Dig cheat sheet
Summary
Learn how to use the dig command for querying DNS records. This guide explains dig syntax, options, query methods, a list of DNS record types, real-world dig command examples, and explanations of the output sections.
Introduction
The dig (Domain Information Groper) command is a powerful tool used for querying the Domain Name System (DNS). It is commonly used to troubleshoot domain resolution issues and obtain detailed information about DNS records.
The dig utility is part of the Berkeley Internet Name Domain (BIND) suite, a widely used DNS software package maintained by the Internet Systems Consortium (ISC).
Basic usage
The basic syntax of dig allows you to specify a domain name, record type, and optional DNS server, along with additional options to customize the output. Below, you will find a breakdown of the basic usage, common options, and examples to help you get started with dig.
Synopsis
The basic syntax for dig is as follows:
dig [@server] [name] [type] [options]
- @server (optional): Specifies a DNS server to query (e.g., @8.8.8.8 for Google Public DNS).
- name: The domain name or IP address to query.
- type (optional): Specifies the type of DNS record to retrieve (e.g., A, MX, NS).
- options (optional): Additional flags to modify the output.
Options
Here are the most commonly used dig options:
Option | Description |
---|---|
-f <filename> | Reads queries from a file. |
-t <type> | Specifies the query type (e.g., A, MX, CNAME, NS, TXT, SOA, etc.). |
-x <IP> | Performs a reverse DNS lookup for the specified IP address. |
-y <hmac-sha256:keyname:secret> | Uses a TSIG key for authenticated requests (e.g., -y hmac-sha256:keyname:secret example.com). |
-4 | Forces queries over IPv4. |
-6 | Forces queries over IPv6. |
@<server> | Specifies the DNS server to query (e.g., @8.8.8.8 for Google’s public DNS). |
-b <address> | Sets the source IP address for the query. |
-c <class> | Specifies the query class (default is IN; others include CH and HS). |
-h | Displays the help message and usage information. |
-k <keyfile> | Specifies a TSIG key file for authenticated requests. |
-m | Enables memory usage debugging. |
-p <port> | Specifies the port number to query on the DNS server (default is 53). |
-q <name> | Specifies the domain name or IP address to query (alternative to providing it as an argument). |
-u | Prints the query time in microseconds instead of milliseconds. |
-v | Displays the version of dig. |
Query options
The following options can be combined to customize the output and behavior of the dig command based on your specific needs.
Option | Description |
---|---|
+additional | Displays only the Additional section of the response. |
+answer | Displays only the Answer section of the response. |
+authority | Shows only the Authority section of the response. |
+bufsize=<size> | Sets the UDP buffer size for the query. |
+cookie | Requests a DNS Cookie for the query. |
+dnssec | Requests DNSSEC (DNS Security Extensions) records in the response. |
+edns=<version> | Enables EDNS (Extension Mechanisms for DNS) with the specified version. |
+expire | Sends an EDNS Expire option to the server. |
+multiline | Formats the output in a more readable, multi-line format. |
+noall | Disables all sections of the output by default, allowing selective enabling. |
+nocmd | Hides the initial command and version information in the output. |
+nocomments | Removes comments and section headers from the output. |
+noedns | Disables EDNS for the query. |
+notcp | Forces dig to use UDP (default behavior). |
+nsid | Requests the Name Server Identifier (NSID) from the DNS server. |
+qr | Shows the query as it was sent to the DNS server. |
+question | Displays only the Question section of the response. |
+retry=<attempts> | Specifies the number of retries if the query fails. |
+short | Provides a concise output, showing only essential information (e.g., IP addresses). |
+stats | Provides statistics about the query (e.g., query time, server response). |
+subnet=<address> | Sends an EDNS Client Subnet option with the specified IP address. |
+tcp | Forces dig to use TCP instead of UDP for the query. |
+time=<timeout> | Sets the timeout for the query in seconds. |
+trace | Performs a trace of the DNS query, showing each step in the resolution process. |
+ttlid | Displays the Time-to-Live (TTL) values for records in the output. |
For example, return only the IP address of example.com without additional details:
dig example.com +short +nocmd
DNS record types
DNS record types are standardized formats used in the Domain Name System (DNS) to specify different types of information, such as mapping domain names to IP addresses (A and AAAA records), mail server locations (MX records), or domain aliases (CNAME records).
The following is a list of record types you can query with dig:
Record Type | Description |
---|---|
A | IPv4 address record |
AAAA | IPv6 address record |
CNAME | Canonical name record |
MX | Mail exchange record |
NS | Name server record |
PTR | Pointer record (reverse DNS) |
SOA | Start of authority record |
TXT | Text record |
SRV | Service locator record |
CAA | Certification Authority Authorization record |
Examples
Basic domain lookup:
dig example.com
Retrieve A record:
dig -t A example.com
Reverse DNS lookup:
dig -x 93.184.216.34
Query MX records:
dig -t MX example.com
Query NS records:
dig -t NS example.com
Query TXT records:
dig -t TXT example.com
Use a specific DNS server:
dig @8.8.8.8 example.com
Retrieve only the answer section:
dig example.com +short
Trace the DNS resolution:
dig example.com +trace
Force query using IPv4:
dig -4 example.com
Force query using IPv6:
dig -6 example.com
Query with DNSSEC:
dig example.com +dnssec
Query without additional section:
dig example.com +noadditional
Show only the Authority section:
dig example.com +noall +authority
Perform a batch query from a file:
dig -f queries.txt
Query a specific port:
dig @8.8.8.8 -p 5353 example.com
Set the query class to Chaos (CH):
dig -c CH version.bind
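Use a TSIG key for authentication (a secret passed with -y is visible in the process list and shell history; -k <keyfile> reads it from a file instead):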
dig -y hmac-sha256:keyname:secret example.com
Output sections
The dig command output is divided into several sections, each providing specific details about the DNS query and response. These sections include the Question, Answer, Authority, and Additional sections, which collectively offer a comprehensive view of the DNS resolution process, from the query details to the returned records and supporting information.
Question
This section displays the query details, including the domain name and record type being requested.
;; QUESTION SECTION:
;example.com. IN A
Here, the query is for the A record of example.com, indicating a request to resolve the domain to an IPv4 address.
Answer
The answer section contains the actual DNS record(s) returned for the query, such as IP addresses for an A record lookup.
;; ANSWER SECTION:
example.com. 3600 IN A 93.184.216.34
This shows that example.com resolves to the IPv4 address 93.184.216.34 with a Time-to-Live (TTL) of 3600 seconds.
Authority
If the queried DNS server is authoritative for the domain, this section lists the authoritative name servers responsible for the domain.
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
This indicates that a.iana-servers.net and b.iana-servers.net are the authoritative name servers for example.com.
Additional
This section may contain extra information, such as IP addresses for the authoritative name servers listed in the Authority section.
;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A 199.43.135.53
b.iana-servers.net. 172800 IN A 199.43.133.53
Here, the IP addresses for the authoritative name servers a.iana-servers.net and b.iana-servers.net are provided as additional information.
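The sections described above can be pulled apart in a script, for example to check that two resolvers return the same Answer data for a name. The following is an added example, not part of the original cheat sheet; the function names dig_section, answer_rdata and same_answers are hypothetical, and SAMPLE is constructed from the section snippets shown above.

```shell
#!/bin/sh
# SAMPLE is constructed from the section snippets shown on this page.
SAMPLE=';; QUESTION SECTION:
;example.com.            IN  A

;; ANSWER SECTION:
example.com.     3600    IN  A   93.184.216.34

;; AUTHORITY SECTION:
example.com.     172800  IN  NS  a.iana-servers.net.
example.com.     172800  IN  NS  b.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A  199.43.135.53
b.iana-servers.net. 172800 IN A  199.43.133.53
'

# dig_section NAME: read dig output on stdin and print the records of one
# section (QUESTION, ANSWER, AUTHORITY, ADDITIONAL), fields single-spaced.
dig_section() {
    awk -v want="$1" '
        /^;; [A-Z]+ SECTION:/ { cur = $2; next }  # header starts a section
        /^$/                  { cur = ""; next }  # blank line ends it
        cur != want || /^;;/  { next }            # other sections, comments
        { sub(/^;/, ""); $1 = $1; print }         # question lines start with ";"
    '
}

# answer_rdata TYPE: sorted rdata of the ANSWER records of one type, TTL
# dropped, so captures from two resolvers compare equal when the data agree.
answer_rdata() {
    dig_section ANSWER | awk -v t="$1" '
        $4 == t {
            out = $5                              # rdata may span several fields (e.g. MX)
            for (i = 6; i <= NF; i++) out = out " " $i
            print out
        }' | sort
}

# same_answers TYPE FILE_A FILE_B: succeed only if both saved outputs carry
# the same record set for TYPE.
same_answers() {
    [ "$(answer_rdata "$1" < "$2")" = "$(answer_rdata "$1" < "$3")" ]
}

# Demo on the constructed sample: print the Authority records.
printf '%s' "$SAMPLE" | dig_section AUTHORITY
```

For a live query, dig example.com +noall +answer prints only the Answer section; the functions here are for output already saved to a file.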
FAQs
Most common questions and brief, easy-to-understand answers on the topic:
What is the dig command used for?
The dig command is used for querying Domain Name System (DNS) records. It helps troubleshoot domain resolution issues and retrieve specific DNS information.
How do I query a specific DNS server with dig?
You can specify a DNS server by adding it before the domain name, e.g., dig @8.8.8.8 example.com. This queries Google's public DNS.
How do I look up a specific record type with dig?
Use the -t option followed by the record type, e.g., dig -t MX example.com to retrieve Mail Exchange (MX) records.
What is the difference between dig and nslookup?
dig provides more detailed output and advanced query options, while nslookup is simpler but less powerful for DNS troubleshooting.
Can I use dig to perform a reverse DNS lookup?
Yes, use the -x option with an IP address, e.g., dig -x 8.8.8.8, to find the associated domain name.
License
Dig cheat sheet by Jonas Jared Jacek is licensed under CC BY-SA 4.0.