dig - DNS lookup utility
Domain Information Groper (gatherer)

Simple usage: dig NS host

This documentation reflects version DiG 9.3.4-P1 , a more current version is DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4

dig [gobal opts] hostname […] [-t A|MX|NS|SOA|HINFO|TXT|SIG|SSHFP|PRT|RRSIG|OPT|CAA|AAAA||ANY^†|AXF| [queryopt …] [-x addr] lookup this IP address[@server] [-p port#] [-c class] as in INternet, CHaos and HeSiod
[class]
[-y [hmac:]tname:key]
[-f digCommandFile]
[-4] [-6]
[-q name] sets query name
[-b sourceAddress]
[-k keyFile]

The completness of the response will vary from server to server and query to query!!
To get the truth direct the query to the first NS(name server)

dig @`dig NS hostname +short|head -1` hostname -t ANY
TTL is in seconds: 3600=1hour. 14400= 4hours; 86400 = 1day; For secondary servers this is the time REMAINING

> dig NS pppg.org # ask any server ;; ANSWER SECTION: pppg.org. 3600^† IN^† NS ns64.domaincontrol.com. pppg.org. 3600 IN NS ns63.domaincontrol.com.

dig @ns63.DOMAINCONTROL.COM ANY pppg.org # ask the domain's Name Server pppg.org. 86400 3600^† IN SOA ns63.domaincontrol.com. dns.omax.net. 2011013007^† 28800^† 7200^† 604800^† 86400^† pppg.org. 3600 IN A 64.202.189.170 pppg.org. 3600 IN NS ns63.domaincontrol.com. pppg.org. 3600 IN NS ns64.domaincontrol.com. pppg.org. 3600 IN MX 0 smtp.secureserver.net. pppg.org. 3600 IN MX 10 mailstore1.secureserver.net. pppg.org. 3789 HINFO "ANY/RRSIG query Disabled" "See draft-ietf-dnsop-refuse-any" ;; ADDITIONAL SECTION: ns64.domaincontrol.com. 2897 IN A 208.109.255.42 ns63.domaincontrol.com. 597 IN A 216.69.185.42 smtp.secureserver.net. 208 IN A 72.167.238.201

Batch mode of operation from a file or use multiple lookups from the command line.

By default uses the servers in /etc/resolv.conf (which may have come from DHCP server)

User defaults in ${HOME}/.digrc are applied before the command line arguments ( no way to disable .digrc).

Output is in a form suitable for use in named.conf
with commentary information prefixed with ; which will be treated as comments.

hostname resource record(s) to be looked up.
server name or IP address of the Name Server to query.
Defaults from /etc/resolv.conf
Server hostname is permitted. IPv4 address in dotted-decimal notation or IPv6 in colon-delimited notation.

-t type
some servers refuse multiple type codes A AAAA MX NS SOA HINFO TXT SIG SSHFP PRT RRSIG OPT CAA SRV ANY AXF
ANY does not include SRV
   Try querying the Name Server for more records.

Default: A IP address.

ANY show all records. DNS may refuse or provide minimal response to ANY. See IETF comment on RFC1035 rfc8482

MX server for email messages, Format: … MX prio host where the server with the lowest priority is prefered.
TXT may contain information including

Sender Policy Framework to prevent sender address forgery
check SPR details at DMarcian example: v=spf1 a mx ip4:67.228.235.89 ?all

DMARC

DKIM Digital Key Identified mail.
example:
/usr/bin/dig pp-dkim1._domainkey.paypal.com -t txt pp-dkim1._domainkey.paypal.com. 300 TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki…

crypt string used by some services to prove that the requester of some DNS related service has the rights to alter the DNS settings. for example

DocUSign
ssl.com
Please deploy a DNS TXT record under the name _acme-challenge.example.com with the following value: -87YKoj3sQZB4rVCMZTiifl9QJKYm2eYYymAkpE0zBo

arbitrary data

-t txt 3.2.3.updates.spamassassin.org
3.2.3.updates.spamassassin.org descriptive text "895075"
-t txt 3.4.3.updates.spamassassin.org
3.4.3.updates.spamassassin.org is an alias for 3.3.3.updates.spamassassin.org>
3.3.3.updates.spamassassin.org descriptive text "1902056"

