dig - DNS lookup utility
Domain Information Groper (gatherer)

Simple usage: dig NS hostname

This documentation reflects version DiG 9.3.4-P1 , a more current version is DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4

dig [gobal opts]    hostname [] [-t type] A MX NS SOA HINFO TXT SIG SSHFP PRT RRSIG OPT CAA AAAA ANY AXF
[queryopt …]
[-x addr]
lookup this IP address
[-p port#]
[-c class]
as in INternet, CHaos and HeSiod
[-y [hmac:]tname:key]
[-f digCommandFile]
[-4] [-6]
[-q name] sets query name
[-b sourceAddress]
[-k keyFile]

The completness of the response will vary from server to server and query to query!!
To get the truth direct the query to the first NS(name server)

dig @`dig NS hostname +short|head -1` hostname -t ANY

TTL is in seconds: 3600=1hour. 14400= 4hours; 86400 = 1day; For secondary servers this is the time REMAINING

> dig NS pppg.org   ask any server
pppg.org.       3600    IN  NS  ns64.domaincontrol.com.
pppg.org.       3600     IN   NS  ns63.domaincontrol.com.
>  dig @ns63.DOMAINCONTROL.COM  ANY pppg.org   ask the domain's Name Server
pppg.org.       86400     3600 IN  SOA ns63.domaincontrol.com. dns.omax.net.  
                                        2011013007 28800 7200 604800 86400
pppg.org.       3600    IN  A
pppg.org.       3600    IN  NS  ns63.domaincontrol.com.
pppg.org.       3600    IN  NS  ns64.domaincontrol.com.
pppg.org.       3600    IN  MX  0 smtp.secureserver.net.
pppg.org.       3600    IN  MX  10 mailstore1.secureserver.net.
pppg.org.       3789        HINFO   "ANY/RRSIG query Disabled" "See draft-ietf-dnsop-refuse-any"

ns64.domaincontrol.com. 2897 IN  A
ns63.domaincontrol.com.  597 IN  A
smtp.secureserver.net.   208 IN  A

Batch mode of operation from a file or use multiple lookups from the command line.

By default uses the servers in /etc/resolv.conf (which may have come from DHCP server)

User defaults in ${HOME}/.digrc are applied before the command line arguments ( no way to disable .digrc).

Output is in a form suitable for use in named.conf
with commentary information prefixed with ; which will be treated as comments.

hostname resource record(s) to be looked up.
server name or IP address of the Name Server to query.
Defaults from /etc/resolv.conf

Server hostname is permitted. IPv4 address in dotted-decimal notation or IPv6 in colon-delimited notation.

-t type type … some servers REFUSED multiple type codes A AAAA MX NS SOA HINFO TXT SIG SSHFP PRT RRSIG OPT CAA ANY AXF
( ANY does not include SRV) DNS may refuse or provide minimal response to ANY see IETF comment on RFC1035
   Try querying the Name Server for more records.

ANY show all records

Default: A

  • MX server for email messages, Format: … MX prio host where the server with the lowest priority is prefered.
  • TXT may contain information including
    • Sender Policy Framework to prevent sender address forgery
      check spr record more details at DMarcian       example: v=spf1 a mx ip4: ?all
    • DMARC
    • DKIM
    • crypt string used by some services to prove that the requester of some DNS related service has the rights to alter the DNS settings. for example
    • any arbitrary data
  • SRV query must be of form _service._protocol.host for example: with LDAP, Kerbos, SIP wikipedia
  • SOA Start Of Authority name of the server that supplied the data for the zone; the administrator of the zone; the current version of the data file; the number of seconds a secondary name server should wait before checking for updates; the number of seconds a secondary name server should wait before retrying a failed zone transfer; the maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire; and a default number of seconds for the time-to-live file on resource records.
  • AAAA IPv6 address
  • SIG provides signature (validation) data for another RRSet
  • SSHFP secure Shell key for verification see ssh,ssh-keygen
  • CAA Certification Authority Authorization certificate authorities (CAs) allowed to issue certificates for .
  • OPT
  • PTR reverse records

