dig - DNS lookup utility
Domain Information Groper (gatherer)
Simple usage: dig any hostname
dig [gobal opts] hostname
[…]
[-t type] ANY A AAAA MX NS SOA HINFO AXF TXT SIG SSHFP PRT RRSIG OPT
[type]
[queryopt …]
[-x addr] lookup this IP address
[@server]
[-p port#]
[-c class]
[class]
[-y [hmac:]tname:key]
[-f digCommandFile]
[-4] [-6]
[-q name] sets query name
[-b sourceAddress]
[-k keyFile]
| |
dig [global-queryopt...] [query...]
Note that the completness of the response will vary from server to server and query to query!!
To get the truth
direct the query to the first NS(name server)
dig @`dig NS hostname +short|head -1` hostname -t ANY
|
> dig NS pppg.org ask any server
;; ANSWER SECTION:
pppg.org. 3600 IN NS ns64.domaincontrol.com.
pppg.org. 3600 IN NS ns63.domaincontrol.com.
> dig @ns63.DOMAINCONTROL.COM ANY pppg.org ask the host's server
pppg.org. 86400 3600† IN SOA ns63.domaincontrol.com. dns.omax.net.
2011013007†
28800†
7200†
604800†
86400†
pppg.org. 3600 IN A 64.202.189.170
pppg.org. 3600 IN NS ns63.domaincontrol.com.
pppg.org. 3600 IN NS ns64.domaincontrol.com.
pppg.org. 3600 IN MX 0 smtp.secureserver.net.
pppg.org. 3600 IN MX 10 mailstore1.secureserver.net.
;; ADDITIONAL SECTION:
ns64.domaincontrol.com. 2897 IN A 208.109.255.42
ns63.domaincontrol.com. 597 IN A 216.69.185.42
smtp.secureserver.net. 208 IN A 72.167.238.201
| |
Batch mode of operation from a file or use multiple lookups from the command line.
By default uses servers in /etc/resolv.conf
(which may have come from DHCP server
)
User defaults are in ${HOME}/.digrc
and are applied before the command line arguments.
Output is in a form suitable for use in named.conf
with commentary information prefixed with
;
which will be treated as comments.
hostname | resource record(s) to be looked up.
|
server name or IP address of the Name Server to query.
Defaults are taken from /etc/resolv.conf
Server hostname is permitted.
IPv4 address in dotted-decimal notation or IPv6 in colon-delimited notation.
| |
-t type type …
| ANY A AAAA MX NS SOA HINFO AXF TXT SIG SSHFP PRT RRSIG OPT
Default: A (not ANY aka all).
ANY show all records( ANY does not include SRV ) DNS may refuse or provide minimal response to ANY
see IETF comment on RFC1035
TXT may contain information including Sender Policy Framework to prevent sender address forgery
example: v=spf1 a mx ip4:67.228.235.89 ?all
or any arbitrary data
SRV query must be of form _service._protocol.host for example:
with LDAP, Kerbos, SIP wikipedia
AAAA IPv6 address
SSHFP secure Shell key for verification see ssh,ssh-keygen
OPT
AXFR requests a zone transfer.
IXFR=nnnnnnnn . incremental zone transfer
contains the changes made to the zone since the serial number in the zone's SOA record was nnnnnnnn .
Frequently the serial number used is in the form; yyyymmddNN where NN is incremented each time
the conf is changed in a given day.
see BIND .
IETF rfc1995bis
@ server Ask a specific DNS server dig @dns2.midphase.com cccu.us
| -x iii.iii.iii.iii | reverse lookup; maps addresses to names
YouGetSignal tool (Data base of DNS, retrieves all domains at IP x.x.x.x)
like 216.40.47.26.in-addr.arpa and sets query type to PTR and class to IN (??) .
By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
-f filename | read requests from filename .
Using the same format as a command.
| -q name | sets the query name to distingish the name from other arguments.
| -c class | Default IN internet.
HS Hesiod or CH Chaosnet
| -4
-6 | use IPv4 query transport. use IPv6
| -b address[#port]
sets the source IP address or O.O.O.O or xx:xx:xx:xx.
-p port | Default 53.
| -k keyfile | Sign DNS queries and responses using transaction signatures (TSIG)
| -y hmac tname key | TSIG
hmac type of TSIG, default HMAC†-MD5 alternate:-SHDA1
tname the name of the key
key base-64 encoded string
(typically generated by dnssec-keygen(8)).
Note: The key is visible from ps or the shell's history file.