SRV query must be of form _service._protocol.host for example:
/usr/bin/dig -t srv _autodiscover._tcp.domain +short /usr/bin/dig -t srv _autoconfig._tcp.domain +short # only output the answer 0 0 443 cpanelemaildiscovery.cpanel.net. Use this for the URL in the curl next
-d sends data in a POST request, in the same way that a browser does when a form is submitted

curl -d '<EMailAddress>d@real-world-systems.com</EMailAddress>' \    https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml
<?xml version="1.0" encoding="utf-8"?> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <User> <DisplayName>d@real-world-systems.com</DisplayName> any username rerurns the necessary informattion <EMailAddress>d@real-world-systems.com</EMailAddress> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>IMAP</Type> <Server>mail.real-world-systems.com</Server> <Port>993</Port> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <SSL>on</SSL> <AuthRequired>on</AuthRequired> <LoginName>d@real-world-systems.com</LoginName> </Protocol> <Protocol> <Type>SMTP</Type> <Server>mail.real-world-systems.com</Server> <Port>465</Port> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <SSL>on</SSL> <AuthRequired>on</AuthRequired> <LoginName>d@real-world-systems.com</LoginName> </Protocol> </Account> </Response> </Autodiscover>%

Used by Microsoft Outlook
Thunderbird uses autoconfig
iceWarp, LDAP, Kerbos, SIP^† wikipedia
Service discovery, LiRedMail how autoxxx works. iceWarp
_caldav._tcp.domain.com. 86400 IN SRV 10 0 80 targethost.com. _caldavs._tcp.domain.com. 86400 IN SRV 10 0 443 targethost.com. _carddav._tcp.domain.com. 86400 IN SRV 10 0 80 targethost.com. _carddavs._tcp.domain.com. 86400 IN SRV 10 0 443 targethost.com. _ischedule._tcp.domain.com. 86400 IN SRV 10 0 80 targethost.com. _ischedules._tcp.domain.com. 86400 IN SRV 10 0 443 targethost.com. _sip._udp.domain.com. 86400 IN SRV 10 0 5060 targethost.com. _sip._tcp.domain.com. 86400 IN SRV 10 0 5060 targethost.com. _sip._tls.domain.com. 86400 IN SRV 10 0 5061 targethost.com. _xmpp-client._tcp.domain.com. 86400 IN SRV 10 0 5222 targethost.com. _xmpp-server._tcp.domain.com. 86400 IN SRV 10 0 5269 targethost.com. _autodiscover._tcp.domain.com. 86400 IN SRV 10 0 443 targethost.com.
Not for DKIM see txt.

SOA Start Of Authority

name of the server that supplied the data for the zone;
the administrator of the zone;
the current version of the data file;
seconds a secondary name server should wait before checking for updates;
seconds """ wait before retrying a failed zone transfer;
seconds """" can use data before it must either be refreshed or expire;
and seconds for the Time-To-Live file on resource records.

AAAA IPv6 address

SIG provides signature (validation) data for another RRSet
SSHFP secure Shell key for verification see ssh,ssh-keygen

CAA Certification Authority Authorization certificate authorities (CAs) allowed to issue certificates for .
OPT

PTR reverse records
AXFR requests a zone transfer Usually denied.

IXFR=nnnnnnnn. incremental zone transfer Usually denied
contains the changes made to the zone since the serial number in the zone's SOA record was nnnnnnnn.
Frequently the serial number used is in the form; yyyymmddNN where NN is incremented each time the conf is changed in a given day. see BIND . IETF rfc1995bis

Each domain may have multiple hosts and even multiple levels of host. Each having their own DNS records
For example see TXT at spamassassin.org

@ server Ask a specific DNS server dig @dns2.midphase.com cccu.us
-4
-6 use IPv4 query transport.
use IPv6
-x iii.iii.iii.iii reverse lookup; maps addresses to names
YouGetSignal tool (Data base of DNS, retrieves all domains at IP x.x.x.x)
like 216.40.47.26.in-addr.arpa and sets query type to PTR and class to IN(??) .
By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
/usr/bin/dig a-0.info +short +identify 209.95.59.175 from server 2600:4041:4310:3c00::1 in 6 ms. /usr/bin/dig -6 -x 2600:4041:4310:3c00::1 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.3.0.1.3.4.1.4.0.4.0.0.6.2.ip6.arpa. 0 PTR CR1000A.Germans.org.

