This documentation reflects version DiG 9.3.4-P1 , a more current version is DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4
dig [gobal opts] hostname
[…]
|
| The completness of the response will vary from server to server and query to query!! To get the truth direct the query to the first NS(name server)
dig @`dig NS hostname +short|head -1` hostname -t ANY TTL is in seconds: 3600=1hour. 14400= 4hours; 86400 = 1day; For secondary servers this is the time REMAINING
|
> dig NS pppg.org # ask any server
;; ANSWER SECTION:
pppg.org. 3600† IN† NS ns64.domaincontrol.com.
pppg.org. 3600 IN NS ns63.domaincontrol.com.
|
dig @ns63.DOMAINCONTROL.COM ANY pppg.org # ask the domain's Name Server |
Batch mode of operation from a file or use multiple lookups from the command line.
By default uses the servers in /etc/resolv.conf (which may have come from DHCP server)
User defaults in ${HOME}/.digrc are applied before the command line arguments ( no way to disable .digrc).
Output is in a form suitable for use in named.conf
with commentary information prefixed with
; which will be treated as comments.
hostname | resource record(s) to be looked up. |
server |
-t typesome servers refuse multiple type codes | A AAAA MX NS SOA HINFO TXT SIG SSHFP PRT RRSIG OPT CAA SRV ANY AXF ANY does not include SRVTry querying the Name Server for more records.
Default:
Each domain may have multiple hosts and even multiple levels of host. Each having their own DNS records
@ server |
+) and an optional no.
Supressing some output is useful when comparing queries that are expected to be the same.
For example since ttl keeps changing and stats includes the current time,
including them will result in differences which are not significant.
Simularly outputting version identification can be supressed using +nocmd
+noall |
Some of these set or reset flag bits in the query header
keywords are preceded by a plus (+).
keywords which set or reset an option and may be preceded by no.
keywords which assign values to options (like the timeout interval), have the form keyword=value.
+nonssearch | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-f file, specifying multiple queries on the command line is permited, each can be supplied with its own set of flags, options and query options.
Each query argument represents an individual query in the command-line syntax, consisting of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options applied to that query.
Global query options, applied to all queries,
precede the first hostname, class, type, options, flags, and query options
can be overridden by a query-specific set of query options. For example:
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+qr is applied, so the initial query it made for each lookup. +noqr not output the initial query when it
looks up isc.org.IDN_DISABLE environment variable.
tip: The IN and CH class names overlap with the IN and CH top level domains names.
/etc/resolv.conf
${HOME}/.digrc
See host, named, dnssec-keygen, RFC1035.
dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} …
Where:
domain is in the Domain Name System
q-class one of: in, hs, ch,… default: in
q-type one of: any, a, mx, ns, soa, hinfo, axf, txt,… default:a
Use ixfr=version for type ixfr
q-opt :
-q name -t type -c class
-f filename batch mode
-x dot-notation shortcut for in-addr lookups
-i IP6.INT reverse IPv6 lookups
-b address#port bind to source address/port
-p port
-4 -6 use IPv4/IPv6 query transport only
d-opt is of the form +keyword=value, where keyword is:
vc tcp TCP mode aka Virtual Circuit
+time=### timeout 5 sec.
+tries=### UDP attempts 3 +retry=### UDP retries 2
+domain=### default domainname
+bufsize=### EDNS0 Max UDP packet size
+ndots=###
+edns=###
search Set whether to use searchlist
showsearch Search with intermediate results
defname
recurse
ignore Don't revert to TCP for TC responses
fail Don't try next server on SERVFAIL
besteffort Try to parse even illegal messages
all Set or clear all output flags
aaonly Set AA flag in query aaflag
adflag Set AD
cdflag Set CD
cmd output command line
qr output question before sending
cl output class
comments question answer
authority additional stats
short ttlid (ommits type=txt)
nssearch Search all authoritative nameservers
identify ID responders in short answers
trace Trace delegation down from root
multiline output records in an expanded format
dnssec Request DNSSEC records
-k keyfile specify tsig key file
-y [hmac:]name:key (specify named base64 tsig key)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
7/13/19
/usr/bin/dig @`/usr/bin/dig +short Real-World-Systems.com -t NS | head -1` Real-World-Systems.com -t A MX TXT NS SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41712
;; flags: †qr aa† rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4
Real-World-Systems.com. 14400 MX 20 spamalizer.midphase.com.