When using TSIG authentication the name server needs to know the key and algorithm that is
being used. In BIND, this is done by providing appropriate key and server statements in named.conf.
| -i x.x.x.x.x.x.x.x.x | use the older RFC1886 method using the IP6.INT domain
Bit string labels (RFC2874) are not attempted.
| -hhelp
| | | | | | |
Options affecting Output
Keywords are preceded by a plus (+
) and an optional no
.
Supressing some output is useful when comparing queries that are expected to be the same.
For example since ttl
keeps changing and stats
includes the current time,
including them will result in differences which are not significant.
Simularly outputting version identification can be supressed using +nocmd
+[no]all Set or clear all output flags.
> /usr/bin/dig canalrace.org +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;canalrace.org. IN A
;; ANSWER SECTION:
canalrace.org. 12710 IN A 174.127.119.33
;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Mar 14 15:48:31 2017
;; MSG SIZE rcvd: 47
As +noall turns off everything it should be followed by another keyword.
| +nocomments nocomments supress lines like:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
;; QUESTION SECTION:
;; ANSWER SECTION:
| +short as cut -f 5- implies nocomments
> /usr/bin/dig +short -t any canalrace.org
ns14.midphase.com. hostmaster.midphase.com. 2015101800 86400 7200 604800 600
ns15.midphase.com.
ns16.midphase.com.
ns14.midphase.com.
"v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
0 canalrace.org.
174.127.119.33
| +nocmd
dig version and options.
Use as a global option. |
; <<>> DiG 9.3.4-P1 <<>>
;; global options: printcmd
|
| +qr query as it is reqeusted. Default: noqr ;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62753
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
| +noquestion
dig @dns1.midphase.com cccu.us +noall +question
;cccu.us. IN A
+noanswer
dig @dns1.midphase.com cccu.us +noall +answer
;; ANSWER SECTION:
cccu.us. 14407 IN A 174.127.119.33
+noadditional
dig @dns1.midphase.com cccu.us +noall +addi
;; ADDITIONAL SECTION:
dns1.midphase.com. 86400 IN A 67.213.216.225
dns2.midphase.com. 86400 IN A 69.4.235.113
+noauthority
dig @dns1.midphase.com cccu.us +noall +auth
;; AUTHORITY SECTION:
cccu.us. 86400 IN NS dns2.midphase.com.
cccu.us. 86400 IN NS dns1.midphase.com.
| +nostats Performance of responding server ;; Query time: 2 msec
;; SERVER: 10.0.80.11#53(10.0.80.11)
;; WHEN: Fri Nov 13 22:42:39 2009
;; MSG SIZE rcvd: 294
| +identify IP address and port that supplied the answer when short is enabled.
Default: noid 67.228.235.89 from server 10.0.80.11 in 1 ms.
| +nocl nocl supresses column 3 (usually IN )
| +nomultiline records like the SOA in verbose multi-line format with human-readable comments.
119.127.174.in-addr.arpa. 10788 IN SOA dns1.midphase.com. hostmaster.midphase.com. (
2010091964 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
nomultiline uses [tab] to seperate fields Multiline uses spaces.
119.127.174.in-addr.arpa. 10800 IN SOA dns1.midphase.com. hostmaster.midphase.com.
2010091964 86400 7200 3600000 86400†
Default output each record on a single line, to facilitate parsing.
| | | | | | | | | | | | | | | | |
QUERY OPTIONS
Some of these set or reset flag bits in the query header
keywords are preceded by a plus (+
).
keywords which set or reset an option and may be preceded by no
.
keywords which assign values to options (like the timeout interval), have the form keyword=value
.
+nonssearchdetermines authoritative Name Servers for the zone and SOA
/usr/bin/dig pppg.us +nss
SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 98.158.191.172 in 26 ms.
SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 69.4.235.113 in 72 ms.
| +nodomain=somename | Set the search list to contain the single domain somename , as if specified in a domain directive in /etc/resolv.conf, and
enable search list processing as if search were given.
| +nosearch Use the search list in
searchlist or domain directive in resolv.conf . not used by default.
| +noshowsearch show intermediate results.
| +notrace Toggle tracing of the delegation path from the root name servers .
Initaly disabled.
> dig -t any +showsearch +trace real-world-systems.com
; << DiG 9.6.0-APPLE-P2 << -t any +showsearch +trace real-world-systems.com
;; global options: +cmd
. 3600 IN NS FWDR-12.FWDR-0.FWDR-250.FWDR-71.
. 3600 IN NS FWDR-12.FWDR-161.FWDR-237.FWDR-68.
;; Received 203 bytes from 192.168.1.1#53(192.168.1.1) in 8 ms
com. 77665 IN NS g.gtld-servers.net.
com. 77665 IN NS h.gtld-servers.net.
…
com. 77665 IN NS a.gtld-servers.net.
