Tracking E-mail – Part 2

Using e-mail header information to track the sender

Ping (UNIX and Windows)

Ping sends an ICMP (Internet Control Message Protocol) Echo packet to a specified host, and waits for a response. It reports success or failure and statistics about its operation. Ping is useful for testing and debugging networks.

It’s also useful for determining the IP (Internet Protocol) address from a domain name. To determine the domain name from an IP address you must use nslookup.

Ping (UNIX help file)

     /usr/etc/ping host [ timeout ]
     /usr/etc/ping [ -s ] [ -lrRv ] host [ packetsize ] [ count ]

     When the -s flag is specified, ping sends one  datagram  per
     second,   and   prints   one   line   of  output  for  every
     ECHO_RESPONSE that it receives.  No output  is  produced  if
     there  is  no  response.  In this second form, ping computes
     round trip times and packet loss statistics; it  displays  a
     summary  of  this  information  upon termination or timeout.

     The default datagram packet size is 64  bytes,  or  you  can
     specify  a  size  with the packetsize command-line argument.

     If an optional count is given, ping sends only  that  number
     of requests.

     When using ping for fault isolation, first `ping' the  local
     host to verify that the local network interface is running.

OPTIONS
     -l   Loose source route. Use this option in the IP header to
          send the packet to the given host and back again.  Usu-
          ally specified with the -R option.

     -r   Bypass the normal routing tables and send directly to a
          host  on  an attached network.  If the host is not on a
          directly-attached network, an error is returned.   This
          option  can  be  used  to  ping a local host through an
          interface that has been dropped by the  router  daemon,
          see routed(8C).

     -R   Record route.  Sets the IP record route  option,  which
          will  store  the  route  of  the  packet  inside the IP
          header.  The contents of the record route will only  be
          printed  if  the -v option is given, and only be set on
          return packets if the target host preserves the  record
          route option across echos, or the -l option is given.

     -v   Verbose output.  List  any  ICMP  packets,  other  than
          ECHO_RESPONSE, that are received.

Example UNIX ping

no2:/opt2/home3/expita>/usr/sbin/ping -s yahoo.com
PING yahoo.com: 56 data bytes
64 bytes from img5.yahoo.com (216.115.108.245): icmp_seq=0. time=63. ms
64 bytes from img5.yahoo.com (216.115.108.245): icmp_seq=1. time=63. ms
64 bytes from img5.yahoo.com (216.115.108.245): icmp_seq=2. time=63. ms
64 bytes from img5.yahoo.com (216.115.108.245): icmp_seq=3. time=63. ms
^C
----yahoo.com PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 63/63/63

Ping (Windows help file)

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:
    -t             Ping the specifed host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send. [count range is 1 to 4294967295]
    -l size        Send buffer size. [size range is from 0 to 65500]
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live. [TTL range is from 1 to 255]
    -v TOS         Type Of Service.
    -r count       Record route for count hops. [count range is 0 to 9]
    -s count       Timestamp for count hops. [count range is 1 to 4]
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

Example Windows ping

C:\WINDOWS> ping yahoo.com

Pinging yahoo.com [216.115.108.245] with 32 bytes of data:

Reply from 216.115.108.245: bytes=32 time=31ms TTL=242
Reply from 216.115.108.245: bytes=32 time=31ms TTL=242
Reply from 216.115.108.245: bytes=32 time=32ms TTL=242
Reply from 216.115.108.245: bytes=32 time=30ms TTL=242

Ping statistics for 216.115.108.245:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 32ms, Average = 31ms

Notice that the round trip time for the Windows ping is about half that of the UNIX ping. The reason is that my Windows ping travels from Earthlink (my ISP located in Pasadena, CA) to Yahoo (located in Santa Clara, CA), which is about half the distance of my UNIX ping's path from my domain hosting site at Superb.Net (located in Vancouver, Canada) to Yahoo.

Traceroute (UNIX) or tracert (Windows)

Traceroute attempts to trace the route an IP packet would follow to some internet host by launching UDP (User Datagram Protocol) probe packets with a small TTL (time to live) then listening for an ICMP (Internet Control Message Protocol) “time exceeded” reply from a gateway.

Traceroute is used to get a list of sites handling e-mail between you and each of the host domains that MTAs use to route e-mail. Ideally, the traceroute should be run from your e-mail host to the site that sent you e-mail. The last entry in the results list should be the host domain you’re querying. The next-to-last entry should be the ISP (Internet Service Provider) for the queried host domain. The entry before that should be the ISP for that ISP, and so forth.

The format of the output (UNIX version) is:

hop count - gateway name - (gateway IP address) - round trip time for each packet (usually three are sent)

We start our probes with a time-to-live (TTL) of one and increase by one until we get an ICMP “port unreachable” (which means we got to the “host”) or hit a maximum number of “hops” (which defaults to 30). Three probes (the default value) are sent at each TTL setting and a line is printed showing the TTL, address of the gateway and round trip time of each probe. If the probe answers come from different gateways, the address of each responding system will be printed. If there is no response within a 3 second time out interval (the default value), an asterisk (“*”) is printed for that probe.

When traceroute fails to get packets through to the remote end system, the trace trails off, displaying a series of three asterisks (* * *) at each hop count until the count reaches 30.

Some of the individual packets at a hop may also fail, in which case an asterisk (*) appears in place of that packet's round trip time.

Example traceroute

no2:/opt2/home3/expita>traceroute newcomm.net
traceroute to newcomm.net (204.101.95.1), 30 hops max, 40 byte packets
1 vlan20-gw.acc.dca1.hopone.net (207.228.228.1) 1 ms 1 ms 1 ms
2 ge1-0.core2.dca1.hopone.net (207.228.224.5) 1 ms 1 ms 0 ms
3 s10-1-0.ar1.WDC2.gblx.net (204.246.205.49) 2 ms 6 ms 2 ms
4 206.132.113.133 (206.132.113.133) 2 ms 2 ms 2 ms
5 pos1-0-622M.cr1.NYC2.gblx.net (206.132.249.166) 6 ms 6 ms 6 ms
6 pos0-0-2488M.br2.NYC2.gblx.net (208.48.234.190) 5 ms 10 ms 6 ms
7 bellcanada.pos12-0-0-155M.br1.nyc2.gblx.net (208.51.134.10) 6 ms 8 ms 7 ms
8 core1-newyork83-srp6-0.in.bellnexxia.net (206.108.103.225) 11 ms 5 ms 6 ms
9 core2-toronto63-pos1-0.in.bellnexxia.net (206.108.103.217) 47 ms 47 ms 48 ms
10 torcorr02-pos1-1-0.in.bellnexxia.net (206.108.98.138) 49 ms 48 ms 48 ms
11 tordisr04-fe0-0-0.in.bellnexxia.net (206.108.100.187) 49 ms 52 ms 52 ms
12 207.164.30.5 (207.164.30.5) 108 ms 109 ms 109 ms
13 209.128.0.254 (209.128.0.254) 62 ms 62 ms 63 ms
14 voyager.newcomm.net (204.101.95.1) 67 ms 64 ms 73 ms

We travel from my hosting domain at Superb.Net located in Vancouver, Canada to HopOne.Net (also located in Vancouver) to Global Crossing (gblx.net located in Rochester, NY) via Bell Canada (bellnexxia.net located in Montreal, Quebec, Canada) to Newcomm.Net (located in St. John’s, Newfoundland, Canada).

Notice the slight delay of 36 milliseconds between hop 8 (New York) and hop 9 (Toronto). There is also another delay of 59 milliseconds between hop 11 and hop 12.

Alternatively, if you’re running Windows, run tracert in an MS-DOS window. The format for the MS version is:

hop count - round trip time for each packet (usually three are sent) - gateway name (if one) - [gateway IP address]

E:\Expita> tracert newcomm.net

Tracing route to newcomm.net [204.101.95.1]
over a maximum of 30 hops:

1 26 ms 32 ms  32 ms hsa001.pool012.at101.earthlink.net [216.249.83.1]
2 20 ms 18 ms  18 ms 207.217.50.101
3 17 ms 19 ms  18 ms f5-1-0-cr02-pas.neteng.itd.earthlink.net [207.217.2.34]
4 16 ms 16 ms  19 ms ge-1-0-0-br03-pas.neteng.itd.earthlink.net [207.217.1.94]
5 49 ms 45 ms  41 ms 500.POS3-2.GW4.LAX4.ALTER.NET [157.130.224.85]
6 35 ms 40 ms  42 ms 166.ATM2-0.XR2.LAX4.ALTER.NET [152.63.113.94]
7 41 ms 41 ms  41 ms 192.at-1-1-0.TR2.LAX9.ALTER.NET [152.63.112.190]
8 71 ms 72 ms  74 ms 131.at-6-0-0.TR2.CHI4.ALTER.NET [146.188.141.245]
9 67 ms 70 ms  67 ms 298.ATM7-0.XR2.CHI6.ALTER.NET [146.188.209.13]
10  69 ms  75 ms  78 ms 190.ATM10-0-0.GW3.CHI6.ALTER.NET [146.188.208.85]
11 475 ms 493 ms 494 ms belladvanced1-gw.customer.ALTER.NET [157.130.97.2]
12 619 ms 616 ms 599 ms core1-chicago23-pos10-0.in.bellnexxia.net [206.108.103.141]
13 671 ms 655 ms 666 ms core2-toronto63-pos3-0.in.bellnexxia.net [206.108.103.129]
14 564 ms 567 ms 627 ms torcorr01-pos1-1-0.in.bellnexxia.net [206.108.98.134]
15 634 ms 597 ms 596 ms tordisr04-fe0-0-0.in.bellnexxia.net [206.108.100.187]
16 618 ms 638 ms 635 ms 207.164.30.5
17 631 ms 610 ms 593 ms 209.128.0.254
18 600 ms 591 ms 596 ms newcomm.net [204.101.95.1]

Trace complete.

In this case, we travel from Earthlink (my ISP located in Pasadena, CA) to Alter.Net (located in Falls Church, VA) then to Bell Canada (bellnexxia.net located in Montreal, Quebec, Canada) to Newcomm.Net (located in St. John’s, Newfoundland, Canada).

Note the long delay (406 milliseconds) between hop 10 and hop 11. This is where e-mail would be delayed. So my path from Earthlink (Pasadena, CA) is much, much slower (more than the difference in distance would explain) than the path from my domain in Vancouver, Canada.

Ping and traceroute work together to determine how e-mail flows from point to point. These two commands can also be used to determine where “bottlenecks” are occurring that may delay e-mail.
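
The hop-to-hop comparison made in the two traces above can be automated. The following is an added example, not part of the original article: it parses both the UNIX and the Windows output format and reports each rise in round trip time, using the first answered probe of each hop as the text does. The function names and thresholds are assumptions made for the illustration. It also marks whether a rise is sustained by the later hops; a rise that later hops do not share reflects how slowly that one router answered the probe rather than delay on the path.

```python
import re

# Hops 8-14 of the UNIX traceroute and hops 9-18 of the Windows tracert shown above.
UNIX_TRACE = """\
8 core1-newyork83-srp6-0.in.bellnexxia.net (206.108.103.225) 11 ms 5 ms 6 ms
9 core2-toronto63-pos1-0.in.bellnexxia.net (206.108.103.217) 47 ms 47 ms 48 ms
10 torcorr02-pos1-1-0.in.bellnexxia.net (206.108.98.138) 49 ms 48 ms 48 ms
11 tordisr04-fe0-0-0.in.bellnexxia.net (206.108.100.187) 49 ms 52 ms 52 ms
12 207.164.30.5 (207.164.30.5) 108 ms 109 ms 109 ms
13 209.128.0.254 (209.128.0.254) 62 ms 62 ms 63 ms
14 voyager.newcomm.net (204.101.95.1) 67 ms 64 ms 73 ms
"""
WINDOWS_TRACE = """\
9 67 ms 70 ms  67 ms 298.ATM7-0.XR2.CHI6.ALTER.NET [146.188.209.13]
10  69 ms  75 ms  78 ms 190.ATM10-0-0.GW3.CHI6.ALTER.NET [146.188.208.85]
11 475 ms 493 ms 494 ms belladvanced1-gw.customer.ALTER.NET [157.130.97.2]
12 619 ms 616 ms 599 ms core1-chicago23-pos10-0.in.bellnexxia.net [206.108.103.141]
13 671 ms 655 ms 666 ms core2-toronto63-pos3-0.in.bellnexxia.net [206.108.103.129]
14 564 ms 567 ms 627 ms torcorr01-pos1-1-0.in.bellnexxia.net [206.108.98.134]
15 634 ms 597 ms 596 ms tordisr04-fe0-0-0.in.bellnexxia.net [206.108.100.187]
16 618 ms 638 ms 635 ms 207.164.30.5
17 631 ms 610 ms 593 ms 209.128.0.254
18 600 ms 591 ms 596 ms newcomm.net [204.101.95.1]
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
# A round trip time: a number followed by "ms", not part of a host name.
RTT = re.compile(r"(?<![\w.-])<?(\d+(?:\.\d+)?)\s*ms\b")
# A dotted-quad address standing on its own (bare, in () or in []).
IPV4 = re.compile(r"(?<![\w.-])\d{1,3}(?:\.\d{1,3}){3}(?![\w.-])")


def parse_trace(text):
    """Parse UNIX traceroute or Windows tracert hop lines into dicts."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # banner, blank line, "Trace complete."
        rest = m.group(2)
        ips = IPV4.findall(rest)
        hops.append({
            "hop": int(m.group(1)),
            "ip": ips[-1] if ips else None,
            "rtts": [float(t) for t in RTT.findall(rest)],
            "lost": rest.count("*"),  # probes that timed out
        })
    return hops


def latency_jumps(hops, threshold_ms):
    """Return (hop, delta_ms, sustained) for each rise >= threshold_ms.

    A rise is sustained when no later hop answers faster than the previous
    hop plus the threshold; otherwise only that one router replied slowly.
    """
    answered = [(h["hop"], h["rtts"][0]) for h in hops if h["rtts"]]
    jumps = []
    for i in range(1, len(answered)):
        prev_rtt = answered[i - 1][1]
        hop, rtt = answered[i]
        delta = rtt - prev_rtt
        if delta >= threshold_ms:
            floor = min(r for _, r in answered[i:])
            jumps.append((hop, delta, floor >= prev_rtt + threshold_ms))
    return jumps


if __name__ == "__main__":
    for name, trace, limit in (("UNIX", UNIX_TRACE, 30), ("Windows", WINDOWS_TRACE, 100)):
        for hop, delta, sustained in latency_jumps(parse_trace(trace), limit):
            kind = "sustained" if sustained else "this router only"
            print(f"{name}: +{delta:.0f} ms at hop {hop} ({kind})")
```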

Nslookup (UNIX)

Nslookup is used to map an FQDN (Fully Qualified Domain Name) to an IP address (or vice versa) by asking a DNS (Domain Name System) server to supply the answer.

Example nslookup by domain name

no2:/opt2/home3/expita>nslookup yahoo.com
Server: ns1.superb.net
Address: 207.228.225.5

Non-authoritative answer:
Name: yahoo.com
Addresses: 216.115.108.245, 216.115.108.243

NOTE: The “Non-authoritative” answer means my local server (ns1.superb.net with IP address 207.228.225.5) is answering using previously cached data. It will cache the results in case someone else who shares the same server with me wants to look at the same resource. Since this information is a subset of the available information, and since it is cached and can go out of date, it is marked as non-authoritative.

If it doesn’t say “Non-authoritative”, then either the server is actually authoritative for the domain in question, or it just looked up the answer from some other server that is. The name servers that provide the lookup between names and IP addresses (and vice versa) don’t want you bothering them all the time so they cache the data. Hence, the non-authoritative answer. If the DNS has to actually go to a name server to do the lookup you will see:

Example nslookup by IP address

no2:/opt2/home3/expita>nslookup 207.217.121.203
Server:  ns1.superb.net
Address:  207.228.225.5

Name:    pop03.earthlink.net
Address:  207.217.121.203

Notice the authoritative answer in this case. Superb.Net will retain this information in the cache for a period of up to several days. Much of this information, called the TTL (Time To Live) data, can be found by looking at the SOA (Start Of Authority) record for the host DNS.

Example nslookup query SOA by domain

no2:/opt2/home3/expita>nslookup -q=soa world.std.com
Server:  localhost
Address:  127.0.0.1

std.com
        origin = world.std.com
        mail addr = netadmin.world.std.com
        serial = 2001032400
        refresh = 43200 (12H)
        retry   = 3600 (1H)
        expire  = 1728000 (2w6d)
        minimum ttl = 86400 (1D)

The important parts here are the serial number, the expire time and the minimum TTL. The serial number shows that the information for domain world.std.com was last revised on 2001/03/24 at midnight (00). (DNS admins don’t have to follow such a convention for serial numbers, but most do, and it’s helpful for this sort of thing.)

What the expire time and minimum time-to-live numbers say is that once another DNS server has obtained any piece of information from the world.std.com domain (say, the IP address of www.world.std.com), it may keep it as valid data for up to 20 days, and should keep it at least 1 day.

refresh = 43200 seconds (12 hours)
Any secondary DNS servers for this zone should check with the primary server once every 12 hours to see if there is a new zone file.
retry = 3600 seconds (1 hour)
When they check, if they can’t contact the primary server, they should try again every hour until they succeed.
expire = 1728000 seconds (20 days or 2 weeks and 6 days)
If they go 20 days without contacting the primary, they should throw away the old information that they’ve been maintaining, and consider themselves no longer authoritative for the domain in question.
minimum ttl = 86400 seconds (1 day)
Names within this zone have a minimum (and default) TTL of 1 day, meaning that when other DNS servers get information about a name within this zone, it should be held for 20 days (longer if the TTL for that specific name is configured to be longer than 20 days).

Example nslookup query SOA by domain

no2:/opt2/home3/expita>nslookup -q=soa earthlink.net
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
earthlink.net
        origin = ns1.earthlink.net
        mail addr = dns-admin.earthlink.net
        serial = 2001032101
        refresh = 86400 (1D)
        retry   = 300 (5M)
        expire  = 2592000 (4w2d)
        minimum ttl = 1800 (30M)

Authoritative answers can be found from:
earthlink.net   nameserver = ns1.earthlink.net
earthlink.net   nameserver = ns2.earthlink.net
earthlink.net   nameserver = ns3.earthlink.net
earthlink.net   nameserver = ns4.earthlink.net
ns1.earthlink.net       internet address = 207.217.126.41
ns2.earthlink.net       internet address = 207.217.77.42
ns3.earthlink.net       internet address = 207.217.120.43
ns4.earthlink.net       internet address = 209.179.179.19

NOTE: The “Non-authoritative” answer means my local server (localhost with IP address 127.0.0.1) is answering using previously cached data. It will cache the results in case someone else who shares the same server with me wants to look at the same resource. Since this information is a subset of the available information, and since it is cached and can go out of date, it is marked as non-authoritative.
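
The two SOA answers above can be read mechanically. The following is an added example, not part of the original article: it parses the nslookup SOA block, decodes a date-style serial, renders the timers in weeks/days/hours, and turns the "mail addr" field into a usable e-mail address (in an SOA record the mailbox is written with a dot in place of the "@"). All function names are assumptions made for the illustration.

```python
import re
from datetime import date

# The two SOA answers printed by nslookup above.
STD_SOA = """\
std.com
        origin = world.std.com
        mail addr = netadmin.world.std.com
        serial = 2001032400
        refresh = 43200 (12H)
        retry   = 3600 (1H)
        expire  = 1728000 (2w6d)
        minimum ttl = 86400 (1D)
"""
EARTHLINK_SOA = """\
Non-authoritative answer:
earthlink.net
        origin = ns1.earthlink.net
        mail addr = dns-admin.earthlink.net
        serial = 2001032101
        refresh = 86400 (1D)
        retry   = 300 (5M)
        expire  = 2592000 (4w2d)
        minimum ttl = 1800 (30M)
"""

FIELD = re.compile(
    r"^\s*(origin|mail addr|serial|refresh|retry|expire|minimum ttl)\s*=\s*(\S+)",
    re.M,
)
NUMERIC = {"serial", "refresh", "retry", "expire", "minimum ttl"}


def parse_soa(text):
    """Return the SOA fields as a dict; 'cached' is True for a non-authoritative answer."""
    soa = {"cached": "Non-authoritative answer:" in text}
    for key, value in FIELD.findall(text):
        soa[key] = int(value) if key in NUMERIC else value
    return soa


def serial_date(serial):
    """Decode a YYYYMMDDnn serial into (date, nn); None if it is not date-style.

    nn is the two trailing digits (the "00" the text mentions).
    """
    digits = str(serial)
    if len(digits) != 10:
        return None
    try:
        day = date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:
        return None  # e.g. a plain counter that happens to have ten digits
    return day, int(digits[8:])


def rname_to_email(rname):
    """Turn an SOA mailbox name into an address: the first unescaped dot is the '@'."""
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].replace("\\.", ".") + "@" + parts[1]


def humanize(seconds):
    """Render a timer in seconds as weeks/days/hours/minutes/seconds."""
    out = ""
    for unit, size in (("w", 604800), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            out += f"{count}{unit}"
    return out or "0s"


if __name__ == "__main__":
    for text in (STD_SOA, EARTHLINK_SOA):
        soa = parse_soa(text)
        print(soa["origin"], rname_to_email(soa["mail addr"]),
              serial_date(soa["serial"]), humanize(soa["expire"]),
              "cached" if soa["cached"] else "not marked as cached")
```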

Whois (UNIX)

Whois is used to look up domain records at one of the Registrar databases. These organizations are in charge of keeping track of internet addresses and who they belong to.

Use whois to find the owner, administrative and technical contacts for the hosts/domains/IP address ranges that you are interested in. You can search by:

The UNIX version of the whois command is:

usage: whois [ -h host ] name
where host is any whois server and name is the domain name

Example whois search using a specific whois server

no2:/opt2/home3/expita>whois -h 'whois.networksolutions.com' psinet.net | more
[snip]

Registrant:
PSINet Inc. (PSINET10-DOM)
   210 Huntmar Park Drive
   Herndon, VA 22070 US

   Domain Name: PSINET.NET

   Administrative Contact, Technical Contact:
      Administration, PSINet Domain (PDA4) psinet-domain-admin@PSI.COM
      PSINet, Inc.
      510 Huntmar Park Drive
      Herndon, VA 22070
      (703) 904-4100 (FAX) (703) 904-4200
   Billing Contact:
      Bursar, PSINet Domain (KA16) domain-fee-contact@PSI.COM
      PSINet, Inc.
      44983 Knoll Square
      Ashburn, VA 20147
      (703) 904-4100

   Record last updated on 07-Dec-2000.
   Record expires on 09-Dec-2002.
   Record created on 09-Dec-1998.
   Database last updated on 26-Feb-2001 08:31:31 EST.

   Domain servers in listed order:

   NS.PSI.NET 38.8.48.2
   NS2.PSI.NET 38.8.50.2

The web-based versions of whois allow more options like:

  • NIC handle (or contact), type “handle WA3509”
  • name, type “name lastname, firstname”
  • company name, type “name The Sample Corporation”
  • domain.name, type “example.com”
  • IP address, type “host 121.23.2.7”
  • host or name server name, type “host ns1.worldnic.com”

This will give more contact information including e-mail addresses. If there is more than one whois entry for the domain you have entered, you will get a list of abbreviated entries (e.g. NSI yields NSI.ORG, NSI.COM, NSI.NET and NSI.EDU). To get full information, use the full domain name (e.g. NSI.ORG). You may need to strip off one or more left elements of each domain before you get a domain that whois knows about (e.g. eng.rtfm.mit.edu -> rtfm.mit.edu -> mit.edu). Similarly, you may need to strip off one or more right elements of each IP address range before you get an IP address range that whois knows about (e.g. 207.228.225.56 -> 207.228.225 -> 207.228 -> 207).

Finger (UNIX)

By default, finger displays information about each logged-in user, including his or her: login name, full name, terminal name (prepended with a ‘*’ if write-permission is denied), idle time, login time, and location (comment field in /etc/ttytab for users logged in locally, hostname for users logged in remotely) if known.

Idle time is in minutes if it is a single integer, hours and minutes if a ‘:’ is present, or days and hours if a ‘d’ is present.

Example default finger

no2:/opt2/home3/expita>finger
Login       Name               TTY         Idle    When    Where
root     Super-User            console      37d Sat 15:48
gboyd           ???            pts/5            Tue 17:34  hsa086.pool012.at101
tbennick Trevor Bennicke       pts/1       3:02 Tue 11:06  6532169hfc155.tampab
gbaratto Gustavo Baratto       pts/6          6 Sat 15:06  fw.yvr1.superb.net
lvo      Lu Vo                 pts/3       1:06 Fri 15:11  fw.yvr1.superb.net
tbennick Trevor Bennicke       pts/7       3:03 Tue 11:11  6532169hfc155.tampab
tbennick Trevor Bennicke       pts/10      2:59 Tue 11:39  6532169hfc155.tampab
tbennick Trevor Bennicke       pts/11      2:59 Tue 11:48  6532169hfc155.tampab

When one or more name arguments are given, more detailed information is given for each name specified, whether they are logged in or not. A name may be a first or last name, or an account name. Information is presented in a multi-line format, and includes, in addition to the information mentioned above:

  • the user’s home directory and login shell
  • the time they logged in if they are currently logged in, or the time they last logged in if they are not, as well as the terminal or host from which they logged in and, if a terminal, the comment field in /etc/ttytab for that terminal
  • the last time they received mail, and the last time they read their mail
  • any plan contained in the file .plan in the user’s home directory and any project on which they are working described in the file .project (also in that directory)

Example finger a particular user

no2:/opt2/home3/expita>finger lvo
Login name: lvo                         In real life: Lu Vo
Directory: /home2/lvo                   Shell: /bin/bash
On since Mar  2 15:11:24 on pts/3 from fw.yvr1.superb.net
1 hour 10 minutes Idle Time
New mail received Fri Mar 23 08:22:07 2001;
  unread since Sat Feb 10 17:33:51 2001
  Plan:
  --
  Lu Vo <lvo@superb.net>
  Superb Internet - "Ahead of the Rest."
  http://www.superb.net

"I am easily satisfied by the very best"
- Winston Churchill

If a name argument contains an at-sign(“@”) then a connection is attempted to the machine named after the at-sign, and the remote finger daemon is queried. The data returned by that daemon is printed.

Finger will display more detailed information for users that have a UNIX .plan or .project file on their ISP’s server.

Example finger user at another site

no2:/opt2/home3/expita>finger scs@mit.edu
[mit.edu]
Student data loaded as of Mar 27, Staff data loaded as of Mar 27.
URL data loaded once a month.

Notify Personnel or use WebSIS as appropriate to change your information.

Our on-line help system describes
  How to change data, how the directory works, where to get more info.
  For a listing of help topics, enter finger help@mit.edu. Try finger
  help_about@mit.edu to read about how the directory works. Please see
  help_url@mit.edu for questions about the new URL field.


There was 1 match to your request.

      name: SPECIAL COMMUNITY SERVICES, OFFICE OF
     phone: (617) 253-7914
       Fax: (617) 253-8006
   address: 50-005
department: Office of Special Community Services
       url: http://mit.edu/campus-activities/www/scs/index.html
phone book: http://mit.edu/communications/bp/s/F15060.html
     alias: O-specialcommunityservices

NOTE: Most ISPs have disabled the finger daemon and usually all you will see is:

no2:/opt2/home3/expita>finger jash@newcomm.net
[newcomm.net] connect: Connection refused

Dig (UNIX)

DiG (Domain Internet Groper) queries domain name servers for information about host/domain names. It gives a lot of information, most of which you can safely ignore. You’re not normally interested in addresses associated with the site where DiG was run, nor in the NS and other records of the name servers that supplied the information, just the info related to the host/domain you queried. That information is in the ;; ANSWER SECTION: and consists of the A (internet IP address) records, the MX (mail exchanger) records and the PTR (pointer to host name) records. If they don’t exist, the ;; ANSWER SECTION: will be empty or non-existent. The ;; AUTHORITY SECTION: and ;; ADDITIONAL SECTION: tell you which domain name server[s] are responsible for the part of the domain name system (DNS) you have queried.

Dig has two modes: simple interactive mode, which makes a single query, and batch mode, which executes a query for each line in a list of several query lines. All query options are accessible from the command line.

DIG provides a lot of information, most of which you can ignore. You’re not normally interested in addresses associated with the site where DIG was run, nor in the NS and other records of the name servers that supplied the information, just the info related to the host/domain you queried. That information is in the ;; ANSWERS: section and consists of the A (internet IP address) records, the MX (mail exchanger) records and the PTR (pointer to host name) records. If they don’t exist, the ;; ANSWERS: section will be empty or non-existent. The ;; AUTHORITY RECORDS: and ;; ADDITIONAL RECORDS: sections tell you which domain name server[s] are responsible for the part of the domain name system (DNS) you have queried.

dig host-name causes dig to return the IP addresses (if any) for the given host or domain name. If problems occur, the status field in the first line of dig’s output will be something other than ‘NOERROR’. For example:

Example dig on domain

no2:/opt2/home3/expita>dig earthlink.net | more

; <<>> DiG 8.3 <<>> earthlink.net
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;; earthlink.net, type = A, class = IN

;; ANSWER SECTION:
earthlink.net. 21m44s IN A 207.217.121.203
earthlink.net. 21m44s IN A 207.217.120.204
earthlink.net. 21m44s IN A 207.217.121.205
earthlink.net. 21m44s IN A 207.217.120.206
earthlink.net. 21m44s IN A 207.217.120.207
earthlink.net. 21m44s IN A 207.217.120.208
earthlink.net. 21m44s IN A 207.217.120.200
earthlink.net. 21m44s IN A 207.217.121.201
earthlink.net. 21m44s IN A 207.217.120.202

;; AUTHORITY SECTION:
earthlink.net. 21m44s IN NS ns1.earthlink.net.
earthlink.net. 21m44s IN NS ns2.earthlink.net.
earthlink.net. 21m44s IN NS ns3.earthlink.net.
earthlink.net. 21m44s IN NS ns4.earthlink.net.

;; ADDITIONAL SECTION:
ns1.earthlink.net. 22h18m27s IN A 207.217.126.41
ns2.earthlink.net. 22h18m27s IN A 207.217.77.42
ns3.earthlink.net. 1d8h6m6s IN A 207.217.120.43
ns4.earthlink.net. 22h18m27s IN A 209.179.179.19

;; Total query time: 2 msec
;; FROM: no2 to SERVER: default -- 207.228.225.5
;; WHEN: Mon Feb 26 18:07:44 2001
;; MSG SIZE sent: 31 rcvd: 311
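
Picking out only the answer section, as described above, can be scripted. The following is an added example, not part of the original article: it reads dig output in the format shown here, checks the status field, converts TTLs such as 1d8h6m6s to seconds, and returns only the records from the ANSWER SECTION. The function names are assumptions made for the illustration, and the NXDOMAIN header used in testing it is constructed.

```python
import re

# Excerpt of the dig output shown above (answer section shortened to three records).
DIG_OUTPUT = """\
; <<>> DiG 8.3 <<>> earthlink.net
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; QUERY SECTION:
;; earthlink.net, type = A, class = IN

;; ANSWER SECTION:
earthlink.net. 21m44s IN A 207.217.121.203
earthlink.net. 21m44s IN A 207.217.120.204
earthlink.net. 21m44s IN A 207.217.121.205

;; AUTHORITY SECTION:
earthlink.net. 21m44s IN NS ns1.earthlink.net.

;; ADDITIONAL SECTION:
ns1.earthlink.net. 22h18m27s IN A 207.217.126.41
ns3.earthlink.net. 1d8h6m6s IN A 207.217.120.43

;; Total query time: 2 msec
"""

SECTION = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL)")
UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def ttl_seconds(ttl):
    """Convert a TTL such as '1d8h6m6s' (or plain seconds) to an integer."""
    if ttl.isdigit():
        return int(ttl)
    parts = re.findall(r"(\d+)([wdhms])", ttl.lower())
    if not parts or "".join(n + u for n, u in parts) != ttl.lower():
        raise ValueError(f"unrecognised TTL: {ttl!r}")
    return sum(int(n) * UNIT[u] for n, u in parts)


def parse_dig(text):
    """Split dig output into its status and its three record sections."""
    result = {"status": None, "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";"):
            status = re.search(r"status: (\w+)", line)
            if status:
                result["status"] = status.group(1)
            m = SECTION.match(line)
            section = m.group(1) if m else None  # any other ';' line ends a section
            continue
        fields = line.split(None, 4)  # name, TTL, class, type, data
        if section and len(fields) == 5:
            name, ttl, _cls, rtype, rdata = fields
            result[section].append((name, ttl_seconds(ttl), rtype, rdata))
    return result


def answer_rdata(result, rtype):
    """Values of one record type from the answer section; empty unless NOERROR."""
    if result["status"] != "NOERROR":
        return []
    return [rdata for _, _, t, rdata in result["ANSWER"] if t == rtype]


if __name__ == "__main__":
    parsed = parse_dig(DIG_OUTPUT)
    print(parsed["status"], answer_rdata(parsed, "A"))
```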

Host (UNIX)

The host command prints information about specified hosts in DNS. Hosts may be IP addresses or hostnames; host converts IP addresses to hostnames by default, and appends the local domain to hosts without a trailing dot. Default servers are determined in /etc/resolv.conf.

Host (UNIX help file)

Usage: host [-adlrwv] [-t querytype] [-c class] host [server]
        -a is equivalent to '-v -t *'
        -c class to look for non-Internet data
        -d to turn on debugging output
        -l to turn on 'list mode'
        -r to disable recursive processing
        -s recursively chase signature found in answers
        -t querytype to look for a specific type of information
        -v for verbose output
        -w to wait forever until reply

Example host on domain

no2:/opt2/home3/expita>host earthlink.net
earthlink.net has address 207.217.120.204
earthlink.net has address 207.217.121.205
earthlink.net has address 207.217.120.206
earthlink.net has address 207.217.120.207
earthlink.net has address 207.217.120.208
earthlink.net has address 207.217.120.209
earthlink.net has address 207.217.120.220
earthlink.net has address 207.217.120.200
earthlink.net has address 207.217.121.201
earthlink.net has address 207.217.120.202
earthlink.net has address 207.217.121.203
earthlink.net mail is handled (pri=5) by mx01.earthlink.net
earthlink.net mail is handled (pri=5) by mx02.earthlink.net
earthlink.net mail is handled (pri=5) by mx00.earthlink.net