  • AXFR requests a zone transfer Usually denied.
  • IXFR=nnnnnnnn. incremental zone transfer Usually denied
    contains the changes made to the zone since the serial number in the zone's SOA record was nnnnnnnn.
    Frequently the serial number used is in the form; yyyymmddNN where NN is incremented each time the conf is changed in a given day. see BIND . IETF rfc1995bis
  • @ server Ask a specific DNS server dig @dns2.midphase.com cccu.us
    -x iii.iii.iii.iii reverse lookup; maps addresses to names
    YouGetSignal tool (Data base of DNS, retrieves all domains at IP x.x.x.x)

    like and sets query type to PTR and class to IN(??) .
    By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.

    -f filename read requests from filename . Using the same format as a command.
    -q namesets the query name to distingish the name from other arguments.
    -c class Default IN internet. CHaos and Hesiod
    use IPv4 query transport.
    use IPv6
    -b address[#port] sets the source IP address or n.n.n.n or xx:xx:xx:xx.
    -p portDefault 53.
    -k keyfile Sign DNS queries and responses using transaction signatures (TSIG)
    -y hmac tname key TSIG
    hmac type of TSIG, default HMAC-MD5 alternate:-SHDA1
    tname the name of the key
    key base-64 encoded string
        (typically generated by dnssec-keygen(8)).
    Note: The key is visible from ps or the shell's history file.
    When using TSIG authentication the name server needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.
    -i x.x.x.x.x.x.x.x.x use the older RFC1886 method using the IP6.INT domain
    Bit string labels (RFC2874) are not attempted.

    Options affecting Output

    Keywords are preceded by a plus (+) and an optional no.

    Supressing some output is useful when comparing queries that are expected to be the same.
    For example since ttl keeps changing and stats includes the current time, including them will result in differences which are not significant.
    Simularly outputting version identification can be supressed using +nocmd

    +no​all Set or clear all output flags.
    > /usr/bin/dig canalrace.org +all
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;canalrace.org. IN A

    canalrace.org. 12710 IN A

    ;; Query time: 20 msec
    ;; SERVER:
    ;; WHEN: Tue Mar 14 15:48:31 2017
    ;; MSG SIZE rcvd: 47
    As +noall turns off everything it should be followed by another keyword.
    +no​comments nocomments supress lines like:
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 
    +short as cut -f 5- implies nocomments
    > /usr/bin/dig +short -t any canalrace.org
    ns14.midphase.com. hostmaster.midphase.com. 2015101800 86400 7200 604800 600
    "v=spf1 +a +mx +ip4: +ip4: ~all"
    0 canalrace.org.
    dig version and options.
    Use as a global option.
    ; <<>> DiG 9.3.4-P1 <<>>
    ;; global options:  printcmd
    +qr query as it is reqeusted. Default: noqr
    ;; Sending:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62753
    ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    dig @dns1.midphase.com cccu.us +noall +question 
    ;cccu.us.           IN  A
    dig @dns1.midphase.com cccu.us +noall +answer
    cccu.us.        14407   IN  A
     dig @dns1.midphase.com cccu.us +noall +addi
    dns1.midphase.com.  86400   IN  A
    dns2.midphase.com.  86400   IN  A
    dig @dns1.midphase.com cccu.us +noall +auth
    cccu.us.        86400   IN  NS  dns2.midphase.com.
    cccu.us.        86400   IN  NS  dns1.midphase.com.
    +no​stats Performance of responding server
      ;; Query time: 2 msec
      ;; SERVER:
      ;; WHEN: Fri Nov 13 22:42:39 2009
      ;; MSG SIZE  rcvd: 294
    +identify IP address and port that supplied the answer when short is enabled.
    Default: noid from server in 1 ms.
    +nocl nocl supresses column 3 (usually IN (might be CHaos or HeSiod)
    +no​multiline records like the SOA in verbose multi-line format with human-readable comments.
    119.127.174.in-addr.arpa. 10788    IN SOA dns1.midphase.com. hostmaster.midphase.com. (
                    2010091964 ; serial
                    86400      ; refresh (1 day)
                    7200       ; retry (2 hours)
                    3600000    ; expire (5 weeks 6 days 16 hours)
                    86400      ; minimum (1 day)
    nomultiline uses [tab] to seperate fields Multiline uses spaces.
    119.127.174.in-addr.arpa. 10800    IN  SOA dns1.midphase.com. hostmaster.midphase.com.
                             2010091964 86400 7200 3600000 86400
    Default output each record on a single line, to facilitate parsing.