-f filename read requests from filename . Using the same format as a command.
-q name sets the query name to distingish the name from other arguments.
-c class Default IN internet. CHaos and Hesiod
-b address[#port] sets the source IP address or n.n.n.n orxx:xx:xx:xx.
-p port Default 53.
-k keyfile Sign DNS queries and responses using transaction signatures (TSIG)
-y hmac tname key TSIG
hmac type of TSIG, default HMAC^†-MD5 alternate:-SHDA1
tname the name of the key
key base-64 encoded string
    (typically generated by dnssec-keygen(8)).
Note: The key is visible from ps or the shell's history file.
When using TSIG authentication the name server needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in named.conf.
-i x.x.x.x.x.x.x.x.x use the older RFC1886 method using the IP6.INT domain
Bit string labels (RFC2874) are not attempted.
-h help

Options affecting Output

Keywords are preceded by a plus (+) and an optional no.

Supressing some output is useful when comparing queries that are expected to be the same.
For example since ttl keeps changing and stats includes the current time, including them will result in differences which are not significant.
Simularly outputting version identification can be supressed using +nocmd

+noall Set or clear all output flags.
> /usr/bin/dig canalrace.org +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;canalrace.org. IN A

;; ANSWER SECTION:
canalrace.org. 12710 IN A 174.127.119.33

;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Mar 14 15:48:31 2017
;; MSG SIZE rcvd: 47
As +noall turns off everything it should be followed by another keyword.
+nocomments nocomments supress lines like:
;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: ;; QUESTION SECTION:
;; ANSWER SECTION:

+short as cut -f 5- implies nocomments
> /usr/bin/dig +short -t any canalrace.org
ns14.midphase.com. hostmaster.midphase.com. 2015101800 86400 7200 604800 600
ns15.midphase.com.
ns16.midphase.com.
ns14.midphase.com.
"v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
0 canalrace.org.
174.127.119.33

+identify IP address and port that supplied the answer with short (short otherwise supresses that) Default: noid
67.228.235.89 from server 10.0.80.11 in 1 ms.

+nocmd dig version and options. Use as a global option (i.e. before host)
; <<>>DiG 9.3.4-P1 <<>> ;; global options: printcmd

+noquestion
dig @dns1.midphase.com cccu.us +noall +question ;cccu.us. IN A
+noanswer
dig @dns1.midphase.com cccu.us +noall +answer ;; ANSWER SECTION: cccu.us. 14407 IN A 174.127.119.33
+noadditional
dig @dns1.midphase.com cccu.us +noall +addi ;; ADDITIONAL SECTION: dns1.midphase.com. 86400 IN A 67.213.216.225 dns2.midphase.com. 86400 IN A 69.4.235.113
+noauthority
dig @dns1.midphase.com cccu.us +noall +auth ;; AUTHORITY SECTION: cccu.us. 86400 IN NS dns2.midphase.com. cccu.us. 86400 IN NS dns1.midphase.com.

+nostats Performance of responding server
;; Query time: 2 msec ;; SERVER: 10.0.80.11#53(10.0.80.11) ;; WHEN: Fri Nov 13 22:42:39 2009 ;; MSG SIZE rcvd: 294

+nocl nocl supresses column 3 (usually IN (might be CHaos or HeSiod)
+nomultiline records like the SOA in verbose multi-line format with human-readable comments.

119.127.174.in-addr.arpa. 10788 IN SOA dns1.midphase.com. hostmaster.midphase.com. ( 2010091964 ; serial 86400 ; refresh (1 day) 7200 ; retry (2 hours) 3600000 ; expire (5 weeks 6 days 16 hours) 86400 ; TTL (1 day) )
nomultiline uses [tab] to seperate fields Multiline uses spaces.

