As I continue down the path of trying to transition into InfoSec and studying for my OSCP exam, I thought I’d take advantage of what I’m doing here to make this a study habit for myself. I thought about starting with a deep dive into nc, but that seems like jumping straight into the deep end. Let’s start with host and see where this takes me.


The host command is a simple DNS lookup utility, similar to dig and nslookup, each of which I’ve used a few times without yet tapping their full potential. host is normally used to convert names to IP addresses and vice versa. It is maintained by the Internet Systems Consortium and was originally released in 2000. Sadly, I couldn’t find the source code anywhere.


The default execution prints a brief description of how it operates.

Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
       -a is equivalent to -v -t ANY
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -i IP6.INT reverse lookups
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -U enables UDP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only
I won’t go over every flag here, but rather some basic examples that you can build on.


As the man page states, it’s commonly used to convert names to IP addresses. Let’s give that a go.

host has address mail is handled by 20 mail is handled by 10

Using as an example, it returned the A record and the MX records. If we wanted only the MX records, we could use the -t flag to narrow it down. The same flag also displays record types that a default lookup does not show; the NS records, for instance, can be found this way.

host -t mx mail is handled by 10 mail is handled by 20
host -t ns name server name server name server

Let’s try a reverse lookup, the other half of this utility. To give an idea of what the output can look like, here are a few domains and their IP addresses that will be tested against.

IP Address Domain Name Hostname none (local server IP) tanuki

This site results in a not found; the IP address used for is…not… (although the URL points to a 404 webpage owned by Google); and my local server seems to work just fine (๑•̀ㅂ•́)و

Host not found: 3(NXDOMAIN)
host domain name pointer
host domain name pointer tanuki.

If you want to try to list all the hosts in a domain, you can pass the -l option. The host command sends an AXFR (zone transfer) request to get the information. I won’t go into it here as that is out of scope, but I recommend looking into zone transfers, why they’re so important, and how they can be abused.

host -l
Using domain server:

Host not found: 4(NOTIMP)
; Transfer failed.
No dice, too bad. Not surprising though, as most domains will have this blocked, rendering the -l option unusable. For an example of what a successful transfer can look like, I found a domain that allows it.
host -l
Using domain server:
Aliases: has address name server name server domain name pointer has address has address has address has IPv6 address dead:beaf:: has address has address name server name server has address has address has address has IPv6 address 2001:67c:2e8:11::c100:1332 has address has address has address has address
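Since the point of looking into zone transfers is knowing whether your own zones leak them, here is a small audit script built from the two invocations above (`host -t ns` and `host -l`). It is an added example, not part of the original post; it assumes BIND’s `host` is installed and takes the zone name as a placeholder argument.

```shell
#!/bin/sh
# Added example (not from the original post): report whether any authoritative
# nameserver for a zone answers an AXFR from this host, using only `host`.

# Parse the "name server" lines that `host -t ns ZONE` prints and emit one
# nameserver per line with the trailing dot stripped.
ns_from_host_output() {
    # stdin: output of `host -t ns ZONE`
    awk '$2 == "name" && $3 == "server" { sub(/\.$/, "", $4); print $4 }'
}

# Classify the captured output of `host -l ZONE SERVER`:
#   "open"    - the server returned zone data (transfer succeeded)
#   "refused" - the server rejected or failed the transfer (e.g. NOTIMP, REFUSED)
axfr_status() {
    # $1: captured output of `host -l ZONE SERVER`
    case "$1" in
        *" has address "*|*" name server "*|*" domain name pointer "*) echo open ;;
        *) echo refused ;;
    esac
}

# Try a zone transfer against every authoritative server of $1 and print
# one tab-separated line per server: zone, nameserver, status.
audit_axfr() {
    zone="$1"
    host -t ns "$zone" | ns_from_host_output | while read -r ns; do
        # `host -l` exits non-zero on a failed transfer; keep the text either way
        out=$(host -l "$zone" "$ns" 2>&1 || true)
        printf '%s\t%s\t%s\n' "$zone" "$ns" "$(axfr_status "$out")"
    done
}

# Runs only when a zone is given, e.g.: sh axfr_audit.sh example.com
if [ $# -gt 0 ]; then
    audit_axfr "$1"
fi
```

Any line ending in `open` means that nameserver hands the whole zone to an unauthenticated client; the fix is to restrict transfers (BIND’s allow-transfer) to your secondaries.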

For the last example, we can have host return oodles of information by issuing an ANY query. To do this, pass the -a option. It is equivalent to -v -t ANY, but that’s a lot of keystrokes, eh?

host -a
Trying ""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7817
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 6

;                                IN      ANY

;; ANSWER SECTION:                 3600    IN      TXT     "v=spf1 mx ~all"                 3600    IN      TXT     "protonmail-verification=512fcc96d3a38984dd285faa82dcf62b7743db18"                 14400   IN      MX      20                 14400   IN      MX      10                 1800    IN      SOA 1575061248 10800 3600 604800 1800                 3600    IN      A                 1800    IN      NS                 1800    IN      NS                 1800    IN      NS

;; ADDITIONAL SECTION:   873     IN      A   161926  IN      A   81895   IN      A   81895   IN      AAAA    2400:cb00:2049:1::adf5:3a33   81895   IN      AAAA    2400:cb00:2049:1::adf5:3b29   81895   IN      AAAA    2400:cb00:2049:1::c629:dead

Received 478 bytes from in 191 ms

This is my first time really diving into the world of networking utilities. I apologize if there are some misconceptions or flat-out wrong information in here. I will do my best to update this post as I dive deeper into networking tools. Keep an eye out as I stray a bit from the GNU coreutils and jump into some not-so-every-day-use utilities. Cheers!