DIG – Make that DNS talk !


dig (Domain Information Groper) is, along with nslookup and host, one of the most commonly used tools for retrieving information from Domain Name Servers. The goal of this article is to give you all the knowledge you need to dig like a pro and enjoy the power of the command line even more.

Find the IP addresses behind a domain name, list the name servers / mail servers / canonical names and all the other types of DNS Resource Records linked to a domain, perform reverse name resolution to find a domain name from an IP, query several domains in one go using the powerful batch mode… Unleash the power of dig and become the Master of DNSes!

HEADER, QUESTION, ANSWER: Understand dig output

$ dig debian.org

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19471
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 4

;debian.org.                    IN      A

debian.org.             104     IN      A
debian.org.             104     IN      A
debian.org.             104     IN      A
debian.org.             104     IN      A
debian.org.             104     IN      A
debian.org.             104     IN      A

debian.org.             247     IN      NS      dns4.easydns.info.
debian.org.             247     IN      NS      sec2.rcode0.net.
debian.org.             247     IN      NS      sec1.rcode0.net.
debian.org.             247     IN      NS      dns1.easydns.com.
debian.org.             247     IN      NS      debian1.dnsnode.net.

dns1.easydns.com.       117     IN      A
dns1.easydns.com.       117     IN      AAAA    2001:1838:f001::10
dns4.easydns.info.      23025   IN      A
dns4.easydns.info.      23025   IN      AAAA    2001:678:5::13

;; Query time: 23 msec
;; WHEN: Fri Jan 29 17:05:16 2016
;; MSG SIZE  rcvd: 351
  • HEADER : Displays the dig command version, the global options used, the type of operation (opcode), the status of the operation (NOERROR) and the message id (necessary to match responses to queries). The flags give information about the parameters used for the answer, the QUERY field indicates the number of entries in the question section, ANSWER indicates the number of Resource Records in the answer section, AUTHORITY displays the number of name servers (NS) Resource Records in the authority records section and ADDITIONAL contains the number of Resource Records in the additional records section.

  • QUESTION : This is your input, the question that has been asked to the DNS.

  • ANSWER : This is the response received from the DNS. The first field is the domain name being returned, the second field is the TTL, i.e. the time in seconds that the record may be cached (a value of 0 indicates the record should not be cached), the third field is the class (Internet (IN), Chaos (CH), Hesiod (HS)...), the fourth is the type (A, NS, CNAME, MX...) and the fifth, the IP address.

  • AUTHORITY : This section contains the DNS name server that has the authority to answer your query (type: NS, Name Server).

  • ADDITIONAL : The additional section carries Resource Records related to the RRs from the other sections. For example, if you ask for the NS records for a domain, the A records belonging to those name servers might be returned as additions.

  • STATISTICS : Displays the time it took to get an answer, the IP of the DNS server used, the date and size of the message.

| Flag | Meaning | Description |
|------|---------|-------------|
| QR | Query or response? | A one bit field that specifies whether this message is a query (0), or a response (1). |
| AA | Authoritative Answer | This bit specifies that the responding name server is an authority for the domain name in question section. |
| TC | Truncated Response | Specifies that this message was truncated due to length greater than that permitted on the transmission channel. |
| RD | Recursion Desired | This bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. |
| RA | Recursion Available | This bit may be set or cleared in a response, and denotes whether recursive query support is available in the name server. |
| AD | Authentic Data | The name server side SHOULD set the AD bit if and only if the resolver side considers all RRsets in the Answer section and any relevant negative response RRs in the Authority section to be authentic. |
| CD | Checking Disabled | Allow a resolver to disable signature validation. If the CD bit is set, it indicates that the originating resolver is willing to perform whatever authentication its local policy requires. |
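
The header fields and flags described above can be decoded from dig output in a script, for example to check that a reply is authoritative (aa) or DNSSEC-validated (ad). This is an added example, not part of the original article; the function names dig_header and dig_has_flag and the second sample reply are constructed for illustration.

```bash
# Added example (not from the article): decode the HEADER of dig output.
# Constructed sample 1: header lines of the debian.org reply shown above.
sample_recursive() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19471
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 4
EOF
}

# Constructed sample 2: invented reply from an authoritative-only server.
sample_authoritative() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# dig_header: read dig output on stdin; print key=value lines for status,
# id and the four section counts, then one line per flag with its meaning.
dig_header() {
  awk '
    BEGIN {
      m["qr"] = "response";            m["aa"] = "authoritative answer"
      m["tc"] = "truncated";           m["rd"] = "recursion desired"
      m["ra"] = "recursion available"; m["ad"] = "authentic data"
      m["cd"] = "checking disabled"
    }
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++) {
        v = $(i + 1); sub(/,$/, "", v)
        if ($i == "status:" || $i == "id:") print substr($i, 1, length($i) - 1) "=" v
      }
    }
    /^;; flags:/ {
      split($0, part, ";")            # part[3] = flags, part[4] = counts
      sub(/^ *flags: */, "", part[3])
      gsub(/[:,]/, "", part[4])
      n = split(part[4], c, " ")
      for (k = 1; k < n; k += 2) print tolower(c[k]) "=" c[k + 1]
      n = split(part[3], f, " ")
      for (k = 1; k <= n; k++)
        print "flag=" f[k] " (" ((f[k] in m) ? m[f[k]] : "unknown") ")"
    }
  '
}

# dig_has_flag FLAG: succeed if FLAG (e.g. aa, ad) is set in dig output on stdin.
dig_has_flag() { dig_header | grep -q "^flag=$1 "; }

sample_recursive | dig_header
```

With live output the same functions are used as a filter, e.g. `dig debian.org | dig_has_flag ad`.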

Unless you specify a name server to query (with the @ parameter; dig @ foobar.com), dig will try each of the servers listed in /etc/resolv.conf and, as a last resort, localhost. If no command line arguments or options are given, dig will perform an NS query for "." (the root). You can set per-user defaults for dig via ${HOME}/.digrc (covered later in this article).

Display only the ANSWER section

For the sake of readability, you might want to minimize the output. Using the options noall and answer is a good way to save some screen real estate.

dig opensuse.org +noall +answer
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> opensuse.org +noall +answer
;; global options: +cmd
opensuse.org.           600     IN      A
  • +noall : Clear all display flags,

  • +answer : Display the answer section of a reply. The default is to display it.

Activate the short output

$ dig perdu.com +short

List specific types of Resource Records

There are about 40 DNS Resource Record types, but you only have to know five of them (full list available here):

  • A : Address record (IPv4); AAAA for IPv6,

  • CNAME : Canonical name record. Basically, aliases pointing to A or AAAA records,

  • SOA : Start of [a zone of] authority record. Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone,

  • MX : Mail exchange record. Points to a mail server,

  • NS : Name server record. A name server is simply a DNS server.

List mail servers:

dig -t MX distrowatch.com
dig distrowatch.com MX

List name servers:

dig -t NS distrowatch.com
dig distrowatch.com NS

List any type of Resource Record:

dig -t ANY distrowatch.com
dig distrowatch.com ANY

Reverse DNS (get name from IP)

You have an IP and no name ? This one is for you !

dig -x

Use a specific DNS server

dig @ redhat.com

Batch mode: multiple queries in one go

Batch mode takes a filename as input; the file must be plain text and contain one domain per line.

dig -f names.list



You can also pass several domains as arguments to dig:

dig centos.org MX +noall +answer suckless.org ANY +short
; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> centos.org MX +noall +answer suckless.org ANY
;; global options: +cmd
centos.org.		3576	IN	MX	20 mail2.centos.org.
centos.org.		3576	IN	MX	10 mail.centos.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30916
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;suckless.org.			IN	ANY

suckless.org.		1800	IN	MX	10 mx.suckless.org.
suckless.org.		1800	IN	A
suckless.org.		1800	IN	SOA	suckless.org. hostmaster.suckless.org. 2011102900 1800 300 2419200 300
suckless.org.		1800	IN	NS	ns6.gandi.net.
suckless.org.		1800	IN	NS	ns.garbe.us.

;; Query time: 1655 msec
;; WHEN: Tue Feb 02 22:12:16 AEDT 2016
;; MSG SIZE  rcvd: 175

The dig configuration file (${HOME}/.digrc)

Tired of always typing the same options ? Create a Run Control file for dig:

$ cat $HOME/.digrc
+noall +answer

Request a zone transfer

A zone transfer is a mechanism allowing an administrator to replicate DNS databases across a set of DNS servers. There are two methods: full (aka AXFR) and incremental (aka IXFR). Zone transfers were often used by people wanting to retrieve a list of all the Resource Records of a DNS server. Nowadays, most servers will refuse your request, mostly for security reasons.

dig microsoft.com AXFR
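
To confirm that name servers you operate refuse transfers to unauthorised hosts, the output of the command above can be classified in a script. This is an added example, not part of the original article; the function name axfr_status and the example.com sample data are constructed for illustration.

```bash
# Added example (not from the article): classify the result of an AXFR
# request from dig output, for auditing name servers you operate.

# Constructed sample: what dig prints when the server refuses the transfer.
sample_refused() {
  cat <<'EOF'
;; global options: +cmd
; Transfer failed.
EOF
}

# Constructed sample: a completed transfer of an invented zone. A full AXFR
# starts and ends with the zone's SOA record.
sample_open() {
  cat <<'EOF'
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
example.com.      3600 IN NS  ns1.example.com.
www.example.com.  3600 IN A   192.0.2.10
example.com.      3600 IN SOA ns1.example.com. admin.example.com. 1 7200 900 1209600 300
;; XFR size: 4 records (messages 1, bytes 180)
EOF
}

# axfr_status: read dig output on stdin and print one of
#   refused        dig reported "; Transfer failed."
#   open N         transfer completed, N records disclosed
#   inconclusive   anything else (timeout, partial output, ...)
axfr_status() {
  awk '
    /^; Transfer failed/ { failed = 1 }
    /^;/ || NF < 5       { next }        # skip comments and blank lines
    $4 == "SOA"          { soa++ }       # field 4 is the record type
                         { records++ }
    END {
      if (failed)        print "refused"
      else if (soa >= 2) print "open " records
      else               print "inconclusive"
    }
  '
}

# Usage against your own zone (ns1.example.com is a placeholder):
#   dig @ns1.example.com example.com AXFR | axfr_status
sample_refused | axfr_status
sample_open | axfr_status
```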

Display the name resolution path

Want to see the servers involved in the resolution of a domain name ? There you go :

dig google.com +trace

