Chapter 10.3 DNS Diagnostics and Tools - dig

Return to tools chapter home

10.3 DIG

dig is the current DNS diagnostic tool of choice but, as noted above, it is not always available, so you may still need to use nslookup.

Command Format

dig has both a command line and a batch mode (there is no interactive mode as in nslookup). In general the dig command line is more powerful than nslookup's (it even allows multiple queries on a single line) and the batch mode makes running check files a breeze. dig offers a daunting array of options but the following are simple examples. Throughout this page example.com, example.net and example.org are the reserved documentation domains and 192.0.2.x is the reserved documentation address block; substitute your own names and addresses.

# get the A record for the domain apex (any A RR without a label);
# if none exists the response instead carries the domain's SOA record
# in its AUTHORITY section
dig example.com
# get the MX record for the domain
dig example.com mx
# get the A record for the host
dig www.example.com
# get all domain records (a zone transfer) if the server allows it
dig example.com axfr
# get all records with no label for the domain
dig example.com any
# typically returns SOA, NS, MX and the domain SPF (TXT) record if defined

Generic Format

The following is the generic dig command format:

dig [@dns] domain [[-t ]q-type] [[-c ]q-class] [+q-opt] [-d-opt] [%comment]

Note: dig uses a mixture of positional/contextual arguments and identified options (i.e. options identified by a leading @, - or +) to keep simple queries simple. There are times when it is necessary to disambiguate the q-type and q-class arguments, and in those cases both can be specified in the identified option format (see examples).

Parameters in bone-chilling detail:

dns
    Optional name or IP address (IPv4 or IPv6 format) of the DNS server to be used for the query. The default is defined in /etc/resolv.conf on *nix systems. If present it must be preceded by a commercial at (@), e.g.
    dig @192.0.2.1 example.com

domain
    Name or IP address (IPv4 or IPv6 format) of the target. This may be a host or a domain name depending on context (see examples).

q-type
    Defines the type of record to return, e.g. a, aaaa, mx, ns, soa, txt, ptr, any or axfr. May optionally be preceded with -t in the identified option format. Most values are self explanatory; to get a full listing of all the domain's records use the axfr option, which requests a zone transfer. A zone transfer hands out every record in the zone (a complete inventory of the domain's hosts and addresses), so it should be restricted with the BIND9 allow-transfer option (and, better, a TSIG key). When the server refuses the transfer it answers REFUSED and dig reports "Transfer failed". Note that "Connection refused" is a different failure: nothing is listening on the server's TCP port 53 at all (AXFR always runs over TCP). Running dig axfr against your own name servers from an outside address is the quickest way to confirm that the restriction is actually in place.

q-class
    Defines the class of record to return; in (Internet) is the default. May optionally be preceded with -c in the identified option format. NB any is a valid value for both q-type and q-class, so to ensure the correct value is used (to disambiguate in the jargon) always specify both q-type and q-class when using the positional format, e.g.:
    # this will get any record for class IN only
    dig example.com any
    # this will get any record for any class
    dig example.com any any
    Alternatively you can use the identified option format with -c for q-class and -t for q-type. When the identified option format is used the parameter order is not important, e.g.
    dig -c any -t any example.com
    See d-opt below for the identified option format.

q-opt
    All these options are preceded with a plus (+) and control how the resulting DNS query operates. Multiple values may appear in a single command. Many of the values are the same as for nslookup. Many of the values have an abbreviation; it is shown after the slash in the default value, e.g. addit/ad means that ad is the abbreviation for addit. The option names below are those of the older (BIND 8) dig; the BIND 9 dig accepts a partly different set (e.g. +[no]additional, +[no]authority, +[no]question, +[no]tcp), so check dig -h on the installed version.

    domain=name      Replaces the default domain name.
    [no]aaonly       Controls whether to use an authoritative query only. Default = noaaonly.
    [no]addit        Controls whether to print the additional section. Default = addit/ad.
    [no]answer       Controls whether to print the answer section. Default = answer/an.
    [no]author       Controls whether to print the authority section. Default = author/au.
    [no]cl           Controls whether to print class information. Default = nocl.
    [no]cmd          Controls whether to echo the parsed arguments. Default = cmd.
    [no]d2           Controls the extra (very voluminous) diagnostic level. Default = nod2.
    [no]debug        Controls the diagnostic level. Default = nodebug.
    [no]defname      Controls substitution of the default domain if there are no periods in the domain name. Default = defname.
    [no]dnssec       Controls whether to set the DNSSEC OK (DO) bit in the OPT pseudo header. Default = nodnssec/nodn.
    [no]header       Controls whether to print the header flags. Default = header/he.
    [no]Header       Controls whether to print the basic header. Default = Header/H.
    [no]ignore       Controls whether to ignore truncation errors. Default = noignore.
    [no]ko           Controls whether the virtual connection is kept open. Only valid with vc. Default = noko.
    [no]primary      Controls whether to use the primary DNS server. Default = noprimary.
    [no]ques         Controls whether to print the question section. Default = ques/qu.
    [no]qr           Controls whether to print the outgoing query. Default = noqr.
    [no]recurse      Controls recursive query behaviour (the RD bit). Default = recurse.
    [no]reply        Controls whether to print the reply. Default = reply/rep.
    [no]search       Controls use of the search list (see the explanation of the relationship between search and defname). Default = search.
    [no]stats        Controls whether to display query statistics. Default = stats/st.
    [no]trunc        Controls whether to truncate the origin from names. Default = trunc/tr.
    [no]ttlid        Controls whether to print TTLs. Default = ttlid/tt.
    [no]vc           Controls whether to use TCP (vc, a virtual circuit) or UDP (novc). Default = novc.
    pfand=#          Bitwise AND the print flags with # (octal/hex/decimal).
    pfdef            Set the default print flags.
    pfmin            Set the minimal default print flags.
    pfor=#           Bitwise OR the print flags with # (octal/hex/decimal).
    pfset=#          Set the print flags to # (octal/hex/decimal).
    retry=num        Controls the number of query retries.
    time=secs        Controls the query timeout period. Default = 4 secs.

d-opt
    These options control how dig operates and are preceded with a minus (-). Multiple options may appear in a single command line.

    -c               Indicates that a q-class argument follows (the identified option format); can be used as a convenience or to disambiguate from the identically named q-type values.
    -envsav          Save the current variables (defaults, print options) to the file named by the environment variable LOCALDEF, or to DIG.env in the current working directory if LOCALDEF is not set.
    -f filename      Specifies a file containing batch commands, one query per line. Any options specified on the command line are in effect during the batch run (i.e. they are global). Lines beginning with ';' or '#' and blank lines are ignored.
    -k dir:key       Sign the query with the TSIG key key found in directory dir.
    -p port          Changes the port used for queries to port (default is 53).
    -P               Causes a ping to be issued to the DNS server being used after the query returns.
    -T secs          Time in seconds between executing lines in a batch file (see -f above).
    -t               Indicates that a q-type argument follows (the identified option format).
    -x addr          Specifies that addr is an IP address to be reverse mapped: dig builds the in-addr.arpa (IPv4) or ip6.arpa (IPv6) name for you and queries for its PTR RR, i.e.:
                     # this fails with NXDOMAIN (not found) - the address is looked up as a name
                     dig 192.0.2.1
                     # instead use
                     dig -x 192.0.2.1
                     # OR if you are a masochist!
                     dig 1.2.0.192.in-addr.arpa ptr
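What -x does for you can be reproduced by hand, which is worth seeing once because the IPv6 form (ip6.arpa, one label per hex nibble, compressed :: expanded first) is far less obvious than the IPv4 one. The following shell script is an added example and not from the book: rev_name builds the reverse-map name for either address family and ptr_commands prints the equivalent dig -x and explicit ptr queries. The addresses used are reserved documentation addresses.

```sh
#!/bin/sh
# Added example (not from the page): build the PTR owner name that
# "dig -x" derives for you.  IPv4 -> in-addr.arpa (octets reversed),
# IPv6 -> ip6.arpa (every hex nibble reversed, "::" expanded first).
# 192.0.2.0/24 and 2001:db8::/32 are reserved documentation ranges.

# rev_name ADDR -> prints the reverse-map name; returns 1 if ADDR is malformed
rev_name() {
    case $1 in
        *:*)
            # IPv6: split on ":"; empty fields mark the "::" gap
            printf '%s\n' "$1" | awk -F: '
                {
                    n = 0
                    for (i = 1; i <= NF; i++) if ($i != "") n++
                    if (n > 8) exit 1
                    hex = ""; filled = 0
                    for (i = 1; i <= NF; i++) {
                        if ($i == "") {
                            # "::" stands for the (8 - n) missing zero groups
                            if (!filled) { for (j = n; j < 8; j++) hex = hex "0000"; filled = 1 }
                        } else {
                            if (length($i) > 4) exit 1
                            # left-pad each group to 4 hex digits
                            hex = hex substr("0000", 1, 4 - length($i)) tolower($i)
                        }
                    }
                    if (length(hex) != 32) exit 1
                    out = ""
                    for (i = 32; i >= 1; i--) out = out substr(hex, i, 1) "."
                    print out "ip6.arpa"
                }' ;;
        *)
            # IPv4: exactly four dotted decimal octets below 256, reversed
            case $1 in
                *[!0-9.]*|*..*|.*|*.) return 1 ;;
            esac
            printf '%s\n' "$1" | awk -F. '
                NF == 4 && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 {
                    print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"; ok = 1
                }
                END { exit !ok }' ;;
    esac
}

# ptr_commands ADDR -> the two equivalent queries shown in the text
ptr_commands() {
    name=$(rev_name "$1") || return 1
    printf 'dig -x %s\n' "$1"
    printf 'dig %s ptr\n' "$name"
}

# usage: ptr_commands 192.0.2.1 ; ptr_commands 2001:db8::1
```

rev_name rejects a malformed address (wrong octet count, octet above 255, more than eight IPv6 groups) with a non-zero exit status rather than producing a name that would simply query for nonsense.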

Dig examples

Host Query

# simple host lookup - defaults to an A RR
dig www.example.com
# or could have been written as - order important
dig www.example.com a
# identified option format - order not important
dig -t a www.example.com
# use the dns at 192.0.2.1 for the query
dig @192.0.2.1 www.example.com a
# use the dns at ns1.example.com for the query
dig @ns1.example.com www.example.com a
# reverse map query - returns PTR RR
dig -x 192.0.2.1

Domain Query

# simple domain lookup - returns any A RR without a label;
# if none is present the response carries the domain's SOA RR
# in its AUTHORITY section instead
dig example.com
# quick domain lookup - return all RR without labels - typically gets SOA, NS, MX
# and the domain SPF (TXT) record if present; note that many servers now give
# a deliberately minimal answer to ANY (RFC 8482), so query the specific types
# when you need them
dig example.com any
# identified option format - order not important
dig -t any example.com
# use the dns at 192.0.2.1 for the query
dig @192.0.2.1 example.com any
# use the dns at ns1.example.com for the query
dig @ns1.example.com example.com a
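The axfr query from the examples above is also the standard check that a zone transfer is not open to the world, and it is easy to script. The following is an added example, not from the book: classify_axfr reads the output of dig ... axfr and reports OPEN (with the record count), REFUSED or ERROR, and check_zone_transfer wraps the live dig call. The two sample outputs embedded in it are constructed for the example and are not captures from any real server.

```sh
#!/bin/sh
# Added example (not from the page): tell an open zone transfer from a
# refused one by classifying "dig @ns zone axfr" output.
# A complete AXFR is delimited by the zone's SOA: it is both the first
# and the last record returned.  When BIND's allow-transfer denies the
# request the server answers REFUSED and dig prints "; Transfer failed."

# classify_axfr  (dig output on stdin) -> prints one of
#   OPEN <n>  transfer succeeded, <n> records returned
#   REFUSED   server answered but refused the transfer
#   ERROR     no usable reply (timeout, TCP connection refused, incomplete transfer, ...)
classify_axfr() {
    awk '
        /Transfer failed/ { refused = 1 }
        # record lines are the only ones not starting with ";" (dig comments)
        /^[^; \t]/ {
            n++
            if (n == 1) first = $4      # fields: owner TTL class TYPE rdata...
            last = $4
        }
        END {
            if (n >= 2 && first == "SOA" && last == "SOA") print "OPEN " n
            else if (refused) print "REFUSED"
            else print "ERROR"
        }'
}

# check_zone_transfer NS ZONE -> runs the live query (needs network access)
check_zone_transfer() {
    dig "@$1" "$2" axfr +time=5 +retry=1 2>&1 | classify_axfr
}

# Constructed sample outputs for offline use (not real captures).
SAMPLE_OPEN='; <<>> DiG 9.x <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.          3600  IN  NS   ns1.example.com.
example.com.          3600  IN  MX   10 mail.example.com.
ns1.example.com.      3600  IN  A    192.0.2.1
mail.example.com.     3600  IN  A    192.0.2.2
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 2 msec
;; SERVER: 192.0.2.1#53(ns1.example.com) (TCP)
;; XFR size: 6 records (messages 1, bytes 250)'

SAMPLE_REFUSED='; <<>> DiG 9.x <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# usage:  printf '%s\n' "$SAMPLE_OPEN" | classify_axfr      -> OPEN 6
#         check_zone_transfer ns1.example.com example.com   (live query)
```

Run check_zone_transfer against each of your own name servers from an address that is not in allow-transfer; anything other than REFUSED deserves a look (ERROR usually means the server is unreachable over TCP, which is worth knowing too, because a server that cannot answer over TCP cannot serve large responses).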

Multiple Queries

You can issue multiple queries per command line as long as each query is clearly identified (or disambiguated).

# multiple domain lookup - returns non-label RRs for both domains
dig example.com any example.net any
# multiple domain lookup - returns A RR for the first and non-label RRs
# for the second domain
dig example.com example.net any
# multiple domain lookup - returns non-label RRs for the first domain
# and A RR for the second
dig example.com any example.net
# if you start with one format you must be consistent
# - this fails on the second query
dig -t any example.com example.net any
# but this works
dig -t any example.com -t any example.net
# and yes this works
dig example.com any example.net any example.org any
# and so does this
Pro DNS and BIND by Ron Aitchison
