Chapter 10.3 DNS Diagnostics and Tools - dig


10.3 DIG

dig is the current DNS diagnostic tool of preference but, as noted above, it is not always widely available. You may still need to use nslookup.

Command Format

dig has both a command line and a batch mode (there is no interactive mode like nslookup's). In general the command line of dig is more powerful than nslookup's (it even allows multiple queries on a single line) and the batch mode makes running check files a breeze. dig offers a daunting array of options but the following are simple examples:

# get the A record for any record without a label 
# but will always return the SOA record for the domain
dig example.com
# get the MX record for the domain 
dig example.com mx
# get the A record for the host
dig www.example.com
# get all domain records if allowed
dig example.com axfr
# get all records with no label for the domain 
dig example.com any
# typically returns SOA, NS, MX and domain SPF if defined 

Generic Format

The following is the generic dig command format:

dig [@dns] domain [[-t ]q-type] [[-c ]q-class] [+q-opt] [-d-opt] [%comment]

Note: In general dig uses a mixture of positional/contextual arguments and identified options (i.e. options identified with a prefix character @, - or +) to keep simple queries simple! There are times when it is necessary to disambiguate the q-type and q-class options, and in this case both can be specified in the identified option format (see examples).

Parameters in bone-chilling detail:

dns
  Optional name or IP address (IPv4 or IPv6 format) of the DNS server to be used for the query. The default is defined in /etc/resolv.conf on *nix systems. If present it must be preceded by a commercial at (@), e.g.
  dig @192.168.2.53 www.example.com

domain
  Name or IP address (IPv4 or IPv6 format) of the target. May be a host or a domain name depending on context (see examples).

q-type
  Values: a, any, axfr, hinfo, mx, ns, soa, srv, wks
  Defines the type of record to return. May optionally be preceded with -t in the identified option format. Most values are self-explanatory, but to get a full listing of all the domain's records use the axfr option. This feature may be disallowed by the allow-transfer BIND9 option, in which case the command will fail with Connection refused.

q-class
  Values: in, any, hesiod, chaos
  in is the default. May optionally be preceded with -c in the identified option format. NB any is a valid value for both q-type and q-class, so to ensure the correct value is used (to disambiguate, in the jargon) always specify both q-type and q-class when using the positional format, e.g.:
  # this will get any record for class IN only
  dig example.com any
  # this will get any record for any class
  dig example.com any any
  Alternatively you can use the identified option format with -c for q-class and -t for q-type. When the identified option format is used the parameter order is not important, e.g.
  dig -c any -t any example.com
  See d-opt below for the identified option format.

q-opt
  All these options are preceded with a plus (+) and control how the resulting DNS query operates. Multiple values may appear in a single command. Many of the values are the same as nslookup's. Many of the values have an abbreviation; it is shown in parentheses after the option, e.g. addit (ad), where ad is the abbreviation for addit.
  domain=name - Replaces the default domain name.
  [no]aaonly - Controls whether to use authoritative queries only. Default = noaaonly.
  [no]addit - Controls whether to print additional information. Default = addit/ad.
  [no]answer - Controls whether to print the answer section. Default = answer/an.
  [no]author - Controls whether to print the authoritative section. Default = author/au.
  [no]cl - Controls whether to print class information. Default = nocl.
  [no]cmd - Controls whether to echo valid arguments. Default = cmd.
  [no]d2 - Controls the voluminous diagnostic level. Default = nod2.
  [no]debug - Controls the diagnostic level. Default = nodebug.
  [no]defname - Controls substitution of the default domain if there are no periods in the domain name. Default = defname.
  [no]dnssec - Controls whether to set the DNSSEC OK bit in the OPT pseudo header. Default = nodnssec/nodn.
  [no]header - Controls whether to print the header flags. Default = header/he.
  [no]Header - Controls whether to print the basic header. Default = Header/H.
  [no]ignore - Controls whether to ignore truncation errors. Default = noignore.
  [no]ko - Controls whether the virtual connection is kept open. Only valid with vc. Default = noko.
  [no]primary - Controls whether to use the primary dns. Default = noprimary.
  [no]ques - Controls whether to print the question section. Default = ques/qu.
  [no]qr - Controls whether to print the outgoing query. Default = noqr.
  [no]recurse - Controls recursive query behaviour. Default = recurse.
  [no]reply - Controls whether to print the reply. Default = reply/rep.
  [no]search - Controls use of the search list (srchlist; see the explanation of the relationship between search and defname). Default = search.
  [no]stats - Controls whether to display statistics. Default = stats/st.
  [no]trunc - Controls whether to truncate the origin from names. Default = trunc/tr.
  [no]ttlid - Controls whether to print the TTL. Default = ttlid/tt.
  [no]vc - Controls whether to use TCP (vc) or UDP (novc). Default = novc.
  pfand=# - Bitwise AND the print flags with # (octal/hex/decimal).
  pfdef - Set the default print flags.
  pfmin - Set minimal default print flags.
  pfor=# - Bitwise OR the print flags with # (octal/hex/decimal).
  pfset=# - Set the print flags to # (octal/hex/decimal).
  retry=num - Controls the number of query retries.
  time=secs - Controls the query timeout period. Default = 4 secs.

d-opt
  These options control how dig operates and are preceded with a minus (-). Multiple options may appear in a single command line.
  -c - Indicates that a q-class argument follows (this is the identified option format); it can be used as a convenience or to disambiguate from a q-type value of the same name.
  -envsav - Saves variables to the file named by the environment variable LOCALDEF, or to DIG.env in the current working directory if LOCALDEF is not set.
  -f filename - Specifies a file containing batch commands. Any options specified on the command line are in effect during the batch run (i.e. they are global). Lines beginning with ';' or '#' or '\n' are ignored.
  -k dir:key - Signs the query with the TSIG key key found in directory dir.
  -p port - Changes the port used for queries to port (default is 53).
  -P - Causes a ping to be issued to the dns being used.
  -T secs - Time in seconds between executing lines in a batch file (using option -f above).
  -t - Indicates that a q-type argument follows (this is the identified option format).
  -x - Specifies that inverse notation is being used, i.e.:
  # this will fail NXDOMAIN (not found)
  dig 192.168.2.53
  # instead use
  dig -x 192.168.2.53
  # OR if you are a masochist!
  dig 53.2.168.192.in-addr.arpa ptr

Dig examples

Host Query

# simple host lookup - defaults to an A RR
dig www.example.com
# or could have been written as - order important
dig www.example.com a
# identified option format - order not important
dig -t a www.example.com
# use the dns at 192.168.2.224 for the query
dig @192.168.2.224 www.example.com a
# use the dns at ns1.example.com for the query
dig @ns1.example.com www.example.com a
# reverse map query - returns PTR RR
dig -x 192.168.2.224

Domain Query

# simple domain lookup - returns any A RR without a label
# even if none present will return the domain SOA RR
dig example.com
# quick domain lookup
# return all RR without labels - typically gets SOA, NS, MX 
# and domain SPF if present
dig example.com any
# identified option format - order not important
dig -t any example.com
# use the dns at 192.168.2.224 for the query
dig @192.168.2.224 example.com any
# use the dns at ns1.another.com for the query
dig @ns1.another.com example.com a

Multiple Queries

You can issue multiple queries per command line - as long as each query is clearly identified (or disambiguated).

# multiple domain lookup - returns non-label RRs for both domains
dig example.com any another.com any
# multiple domain lookup - returns A RR for first and non-label RRs
# for second domains
dig example.com another.com any
# multiple domain lookup - returns non-label RRs for first domains
# and A RR for second
dig example.com any another.com
# if you start with one format you must be consistent 
# - this fails on the second query
dig example.com -t any another.com any
# but this works
dig example.com -t any another.com -t any
# and yes this works
dig example.com any another.com any yetanother.com any
# and so does this
dig www.example.com www.another.com fred.yetanother.com
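As an added example (not from the book), a short POSIX shell script that parses dig's text output so the checks above can be scripted rather than eyeballed: it reads the RCODE and answer count from an ordinary query, and tells whether an axfr request was actually served or refused (the allow-transfer case noted under q-type). The server names, the sample output and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the book's code): two helpers that read dig's text output
# on stdin, so a batch of checks (e.g. confirming your own name servers refuse
# AXFR) can be scripted rather than eyeballed.

# Print the RCODE (NOERROR, NXDOMAIN, REFUSED ...) and the ANSWER count taken
# from the ";; ->>HEADER<<-" and ";; flags:" lines of an ordinary query.
dig_summary() {
    awk '
        /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/       { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 }
        END { printf "%s %s\n", status, answers }'
}

# Decide whether "dig @server zone axfr" really handed over the zone. A
# refused transfer prints "; Transfer failed."; a successful one lists the
# zone's records, which start and end with the SOA.
axfr_result() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        $1 !~ /^;/ && $3 == "IN" && $4 == "SOA" { soa++ }
        $1 !~ /^;/ && $3 == "IN" { records++ }
        END { if (failed || soa < 2) print "denied"
              else print "allowed " records " records" }'
}

# Constructed sample output in the shape dig prints (not captured from a
# real server); the addresses are documentation ranges.
SAMPLE_QUERY='; <<>> DiG 9.16.1 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com.  300  IN  A  192.0.2.10'
SAMPLE_AXFR_DENIED='; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com axfr
; Transfer failed.'
SAMPLE_AXFR_ALLOWED='example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.  3600  IN  NS  ns1.example.com.
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600'

# Named wrappers so each sample can be checked by name from a check script.
summary_of_sample()   { printf '%s\n' "$SAMPLE_QUERY" | dig_summary; }
axfr_denied_sample()  { printf '%s\n' "$SAMPLE_AXFR_DENIED" | axfr_result; }
axfr_allowed_sample() { printf '%s\n' "$SAMPLE_AXFR_ALLOWED" | axfr_result; }

# Against a live server pipe real output instead, for example:
#   dig @ns1.example.com example.com axfr | axfr_result
```

Run the axfr check against every authoritative server for a zone you operate; anything other than "denied" from a server that is not a permitted secondary means allow-transfer needs tightening.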


Pro DNS and BIND by Ron Aitchison