119.127.174.in-addr.arpa. 10800 IN SOA dns1.midphase.com. hostmaster.midphase.com. 2010091964 86400 7200 3600000 86400^†
Default output each record on a single line, to facilitate parsing.

QUERY OPTIONS

Some of these set or reset flag bits in the query header

keywords are preceded by a plus (+).
keywords which set or reset an option and may be preceded by no.
keywords which assign values to options (like the timeout interval), have the form keyword=value.

+nonssearch determines authoritative Name Servers for the zone and SOA
/usr/bin/dig pppg.us +nss SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 98.158.191.172 (dns1.midphase.com) in 26 ms. SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 69.4.235.113 (dns2.midohase.com) in 72 ms.

+noshowsearch show intermediate results.
+notrace Toggle tracing of the delegation path from the root name servers .
Initaly disabled.
> dig -t any +trace +showsearch real-world-systems.com 45461 NS a.root-servers.net. ~~start at~~ root . 45461 NS b.root-servers.net. … . 45461 NS l.root-servers.net . 45461 NS m.root-servers.net. . 45461 RRSIG NS 8 0 518400 20230206050000 20230124040000 951 . … ;; Received 1097 bytes from 2600:4041:4310:3c00::1#53(CR1000A.Germans.org) in 12 ms com. 172800 NS a.gtld-servers.net. ~~xxx said to go to~~ .com ~~as they always do.~~ … GlobatTopLevelDomain com. 172800 NS l.gtld-servers.net. com. 172800 NS m.gtld-servers.net. com. 86400 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 RRSIG DS 8 1 86400 20230211170000 20230129160000 951 . &heiip; ;; Received 1182 bytes from 2001:500:9f::42#53(l.root-servers.net) in 106 ms l.gtld-servers.net cloudflare.com. 172800 NS ns3.cloudflare.com. … cloudflare.com. 172800 NS ns7.cloudflare.com. cloudflare.com. 86400 DS 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9 cloudflare.com. 86400 RRSIG DS 8 2 86400 20230202051554 20230126040554 36739 com. XZZvr5&hellipi; ;; Received 824 bytes from 192.41.162.30#53(l.gtld-servers.net) in 6 ms ~~said to to~~ clouflare.com
/usr/bin/dig +trace +showsearch a-0.info -t any . 42086 NS m.root-servers.net. ~~start at~~ root as always. . 42086 NS g.root-servers.net. … . 42086 NS l.root-servers.net. . 42086 RRSIG NS 8 0 518400 20230206050000 20230124040000 951 . … ;; Received 1097 bytes from 2600:4041:4310:3c00::1#53(CR1000A.Germans.org.) in 6 ms info. 172800 NS b0.info.afilias-nst.org. g.root-servers.net ~~says go to~~ info info. 172800 NS c0.info.afilias-nst.info. … info. 172800 NS b2.info.afilias-nst.org. info. 86400 DS 5104 8 2 1AF7548A8D3E2950C20303757DF9390C26CFA39E26C8B6A8F6C8B1E7 2DD8F744 info. 86400 RRSIG DS 8 1 86400 20230211170000 20230129160000 951 .… ;; Received 779 bytes from 2001:500:12::d0d#53(g.root-servers.net) in 30 ms a-0.info. 3600 NS ns14.midphase.com. a-0.info. 3600 NS ns15.midphase.com. a-0.info. 3600 NS ns16.midphase.com. dr3kecftk5dlgg1gdcs9q10f5vjs86ll.info. 3600 NSEC3 1 1 10 332539EE7F95C32A DR3N3PU0BNFRV1GS8FSQAU902DADMOGJ NS SOA RRSIG DNSKEY NSEC3PARAM … 3600 RRSIG NSEC3 8 2 3600 20230219221658 20230129211658 3891 info. … lafrai1abkq5a96uu2tdhr3b4qi24r3v.info. 3600 NSEC3 1 1 10 332539EE7F95C32A LAG8AFVF4R0BMCUM4SUPQTTKVLV23TD0 NS DS RRSIG lafrai1abkq5a96uu2tdhr3b4qi24r3v.info. 3600 RRSIG NSEC3 8 2 3600 20230215153623 20230125143623 3891 info. … ;; Received 609 bytes from 199.254.49.1#53(c0.info.afilias-nst.info) in 169 ms a-0.info. 14400 A 209.95.59.175 a-0.info. 14400 NS ns14.midphase.com. a-0.info. 14400 NS ns15.midphase.com. a-0.info. 14400 NS ns16.midphase.com. a-0.info. 86400 SOA ns14.midphase.com. domainmaster.uk2group.com. 1675023209 86400 7200 3600000 86400 a-0.info. 14400 MX 0 mx.a-0.info.cust.a.hostedemail.com. a-0.info. 14400 TXT "v=spf1 +a +mx +ip4:209.236.71.20 +ip4:209.95.59.175 ~all" ;; Received 344 bytes from 69.36.161.37#53(ns16.midphase.com) in 72 ms

