The host command is a simple command-line utility for performing DNS enumeration.
In security research and ethical hacking, DNS enumeration is the first phase of information gathering about a target. It is the process of querying a domain's name servers for all the DNS records they hold, such as name server details, IP addresses, mail exchanger details, TTLs, and more.
Attackers may use this enumerated DNS information to learn about a target's internal network.
There are numerous DNS recon and online enumeration tools available on the internet. However, DNS enumeration can be accomplished easily with a single command-line utility: host.
In this article, we’ll look at some useful host Command Examples for Querying DNS Details.
Let’s get started!
Installation
The host command may not be available by default on a newly installed machine, so you may have to install it manually. The installation is straightforward.
All the DNS-related commands, nslookup, dig and host, ship together in the BIND utilities package (named bind-utils on Red Hat-based systems and dnsutils on Debian and Ubuntu). To install it on a Debian-based system, type the following command in the terminal.
sudo apt-get install dnsutils -y
The host command works on both macOS and Linux.
Usage
General syntax: Running host with no arguments prints the command's overall syntax, the options it accepts, and a brief description of each.
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] [-p port] hostname [server]
-a is equivalent to -v -t ANY
-A is like -a but omits RRSIG, NSEC, NSEC3
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-p specifies the port on the server to query
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-U enables UDP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
To find the domain IP address
To find the IP address of a particular domain, simply pass the target domain name as an argument after the host command.
host target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host geekflare.com
geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
For a comprehensive lookup in verbose mode, use the -a or -v option.
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -a geekflare.com
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24690
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;geekflare.com. IN ANY
;; ANSWER SECTION:
geekflare.com. 3789 IN HINFO "RFC8482" ""
geekflare.com. 3789 IN RRSIG HINFO 13 2 3789 20220307065004 20220305045004 34505 geekflare.com. HW0Lfr5HazPMaACSBHmFqs94usKUljX+kONW/8Q2jwQ1QoAO9DEMjwDX rIQKODGtGnEizj2SzBF98mC2uQr7hQ==
Received 161 bytes from 192.168.1.1#53 in 64 ms
The -a option is used to find all domain records and zone information in one query, and the last line also shows the local DNS server (here 192.168.1.1) that answered the lookup. Note the answer in the output above: instead of a list of records, the server returned an HINFO record reading "RFC8482". That is the RFC 8482 way for a nameserver to decline ANY queries, so -a cannot be relied on to return every record; query each type explicitly with -t, as in the sections below.
To perform Reverse Lookup
This command performs a reverse lookup: given an IP address, it returns the hostname (PTR record) that the address maps to. The syntax is as follows:
host target-ip-address
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host dnsleaktest.com
dnsleaktest.com has address 23.239.16.110
┌──(geekflare㉿kali)-[~]
└─$ host 23.239.16.110
110.16.239.23.in-addr.arpa domain name pointer li685-110.members.linode.com.
If you paste the pointer name (li685-110.members.linode.com) into a web browser, you will be redirected to the website.
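The reverse lookup above trusts whatever PTR record the address owner publishes. As an added example (not part of the original article), the Python below builds the in-addr.arpa / ip6.arpa name that host queries and performs a forward-confirmed reverse DNS check against constructed lookup tables; FORWARD and REVERSE stand in for live DNS answers, and the 203.0.113.x / 198.51.100.x cases are made-up documentation addresses.

```python
import ipaddress

# Constructed lookup tables standing in for live DNS answers: the forward and
# reverse results shown in this article, plus two made-up cases for the failure
# modes (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
FORWARD = {  # name -> addresses an A/AAAA query would return
    "li685-110.members.linode.com.": {"23.239.16.110"},
    "dnsleaktest.com.": {"23.239.16.110"},
    "mail.example.test.": {"203.0.113.7"},
}
REVERSE = {  # reverse name -> PTR target
    "110.16.239.23.in-addr.arpa": "li685-110.members.linode.com.",
    "5.113.0.203.in-addr.arpa": "mail.example.test.",
}


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa name that host queries for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, ptr_lookup=REVERSE.get, a_lookup=lambda n: FORWARD.get(n, set())):
    """Forward-confirmed reverse DNS: a PTR answer is only trusted if the name it
    returns resolves back to the original address, because the reverse zone is
    controlled by whoever holds the address block, not by the domain owner.
    Returns (status, ptr_name) with status in {'confirmed', 'mismatch', 'no-ptr'}."""
    ptr = ptr_lookup(reverse_name(ip))
    if ptr is None:
        return "no-ptr", None
    if str(ipaddress.ip_address(ip)) in a_lookup(ptr):
        return "confirmed", ptr
    return "mismatch", ptr


if __name__ == "__main__":
    for addr in ("23.239.16.110", "203.0.113.5", "198.51.100.1"):
        print(addr, reverse_name(addr), *fcrdns(addr))
```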
To find Domain Name servers
Use the -t option to specify the query type. Here I pass -t ns to find the name servers of a specific domain; the NS records list the zone's authoritative nameservers.
host -t ns target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -t ns geekflare.com
geekflare.com name server olga.ns.cloudflare.com.
geekflare.com name server todd.ns.cloudflare.com.
To query a specific domain nameserver
By default, host sends its queries to the resolver configured on your system. To send the query directly to a specific authoritative name server, add that server as a second argument:
host target-domain [name-server]
Sample Output:
┌──(root💀kali)-[/home/geekflare]
└─# host geekflare.com olga.ns.cloudflare.com.
Using domain server:
Name: olga.ns.cloudflare.com.
Address: 173.245.58.137#53
Aliases:
geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
To find domain MX records
To get a list of a domain's MX (mail exchanger) records, use -t mx.
host -t MX target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -t mx geekflare.com
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
MX records tell sending mail servers where to deliver email for the domain. The number before each hostname is the preference value; servers with lower values are tried first.
To find domain TXT records
To list a domain's TXT records (free-form text, used in practice for things like site verification tokens and the SPF mail policy seen below), use -t txt.
host -t txt target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -t txt geekflare.com
geekflare.com descriptive text "google-site-verification=MRSwa454qay1S6pwwixzoiZl08kfJfkhiQIslhok3-A"
geekflare.com descriptive text "google-site-verification=7QXbgb492Y5NVyWzSAgAScfUV3XIAGTKKZfdpCvcaGM"
geekflare.com descriptive text "yandex-verification: 42f25bad396e79f5"
geekflare.com descriptive text "v=spf1 include:_spf.google.com include:mailgun.org include:zcsend.net ~all"
geekflare.com descriptive text "ahrefs-site-verification_8eefbd2fe43a8728b6fd14a393e2aff77b671e41615d2c1c6fc365ec33a4d6d0"
geekflare.com descriptive text "ca3-7fbfaa573ba248ddb17a618e5b46ca01"
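The most security-relevant TXT record above is the SPF policy. As an added example (not part of the original article), the Python below picks the SPF record out of a domain's TXT answers and reports the checks a defender usually wants: the RFC 7208 limit of 10 DNS-querying terms, the qualifier on the final all mechanism, and duplicate records. TXT_RECORDS is constructed from the output shown above.

```python
# Constructed sample: the TXT answers host returned for geekflare.com in this article.
TXT_RECORDS = [
    "google-site-verification=MRSwa454qay1S6pwwixzoiZl08kfJfkhiQIslhok3-A",
    "yandex-verification: 42f25bad396e79f5",
    "v=spf1 include:_spf.google.com include:mailgun.org include:zcsend.net ~all",
    "ca3-7fbfaa573ba248ddb17a618e5b46ca01",
]

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def analyse_spf(txt_records):
    """Pick the SPF record out of a domain's TXT answers and report what a
    defender cares about: lookup budget, the 'all' qualifier, duplicate records."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return {"spf": None, "lookups": 0, "all": None, "findings": ["no SPF record published"]}
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as permerror")
    lookups, all_qualifier = 0, None
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is everything before ':', '=' or '/' (include:x, redirect=x, a/24)
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    if all_qualifier in (None, "+", "?"):
        findings.append("no fail for unlisted senders: record does not restrict spoofing")
    elif all_qualifier == "~":
        findings.append("softfail (~all): spoofed mail is flagged rather than rejected")
    return {"spf": spf[0], "lookups": lookups, "all": all_qualifier, "findings": findings}
```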
To find domain SOA record
To get a domain's SOA (start of authority) record:
host -t soa target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -t soa geekflare.com
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
Use the command below to compare the SOA records from all authoritative nameservers for a particular zone ( the specific portion of the DNS namespace ).
host -C target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -C geekflare.com
Nameserver 173.245.58.137:
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
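The point of host -C is to spot nameservers that disagree about the zone. As an added example (not part of the original article), the Python below parses output in the format host -C prints and reports which servers lag behind the newest serial using RFC 1982 serial arithmetic. HOST_C_OUTPUT is constructed: the real answer shown above plus a made-up second server (203.0.113.53, a documentation address) serving an older serial.

```python
import re

# Constructed sample in the format `host -C` prints: the real answer shown in this
# article, plus a made-up second nameserver (documentation range 203.0.113.0/24)
# that is still serving an older copy of the zone.
HOST_C_OUTPUT = """\
Nameserver 173.245.58.137:
\tgeekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
Nameserver 203.0.113.53:
\tgeekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966688 10000 2400 604800 3600
"""

SOA_LINE = re.compile(
    r"^(?P<zone>\S+) has SOA record (?P<mname>\S+) (?P<rname>\S+) (?P<serial>\d+) "
    r"(?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$")


def parse_soa_comparison(text):
    """Map each 'Nameserver X:' block of host -C output to its parsed SOA fields."""
    result, server = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nameserver ") and line.endswith(":"):
            server = line[len("Nameserver "):-1]
        elif server and (m := SOA_LINE.match(line)):
            soa = m.groupdict()
            for key in ("serial", "refresh", "retry", "expire", "minimum"):
                soa[key] = int(soa[key])
            result[server] = soa
    return result


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b (handles wrap)."""
    return 0 < (a - b) % 2**32 < 2**31


def check_zone_consistency(text):
    """Report which nameservers lag behind the newest serial and whether the other
    SOA fields agree; a disagreement points at stale replication or an unexpected
    server answering for the zone."""
    soas = parse_soa_comparison(text)
    newest = None
    for soa in soas.values():
        if newest is None or serial_newer(soa["serial"], newest):
            newest = soa["serial"]
    lagging = sorted(ns for ns, soa in soas.items() if soa["serial"] != newest)
    fields = {(s["mname"], s["rname"], s["refresh"], s["retry"], s["expire"], s["minimum"])
              for s in soas.values()}
    return {"servers": len(soas), "newest_serial": newest, "lagging": lagging,
            "fields_agree": len(fields) == 1}
```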
To find domain CNAME records
CNAME stands for canonical name record. This DNS record makes one domain name an alias for another: a query for the alias is answered with the canonical name it points to, and resolution continues from there.
To find out a domain's CNAME records, use the below command.
host -t cname target-domain
Sample Output:
┌──(geekflare㉿kali)-[~]
└─$ host -t cname geekflare.com
geekflare.com has no CNAME record
If the target domain name has any CNAME records, they will be displayed after running the command.
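Every section above shows host's human-readable answer lines. As an added example (not part of the original article), the Python below parses those phrasings into structured records so the results of several queries can be compared or fed into other tooling; SAMPLE is constructed from this article's outputs plus one CNAME line in the wording host uses when an alias exists.

```python
import re
from collections import defaultdict

# Constructed sample in the wording host prints, taken from this article's outputs
# (A, AAAA, MX, NS, TXT, SOA) plus a CNAME line in the phrasing host uses for an alias.
SAMPLE = """\
geekflare.com has address 104.27.118.115
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com name server olga.ns.cloudflare.com.
geekflare.com descriptive text "v=spf1 include:_spf.google.com ~all"
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
geekflare.com has no CNAME record
www.example.test is an alias for example.test.
"""

# One pattern per phrase; the named groups become the fields of each record.
PATTERNS = {
    "A": re.compile(r"^(?P<name>\S+) has address (?P<target>\S+)$"),
    "AAAA": re.compile(r"^(?P<name>\S+) has IPv6 address (?P<target>\S+)$"),
    "MX": re.compile(r"^(?P<name>\S+) mail is handled by (?P<pref>\d+) (?P<target>\S+)$"),
    "NS": re.compile(r"^(?P<name>\S+) name server (?P<target>\S+)$"),
    "PTR": re.compile(r"^(?P<name>\S+) domain name pointer (?P<target>\S+)$"),
    "TXT": re.compile(r'^(?P<name>\S+) descriptive text "(?P<target>.*)"$'),
    "CNAME": re.compile(r"^(?P<name>\S+) is an alias for (?P<target>\S+)$"),
    "SOA": re.compile(r"^(?P<name>\S+) has SOA record (?P<mname>\S+) (?P<rname>\S+) (?P<serial>\d+) "
                      r"(?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$"),
}
NUMERIC = ("pref", "serial", "refresh", "retry", "expire", "minimum")


def parse_host_output(text):
    """Group host answer lines by type; 'has no X record' lines are skipped, unknown lines go to 'unparsed'."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or " has no " in line:
            continue
        for rrtype, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                fields = match.groupdict()
                records[rrtype].append({k: int(v) if k in NUMERIC else v for k, v in fields.items()})
                break
        else:
            records["unparsed"].append(line)
    return dict(records)


def mx_by_preference(records):
    """Return MX targets in delivery order (lowest preference value first)."""
    return [r["target"] for r in sorted(records.get("MX", []), key=lambda r: r["pref"])]
```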
To find domain TTL information
TTL stands for Time To Live. It is a field on every DNS record, set by the zone's authoritative nameserver.
In simple words, TTL is how long, in seconds, a resolver may cache a record before it must fetch it again. Use the below command to see the TTL of a domain name; in the verbose output it is the number that follows the record name (30 seconds in the example below).
host -v -t a target-domain
Sample Output:
┌──(root💀kali)-[/home/geekflare]
└─# host -v -t a geekflare.com
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;geekflare.com. IN A
;; ANSWER SECTION:
geekflare.com. 30 IN A 104.27.119.115
geekflare.com. 30 IN A 104.27.118.115
Received 63 bytes from 192.168.1.1#53 in 60 ms
Conclusion
I hope you found this article helpful in learning some useful host Command Examples for Querying DNS Details.
You may also be interested in learning about free online tools to check DNS records of a domain name.