Command-Line DNS Tools — Complete Reference

Master every command-line DNS tool across Windows, macOS, and Linux. Query records, verify CleanBrowsing is active, and troubleshoot filtering issues from the terminal.

Step 1: nslookup (Windows)

nslookup is the built-in DNS query tool on Windows. It's available on every Windows version without installing anything.

Basic Lookup
nslookup example.com

This queries your default DNS server for the A record (IPv4 address) of example.com.

Query a Specific DNS Server
nslookup example.com 185.228.168.168

This sends the query directly to CleanBrowsing's Family Filter DNS server, bypassing your system's default DNS.

Query Different Record Types
:: A record (IPv4)
nslookup -type=A example.com

:: AAAA record (IPv6)
nslookup -type=AAAA example.com

:: MX record (mail servers)
nslookup -type=MX example.com

:: TXT record (SPF, DKIM, verification)
nslookup -type=TXT example.com

:: CNAME record (aliases)
nslookup -type=CNAME www.example.com

:: NS record (name servers)
nslookup -type=NS example.com
Interactive Mode

Type nslookup without arguments to enter interactive mode. This is useful for running multiple queries:

> server 185.228.168.168
Default Server:  family-filter-dns.cleanbrowsing.org
> set type=TXT
> debug.test.cleanbrowsing.org
> exit
Reading the Output

A typical nslookup response shows:

  • Server / Address: The DNS server that answered your query
  • Non-authoritative answer: The result came from cache, not directly from the domain's authoritative name server (this is normal)
  • Name / Address: The resolved IP address(es)

If a domain is blocked by CleanBrowsing, nslookup will return the IP of the block page or an NXDOMAIN (name does not exist) response.

Step 2: dig (macOS / Linux)

dig (Domain Information Groper) is the most powerful DNS query tool, available by default on macOS and most Linux distributions.

Basic Lookup
dig example.com
Short Output
dig +short example.com

Returns just the IP address without the full DNS response headers.

Query a Specific DNS Server
dig @185.228.168.168 example.com

The @ symbol specifies which DNS server to query. Use this to verify results through CleanBrowsing directly.

Query Different Record Types
# A record (default)
dig example.com A

# AAAA record (IPv6)
dig example.com AAAA

# MX record (mail servers)
dig example.com MX

# TXT record
dig example.com TXT

# CNAME record
dig www.example.com CNAME

# NS record (name servers)
dig example.com NS

# ANY (all available records)
dig example.com ANY
Trace Mode
dig +trace example.com

Traces the full DNS resolution path from the root servers down to the authoritative server. Useful for diagnosing where in the chain a query is being intercepted or failing.

Reading the ANSWER Section

The key section in dig output is the ANSWER SECTION:

;; ANSWER SECTION:
example.com.        3600    IN    A    93.184.216.34
  • 3600 — TTL (time-to-live) in seconds before the record expires from cache
  • IN — Internet class
  • A — Record type
  • 93.184.216.34 — The resolved address

If the ANSWER SECTION is empty and the status is NXDOMAIN, the domain was blocked or doesn't exist.

Step 3: Resolve-DnsName (PowerShell)

Resolve-DnsName is PowerShell's native DNS cmdlet, available on Windows 8.1+ and PowerShell 5+. It's particularly useful for Windows administrators and scripting.

Basic Lookup
Resolve-DnsName example.com
Specify Record Type
# A record
Resolve-DnsName -Name example.com -Type A

# AAAA record
Resolve-DnsName -Name example.com -Type AAAA

# MX record
Resolve-DnsName -Name example.com -Type MX

# TXT record
Resolve-DnsName -Name example.com -Type TXT

# NS record
Resolve-DnsName -Name example.com -Type NS
Query a Specific DNS Server
Resolve-DnsName -Name example.com -Server 185.228.168.168
Useful for Scripting

PowerShell returns structured objects, making it easy to process results programmatically:

# Get just the IP addresses
(Resolve-DnsName -Name example.com -Type A).IPAddress

# Check multiple domains
@("google.com", "facebook.com", "example.com") | ForEach-Object {
    $result = Resolve-DnsName -Name $_ -Server 185.228.168.168 -ErrorAction SilentlyContinue
    [PSCustomObject]@{ Domain = $_; IP = $result.IPAddress -join ", " }
}

Step 4: host (macOS / Linux)

host is a lightweight alternative to dig with simpler, more readable output. It's installed by default on most Unix systems.

Basic Lookup
host example.com

Returns the A, AAAA, and MX records in a human-readable format:

example.com has address 93.184.216.34
example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
example.com mail is handled by 0 .
Query a Specific DNS Server
host example.com 185.228.168.168
Query Specific Record Types
# TXT records
host -t TXT example.com

# NS records
host -t NS example.com

# MX records
host -t MX example.com
Reverse DNS Lookup
host 185.228.168.168

Returns the hostname associated with an IP address (PTR record). For CleanBrowsing servers, this should return something like family-filter-dns.cleanbrowsing.org.

Step 5: Advanced Techniques

Reverse DNS (PTR Lookups)

Reverse DNS maps an IP address back to a hostname. Useful for verifying which DNS server is responding:

# Using dig
dig -x 185.228.168.168

# Using nslookup
nslookup 185.228.168.168

# Using host
host 185.228.168.168
Check DNSSEC

Verify whether a domain has DNSSEC signatures:

# Request DNSSEC data
dig +dnssec example.com

# Check DS record at parent zone
dig example.com DS

If the response includes RRSIG records, DNSSEC is active for that domain.

