dig and nslookup give different answers

MelvynDrag

Comparing behavior dig vs nslookup

watch -n1 dig www.google.com I see that the ip address for google changes virtually every second.

If I run the command

watch -n1 nslookup www.google.com I see that the ipaddress for google stays fixed.

Can anyone explain why these two tools behave differently?

See this video: https://youtu.be/heK442CxyH4

k0dard

I've tried on my laptop and I don't have a changing address with dig...

Have you tried any other site except Google ?

Google has "special" position on the internet because it's servers are directly linked with a lot of local ISPs (so it makes Google "closer"). Maybe for your geographical location it's not the case and since the package takes arbitrary route every time it goes from one place from another, maybe your result is the consequence of you being approximately at the same "distance" between couple of Google servers. Or maybe some temporary network traffic condition.

As for the difference between dig and nslookup, I've found this article https://unix.stackexchange.com/questions/93808/dig-vs-nslookup. Doesn't help a lot but says the command don't use the same resolver libraries.

Some expert help would be appreciated

luisviveropena

Hi @MelvynDrag, while Lee provides a more complete answer, I did a test on Ubuntu 20.04 and I found that I got the same results (4 "A" records) if I use:

dig google.com
and
nslookup google.com

So, please try the commands without "watch" and see what you got. You will probably get more than one A record for the same FQDN (for Google at least), because their systems are designed for redundancy (depending on your location, you could get a different set of IPs), as @k0dard mentioned

Regards,
Luis.