How to see the actual nameservers of a domain instead of the "nsrecords"

Question

A domain has nameservers and ns records. These should not, but can theoretically be different. There are multiple ways to see the ns records of a domain:

dig:

➜  ~  dig +short NS stackoverflow.com
cf-dns01.stackoverflow.com.
cf-dns02.stackoverflow.com.

nslookup:

➜  ~  nslookup -type=any stackoverflow.com
Server:     195.186.1.111
Address:    195.186.1.111#53

Non-authoritative answer:
stackoverflow.com   nameserver = cf-dns01.stackoverflow.com.
stackoverflow.com   nameserver = cf-dns02.stackoverflow.com.

Both these commands give the nsrecords of a domain. Via whois, you can see the real nameservers (which in this case are the same). But since most whois outputs are formatted different for almost every tld, it would be difficult to parse them out of the whois.

Is there any way to see the nameservers of a domain (not the nsrecords) without exeucting a whois?

Answer 1

If you want to see the nameservers listed by the registrar, those are available in the DNS system via the root servers.

For example:

 dig @a.gtld-servers.net ns stackoverflow.com

; <<>> DiG 9.10.2-P4 <<>> @a.gtld-servers.net ns stackoverflow.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55658
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stackoverflow.com.     IN  NS

;; AUTHORITY SECTION:
stackoverflow.com.  172800  IN  NS  cf-dns02.stackoverflow.com.
stackoverflow.com.  172800  IN  NS  cf-dns01.stackoverflow.com.

;; ADDITIONAL SECTION:
cf-dns02.stackoverflow.com. 172800 IN   A   173.245.59.4
cf-dns01.stackoverflow.com. 172800 IN   A   173.245.58.53

;; Query time: 65 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Sep 21 15:53:29 GMT 2015
;; MSG SIZE  rcvd: 124

If you modify the name servers listed in your registrar account, those servers will be reflected in the root / gtld servers. When you modify your DNS zones that your nameservers serve, they have no effect on the results returned by the root servers. Additionally, the only records the root servers will return are NS and A/AAAA defined by the registrar for the listed NS records. These are just pointers to find the authoritative (per the registrar) name servers for a domain to send your queries to.

Answer 2

I don't know of a command, but I use this at work. Its a function I have in my .bashrc

namesvrs() { whois $1|grep -i "^Name Server"; }

After you add this to your .bashr when you open up a new terminal, you can run

$ namesrvrs stackoverflow.com Name Server: cf-dns02.stackoverflow.com. Name Server: cf-dns01.stackoverflow.com.

Your mileage may vary and you may need to play with the grep regex if you are looking at domains registered with some of the smaller registrars.

Answer 3

Your question is kind of weird. Or at least uses terms oddly.

A domain in DNS has name servers, and those name servers are specified via NS records. What is in the NS records is, as far as DNS is concerned, the truth, the whole truth and nothing but the truth. What's in the NS records is by definition the domain's name servers. There is no "better" truth somewhere else.

What you call "name servers" in your question sound like what's in a domain's registrar's database(s). That information exists outside DNS. From the perspective of looking up things in DNS, that data is totally irrelevant (except that it will likely be used to generate NS records). Since this data is internal to each registrar, there is no global standard for how to access it. Why do you want that data anyway? Some sort of statistics project?