Dig, the Domain Information Groper is one of the useful utility to lookup Domain Name System (DNS). The command helps administrators to query a domain to get its DNS information. For instance, Nameservers, IP address, Resource Records such as A, CNAME, MX, NS etc…It also helps to validate a domain by retrieving RRSIG record of a domain that is Domain Name System Security Extension (DNSSEC) signed. If you want to setup a DNS server, then you may want to try out few dig commands to ensure the setup is working properly. In this article, I’ll be showing 13 example commands of dig with sample outputs for your reference.
1. Basic command format
$dig kernel.org ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64302 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ;kernel.org. IN A ;; ANSWER SECTION: kernel.org. 339 IN A 149.20.4.69 kernel.org. 339 IN A 198.145.20.140 ;; AUTHORITY SECTION: kernel.org. 76838 IN NS ns1.kernel.org. kernel.org. 76838 IN NS ns0.kernel.org. kernel.org. 76838 IN NS ns2.kernel.org. ;; ADDITIONAL SECTION: ns1.kernel.org. 76838 IN A 149.20.20.144 ns1.kernel.org. 76838 IN AAAA 2001:4f8:8:10::1:1 ns2.kernel.org. 76838 IN A 149.20.4.80 ns2.kernel.org. 76838 IN AAAA 2001:4f8:1:10::1:1 ns0.kernel.org. 76838 IN A 198.145.19.196 ;; Query time: 70 msec ;; SERVER: 10.180.0.11#53(10.180.0.11) ;; WHEN: Thu Nov 14 18:15:32 2013 ;; MSG SIZE rcvd: 218
The dig output consists of: Headers, Question section, Answer section, Authority section, Additional section and Stats.
Headers: The headers consists of information about the version of dig you are using and the domain to which the query is made. If the query was asked to a specific DNS, then the DNS server information is also displayed under header.
Question Section: This shows the question that was asked to DNS. For example, the above command digs to domain ‘kernel.org’ and the default type used is ‘A’ record. It means, we queried to retrieve A record of kernel.org.
Answer Section: Here’s the answer for the asked question. You get the IP address of the domain kernel.org
Authority Section: The Name servers that responded to the query. It lists the nameservers of the domain kernel.org.
Additional Section: This section contains the IP address of name servers.
Stats: This section contains the size of the message received and the time taken to retrieve the records.
2. Disable specific sections in dig output
$dig kernel.org +nostats +noadditional +nocomments +noquestion +noauthority ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org +nostats +noadditional +nocomments +noquestion +noauthority ;; global options: +cmd kernel.org. 377 IN A 149.20.4.69 kernel.org. 377 IN A 198.145.20.140
+noadditional : Turn Off Additional section
+nocomments : Turn Off Comments
+nostats: Turn off query statistics
+noquestion: Turn Off Question section
+noauthority: Turn Off Authority section
3. Display only specific section
$ dig kernel.org +noall +answer
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org +noall +answer ;; global options: +cmd kernel.org. 275 IN A 198.145.20.140 kernel.org. 275 IN A 149.20.4.69
+noall : Disables all section
+answer: Displays only answer section
4. Query MX record of a domain
$dig kernel.org MX +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org MX +noall +answer ;; global options: +cmd kernel.org. 488 IN MX 10 mail.kernel.org. kernel.org. 488 IN MX 20 ns1.kernel.org. kernel.org. 488 IN MX 999 bl-ckh-le.kernel.org.
The same can be achieved using -t MX option as well.
$ dig -t MX kernel.org +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t MX kernel.org +noall +answer ;; global options: +cmd kernel.org. 399 IN MX 10 mail.kernel.org. kernel.org. 399 IN MX 20 ns1.kernel.org. kernel.org. 399 IN MX 999 bl-ckh-le.kernel.org.
5. Query NS records of a domain
$ dig -t NS kernel.org +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t NS kernel.org +noall +answer ;; global options: +cmd kernel.org. 21479 IN NS ns0.kernel.org. kernel.org. 21479 IN NS ns2.kernel.org. kernel.org. 21479 IN NS ns1.kernel.org.
or
$ dig kernel.org NS +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org NS +noall +answer ;; global options: +cmd kernel.org. 21442 IN NS ns0.kernel.org. kernel.org. 21442 IN NS ns2.kernel.org. kernel.org. 21442 IN NS ns1.kernel.org.