    Some of these set or reset flag bits in the query header

    keywords are preceded by a plus (+).
    keywords which set or reset an option and may be preceded by no.
    keywords which assign values to options (like the timeout interval), have the form keyword=value.
    +no​nssearchdetermines authoritative Name Servers for the zone and SOA
    /usr/bin/dig   pppg.us +nss
    SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server in 26 ms.
    SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server in 72 ms.  
    +no​domain=name Set the search list to contain the single domain name, as if specified in a domain directive in /etc/resolv.conf, and
    enable search list processing as if search were given.
    +no​search Use the search list in searchlist or domain directive in resolv.conf . not used by default.
    +no​showsearch show intermediate results.
    +no​trace Toggle tracing of the delegation path from the root name servers .
    Initaly disabled.
     > dig -t any +showsearch +trace real-world-systems.com
    ; << DiG 9.6.0-APPLE-P2 << -t any +showsearch +trace real-world-systems.com
    ;; global options: +cmd
    .           3600    IN  NS  FWDR-12.FWDR-0.FWDR-250.FWDR-71.
    .           3600    IN  NS  FWDR-12.FWDR-161.FWDR-237.FWDR-68.
    ;; Received 203 bytes from in 8 ms
    com.            77665   IN  NS  g.gtld-servers.net.
    com.            77665   IN  NS  h.gtld-servers.net.
    com.            77665   IN  NS  a.gtld-servers.net.
    ;; Received 472 bytes from in 19 ms
    real-world-systems.com. 172800  IN  NS  ns3.midphase.com.
    real-world-systems.com. 172800  IN  NS  ns4.midphase.com.
    ;; Received 117 bytes from in 10 ms
    real-world-systems.com. 600 IN  TXT "v=spf1 ip4: a mx ip4: ?all"
    real-world-systems.com. 600 IN  MX  0 real-world-systems.com.
    real-world-systems.com. 600 IN  SOA dns1.midphase.com. dnsadmin.business3.midphase.com. 
                                                                2011022107 14400 7200 3600000 86400
    real-world-systems.com. 600 IN  NS  dns1.midphase.com.
    real-world-systems.com. 600 IN  NS  dns2.midphase.com.
    real-world-systems.com. 600 IN  A
    ;; Received 289 bytes from in 16 ms
    +no​recurse Toggle RD (recursion desired) . Initally set.
    Recursion is disabled when nssearch or trace are used.
    +no​aaonly Sets aa Authoritative Answer
    +no​aaflag +noaaonly.
    +time=s Timeout. min 1 second. Default: 15 seconds!
    DNS response from local router may be in the range of .01-.20 for a cached entry, .3 for uncached .com
    +tries=T for UDP queries. Default: 3.
    +retry=r retry UDP Default: 2. does not include the initial query.
    +ndots=D the number of dots in name for it to be absolute.
    Default: 1 or ndots statement in /etc/resolv.conf.
    Names with fewer dots are relative and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
    Heavy options used when there's a real problem
    (not for the faint hearted)
    +no​fail Do not try the next server if SERVFAIL is received. Default: fail.
    +tcp Use TCP when querying name servers.
    Default UDP, except for AXFR or IXFR .
    +bufsize=bytes UDP message buffer size advertised using EDNS0 0-65535.
    Values other than zero causes an EDNS query to be sent.
    +edns=# EDNS version to query with. 0 - 255.
    Setting the EDNS version causes an EDNS query to be sent.
    noedns clears the EDNS version.
    +vc aka tcp "virtual circuit"
    +no​besteffort output the contents of messages which are malformed. Default don't.
    +no​ignore Ignore truncation in UDP responses. Default: retry with TCP query
    +no​dnssecRequests DNSSEC records (DO)
    +no​cdflag Checking Disabled. requests the server not to perform DNSSEC validation of responses.
    +sigchase Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHSE.
    trusted-key=xxxx Specifies a file containing trusted keys to be used with sigchase. Each DNSKEY record must be on its own line.
    If not specified dig will look for /etc/trusted-key.key then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.
    +notopdown When chasing DNSSEC signature chains perform a top down validation.
    Requires dig be compiled with -DDIG_SIGCHASE.
    adflag AD (authentic data) meaningful in responses, not in queries
    defname Deprecated, treated as a synonym for search