;; Received 472 bytes from 68.237.161.12#53(FWDR-12.FWDR-161.FWDR-237.FWDR-68) in 19 ms
real-world-systems.com. 172800 IN NS ns3.midphase.com.
real-world-systems.com. 172800 IN NS ns4.midphase.com.
;; Received 117 bytes from 192.26.92.30#53(c.gtld-servers.net) in 10 ms
real-world-systems.com. 600 IN TXT "v=spf1 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 600 IN MX 0 real-world-systems.com.
real-world-systems.com. 600 IN SOA dns1.midphase.com. dnsadmin.business3.midphase.com.
2011022107 14400 7200 3600000 86400
real-world-systems.com. 600 IN NS dns1.midphase.com.
real-world-systems.com. 600 IN NS dns2.midphase.com.
real-world-systems.com. 600 IN A 174.127.70.94
;; Received 289 bytes from 67.213.216.225#53(ns3.midphase.com) in 16 ms
| +norecurse Toggle RD (recursion desired) . Initally set.
Recursion is disabled when nssearch or trace are used.
| +noaaonly Sets aa
| +noaaflag +noaaonly .
| |
| +time=s Timeout. min 1 second. Default: 15 seconds!
DNS response from local router may be in the range of .01-.20 for a cached entry, .3 for uncached .com
| +tries=T for UDP queries. Default: 3.
| +retry=r retry UDP Default: 2. does not include the initial query.
| +ndots=D the number of dots in name for it to be absolute.
Default: 1 or ndots statement in /etc/resolv.conf .
Names with fewer dots are relative and will be
searched for in the domains listed in the search or domain directive in /etc/resolv.conf .
| +edns=# EDNS version to query with. 0 - 255.
Setting the EDNS version causes an EDNS query to be sent.
noedns clears the EDNS version.
| +nodnssecRequests DNSSEC records (DO)
| Heavy options used when there's a real problem
(not for the faint hearted)
|
---|
+nofail Do not try the next server if SERVFAIL is received.
Default: fail.
| +tcp Use TCP when querying name servers.
Default UDP, except for AXFR or IXFR .
| +bufsize=bytes UDP message buffer size advertised using EDNS0 0-65535.
Values other than zero causes an EDNS query to be sent.
| +nocdflag Checking Disabled. requests the server not to perform DNSSEC validation of responses.
| +vc aka tcp "virtual circuit"
| +nobesteffort output the contents of messages which are malformed. Default don't.
| +noignore Ignore truncation in UDP responses. Default: retry with TCP query
| +sigchase
Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHSE .
| trusted-key=xxxx Specifies a file containing trusted keys to be used with sigchase .
Each DNSKEY record must be on its own line.
If not specified dig will look for /etc/trusted-key.key
then trusted-key .key in the current directory.
Requires dig be compiled with -DDIG_SIGCHASE .
| +notopdown When chasing DNSSEC signature chains perform a top down validation.
Requires dig be compiled with -DDIG_SIGCHASE .
| adflag AD (authentic data) meaningful in responses, not in queries
| defname Deprecated, treated as a synonym for search
| | | | | | | | | | | | | | | | | | | | | | | | | |
Multiple Queries
In addition to supporting -f file
, specifying multiple queries on the command line is permited, each can be supplied with its own set of flags, options and query options.
Each query argument represents an individual query in the command-line syntax,
consisting of any of the standard options and flags, the name to be looked up, an optional
query type and class and any query options applied to that query.
Global query options, applied to all queries,
precede the first hostname, class, type
, options, flags, and query options
can be overridden by a query-specific set of query options. For example:
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
- Global query option
+qr
is applied, so the initial query it made for each lookup.
- an ANY query for www.isc.org,
- a reverse lookup of 127.0.0.1 and
- a query for the NS records of isc.org.
- a local query option of
+noqr
not output the initial query when it
looks up isc.org.
IDN SUPPORT
Built with Internationalized Domain Name support, accepts and outputs non-ASCII domain names.
Disabled by defining the IDN_DISABLE
environment variable.
tip: The IN
and CH
class names
overlap with the IN
and CH
top level domains names.
FILES
/etc/resolv.conf
${HOME}/.digrc
See host, named, dnssec-keygen, RFC1035.
Help
dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} …
Where:
domain is in the Domain Name System
q-class one of: in, hs, ch,… default: in
q-type one of: any, a, mx, ns, soa, hinfo, axf, txt,… default:a
Use ixfr=version for type ixfr
q-opt :
-q name -t type -c class
-f filename batch mode
-x dot-notation shortcut for in-addr lookups
-i IP6.INT reverse IPv6 lookups
-b address#port bind to source address/port
-p port
-4 -6 use IPv4/IPv6 query transport only
d-opt is of the form +keyword=value, where keyword is:
vc tcp TCP mode aka Virtual Circuit
+time=### timeout 5 sec.
