Using the Linux host command to dig out DNS details
The host command on Linux systems can look up a variety of information available through the Domain Name System (DNS). It can find a host name if given an IP address or an IP address if given a host name plus a lot of other interesting details on systems and internet domains.
The first query below tells us that the system associated with the address 192.168.0.18 is named “dragonfly”. The second tells us that 192.168.0.1 is the default router.
$ host 192.168.0.18 18.0.168.192.in-addr.arpa domain name pointer dragonfly. $ host 192.168.0.1 1.0.168.192.in-addr.arpa domain name pointer router.
To do the reverse, you can use commands like these:
$ host dragonfly dragonfly has address 192.168.0.18 $ host router router has address 192.168.0.1
These commands were run on my home network, and they only show a small part of the information that the host command can retrieve.
Viewing the host command’s options
Any time you type “host” with no additional arguments, you will see the available command options with a brief explanation of each.
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time] [-R number] [-m flag] [-p port] hostname [server] -a is equivalent to -v -t ANY -A is like -a but omits RRSIG, NSEC, NSEC3 -c specifies query class for non-IN data -C compares SOA records on authoritative nameservers -d is equivalent to -v -l lists all hosts in a domain, using AXFR -m set memory debugging flag (trace|record|usage) -N changes the number of dots allowed before root lookup is done -p specifies the port on the server to query -r disables recursive processing -R specifies number of retries for UDP packets -s a SERVFAIL response should stop query -t specifies the query type -T enables TCP/IP mode -U enables UDP mode -v enables verbose output -V print version number and exit -w specifies to wait forever for a reply -W specifies how long to wait for a reply -4 use IPv4 query transport only -6 use IPv6 query transport only
For almost every option, you need to supply additional information—a host name, an IP address, a domain name, or maybe some additional data to describe what you are looking for. The only option that will NOT simply provide the list shown above when no argument is provided is the -V option which reports the version information for the command itself.
$ host -V host 9.16.24-RH
Now let’s look at some of the other useful information that the command can provide.
IP addresses
Some important details for a specific domain can be retrieved using just the domain name:
$ host networkworld.com networkworld.com has address 151.101.2.165 networkworld.com has address 151.101.66.165 networkworld.com has address 151.101.194.165 networkworld.com has address 151.101.130.165 networkworld.com mail is handled by 0 networkworld-com.mail.protection.outlook.com.
We can see that this domain employs multiple servers as is common among many commercial sites.
Verbose report
If you add the -v (verbose) option, you will see a lot of additional details. For networkworld.com, we would see 33 lines of output if the head command didn’t limit this to the top ten lines.
$ host -v comtech.com | wc -l 33 $ host -v networkworld.com | head -10 Trying “networkworld.com” ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2094 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;networkworld.com. IN A ;; ANSWER SECTION: networkworld.com. 300 IN A 151.101.66.165 networkworld.com. 300 IN A 151.101.2.165
You can, however, always pass the host command’s output to grep to pare it down to just what you want to see.
Mail exchange (MX)
To focus on the mail exchange (MX) records, you could use a command like this:
$ host -v comtech.com | grep MX ;comtech.com. IN MX comtech.com. 2189 IN MX 0 comtech-com.mail.protection.outlook.com.
Alternately, you can retrieve MX records using the host command’s -t (type) mx option:
$ host -t mx comtech.com comtech.com mail is handled by 0 comtech-com.mail.protection.outlook.com.
SOA records
To focus on SOA (start of authority) records, you can use a command like this one:
$ host -v comtech.com | grep SOA comtech.com. 342 IN SOA ns47.domaincontrol.com. dns.jomax.net. 2021092901 28800 7200 604800 600
Alternately, you can also use a command like this with the -t (type) SOA option:
$ host -t SOA networkworld.com networkworld.com has SOA record ns2.pcworld.com. webops.idgesg.net. 2022021100 1800 900 1209600 86400
CNAME
To see CNAME (canonical name) records, you can use a command like this one that tells you that mail.google.com is an alias for Google’s mail server:
$ host -t cname mail.google.com mail.google.com is an alias for googlemail.l.google.com.
Name server
In the command below, we are just looking for name servers using the ns type with the host command:
$ host -t ns networkworld.com networkworld.com name server ns-a.pnap.net. networkworld.com name server ns-c.pnap.net. networkworld.com name server ns3.pcworld.com. networkworld.com name server ns-d.pnap.net. networkworld.com name server ns-b.pnap.net. networkworld.com name server ns2.pcworld.com.
Wrap-Up
The host command has so many options that it may take a while to get used to them and decide which are the most useful. They can be very handy depending on what you are looking for from the vast DNS knowledge bank.
Copyright © 2022 IDG Communications, Inc.