    Multiple Queries

    In addition to supporting -f file, specifying multiple queries on the command line is permited, each can be supplied with its own set of flags, options and query options.

    Each query argument represents an individual query in the command-line syntax, consisting of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options applied to that query.

    Global query options, applied to all queries,
    precede the first hostname, class, type, options, flags, and query options can be overridden by a query-specific set of query options. For example:

    dig +qr www.isc.org any -x isc.org ns +noqr
    1. Global query option +qr is applied, so the initial query it made for each lookup.
    2. an ANY query for www.isc.org,
    3. a reverse lookup of and
    4. a query for the NS records of isc.org.
    5. a local query option of +noqr not output the initial query when it looks up isc.org.


    Built with Internationalized Domain Name support, accepts and outputs non-ASCII domain names.
    Disabled by defining the IDN_DISABLE environment variable.

    tip: The IN and CH class names overlap with the IN and CH top level domains names.




    See host, named, dnssec-keygen, RFC1035.


     dig [@global-server] [domain] [q-type] [q-class] {q-opt}
                {global-d-opt} host [@local-server] {local-d-opt}
                             [ host [@local-server] {local-d-opt} …
    domain    is in the Domain Name System
    q-class  one of: in, hs, ch,… default: in
    q-type   one of: any, a, mx, ns, soa, hinfo, axf, txt,… default:a
                     Use ixfr=version for type ixfr
    q-opt  :
    -q name  -t type   -c class      
    -f filename         batch mode
    -x dot-notation     shortcut for in-addr lookups
    -i                  IP6.INT reverse IPv6 lookups
    -b address#port  bind to source address/port
    -p port          
    -4 -6         use IPv4/IPv6 query transport only
    d-opt    is of the form +keyword=value, where keyword is:
    vc    tcp            TCP mode aka Virtual Circuit
    +time=###       timeout 5 sec.
    +tries=###      UDP attempts 3        +retry=### UDP retries 2
    +domain=###     default domainname
    +bufsize=###    EDNS0 Max UDP packet size
    search         Set whether to use searchlist
    showsearch     Search with intermediate results
    ignore         Don't revert to TCP for TC responses
    fail           Don't try next server on SERVFAIL
    besteffort     Try to parse even illegal messages
    all            Set or clear all output flags
    aaonly         Set AA flag in query aaflag
    adflag         Set AD       
    cdflag         Set CD 
    cmd            output command line
    qr             output question before sending 
    cl             output class 
    comments       question     answer       
    authority      additional   stats      
    short          ttlid  (ommits type=txt)
    nssearch       Search all authoritative nameservers
    identify       ID responders in short answers
    trace          Trace delegation down from root
    multiline      output records in an expanded format
    dnssec         Request DNSSEC records
    -k keyfile          specify tsig key file
    -y [hmac:]name:key  (specify named base64 tsig key)
    global d-opts and servers (before host name) affect all queries.
    local  d-opts and servers (after host name)  affect only that lookup.