6. Display ALL DNS records
All the DNS records for a domain can be retrieved using “ANY” option.
$ dig kernel.org ANY +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> kernel.org ANY +noall +answer ;; global options: +cmd kernel.org. 600 IN SOA ns1.kernel.org. hostmaster.ns1.kernel.org. 2013081404 600 150 604800 600 kernel.org. 21600 IN NS ns1.kernel.org. kernel.org. 21600 IN NS ns2.kernel.org. kernel.org. 21600 IN NS ns0.kernel.org. kernel.org. 600 IN A 149.20.4.69 kernel.org. 600 IN A 198.145.20.140 kernel.org. 600 IN MX 10 mail.kernel.org. kernel.org. 600 IN MX 20 ns1.kernel.org. kernel.org. 600 IN MX 999 bl-ckh-le.kernel.org.
OR
$ dig -t ANY kernel.org +noall +answer ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t ANY kernel.org +noall +answer ;; global options: +cmd kernel.org. 568 IN SOA ns1.kernel.org. hostmaster.ns1.kernel.org. 2013081404 600 150 604800 600 kernel.org. 21568 IN NS ns1.kernel.org. kernel.org. 21568 IN NS ns2.kernel.org. kernel.org. 21568 IN NS ns0.kernel.org. kernel.org. 568 IN A 149.20.4.69 kernel.org. 568 IN A 198.145.20.140 kernel.org. 568 IN MX 10 mail.kernel.org. kernel.org. 568 IN MX 20 ns1.kernel.org. kernel.org. 568 IN MX 999 bl-ckh-le.kernel.org.
7. Use +short to display short outputs
If you want to view only the IP address of a domain, then use +short option. The dig will pull only ‘A’ record of the queried domain.
$ dig kernel.org +short 149.20.4.69 198.145.20.140
8. Get DNSSEC records
To get DNSSEC records of a domain that is DNSSEC signed, use ‘+dnssec’ option as below,
$ dig dnssectest.sidn.nl +dnssec +short www.sidn.nl. CNAME 8 3 86400 20131214071501 20131114071501 42033 sidn.nl. oN/P1jg9Zcx4+2XK+dZXw4OhlsGJAEK14kcIv4VQsxM0CZoyvwGsd23C pfY3k1tPXBDOy/oE+gjO0FDq+5eXXERtlTA+5Mu9tjnM5TDW66IFgOgt RN5Hw79BjAHpIR06igjXO+hk9ZqKOWCMVjyJvDgRB3PbkRIe6PNmjmgA 5Y8= 213.136.31.220 A 8 3 86400 20131214071501 20131114071501 42033 sidn.nl. pM0FWWo+U7CKIG91LHq66ZIXvphBtFhuxguB+GELlOeHXkJYSon2DwB2 ayV+TdCp9YxqdnkzbPXIGs8xZCw+KuNGIxmWGRXNp9xCC4TVkgDLpHw7 VFzTgMjyoSOjQ01rBC3vXVsWZVjYkMnjARxg/eS97QKwUYeiRHfTemUQ 9qA=
Learn more about DNSSEC and how to validate DNS response.
9. Perform reverse lookup (IP to domain)
Use ‘-x’ option to perform reverse lookup.
$ dig -x 198.145.20.140 +short tiz-korg-pub.kernel.org
10. Multiple DNS query using -f option
$ more domains.txt kernel.org centos.org
Query using -f option,
$ dig -f domains.txt +noall +answer kernel.org. 166 IN A 149.20.4.69 kernel.org. 166 IN A 198.145.20.140 centos.org. 46 IN A 85.12.30.227
11. How to use specific DNS Server to respond the queries
Format goes like this,
$dig @<dns_server> <domainname>
$dig @8.8.8.8 kernel.org
The command will send a query to Google DNS 8.8.8.8.
12. Create .digrc to store the default options
If you are using set of options more frequently, then add them to $HOME/.digrc file.
$ cat $HOME/.digrc +noall +answer
13. Use ‘+multi’ option to display multi-line output
‘+multi’ option comes handy to display the output in multiple lines. It is useful to display DNSKEY.
$ dig dnssectest.sidn.nl +dnssec +multi
DiG GUI – dig command web interface
https://www.diggui.com/