+time=s Timeout. min 1 second. Default: 15 seconds! (see .digrc)
DNS response from local router may be in the range of .01-.20 for a cached entry, .3 for uncached .com
+tries=T for UDP queries. Default: 3.
+retry=r retry UDP Default: 2. does not include the initial query.
+ndots=D the number of dots in name for it to be absolute.
Default: 1 or ndots statement in /etc/resolv.conf.
Names with fewer dots are relative and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

flags
+noqr query as it is reqeusted. Default: noqr
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62753
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

+norecurse Toggle RD (Recursion Desired) . Initally set. Recursion is disabled with nssearch or trace .
+noaaonly Sets aa Authoritative Answer
+noaaflag +noaaonly.

Heavy options used when there's a real problem
(not for the faint hearted)
+nofail Do not try the next server if SERVFAIL is received. Default: fail.
+tcp Use TCP when querying name servers. Default UDP, except for AXFR or IXFR .
+nodomain=name Set the search list to contain the single domain name, as if specified in a domain directive in /etc/resolv.conf, and
enable search list processing as if search were given.
+nosearch Use the search list in searchlist or domain directive in resolv.conf . not used by default.
+bufsize=bytes UDP message buffer size advertised using EDNS0 0-65535.
Values other than zero causes an EDNS query to be sent.
+edns=# EDNS version to query with. 0 - 255.
Setting the EDNS version causes an EDNS query to be sent.
noedns clears the EDNS version.
+vc aka tcp "virtual circuit"
+nobesteffort output the contents of messages which are malformed. Default don't.
+noignore Ignore truncation in UDP responses. Default: retry with TCP query
+nodnssec Requests DNSSEC records (DO)
+nocdflag Checking Disabled. requests the server not to perform DNSSEC validation of responses.
+sigchase Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHSE.
trusted-key=xxxx Specifies a file containing trusted keys to be used with sigchase. Each DNSKEY record must be on its own line.
If not specified dig will look for /etc/trusted-key.key then trusted-key.key in the current directory. Requires dig be compiled with -DDIG_SIGCHASE.
+notopdown When chasing DNSSEC signature chains perform a top down validation.
Requires dig be compiled with -DDIG_SIGCHASE.
adflag AD (authentic data) meaningful in responses, not in queries
defname Deprecated, treated as a synonym for search