+tries=### UDP attempts 3 +retry=### UDP retries 2
+domain=### default domainname
+bufsize=### EDNS0 Max UDP packet size
+ndots=###
+edns=###
search Set whether to use searchlist
showsearch Search with intermediate results
defname
recurse
ignore Don't revert to TCP for TC responses
fail Don't try next server on SERVFAIL
besteffort Try to parse even illegal messages
all Set or clear all output flags
aaonly Set AA flag in query aaflag
adflag Set AD
cdflag Set CD
cmd output command line
qr output question before sending
cl output class
comments question answer
authority additional stats
short ttlid (ommits type=txt)
nssearch Search all authoritative nameservers
identify ID responders in short answers
trace Trace delegation down from root
multiline output records in an expanded format
dnssec Request DNSSEC records
-k keyfile specify tsig key file
-y [hmac:]name:key (specify named base64 tsig key)
global d-opts and servers (before host name) affect all queries.
local d-opts and servers (after host name) affect only that lookup.
8/16/17 (notice OPT PSEDUOSECTION)
>usr/bin/dig $RWS -t any
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13645
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; ANSWER SECTION:
Real-World-Systems.com. 600 IN SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600
Real-World-Systems.com. 14400 IN TXT "v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
Real-World-Systems.com. 86400 IN NS ns16.midphase.com.
Real-World-Systems.com. 86400 IN NS ns14.midphase.com.
Real-World-Systems.com. 86400 IN NS ns15.midphase.com.
Real-World-Systems.com. 14400 IN MX 0 spamalizer.midphase.com.
Real-World-Systems.com. 14407 IN A 174.127.119.33
;; ADDITIONAL SECTION:
ns14.midphase.com. 886 IN A 69.36.163.232
ns15.midphase.com. 12625 IN A 69.36.161.36
ns16.midphase.com. 10893 IN A 69.36.161.37
;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Aug 16 15:28:16 EDT 2017
;; MSG SIZE rcvd: 336
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 14114 IN TXT "v=spf1 a mx ip4:67.228.235.89 ?all"
real-world-systems.com. 13835 IN A 67.228.235.89
real-world-systems.com. 13835 IN MX 0 real-world-systems.com.
real-world-systems.com. 53938 IN NS dns2.midphase.com.
real-world-systems.com. 53938 IN NS dns1.midphase.com.
+++ 2/15/12 from MI424WR router (repeated queries returns only A record or A,TXT,INx2,SOA and MX records go figure
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 600 IN TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 600 IN A 174.127.119.33
real-world-systems.com. 86400 IN NS dns2.midphase.com.
real-world-systems.com. 86400 IN NS dns1.midphase.com.
real-world-systems.com. 600 IN SOA dns1.midphase.com. cpanel-admin.midphase.com. 2012021503 14400 7200 3600000 86400
real-world-systems.com. 600 IN MX 0 real-world-systems.com.
dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 2981 IN TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 76534 IN NS dns1.midphase.com.
real-world-systems.com. 76534 IN NS dns2.midphase.com.
compare pppg
compare gardenStateAudubonCouncil
cccu.us. 86367 IN RRSIG NSEC 5 2 86400 20110219155930 20110120152137 4787 US.
FVbkawbzpPd5cKbvj24QSZJ1hDVawkohCA3+65kIVhZBp5EVqa6U0hjl
+oP3ZMTYCM0v38ezLOKuKBZR0+rRS6UUaN+TWC77EoGY85LGe+o9Sz4x
BXULGzhPzobdw1Rk1FrDLdo/MYNMjAe5946JXozyxVXJiqZJt+VGa9KC LpU=
cccu.us. 86367 IN NSEC CCCUN.us. NS RRSIG NSEC
Sample /etc/resolve.conf
domain Germans
nameserver 192.168.1.1
nameserver 71.250.0.12
|
Errors
Return codes:
0
Even if a NXDOMAIN
or SERVFAIL
returns!
So you should :
> dig -x 142.176.85.230|tee /tmp/$$ ;grep NOERROR /tmp/$$
echo $?
will outoput 1 since that IP address reports NXDOMAIN
1
Invalid option, Usage Error
10
is not a legal name (empty label); for example is address specified has training dot ex:142.12.13.13.
8
Couldn't open batch file
9
No reply from server, ;; connection timed out; no servers could be reached
Try dig @8.8.8.8 &hellip
( google-public-dns-a.google.com )
http://internetsupervision.com/scripts/urlcheck/check.aspx?lan=en-US&checkurl=real-world-systems.com&email=
See
Extension mechanisms for DNS