Real-World-Systems.com. 14400 TXT "v=spf1 +a +mx +ip4:209.236.71.20 +ip4:209.95.59.175 +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
Real-World-Systems.com. 86400 NS ns14.midphase.com.
Real-World-Systems.com. 86400 NS ns15.midphase.com.
Real-World-Systems.com. 14407 A 209.95.59.175
Real-World-Systems.com. 86400 NS ns16.midphase.com.
Real-World-Systems.com. 3600 MX 17 Real-World-Systems.com.
Real-World-Systems.com. 600 SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600
;; Query time: 61 msec
;; SERVER: 69.36.161.36#53(69.36.161.36)
;; WHEN: Sat Jul 13 08:12:34 EDT 2019
8/16/17 (notice OPT PSEDUOSECTION)
>usr/bin/dig $RWS -t any
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13645
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; ANSWER SECTION:
Real-World-Systems.com. 600 IN SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600
Real-World-Systems.com. 14400 IN TXT "v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
Real-World-Systems.com. 86400 IN NS ns16.midphase.com.
Real-World-Systems.com. 86400 IN NS ns14.midphase.com.
Real-World-Systems.com. 86400 IN NS ns15.midphase.com.
Real-World-Systems.com. 14400 IN MX 0 spamalizer.midphase.com.
Real-World-Systems.com. 14407 IN A 174.127.119.33
;; ADDITIONAL SECTION:
ns14.midphase.com. 886 IN A 69.36.163.232
ns15.midphase.com. 12625 IN A 69.36.161.36
ns16.midphase.com. 10893 IN A 69.36.161.37
;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Aug 16 15:28:16 EDT 2017
;; MSG SIZE rcvd: 336
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 14114 IN TXT "v=spf1 a mx ip4:67.228.235.89 ?all"
real-world-systems.com. 13835 IN A 67.228.235.89
real-world-systems.com. 13835 IN MX 0 real-world-systems.com.
real-world-systems.com. 53938 IN NS dns2.midphase.com.
real-world-systems.com. 53938 IN NS dns1.midphase.com.
+++ 2/15/12 from MI424WR router (repeated queries returns only A record or A,TXT,INx2,SOA and MX records go figure
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 600 IN TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 600 IN A 174.127.119.33
real-world-systems.com. 86400 IN NS dns2.midphase.com.
real-world-systems.com. 86400 IN NS dns1.midphase.com.
real-world-systems.com. 600 IN SOA dns1.midphase.com. cpanel-admin.midphase.com. 2012021503 14400 7200 3600000 86400
real-world-systems.com. 600 IN MX 0 real-world-systems.com.
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 2981 IN TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 76534 IN NS dns1.midphase.com.
real-world-systems.com. 76534 IN NS dns2.midphase.com.
compare gardenStateAudubonCouncil
cccu.us. 86367 IN RRSIG NSEC 5 2 86400 20110219155930 20110120152137 4787 US. FVbkawbzpPd5cKbvj24QSZJ1hDVawkohCA3+65kIVhZBp5EVqa6U0hjl +oP3ZMTYCM0v38ezLOKuKBZR0+rRS6UUaN+TWC77EoGY85LGe+o9Sz4x BXULGzhPzobdw1Rk1FrDLdo/MYNMjAe5946JXozyxVXJiqZJt+VGa9KC LpU= cccu.us. 86367 IN NSEC CCCUN.us. NS RRSIG NSEC
/etc/resolve.confdomain Germans nameserver 192.168.1.1 nameserver 71.250.0.12
cPanel creates autodiscovery. and autoconfiguration records records enable the Microsoft Outlook and Mozilla Thunderbird e-mail clients to automatically discover and configure access to e-mail accounts.
SERVFAIL if SOA's says NS is xxx, but xxx does not know about it!