`+nonssearch`	determines authoritative Name Servers for the zone and SOA /usr/bin/dig pppg.us +nss SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 98.158.191.172 (dns1.midphase.com) in 26 ms. SOA dns1.midphase.com. hostmaster.midphase.com. 2017112706 86400 7200 604800 600 from server 69.4.235.113 (dns2.midohase.com) in 72 ms.
`+noshowsearch`	show intermediate results.
`+notrace`	Toggle tracing of the delegation path from the root name servers . Initaly disabled. > dig -t any +trace +showsearch real-world-systems.com 45461 NS a.root-servers.net. ~~start at~~ root . 45461 NS b.root-servers.net. … . 45461 NS l.root-servers.net . 45461 NS m.root-servers.net. . 45461 RRSIG NS 8 0 518400 20230206050000 20230124040000 951 . … ;; Received 1097 bytes from 2600:4041:4310:3c00::1#53(CR1000A.Germans.org) in 12 ms com. 172800 NS a.gtld-servers.net. ~~xxx said to go to~~ .com ~~as they always do.~~ … GlobatTopLevelDomain com. 172800 NS l.gtld-servers.net. com. 172800 NS m.gtld-servers.net. com. 86400 DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 RRSIG DS 8 1 86400 20230211170000 20230129160000 951 . &heiip; ;; Received 1182 bytes from 2001:500:9f::42#53(l.root-servers.net) in 106 ms l.gtld-servers.net cloudflare.com. 172800 NS ns3.cloudflare.com. … cloudflare.com. 172800 NS ns7.cloudflare.com. cloudflare.com. 86400 DS 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9 cloudflare.com. 86400 RRSIG DS 8 2 86400 20230202051554 20230126040554 36739 com. XZZvr5&hellipi; ;; Received 824 bytes from 192.41.162.30#53(l.gtld-servers.net) in 6 ms ~~said to to~~ clouflare.com /usr/bin/dig +trace +showsearch a-0.info -t any . 42086 NS m.root-servers.net. ~~start at~~ root as always. . 42086 NS g.root-servers.net. … . 42086 NS l.root-servers.net. . 42086 RRSIG NS 8 0 518400 20230206050000 20230124040000 951 . … ;; Received 1097 bytes from 2600:4041:4310:3c00::1#53(CR1000A.Germans.org.) in 6 ms info. 172800 NS b0.info.afilias-nst.org. g.root-servers.net ~~says go to~~ info info. 172800 NS c0.info.afilias-nst.info. … info. 172800 NS b2.info.afilias-nst.org. info. 86400 DS 5104 8 2 1AF7548A8D3E2950C20303757DF9390C26CFA39E26C8B6A8F6C8B1E7 2DD8F744 info. 86400 RRSIG DS 8 1 86400 20230211170000 20230129160000 951 .… ;; Received 779 bytes from 2001:500:12::d0d#53(g.root-servers.net) in 30 ms a-0.info. 3600 NS ns14.midphase.com. a-0.info. 3600 NS ns15.midphase.com. a-0.info. 3600 NS ns16.midphase.com. dr3kecftk5dlgg1gdcs9q10f5vjs86ll.info. 3600 NSEC3 1 1 10 332539EE7F95C32A DR3N3PU0BNFRV1GS8FSQAU902DADMOGJ NS SOA RRSIG DNSKEY NSEC3PARAM … 3600 RRSIG NSEC3 8 2 3600 20230219221658 20230129211658 3891 info. … lafrai1abkq5a96uu2tdhr3b4qi24r3v.info. 3600 NSEC3 1 1 10 332539EE7F95C32A LAG8AFVF4R0BMCUM4SUPQTTKVLV23TD0 NS DS RRSIG lafrai1abkq5a96uu2tdhr3b4qi24r3v.info. 3600 RRSIG NSEC3 8 2 3600 20230215153623 20230125143623 3891 info. … ;; Received 609 bytes from 199.254.49.1#53(c0.info.afilias-nst.info) in 169 ms a-0.info. 14400 A 209.95.59.175 a-0.info. 14400 NS ns14.midphase.com. a-0.info. 14400 NS ns15.midphase.com. a-0.info. 14400 NS ns16.midphase.com. a-0.info. 86400 SOA ns14.midphase.com. domainmaster.uk2group.com. 1675023209 86400 7200 3600000 86400 a-0.info. 14400 MX 0 mx.a-0.info.cust.a.hostedemail.com. a-0.info. 14400 TXT "v=spf1 +a +mx +ip4:209.236.71.20 +ip4:209.95.59.175 ~all" ;; Received 344 bytes from 69.36.161.37#53(ns16.midphase.com) in 72 ms

