Getting DNS record types by the host command

The Linux Host Command

This tutorial is about DNS tips and tricks.

By Fahad Usman

DNS, or Domain Name Servers, help you translate URLs to their IP addresses. For humans, it is easy to remember as compared to which is the IP address of
So this means that when you type in your Internet Browser such as IE, Chrome or Firefox the ISP looks up the DNS server to find the IP address and redirects you to the correct address of

host is a command-line Linux utility for performing DNS lookups. It can be used to convert names to IP addresses and vice versa. You can get its command-line arguments by typing host in the terminal.



You can specify the domain name that you want to pull information from. You can also specify an IPv4 address or an IPv6 address (colon-delimited), in which case host performs a reverse lookup for that IP address.

The server is an optional argument that is either the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.

Here is the normal syntax:

Find Nameserver: A nameserver maintains a directory of domain names that match certain IP addresses. In other words, it’s where the DNS server records for your domain are stored, allowing you to decide which hosting provider controls your webspace and email.
host -t ns name server name server

Here -t specifies the type of record; ns means nameserver, and it is followed by the domain name. So I asked for nameservers for my website and it returned that.

Find IPv4 address: if you want to look up an IP address, you can use:

host -t a has address has address

Find IPv6 address of a host:

The AAAA record, also known as the “IPv6 address record”, maps a hostname to a 128-bit IPv6 address in the Domain Name System (DNS).
host -t aaaa has IPv6 address 2a00:1450:4009:805::2003

Mail Server:

Find MX records: an MX record specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain, and a preference value used to prioritize mail delivery if multiple mail servers are available.
host -t mx mail is handled by 5 mail is handled by 5

Find SOA (Start of Authority) records: Every domain must have a Start of Authority record at the cutover point where the domain is delegated from its parent domain. For example if the domain is delegated to DNSimple name servers, we must include an SOA record for the name in our authoritative DNS records. We add this record automatically for every domain that is added to DNSimple.
host -t soa has SOA record 2005139024 28800 3600 604800 3600

The SOA record includes the following details:

  • The primary name server for the domain, which is or the first name server in the vanity name server list for vanity name servers.
  • The responsible party for the domain, which is
  • A timestamp that changes whenever you update your domain. 2005139024
  • The number of seconds before the zone should be refreshed. 3600
  • The number of seconds before a failed refresh should be retried. 28800
  • The upper limit in seconds before a zone is considered no longer authoritative. i.e. expiry = 604800
  • The negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying). 3600
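
The answer formats shown above (name server, has address, has IPv6 address, mail is handled by, has SOA record) can be normalised into one table when you inventory the records of a zone you administer. The script below is an added example, not part of the original tutorial; host_records, mx_by_preference and sample_output are hypothetical helper names, and the sample data (example.com, documentation-range addresses) is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): normalise `host` answers into
# TYPE<TAB>OWNER<TAB>DATA. host_records and mx_by_preference are hypothetical
# helper names; the sample uses constructed example.com / documentation data.

host_records() {
    # Reads `host` output on stdin, one answer per line.
    awk '
    NF == 0                { next }
    / has address /        { print "A\t"    $1 "\t" $NF; next }
    / has IPv6 address /   { print "AAAA\t" $1 "\t" $NF; next }
    / name server /        { print "NS\t"   $1 "\t" $NF; next }
    / mail is handled by / { print "MX\t"   $1 "\t" $(NF-1) " " $NF; next }
    / has SOA record / {
        # Keep the SOA record data whole, exactly as host printed it.
        data = $0
        sub(/^.* has SOA record /, "", data)
        print "SOA\t" $1 "\t" data
        next
    }
    # Anything else (errors such as NXDOMAIN, alias notes) is kept, flagged.
    { print "UNPARSED\t-\t" $0 }
    '
}

# MX targets with the lowest preference value first.
mx_by_preference() {
    host_records | awk -F '\t' '$1 == "MX" { print $3 }' | sort -n
}

# Constructed sample in the formats host prints for ns, a, aaaa, mx and soa.
sample_output() {
    cat <<'EOF'
example.com name server ns1.example.com.
example.com has address 192.0.2.10
example.com has IPv6 address 2001:db8::10
example.com mail is handled by 10 backup.example.com.
example.com mail is handled by 5 mail.example.com.
example.com has SOA record ns1.example.com. hostmaster.example.com. 2005139024 28800 3600 604800 3600
Host nosuch.example.com not found: 3(NXDOMAIN)
EOF
}

sample_output | host_records
# Live use against a zone you administer: host -t mx example.com | host_records
```

Lines that match none of the known answer formats are emitted as UNPARSED rather than dropped, so lookup failures stay visible in the inventory.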

FTP and SSH addresses: sometimes targets have FTP or SSH addresses as well. You can enumerate them with:
host -t a has address

Get subdomains of the primary domain with Sublist3r, a tool already available in Kali:
sublist3r -d -p 80 -e Bing,Google

Here we are trying to get a list of Microsoft’s subdomains on port 80 via Bing and Google search.

Using A handy tool to see what the site is running, among other info.