Return codes:
0 Even if a NXDOMAIN or SERVFAIL returns!
So you should :
> dig -x 142.176.85.230|tee /tmp/$$ ;grep NOERROR /tmp/$$ > echo $? # rep will output 1 if that IP address reports an error
1 Invalid option, Usage Error10 is not a legal name (empty label); for example is address specified has training dot ex:142.12.13.13. 8 Couldn't open batch file 9 No reply from server, ;; connection timed out; no servers could be reacheddig @8.8.8.8 … ( google-public-dns-a.google.com )
The DMARC relies on the established DKIM and SPF for email authentication.
. When the email owner publishes the DMARC policy, it bound the receiving email server how to handle the email if it fails DMARC validation.
. When the receiving email server receives the email, it performs the DNS lookup for the DMARC policy for the domain included in the message's "From" header. The server then checks and evaluates the email on three determinants.
. . Does the email DKIM signature validate?
. . Did the email come from IP addresses allowed to send emails on the domain's behalf (SPF records)?
. . Do the headers in the email show proper "domain alignment"?
With this information, the receiving server is ready to apply the sender domain's DMARC policy to determine either to accept, reject, or otherwise flag the email.
After using the DMARC policy to determine the email's proper disposition, the receiving mail server will report to sending domain owner about the outcome.
Available DMARC policies for the email that fails DMARC authentication.
. .
None: Treat the email as the same, as it would be without any DMARC validation. That policy is adopted when your motive is to collect data and monitor your current email channel(s).
. . Quarantine: Accept the email but placed it somewhere else other than the recipient's inbox. Usually, such emails are placed in the spam folder.
. . Reject: Reject the email that fails DMARC validation.
DMARC domain alignment :
When an email is sent, the "From" contains the domain name after @ within the email address. The DKIM should also have the same domain name embedded into the key string.
DMARC tries to tie the SPF and DKIM results to the email content, particularly to the domain found in the "From" header of an email.
Having the SPF and DKIM align means that email passes the DMARC validation.
DMARC setup is complicated and risky to implement.
When you implement the DMARC policy without knowing your sending email sources like mailboxes, email marketing, CRM, transactional email, server alerts, etc., you could potentially reject all your legitimate emails.
First, set DMARC policy p=none to receive the report of all sending email sources. Then slowly align all outgoing emails with DKIM and SPF for the domain.
Monitor the aggregate reports daily.
Then deploy the quarantine, then reject the policy.
Example of a DMARC record
A DMARC record's name "_dmarc" which forms a TXT record such as _dmarc.mydomain.com.
Example: v=DMARC1\; p=none\; rua=mailto:CUSTOMERID@mydomain.com\; ruf=mailto:CUSTOMERID@mydomain.com\; pct=100
Aggregate reports: sent daily. These reports are XML documents that show the statistics about the received message, claimed to be from a particular domain. These reports are designed to be machine-readable and show the authentication results and message disposition.
Forensic reports: real-time reports that are sent on failure. copies of the emails that failed authentication. help troubleshoot authentication issues and identifying malicious domains and websites.
DMARC policy is a request, not an obligation for the recipient email server.
The receiving email server may apply its local policy when it thinks that the email is legitimate. The email can still land in the receiver inbox, even it fails DMARC validation. Usually, email receivers will override DMARC policy with local policy. To validate the DMARC record.
DMARC helps the recipient email server evaluate the emails claiming to be coming from your domain. That is one of the essential steps you can take to improve your deliverability.
scutil --dns
DNS configuration
resolver #1 search domain[0]: germans nameserver[0]: 192.168.1.1 if_index: 4 (en0)
flags: Request A records reach: Reachable, Directly Reachable Address
resolver #2 domain: local options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 300000
resolver #3 domain: 254.169.in-addr.arpa options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 300200
resolver #4 domain: 8.e.f.ip6.arpa options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 300400
resolver #5 domain: 9.e.f.ip6.arpa options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 300600
resolver #6 domain: a.e.f.ip6.arpa options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 300800
resolver #7 domain: b.e.f.ip6.arpa options: mdns timeout: 5 flags: Request A records reach: Not Reachable order: 301000
DNS configuration (for scoped queries)
resolver #1 search domain[0]: germans nameserver[0]: 192.168.1.1 if_index: 4 (en0)
flags: Request A records reach: Reachable, Directly Reachable Address
Extension mechanisms for DNS