Viewing DNS record TTL with nslookup on Windows

The Windows nslookup DNS tool can display both the time-to-live (TTL) of a cached DNS lookup and the TTL of the DNS record on the server. However, it’s not necessarily clear how to achieve the latter.

Viewing DNS cache entry TTL

The -debug option instructs nslookup to display detailed results, including the TTL. By default this is the amount of time (in seconds) that a cached DNS lookup result can still be used before a new lookup is required. Run this command repeatedly to see the TTL count down until it hits zero, at which point it restarts for the refreshed result.

C:\>nslookup -type=A -debug www.google.com
------------
Server:  dns.google
Address:  8.8.8.8
------------
Got answer:
    HEADER:
	opcode = QUERY, id = 6, rcode = NOERROR
	header flags:  response, want recursion, recursion avail.
	questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
	www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
	internet address = 216.58.205.36
	ttl = 192 (3 mins 12 secs)

------------
Name:    www.google.com
Address:  216.58.205.36

It’s the ttl = 192 (3 mins 12 secs) entry that’s important – 192 seconds before the record needs to be refreshed.

Viewing DNS record TTL

To view the TTL assigned to the record on the DNS server, you need to find and use the authoritative DNS server for the record you are inspecting. This is found in the Start of Authority (SOA) record:

C:\>nslookup -type=soa www.google.com
Server:  dns.google
Address:  8.8.8.8

google.com
        primary name server = ns1.google.com
        responsible mail addr = dns-admin.google.com
        serial  = 330255015
        refresh = 900 (15 mins)
        retry   = 900 (15 mins)
        expire  = 1800 (30 mins)
        default TTL = 60 (1 min)

The primary name server entry here is the name of the server that can tell us the original TTL, and we append this to the nslookup command.

C:\>nslookup -type=A -debug www.google.com ns1.google.com
------------
Server:  ns1.google.com
Address:  216.239.32.10
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 216.58.210.228
        ttl = 300 (5 mins)

Here it’s the ttl = 300 (5 mins) line that’s important – the server record tells us that this record should be cached for a maximum of 300 seconds. nslookup does not say explicitly that this is the server TTL rather than the cached record TTL; it shows the server TTL simply because this query was sent to the primary name server. The only hint is the auth. answer flag in the header flags line, which is absent from the cached lookup above.
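
As an added example (not part of the original article), the Python script below parses nslookup -debug output and uses the auth. answer header flag to label each TTL as the record's configured TTL or the time left in a resolver cache. The sample text is trimmed from the two outputs shown above; the function names parse_debug and describe are hypothetical.

```python
import re

# Trimmed copies of the two "nslookup -debug" outputs shown on this page.
CACHED = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
    ANSWERS:
    ->  www.google.com
        internet address = 216.58.205.36
        ttl = 192 (3 mins 12 secs)
"""
AUTHORITATIVE = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer, want recursion
    ANSWERS:
    ->  www.google.com
        internet address = 216.58.210.228
        ttl = 300 (5 mins)
"""

def parse_debug(text):
    """Return [(name, address, ttl_seconds, authoritative), ...] for ANSWERS records."""
    records, auth, name, addr, in_answers = [], False, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("header flags:"):
            auth = "auth. answer" in line          # set only by an authoritative server
        elif line.endswith(":") and line.isupper():  # HEADER:, QUESTIONS:, ANSWERS:, ...
            in_answers = line == "ANSWERS:"
        elif in_answers and line.startswith("->"):
            name, addr = line[2:].strip(), None
        elif in_answers and line.startswith("internet address ="):
            addr = line.split("=", 1)[1].strip()
        elif in_answers and (m := re.match(r"ttl = (\d+)", line)):
            records.append((name, addr, int(m.group(1)), auth))
    return records

def describe(text):
    """Label each TTL by whether the answering server was authoritative."""
    return [f"{n} {a}: {t}s ({'configured record TTL' if auth else 'remaining cache TTL'})"
            for n, a, t, auth in parse_debug(text)]

if __name__ == "__main__":
    for sample in (CACHED, AUTHORITATIVE):
        print("\n".join(describe(sample)))
```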