    7/13/19 /usr/bin/dig @`/usr/bin/dig +short Real-World-Systems.com -t NS | head -1` Real-World-Systems.com -t A MX TXT NS SOA ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41712 ;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4 Real-World-Systems.com. 14400 MX 20 spamalizer.midphase.com. Real-World-Systems.com. 14400 TXT "v=spf1 +a +mx +ip4: +ip4: +ip4: +ip4: ~all" Real-World-Systems.com. 86400 NS ns14.midphase.com. Real-World-Systems.com. 86400 NS ns15.midphase.com. Real-World-Systems.com. 14407 A Real-World-Systems.com. 86400 NS ns16.midphase.com. Real-World-Systems.com. 3600 MX 17 Real-World-Systems.com. Real-World-Systems.com. 600 SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600 ;; Query time: 61 msec ;; SERVER: ;; WHEN: Sat Jul 13 08:12:34 EDT 2019 8/16/17 (notice OPT PSEDUOSECTION) >usr/bin/dig $RWS -t any ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13645 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 4 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; ANSWER SECTION: Real-World-Systems.com. 600 IN SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600 Real-World-Systems.com. 14400 IN TXT "v=spf1 +a +mx +ip4: +ip4: ~all" Real-World-Systems.com. 86400 IN NS ns16.midphase.com. Real-World-Systems.com. 86400 IN NS ns14.midphase.com. Real-World-Systems.com. 86400 IN NS ns15.midphase.com. Real-World-Systems.com. 14400 IN MX 0 spamalizer.midphase.com. Real-World-Systems.com. 14407 IN A ;; ADDITIONAL SECTION: ns14.midphase.com. 886 IN A ns15.midphase.com. 12625 IN A ns16.midphase.com. 10893 IN A ;; Query time: 187 msec ;; SERVER: ;; WHEN: Wed Aug 16 15:28:16 EDT 2017 ;; MSG SIZE rcvd: 336 dig +noall +answer -t any real-world-systems.com real-world-systems.com. 14114 IN TXT "v=spf1 a mx ip4: ?all" real-world-systems.com. 13835 IN A real-world-systems.com. 13835 IN MX 0 real-world-systems.com. real-world-systems.com. 53938 IN NS dns2.midphase.com. real-world-systems.com. 53938 IN NS dns1.midphase.com. +++ 2/15/12 from MI424WR router (repeated queries returns only A record or A,TXT,INx2,SOA and MX records go figure dig +noall +answer -t any real-world-systems.com real-world-systems.com. 600 IN TXT "v=spf1 ip4: ip4: a mx ip4: ?all" real-world-systems.com. 600 IN A real-world-systems.com. 86400 IN NS dns2.midphase.com. real-world-systems.com. 86400 IN NS dns1.midphase.com. real-world-systems.com. 600 IN SOA dns1.midphase.com. cpanel-admin.midphase.com. 2012021503 14400 7200 3600000 86400 real-world-systems.com. 600 IN MX 0 real-world-systems.com. dig +noall +answer -t any real-world-systems.com real-world-systems.com. 2981 IN TXT "v=spf1 ip4: ip4: a mx ip4: ?all" real-world-systems.com. 76534 IN NS dns1.midphase.com. real-world-systems.com. 76534 IN NS dns2.midphase.com.

    compare pppg

    compare gardenStateAudubonCouncil

    cccu.us.        86367   IN  RRSIG   NSEC 5 2 86400 20110219155930 20110120152137 4787 US. 
       BXULGzhPzobdw1Rk1FrDLdo/MYNMjAe5946JXozyxVXJiqZJt+VGa9KC LpU=
    cccu.us.        86367   IN  NSEC    CCCUN.us. NS RRSIG NSEC

    Sample /etc/resolve.conf

    domain Germans

    cPanel creates autodiscovery. and autoconfiguration records records enable the Microsoft Outlook and Mozilla Thunderbird e-mail clients to automatically discover and configure access to e-mail accounts.


    DNS returns SERVFAIL if SOA's says NS is xxx, but xxx does not know about it!

    Return codes:
    0 Even if a NXDOMAIN or SERVFAIL returns!
    So you should :

    > dig  -x|tee /tmp/$$ ;grep NOERROR /tmp/$$ 
    > echo $? # rep  will output 1 if that IP address reports an  error 
     1 Invalid option, Usage Error
    10 is not a legal name (empty label); for example is address specified has training dot ex:
     8 Couldn't open batch file
     9 No reply from server, ;; connection timed out; no servers could be reached
        Try dig @ … ( google-public-dns-a.google.com )


    Extension mechanisms for DNS