record ns2.pcworld.com. webops.idgesg.net. 2022021100 1800 900 1209600 86400
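
The seven values at the end of an SOA record are, in order, the primary name server, the contact mailbox (written with a dot in place of the @), the zone serial number, and the refresh, retry, expire and minimum (negative-cache TTL) timers in seconds. The script below is an added example, not part of the original article, that labels those fields for both output forms shown above; the helper names are hypothetical, and contact mailboxes with an escaped dot in the local part are not handled.

```shell
#!/bin/sh
# Added example: label the SOA fields in both host output forms shown above.
# soa_fields, soa_field and serial_date are hypothetical helper names.

# Print key=value lines for any SOA record found in the given host output.
soa_fields() {
    printf '%s\n' "$1" | awk '
    {
        found = 0
        for (i = 1; i <= NF; i++) if ($i == "SOA") found = 1
        if (!found || NF < 8) next   # skips the ";name IN SOA" question line
        # The last seven fields are MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
        mname = $(NF-6); rname = $(NF-5)
        sub(/\.$/, "", mname); sub(/\.$/, "", rname)
        sub(/\./, "@", rname)        # first dot ends the mailbox local part
        printf "primary=%s\ncontact=%s\nserial=%s\n", mname, rname, $(NF-4)
        printf "refresh=%s\nretry=%s\nexpire=%s\nminimum=%s\n", $(NF-3), $(NF-2), $(NF-1), $NF
    }'
}

# Return one named field, e.g. soa_field "$line" serial
soa_field() {
    soa_fields "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Decode a serial that follows the common YYYYMMDDnn convention.
serial_date() {
    case "$1" in
        [12][0-9][0-9][0-9][01][0-9][0-3][0-9][0-9][0-9])
            printf '%s\n' "$1" | awk '{ printf "%s-%s-%s rev %s\n",
                substr($0,1,4), substr($0,5,2), substr($0,7,2), substr($0,9,2) }' ;;
        *) echo "not date-based" ;;
    esac
}

# Sample lines copied from the article output above (whitespace collapsed).
SOA_V='comtech.com. 342 IN SOA ns47.domaincontrol.com. dns.jomax.net. 2021092901 28800 7200 604800 600'
SOA_T='networkworld.com has SOA record ns2.pcworld.com. webops.idgesg.net. 2022021100 1800 900 1209600 86400'

soa_fields "$SOA_V"
soa_fields "$SOA_T"
serial_date "$(soa_field "$SOA_T" serial)"
```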

CNAME

To look up a CNAME (canonical name) record, you can use a command like this, which tells you that mail.google.com is an alias for Google’s mail server:

$ host -t cname mail.google.com
mail.google.com is an alias for googlemail.l.google.com.

Name servers

In the command below, we are simply looking for name servers using the ns type with the host command:

$ host -t ns networkworld.com
networkworld.com name server ns-a.pnap.net.
networkworld.com name server ns-c.pnap.net.
networkworld.com name server ns3.pcworld.com.
networkworld.com name server ns-d.pnap.net.
networkworld.com name server ns-b.pnap.net.
networkworld.com name server ns2.pcworld.com.

Wrap-up

The host command has so many options that it may take some time to get used to them and decide which are the most useful. They can be very handy depending on what you are looking for in the vast DNS knowledge bank.


Copyright © 2022 IDG Communications, Inc.
