dig - DNS lookup utility

Domain Information Groper (gatherer)

Simple usage: dig hostname
Ask a specific DNS server: dig @DNSserver hostname

dig [global opts] hostname []
    [-x addr]              lookup this IP address
    [@server]
    [-b sourceAddress]
    [-c class]
    [-t type]
    [-k keyFile]
    [-p port#]
    [-q name]
    [-y [hmac:]tname:key]
    [-f digCommandFile]
    [-4] [-6]
    [type]
    [class]
    [queryopt...]

dig [global-queryopt...] [query...]

domain information groper interrogates DNS name servers, performs DNS lookups and outputs the answers.

Lookups can be run in batch mode from a file, or several lookups can be given on the command line.

By default uses servers in /etc/resolv.conf (which may have come from DHCP)

User defaults are in ${HOME}/.digrc and are applied before the command line arguments.

Output is in a form suitable for use in named.conf with commentary information prefixed with ; which will be treated as comments.

hostname resource record(s) to be looked up.
server name or IP address of the Name Server to query.
Defaults are taken from /etc/resolv.conf

Server hostname is permitted. IPv4 address in dotted-decimal notation or IPv6 in colon-delimited notation.

-t type ANY, A, AAAA, MX, NS, SOA, HINFO, AXFR, TXT, SIG,… Default: A (not ALL).
TXT may contain information including Sender Policy Framework
      example: v=spf1 a mx ip4:67.228.235.89 ?all
AXFR requests a zone transfer.
IXFR requests an incremental zone transfer.
When an IXFR is required, type is set to IXFR=nnnnnnnn. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was nnnnnnnn.
Frequently the serial number is in the form yyyymmddNN, where NN is incremented each time the conf is changed in a given day. See BIND.
-x iii.iii.iii.iii reverse lookup; maps addresses to names
like 216.40.47.26.in-addr.arpa and sets query type to PTR and class to IN.
By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
-i x.x.x.x.x.x.x.x.x use the older RFC1886 method using the IP6.INT domain
Bit string labels (RFC2874) are not attempted.

-f filename read requests from filename, using the same format as a command.
-q name sets the query name, to distinguish the name from other arguments.
-c class Default IN for internet. HS for Hesiod records or CH for CHAOSNET records.
-4 use IPv4 query transport.
-6 use IPv6 query transport.
-b address[#pp] sets the source IP address, or "0.0.0.0" or "xx:xx:xx:xx". A port may be specified.
-p port non-standard port number. Default 53.
-k keyfile sign the DNS queries and their responses using transaction signatures (TSIG), reading the key from keyfile.
-y [hmac:]tname:key specify the TSIG key on the command line.
hmac is the type of the TSIG, default HMAC-MD5
tname is the name of the TSIG key
key is a base-64 encoded string, typically generated by dnssec-keygen(8).
With -y the key is visible in the output from ps or in the shell's history file; -k keeps it off the command line.
When using TSIG authentication the name server needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.
-h help
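
Added example (not part of the original page or of the dig distribution): a check for TSIG secrets exposed through -y, the risk noted above. The function names tsig_leaks and sample_history, the key name, the key material and the key file path are constructed for this example.

```sh
# Flag dig invocations that pass a TSIG secret with -y.
# Input: one command line per line on stdin (a shell history file, or the
# output of `ps -eo args`).
# Output: line number, TSIG key name, command with the secret redacted.
tsig_leaks() {
    awk '
    {
        isdig = 0
        for (i = 1; i <= NF; i++) {
            # "dig", "/usr/bin/dig", or zsh extended history ": 1700000000:0;dig"
            if ($i ~ "(^|[/;])dig$") { isdig = 1; continue }
            if (!isdig || $i != "-y" || i == NF) continue
            # -y [hmac:]tname:key : the key is the last colon-separated part
            m = split($(i + 1), part, ":")
            if (m < 2) continue
            name = part[m - 1]
            sub(/[^:]*$/, "<redacted>", $(i + 1))
            printf "%d\t%s\t%s\n", NR, name, $0
        }
    }'
}

# Constructed sample history; key material and paths are placeholders.
sample_history() {
    cat <<'EOF'
dig @ns1.example.net example.net soa
dig @ns1.example.net -y hmac-sha256:xfer-key:Q09OU1RSVUNURUQ= example.net soa
dig -k /etc/bind/xfer.key @ns1.example.net example.net soa
/usr/bin/dig -y xfer-key:Q09OU1RSVUNURUQ= -t soa example.net
EOF
}

sample_history | tsig_leaks
```

Lines 2 and 4 of the sample are reported; the -k invocation on line 3 is not, because the secret never appears on the command line. Any key found this way should be treated as disclosed and rotated.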

QUERY OPTIONS

Some of these set or reset flag bits in the query header
some determine which sections of the answer get output, and
others determine the timeout and retry strategies.

Keywords are preceded by a plus (+).
Keywords which set or reset an option may be preceded by no.
Keywords which assign values to options (like the timeout interval) have the form keyword=value.
tcp Use TCP when querying name servers.
Default UDP, except for AXFR or IXFR .
vc aka tcp "virtual circuit"
ignore Ignore truncation in UDP responses. Default: retry with TCP query
domain=somename Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if search were given.
search Use the search list defined by the searchlist or domain directive in resolv.conf. Not used by default.
showsearch show intermediate results.
defname Deprecated, treated as a synonym for search
recurse Toggle RD (recursion desired). Initially set.
Recursion is disabled when nssearch or trace are used.
nssearch determines the authoritative name servers for the zone and their SOA records
aaonly Sets the aa flag in the query; +noaaonly clears it.
aaflag synonym for aaonly
adflag AD (authentic data) meaningful in responses, not in queries
trace Toggle tracing of the delegation path from the root name servers. Initially disabled.
time=s timeout in seconds; values below 1 are treated as 1. Default: 5 seconds.
tries=T number of tries for UDP queries. Default: 3.
retry=r number of UDP retries. Default: 2. Does not include the initial query.
fail Do not try the next server if SERVFAIL is received. Default: fail.
ndots=D the number of dots in name for it to be absolute.
Default: 1 or ndots statement in /etc/resolv.conf.
Names with fewer dots are relative and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
bufsize=bytes UDP message buffer size advertised using EDNS0, 0-65535.
Values other than zero cause an EDNS query to be sent.
edns=# EDNS version to query with. 0 - 255.
Setting the EDNS version causes an EDNS query to be sent.
noedns clears the EDNS version.
besteffort output the contents of messages which are malformed. Default: do not.
dnssec Requests DNSSEC records (DO)
cdflag Checking Disabled. Requests the server not to perform DNSSEC validation of responses.
sigchase Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.
trusted-key=#### Specifies a file containing trusted keys to be used with sigchase. Each DNSKEY record must be on its own line.
If not specified dig will look for /etc/trusted-key.key then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.
topdown When chasing DNSSEC signature chains perform a top down validation.
Requires dig be compiled with -DDIG_SIGCHASE.

options affecting output

cmd
dig version and options.
Use as a global option.
; <<>> DiG 9.3.4-P1 <<>>
;; global options:  printcmd
all Set or clear all output flags.
qr output the query as it is requested. Default: not
short Provide a terse answer. Example: 192.168.1.1. Default: verbose.
identify IP address and port that supplied the answer when short is enabled.
Default: no
67.228.235.89 from server 10.0.80.11 in 1 ms.
cl output CLASS
ttlid output TimeToLive
comments Toggle comment lines. Initially: yes
question Default: yes
answer section yes
authority section yes
additional section . Default: yes
stats
toggle outputting when the query was made, the size of the reply …. Initially: yes
;; Query time: 2 msec
;; SERVER: 10.0.80.11#53(10.0.80.11)
;; WHEN: Fri Nov 13 22:42:39 2009
;; MSG SIZE  rcvd: 294
multiline output records like the SOA records in verbose multi-line format with human-readable comments.
(nomultiline uses [tab] to separate fields; multiline uses spaces.)
Default: output each record on a single line, to facilitate parsing.

MULTIPLE QUERIES

In addition to supporting -f file, specifying multiple queries on the command line is permitted; each can be supplied with its own set of flags, options and query options.

Each query argument represents an individual query in the command-line syntax, consisting of any of the standard options and flags, the name to be looked up, an optional query type and class, and any query options that should be applied to that query.

Global query options, applied to all queries, must precede the first tuple of name, class, type, options, flags, and query options on the command line and can be overridden by a query-specific set of query options. For example:

dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
  1. The global query option +qr is applied, so dig shows the initial query it made for each lookup.
  2. An ANY query for www.isc.org,
  3. a reverse lookup of 127.0.0.1 and
  4. a query for the NS records of isc.org.
  5. The local query option +noqr means dig does not output the initial query when it looks up isc.org.

IDN SUPPORT

If built with IDN (Internationalized Domain Name) support, dig can accept and output non-ASCII domain names. dig converts the character encoding of the domain name before sending a request to a DNS server or outputting a reply from the server. To turn off IDN support, define the IDN_DISABLE environment variable.

tip: The IN and CH class names overlap with the IN and CH top level domain names.

FILES

/etc/resolv.conf

${HOME}/.digrc

SEE host, named, dnssec-keygen, RFC1035.

Help

 dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
                         [ host [@local-server] {local-d-opt} …

Where:  
domain    is in the Domain Name System
q-class  one of: in, hs, ch,… default: in
q-type   one of: any, a, mx, ns, soa, hinfo, axfr, txt,… default:a
                 Use ixfr=version for type ixfr
q-opt  :
-q name  -t type   -c class      
-f filename         batch mode
-x dot-notation     shortcut for in-addr lookups
-i                  IP6.INT reverse IPv6 lookups
-b address#port  bind to source address/port
-p port          
-4 -6         use IPv4/IPv6 query transport only

d-opt    is of the form +keyword=value, where keyword is:
vc    tcp            TCP mode aka Virtual Circuit

+time=###       timeout 5 sec.
+tries=###      UDP attempts 3        +retry=### UDP retries 2
+domain=###     default domainname
+bufsize=###    EDNS0 Max UDP packet size
+ndots=###         
+edns=###         
search         Set whether to use searchlist
showsearch     Search with intermediate results
defname  
recurse   
ignore         Don't revert to TCP for TC responses
fail           Don't try next server on SERVFAIL
besteffort     Try to parse even illegal messages

all            Set or clear all output flags
aaonly         Set AA flag in query aaflag
adflag         Set AD       cdflag Set CD 

cmd            output command line
qr             output question before sending

cl             output class 

comments       question     answer       
authority      additional   stats      

short          ttlid  (omits type=txt)
nssearch       Search all authoritative nameservers
identify       ID responders in short answers
trace          Trace delegation down from root
multiline      output records in an expanded format

dnssec         Request DNSSEC records
-k keyfile          specify tsig key file
-y [hmac:]name:key  (specify named base64 tsig key)

global d-opts and servers (before host name) affect all queries.
local  d-opts and servers (after host name)  affect only that lookup.

 

dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 14114 IN TXT "v=spf1 a mx ip4:67.228.235.89 ?all"
real-world-systems.com. 13835 IN A 67.228.235.89
real-world-systems.com. 13835 IN MX 0 real-world-systems.com.
real-world-systems.com. 53938 IN NS dns2.midphase.com.
real-world-systems.com. 53938 IN NS dns1.midphase.com.
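
Added example (not part of the original page): the TXT answer above carries an SPF policy ending in ?all. This reads default-format dig +noall +answer output and reports how each SPF record qualifies its all mechanism. The function names spf_all_policy and sample_answer and the example.net record are constructed for this example; the qualifier meanings are those of RFC 7208.

```sh
# Read default-format `dig +noall +answer` output on stdin and report, for
# every SPF record, how its "all" mechanism is qualified.
# Output per record: owner name, qualifier, meaning (tab separated).
spf_all_policy() {
    awk '
    $4 == "TXT" && tolower($0) ~ /"v=spf1[ "]/ {
        rdata = $0
        sub(/^[^"]*"/, "", rdata)   # drop name, TTL, class and type
        gsub(/" "/, "", rdata)      # adjacent TXT strings are concatenated
        gsub(/"/, "", rdata)
        n = split(rdata, term, " ")
        verdict = "none\tno all mechanism and no redirect"
        for (i = 2; i <= n; i++) {
            t = tolower(term[i])
            if (t ~ /^redirect=/)
                verdict = "redirect\tpolicy continues at " substr(t, 10)
            if (t !~ /^[-+~?]?all$/) continue
            q = substr(t, 1, 1)
            if (q == "-")      verdict = "-all\tfail: unlisted senders are not authorised"
            else if (q == "~") verdict = "~all\tsoftfail: unlisted senders probably not authorised"
            else if (q == "?") verdict = "?all\tneutral: no assertion about unlisted senders"
            else               verdict = "+all\tpass: every sender is authorised"
            break
        }
        printf "%s\t%s\n", $1, verdict
    }'
}

# First two records are from the answer above; the example.net record is
# constructed to show a policy split across two TXT strings.
sample_answer() {
    cat <<'EOF'
real-world-systems.com. 14114 IN TXT "v=spf1 a mx ip4:67.228.235.89 ?all"
real-world-systems.com. 13835 IN A 67.228.235.89
example.net. 300 IN TXT "v=spf1 ip4:192.0.2.10 " "-all"
EOF
}

sample_answer | spf_all_policy
```

A ?all or +all result means the record does not tell receivers to reject mail from hosts outside the listed mechanisms.
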
 dig @ns1.hover.com pppg.org

; <<>> DiG 9.3.4-P1 <<>> @ns1.hover.com pppg.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pppg.org.                      IN      A

;; ANSWER SECTION:
pppg.org.               900     IN      A       67.220.194.133

;; Query time: 132 msec
;; SERVER: 216.40.47.26#53(216.40.47.26)
;; WHEN: Thu Oct 29 12:39:23 2009
;; MSG SIZE  rcvd: 42

 dig @ns1.midphase.com pppg.org

; <<>> DiG 9.3.4-P1 <<>> @ns1.midphase.com pppg.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7373
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pppg.org.                      IN      A

;; ANSWER SECTION:
pppg.org.               14400   IN      A       67.228.235.89

;; AUTHORITY SECTION:
pppg.org.               86400   IN      NS      dns1.midphase.com.
pppg.org.               86400   IN      NS      dns2.midphase.com.

;; ADDITIONAL SECTION:
dns1.midphase.com.      86400   IN      A       67.213.216.225
dns2.midphase.com.      86400   IN      A       69.4.235.113

;; Query time: 69 msec
;; SERVER: 67.213.216.227#53(67.213.216.227)
;; WHEN: Thu Oct 29 12:42:56 2009
;; MSG SIZE  rcvd: 124


 dig @ns1.hover.com gardenstateauduboncouncil.org

; <<>> DiG 9.3.4-P1 <<>> @ns1.hover.com gardenstateauduboncouncil.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16402
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gardenstateauduboncouncil.org. IN      A

;; ANSWER SECTION:
gardenstateauduboncouncil.org. 900 IN   A       173.54.41.69

;; Query time: 66 msec
;; SERVER: 216.40.47.26#53(216.40.47.26)
;; WHEN: Thu Oct 29 17:31:39 2009
;; MSG SIZE  rcvd: 63

 dig @ns1.midphase.com gardenstateauduboncouncil.org

; <<>> DiG 9.3.4-P1 <<>> @ns1.midphase.com gardenstateauduboncouncil.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4838
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;gardenstateauduboncouncil.org. IN      A

;; ANSWER SECTION:
gardenstateauduboncouncil.org. 14400 IN A       67.228.235.89

;; AUTHORITY SECTION:
gardenstateauduboncouncil.org. 86400 IN NS      dns2.midphase.com.
gardenstateauduboncouncil.org. 86400 IN NS      dns1.midphase.com.

;; ADDITIONAL SECTION:
dns1.midphase.com.      86400   IN      A       67.213.216.225
dns2.midphase.com.      86400   IN      A       69.4.235.113

;; Query time: 69 msec
;; SERVER: 67.213.216.227#53(67.213.216.227)
;; WHEN: Thu Oct 29 17:31:33 2009
;; MSG SIZE  rcvd: 145