The Windows nslookup DNS tool can display both the time-to-live (TTL) of a cached DNS lookup and the server DNS record. However, it’s not necessarily clear how to acheive the latter.
Viewing DNS cache entry TTL
The -debug
option instructs nslookup to display detailed results, including the TTL. By default this is the amount of time (in seconds) a cached DNS lookup result can be used before a new lookup is required. Run this command over and over to see the TTL going down until it hits zero, and then it’ll restart for the refreshed result.
C:\>nslookup -type=A -debug www.google.com
------------
Server: dns.google
Address: 8.8.8.8
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
www.google.com, type = A, class = IN
ANSWERS:
-> www.google.com
internet address = 216.58.205.36
ttl = 192 (3 mins 12 secs)
------------
Name: www.google.com
Address: 216.58.205.36
It’s the ttl = 192 (3 mins 12 secs)
entry that’s important – 192 seconds before the record needs to be refreshed.
Viewing DNS record TTL
To view the TTL assigned to the record on the DNS server you need to find and use the authoritative DNS server for the record you are inspecting. This is found in the Statement Of Authority (SOA) record:
C:\>nslookup -type=soa www.google.com
Server: dns.google
Address: 8.8.8.8
google.com
primary name server = ns1.google.com
responsible mail addr = dns-admin.google.com
serial = 330255015
refresh = 900 (15 mins)
retry = 900 (15 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
The primary name server
entry here is the name of the server that can tell us the original TTL, and we append this to the nslookup
command.
C:\>nslookup -type=A -debug www.google.com ns1.google.com
------------
Server: ns1.google.com
Address: 216.239.32.10
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
www.google.com, type = A, class = IN
ANSWERS:
-> www.google.com
internet address = 216.58.210.228
ttl = 300 (5 mins)
Here it’s the ttl = 300 (5 mins)
line that’s important – the server record tells us that this record should be cached for a maximum of 300 seconds. The fact that nslookup
displays the server TTL rather than the cached record TTL is triggered (silently) by the fact that this query was sent to the primary nameserver.