Verify if the output of nslookup command is consistent with /etc/hosts

Article ID: 423200


Updated On:

Products

VMware vCenter Server

Issue/Introduction

After modifying the /etc/hosts file on a Linux system to manually map a domain name to a specific IP address, users often attempt to verify the change using the nslookup command.

However, nslookup returns the IP address provided by the configured DNS server rather than the IP address defined in the local /etc/hosts file.

Example:

  1. An entry is added to /etc/hosts (e.g., 192.168.1.50 host1.example.com host1).

  2. Running ping host1.example.com correctly resolves to 192.168.1.50, which is the expected result.

  3. But running nslookup host1.example.com resolves to a different IP address: 192.168.1.55

  4. Users may mistakenly believe the /etc/hosts configuration is not active or invalid.

Environment

vCenter Server

ESXi

 

Cause

This behavior is by design. It stems from the difference between the System Resolver and DNS Testing Tools.

  1. System Resolver (Standard Applications): Tools like ping, curl, wget, and standard applications connect to the network using standard system library calls (e.g., getaddrinfo or gethostbyname). These calls strictly follow the Name Service Switch configuration file (/etc/nsswitch.conf).

    • Default behavior: The system looks at local files (/etc/hosts) first. If no match is found, it queries dns.

  2. DNS Testing Tools (nslookup, dig, host): The nslookup, dig, and host utilities are designed specifically to debug DNS servers. They bypass the system's Name Service Switch (nsswitch.conf) and local host files entirely. Instead, they read /etc/resolv.conf to identify the DNS nameservers and query them directly via UDP/TCP.

Therefore, nslookup will never reflect changes made in /etc/hosts because it does not read that file.

Resolution

To verify if an entry in /etc/hosts is active and being used by the operating system, do not use nslookup. Instead, use the ping or 'getent hosts' commands.

 

We can also use the check_dns.sh script in the attachments. It is a shell script that compares System IP resolution with DNS IP resolution.

Example 2: The results of /etc/hosts and nslookup are consistent:

# ./check_dns.sh host2.example.com
Testing domain: host2.example.com
========================================
[System Resolver (ping/curl/hosts)]
   IP Address: 192.168.99.2
   (This is the IP applications will actually connect to)

[DNS Tool (nslookup)]
   IP Address: 192.168.99.2
   (This is the IP returned by the DNS server)
========================================
✅ MATCH: System and DNS IPs are identical.

 

Example 3: The results of /etc/hosts and nslookup are inconsistent:

 

# ./check_dns.sh host3.example.com
Testing domain: host3.example.com
========================================
[System Resolver (ping/curl/hosts)]
   IP Address: 192.168.99.123
   (This is the IP applications will actually connect to)

[DNS Tool (nslookup)]
   IP Address: 192.168.99.3
   (This is the IP returned by the DNS server)
========================================

🚨 MISMATCH DETECTED!
   The System IP differs from the DNS IP.
   Possible causes: An entry in /etc/hosts, or DNS Round Robin.
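
The same comparison can be reproduced with the added example below, which is not the attached check_dns.sh and is not VMware's code. The function names are illustrative, and it assumes getent is available and nslookup prints BIND-style output ("Name:" followed by "Address:" lines).

```shell
#!/bin/sh
# Added example, not the article's check_dns.sh attachment. Function names are illustrative.

# Address the system resolver returns (NSS order from /etc/nsswitch.conf).
system_ip() {
    getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# Read BIND-style nslookup output on stdin and print the answer addresses.
# The "Address:" line before the first "Name:" line is the DNS server itself.
parse_nslookup() {
    awk '/^Name:/ { seen = 1; next } seen && /^Address/ { print $2 }'
}

# Addresses the configured DNS server returns (bypasses /etc/hosts).
dns_ips() {
    nslookup "$1" 2>/dev/null | parse_nslookup
}

# IP mapped to NAME in a hosts-format file (default /etc/hosts), ignoring comments.
hosts_file_ip() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "${2:-/etc/hosts}"
}

# verdict SYSTEM_IP DNS_IP_LIST -> MATCH if the system IP is among the DNS answers.
verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo UNRESOLVED; return 0; fi
    for ip in $2; do
        if [ "$ip" = "$1" ]; then echo MATCH; return 0; fi
    done
    echo MISMATCH
}

main() {
    sys=$(system_ip "$1"); dns=$(dns_ips "$1")
    echo "nsswitch hosts line: $(grep '^hosts:' /etc/nsswitch.conf 2>/dev/null)"
    echo "System resolver    : ${sys:-none}"
    echo "DNS (nslookup)     : $(echo $dns)"
    echo "/etc/hosts entry   : $(hosts_file_ip "$1")"
    echo "Verdict            : $(verdict "$sys" "$dns")"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A MISMATCH together with a non-empty /etc/hosts entry points to the local override; a MISMATCH with no entry points to another cause such as DNS Round Robin.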

Attachments

check_dns.sh.txt