DNS, Enumeration, Information Gathering, Reconnaissance

Retrieve MX records

nslookup is a command-line administrative tool for testing and troubleshooting DNS servers.

The syntax for noninteractive mode is:

nslookup [-option] [hostname] [server]

Commands:   (identifiers are shown in uppercase, [] means optional)

 NAME            – print info about the host/domain NAME using default server
 NAME1 NAME2     – as above, but use NAME2 as server
 help or ?       – print info on common commands
 set OPTION      – set an option

    all                 – print options, current server and host
    [no]debug           – print debugging information
    [no]d2              – print exhaustive debugging information
    [no]defname         – append domain name to each query
    [no]recurse         – ask for recursive answer to query
    [no]search          – use domain search list
    [no]vc              – always use a virtual circuit
    domain=NAME         – set default domain name to NAME
    srchlist=N1[/N2/…/N6] – set domain to N1 and search list to N1, N2,
                          and so on
    root=NAME           – set root server to NAME
    retry=X             – set number of retries to X
    timeout=X           – set initial time-out interval to X seconds
    type=X              – set query type (for example, A, ANY, CNAME, MX,
                          NS, PTR, SOA, SRV)
    querytype=X         – same as type
    class=X             – set query class (for example, IN (Internet), ANY)
    [no]msxfr           – use MS fast zone transfer
    ixfrver=X           – current version to use in IXFR transfer request

 server NAME     – set default server to NAME, using current default server
 lserver NAME    – set default server to NAME, using initial server
 finger [USER]   – finger the optional NAME at the current default host
 root            – set current default server to the root
 ls [opt] DOMAIN [> FILE] – list addresses in DOMAIN (optional: output to FILE)

    -a          –  list canonical names and aliases
    -d          –  list all records
    -t TYPE     –  list records of the given type (for example, A, CNAME,
                   MX, NS, PTR, and so on)

 view FILE       – sort an ‘ls’ output file and view it with pg
 exit            – exit the program

Query MX Records

nslookup -type=mx example.com
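
The MX answer is laid out differently by the Windows and BIND builds of nslookup, which matters when the output feeds a script. The following is an added example, not part of the original page: it normalises both layouts into sorted "preference host" lines and reports records missing from a baseline of your own domain's expected mail exchangers. The helper names parse_mx and mx_drift are hypothetical, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: normalise `nslookup -type=mx` output and diff it against a baseline.

# parse_mx (hypothetical helper): stdin = nslookup output,
# stdout = "preference host" lines, lowest preference first.
parse_mx() {
    awk '
    /mail exchanger = / {
        line = $0
        sub(/\r$/, "", line)                      # tolerate CRLF from Windows captures
        if (line ~ /MX preference = [0-9]+,/) {   # Windows nslookup layout
            pref = line
            sub(/.*MX preference = /, "", pref)
            sub(/,.*/, "", pref)
            host = line
            sub(/.*mail exchanger = /, "", host)
        } else {                                  # BIND nslookup layout
            rest = line
            sub(/.*mail exchanger = /, "", rest)
            split(rest, f, " ")
            pref = f[1]; host = f[2]
        }
        sub(/[ \t]+$/, "", host)
        sub(/\.$/, "", host)                      # drop the trailing root dot
        print pref, tolower(host)
    }' | sort -k1,1n -k2,2
}

# mx_drift (hypothetical helper): $1 = baseline file of expected
# "preference host" lines; prints observed records missing from the baseline.
mx_drift() {
    parse_mx | grep -F -x -v -f "$1" || :
}

# Constructed sample output, not captured from a real resolver.
sample_windows() {
    printf '%s\n' 'Server:  resolver.example.net' 'Address:  192.0.2.53' '' \
        'Non-authoritative answer:' \
        'example.com     MX preference = 20, mail exchanger = mail2.example.com' \
        'example.com     MX preference = 10, mail exchanger = mail1.example.com'
}
sample_bind() {
    printf '%s\n' 'Server:         192.0.2.53' 'Address:        192.0.2.53#53' '' \
        'Non-authoritative answer:' \
        'example.com     mail exchanger = 20 mail2.example.com.' \
        'example.com     mail exchanger = 10 MAIL1.example.com.'
}

# Live use: nslookup -type=mx example.com | parse_mx
sample_windows | parse_mx
```

An MX record that appears in mx_drift output but not in the baseline is worth checking against change records, since an unexpected mail exchanger can redirect inbound mail.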