Batch Testing Multiple Domains

Test whether multiple domains are being filtered correctly:

# Bash (macOS / Linux)
for domain in google.com facebook.com badexample.com; do
  echo "--- $domain ---"
  dig +short @185.228.168.168 $domain
done

# PowerShell (Windows)
"google.com", "facebook.com", "badexample.com" | ForEach-Object {
  Write-Host "--- $_ ---"
  Resolve-DnsName -Name $_ -Server 185.228.168.168 -ErrorAction SilentlyContinue | Select-Object -ExpandProperty IPAddress
}

# Windows Command Prompt
for %d in (google.com facebook.com badexample.com) do @nslookup %d 185.228.168.168
Test DNS-over-HTTPS with curl

Query CleanBrowsing's DoH endpoint directly:

curl -s "https://doh.cleanbrowsing.org/doh/family-filter?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" | od -A x -t x1z

Or use the JSON API format (where supported):

curl -s -H "accept: application/dns-json" "https://doh.cleanbrowsing.org/doh/family-filter?name=example.com&type=A"
Traceroute for Path Debugging

If DNS queries are slow or timing out, trace the network path to the DNS server:

# Windows
tracert 185.228.168.168

# macOS / Linux
traceroute 185.228.168.168

Look for high latency hops or timeouts that could indicate network issues between your device and CleanBrowsing's servers.

Step 6: CleanBrowsing-Specific Queries

CleanBrowsing provides special DNS records you can query to verify your configuration.

Debug Test Record

Query the debug.test.cleanbrowsing.org TXT record to confirm your traffic is reaching CleanBrowsing:

# dig
dig TXT debug.test.cleanbrowsing.org @185.228.168.168

# nslookup
nslookup -type=TXT debug.test.cleanbrowsing.org 185.228.168.168

# PowerShell
Resolve-DnsName -Name debug.test.cleanbrowsing.org -Type TXT -Server 185.228.168.168
Location Check

Identify which CleanBrowsing server is handling your queries:

dig TXT mylocation.whois.dnscontest.cleanbrowsing.org @185.228.168.168

The response shows the server location and your detected IP, useful for diagnosing routing issues.

Filter Identification

Verify which filter level is active by testing a known blocked domain:

# Test against Family Filter (blocks adult + mixed content)
dig +short @185.228.168.168 pornhub.com

# Test against Adult Filter (blocks adult only)
dig +short @185.228.168.10 pornhub.com

# Test against Security Filter (blocks malware/phishing only)
dig +short @185.228.168.9 pornhub.com

If the Family or Adult filter returns a block page IP (or NXDOMAIN), the filter is working. The Security filter should resolve the domain normally since it only blocks threats.

Paid Account Verification

If you have a paid CleanBrowsing account, verify your IP is recognized:

dig TXT debug.test.cleanbrowsing.org @185.228.168.168 +short

The TXT response will include your account status, assigned filter profile, and registered IP. If it shows "free" when you expect "paid," check that your current public IP matches the one registered in your CleanBrowsing dashboard.

Step 7: Quick Reference Cheat Sheet

Use this table to quickly find the right command for your platform and task.

Task nslookup (Windows) dig (Mac/Linux) PowerShell host (Mac/Linux)
Basic A lookup nslookup example.com dig example.com Resolve-DnsName example.com host example.com
Query via CleanBrowsing nslookup example.com 185.228.168.168 dig @185.228.168.168 example.com Resolve-DnsName example.com -Server 185.228.168.168 host example.com 185.228.168.168
TXT record nslookup -type=TXT example.com dig example.com TXT Resolve-DnsName example.com -Type TXT host -t TXT example.com
MX record nslookup -type=MX example.com dig example.com MX Resolve-DnsName example.com -Type MX host -t MX example.com
Reverse DNS nslookup 185.228.168.168 dig -x 185.228.168.168 Resolve-DnsName 185.228.168.168 host 185.228.168.168
Short output only N/A dig +short example.com (Resolve-DnsName example.com).IPAddress Default is short
Trace resolution path N/A dig +trace example.com N/A N/A
Verify CleanBrowsing nslookup -type=TXT debug.test.cleanbrowsing.org 185.228.168.168 dig TXT debug.test.cleanbrowsing.org @185.228.168.168 Resolve-DnsName debug.test.cleanbrowsing.org -Type TXT -Server 185.228.168.168 host -t TXT debug.test.cleanbrowsing.org 185.228.168.168
CleanBrowsing DNS Server Addresses
FilterPrimary (IPv4)Secondary (IPv4)Primary (IPv6)Secondary (IPv6)
Family185.228.168.168185.228.169.1682a0d:2a00:1::2a0d:2a00:2::
Adult185.228.168.10185.228.169.112a0d:2a00:1::12a0d:2a00:2::1
Security185.228.168.9185.228.169.92a0d:2a00:1::22a0d:2a00:2::2

Related Guides

Verify Your DNS Configuration
Common Questions & Troubleshooting
Debug DNS on ChromeBook
Clear DNS Cache (Desktop)
Debug with Browser DevTools

Need more help?

Contact our support team for assistance.

Contact Support