Much of the time you'll use nslookup to make queries in the same way the resolver makes them. Sometimes, though, you'll use nslookup to query other name servers as a name server would. Which one you emulate will depend on the problem you're trying to debug. You might wonder, "How accurately does nslookup emulate a resolver or a name server? Does nslookup actually use the Windows resolver library routines?" No, nslookup uses its own routines for querying name servers, but those routines are based on the resolver routines. Consequently, nslookup's behavior is very similar to the resolver's behavior, but it does differ slightly. We'll point out some of those differences. As for emulating name server behavior, nslookup allows you to query another server with the same query message that a name server would use, but the retransmission scheme is quite different. Like a name server, though, nslookup can perform a zone transfer to pull a copy of a zone's data. So nslookup does not exactly emulate either the resolver or the name server, but it does emulate them well enough to make a good troubleshooting tool. Let's delve into those differences we've alluded to.
12.1.1 Multiple Servers
nslookup talks to only one name server at a time. This is the major difference between nslookup's behavior and the resolver's behavior. The resolver makes use of all the name servers listed in the Windows resolver configuration window. If two name servers are listed, the resolver tries the first name server, then the second, then the first, then the second, until it receives a response or gives up. The resolver does this for every query. On the other hand, nslookup tries only the first name server listed. But you want your troubleshooting tool to talk with only one name server so you can reduce the number of variables when analyzing a problem. If nslookup used more than one name server, you wouldn't have as much control over your troubleshooting session.
The nslookup timeouts are similar to the resolver timeouts when the resolver is querying only one name server. A name server's timeouts, however, are based on how quickly the remote server answered the last query, a dynamic measure. nslookup will never match name server timeouts, but that's not a problem either. When you're querying remote name servers with nslookup, you probably care only what the response was, not how long it took.
12.1.3 The Search List
nslookup implements the search list just as the resolver code does. Name servers don't implement search lists, so, to act like a name server, the nslookup search function must be turned off more on that later.
12.1.4 Zone Transfers
nslookup will do zone transfers just like a name server. Unlike the name server, though, nslookup does not check SOA serial numbers before pulling the zone data; you'll have to do that manually, if you want to.
12.1.5 Using NetBIOS Names
This last point doesn't compare nslookup to the resolver or name server but rather to ways of looking up names in general. nslookup, as distributed by Microsoft, uses only DNS; you can't use it to look up NetBIOS names via broadcast, LMHOSTS, or WINS. Before using nslookup to diagnose your problem, you need to determine if your problem is really with DNS. For example, if an application is using a different IP address than you expect, perhaps it's treating a value as a NetBIOS name and not a DNS name. To diagnose this kind of problem, you need to understand how the Windows resolver, which we discussed in Chapter 6, works. Just remember that nslookup talks only to name servers.