DNS Lookup on Mac: nslookup, dig, or Better?

Compare the different ways to perform DNS lookups on macOS. Learn when to use nslookup, dig, host, or a GUI tool.


You need to check a DNS record. Maybe you’re verifying that a domain points to the right server, checking if DNS changes have propagated, or debugging why a hostname won’t resolve. macOS gives you several ways to do this, each with different strengths.

What DNS lookups tell you

DNS translates domain names to IP addresses. When you type “google.com” in a browser, your computer asks a DNS server what IP address that name corresponds to. The server responds, and your browser connects to that IP.

A DNS lookup lets you see this process directly. You can find out what IP a domain resolves to, what mail servers handle its email, what nameservers are authoritative for the domain, and various other records.

Common record types include A records (IPv4 addresses), AAAA records (IPv6 addresses), MX records (mail servers), CNAME records (aliases to other domains), TXT records (arbitrary text, often used for verification), and NS records (nameservers).

nslookup: the familiar option

If you’ve done DNS lookups before, you probably used nslookup. It’s been around forever and exists on basically every operating system.

Basic usage:

nslookup google.com

This returns the A record (IP address) for the domain. The output shows which DNS server answered and the result.

To query a specific record type:

nslookup -type=MX google.com

This shows the mail servers for google.com. Replace MX with any record type: A, AAAA, CNAME, TXT, NS, SOA, and so on.

To use a specific DNS server instead of your default:

nslookup google.com 8.8.8.8

This queries Google’s public DNS server directly. Useful for checking whether DNS changes have propagated to different servers.

nslookup also has an interactive mode. Just type nslookup without arguments, and you get a prompt where you can run multiple queries. Type exit to leave.

The main criticism of nslookup is that its output is verbose and sometimes confusing. It mixes informational messages with actual results, and the formatting varies depending on what you’re querying.

dig: the power tool

dig (Domain Information Groper) provides more detailed output and finer control. It’s the preferred tool for sysadmins and DNS professionals.

Basic usage:

dig google.com

The output is more structured than nslookup. It shows the question you asked, the answer you got, timing information, and details about the DNS server that responded.

Query specific record types with:

dig google.com MX

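Or ask for all record types at once with ANY. Many servers now answer ANY queries with a minimal response (RFC 8482), so don’t treat the result as a complete list: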

dig google.com ANY

The +short flag gives you just the answer without all the extra information:

dig google.com +short

This outputs just the IP address, nothing else. Useful for scripting or when you just want the quick answer.

To query a specific DNS server:

dig @8.8.8.8 google.com

The @ symbol specifies the server. You can use any DNS server’s IP address.

dig can trace the full DNS resolution path:

dig google.com +trace

This shows every step of the lookup, starting from the root servers. You can see exactly how DNS resolution works and where any problems occur.

For checking DNS propagation across multiple servers, dig makes it easy to query them one after another and compare results.

host: the simple option

The host command is a simpler alternative to dig. It’s less powerful but easier to read:

host google.com

This shows A records, AAAA records, and mail servers in a straightforward format. For specific record types:

host -t MX google.com

host doesn’t have the extensive options that dig offers, but its output is immediately understandable. If you just want to know what IP a domain points to, host gives you the answer without noise.

Which tool to use

For quick lookups: Use host or dig +short. They give you the answer fastest with the least clutter.

For detailed analysis: Use dig. The extra information about timing, server responses, and flags helps when debugging DNS issues.

For familiarity: Use nslookup if that’s what you already know. It does the job, even if the output is a bit messy.

For scripting: Use dig +short for clean output that’s easy to parse, or nslookup if you need specific output formatting.

All three tools query DNS the same way. The differences are in output presentation and available options. You’re not getting different answers, just different views of the same data.

Checking DNS propagation

When you change DNS records, the changes don’t appear everywhere instantly. Different DNS servers cache records for different periods based on TTL (time to live) values. A change might show up on one server immediately while another still has the old record cached.

To check propagation, query multiple DNS servers and compare:

dig @8.8.8.8 yourdomain.com +short
dig @1.1.1.1 yourdomain.com +short
dig @9.9.9.9 yourdomain.com +short

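These query Google’s DNS (8.8.8.8), Cloudflare’s DNS (1.1.1.1), and Quad9 (9.9.9.9). If they all return the same answer, your change has likely propagated widely. If they differ, some servers probably still have old data cached, although domains that deliberately serve different answers by location (as many CDNs do) will also differ between resolvers.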

You can also check the TTL to see how long the record will be cached:

dig yourdomain.com

Look for the number in the answer section between the record name and the record type. That’s the TTL in seconds. A record with TTL 300 will be cached for 5 minutes before the server checks for updates.
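The propagation and TTL checks above can be combined into one script. This is an added example, not part of the original article: it parses dig's answer section, sorts each resolver's answers so round-robin ordering doesn't count as a difference, and reports the lowest TTL seen. The function names are made up for this sketch; the resolver addresses are the three used above.

```shell
#!/bin/sh
# Added example: propagation check across the three resolvers from the article.
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"
TAB=$(printf '\t')

# Answer section only, one "name TTL class type rdata" line per record.
query_answer() {  # $1=resolver  $2=name  $3=type
    dig "@$1" "$2" "$3" +noall +answer +time=3 +tries=1
}

# stdin: answer-section lines. stdout: "<lowest TTL><TAB><sorted rdata, comma-joined>".
# Sorting makes round-robin answers compare equal regardless of order.
summarize_answer() {  # $1=type
    awk -v want="$1" '$4 == want {
            r = $5; for (i = 6; i <= NF; i++) r = r " " $i   # rdata may contain spaces (MX, TXT)
            print $2 "\t" r
        }' |
    sort -t "$TAB" -k2 |
    awk -F '\t' '{ if (NR == 1 || $1 + 0 < min) min = $1 + 0
                   joined = joined (NR > 1 ? "," : "") $2 }
                 END { if (NR) print min "\t" joined; else print "-\t(no answer)" }'
}

# stdin: "<resolver><TAB><ttl><TAB><answers>" lines. stdout: consistent | mixed.
propagation_status() {
    awk -F '\t' '!($3 in seen) { seen[$3] = 1; n++ }
                 END { print (n == 1 ? "consistent" : "mixed") }'
}

check_propagation() {  # $1=name  $2=type (default A)
    rtype=${2:-A}
    report=$(for r in $RESOLVERS; do
        printf '%s\t%s\n' "$r" "$(query_answer "$r" "$1" "$rtype" | summarize_answer "$rtype")"
    done)
    printf '%s\n' "$report"
    printf 'status: %s\n' "$(printf '%s\n' "$report" | propagation_status)"
}

# Run as: sh propagation.sh yourdomain.com MX
if [ $# -gt 0 ]; then check_propagation "$@"; fi
```

The TTL a caching resolver reports is the time remaining on its cached copy, so the numbers usually differ between resolvers and count down on repeated runs. A "mixed" status with a high remaining TTL on the stale resolver tells you roughly how long to wait.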

Common DNS troubleshooting

Domain doesn’t resolve at all: Check if NS records exist and point to valid nameservers. If there are no nameservers, the domain isn’t properly configured.

Website shows wrong content: Check A/AAAA records. The domain might be pointing to the wrong server. Also check for CNAME records that might be redirecting to somewhere unexpected.

Email isn’t working: Check MX records. They should point to your mail server. Also verify that the mail server’s hostname resolves correctly.

SSL certificate errors: Sometimes caused by DNS issues if the domain resolves to the wrong IP. The certificate is for a specific domain, and if you’re hitting the wrong server, it won’t match.

Changes aren’t showing up: Check TTL and query multiple DNS servers. If some servers show new data and others show old, you’re in the propagation window. Wait for TTL to expire.

Web-based DNS tools

Various websites offer DNS lookup tools. You type in a domain, they show you the records. Some even query from multiple locations worldwide to check propagation.

These work fine, but they have privacy implications. The website knows what domains you’re looking up. For sensitive domains or internal infrastructure, you probably don’t want that information logged by a third party.

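Web tools also can’t query your local DNS resolver. If you’re troubleshooting why a domain won’t resolve on your machine specifically, you need to use local tools. Keep in mind that on macOS, dig, host, and nslookup send their queries straight to the configured DNS server rather than going through the system’s own name resolution mechanisms, so their answers can differ from what other applications on the same Mac see.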

GUI alternatives on Mac

Apple’s Network Utility had a Lookup tab that provided a graphical interface for DNS queries. You’d enter a domain, select a record type, and click the button. The results appeared in a text field. Simple and accessible.

Apple removed Network Utility in Big Sur. If you want a GUI for DNS lookups now, you need a third-party app.

NetUtil includes DNS lookup with a clean interface. Enter a domain, select record types, and see results formatted in a readable way. No syntax to remember, no parsing terminal output.

For people who run DNS lookups occasionally, a GUI tool removes friction. For power users who do this constantly, command line tools are faster once you know them.

Beyond basic lookups

DNS has gotten more complex over the years. DNSSEC adds cryptographic signatures to verify record authenticity. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt queries for privacy. CAA records specify which certificate authorities can issue certificates for a domain.

dig supports querying DNSSEC records with the +dnssec flag. For DoH and DoT, you need specialized tools or DNS resolvers that support these protocols.

For most troubleshooting, basic A, CNAME, MX, and TXT lookups cover what you need. But DNS keeps evolving, and the tools evolve with it.

Pick what works

There’s no wrong choice among nslookup, dig, and host. They all query DNS and return accurate results. Pick based on what output format you prefer and how much detail you need.

If Terminal isn’t your thing, GUI tools exist. The important thing is being able to check DNS when you need to. Whether that’s a quick IP lookup or a detailed propagation analysis, the tools are available.