`+time=s`	Timeout. min 1 second. Default: 15 seconds! (see .digrc) DNS response from local router may be in the range of .01-.20 for a cached entry, .3 for uncached `.com`
`+tries=T`	for UDP queries. Default: 3.
`+retry=r`	retry UDP Default: 2. does not include the initial query.
`+ndots=D`	the number of dots in name for it to be absolute. Default: 1 or `ndots` statement in `/etc/resolv.conf`. Names with fewer dots are relative and will be searched for in the domains listed in the search or domain directive in `/etc/resolv.conf`.
flags
`+noqr`	query as it is reqeusted. Default: `noqr` ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62753 ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
`+norecurse`	Toggle `RD` (Recursion Desired) . Initally set. Recursion is disabled with `nssearch` or `trace` .
`+noaaonly`	Sets `aa` Authoritative Answer
`+noaaflag`	`+noaaonly`.
Heavy options used when there's a real problem (not for the faint hearted)
`+nofail`	Do not try the next server if `SERVFAIL` is received. Default: fail.
`+tcp`	Use TCP when querying name servers. Default UDP, except for `AXFR` or `IXFR` .
`+nodomain=name`	Set the search list to contain the single domain `name`, as if specified in a domain directive in `/etc/resolv.conf,` and enable search list processing as if `search` were given.
`+nosearch`	Use the search list in `searchlist` or `domain` directive in `resolv.conf` . not used by default.
`+bufsize=bytes`	UDP message buffer size advertised using `EDNS0` 0-65535. Values other than zero causes an `EDNS` query to be sent.
`+edns=#`	EDNS version to query with. 0 - 255. Setting the EDNS version causes an EDNS query to be sent. `noedns` clears the EDNS version.
`+vc`	aka `tcp` "virtual circuit"
`+nobesteffort`	output the contents of messages which are malformed. Default don't.
`+noignore`	Ignore truncation in UDP responses. Default: retry with TCP query
`+nodnssec`	Requests DNSSEC records (DO)
`+nocdflag`	Checking Disabled. requests the server not to perform `DNSSEC` validation of responses.
`+sigchase`	Chase DNSSEC signature chains. Requires dig be compiled with `-DDIG_SIGCHSE`.
`trusted-key=xxxx`	Specifies a file containing trusted keys to be used with `sigchase`. Each DNSKEY record must be on its own line. If not specified dig will look for `/etc/trusted-key.key` then `trusted-key`.key in the current directory. Requires dig be compiled with `-DDIG_SIGCHASE`.
`+notopdown`	When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with `-DDIG_SIGCHASE`.
`adflag`	AD (authentic data) meaningful in responses, not in queries
`defname`	Deprecated, treated as a synonym for `search`

Multiple Queries

In addition to supporting -f file, specifying multiple queries on the command line is permited, each can be supplied with its own set of flags, options and query options.

Each query argument represents an individual query in the command-line syntax, consisting of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options applied to that query.

Global query options, applied to all queries,
precede the first hostname, class, type, options, flags, and query options can be overridden by a query-specific set of query options. For example:

dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

Global query option +qr is applied, so the initial query it made for each lookup.
an ANY query for www.isc.org,
a reverse lookup of 127.0.0.1 and
a query for the NS records of isc.org.
a local query option of +noqr not output the initial query when it looks up isc.org.

IDN SUPPORT

Built with Internationalized Domain Name support, accepts and outputs non-ASCII domain names.
Disabled by defining the IDN_DISABLE environment variable.

tip: The IN and CH class names overlap with the IN and CH top level domains names.

FILES

/etc/resolv.conf

${HOME}/.digrc

See host, named, dnssec-keygen, RFC1035.

Help

 dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
                         [ host [@local-server] {local-d-opt} …

Where:  
domain    is in the Domain Name System
q-class  one of: in, hs, ch,… default: in
q-type   one of: any, a, mx, ns, soa, hinfo, axf, txt,… default:a
                 Use ixfr=version for type ixfr
q-opt  :
-q name  -t type   -c class      
-f filename         batch mode
-x dot-notation     shortcut for in-addr lookups
-i                  IP6.INT reverse IPv6 lookups
-b address#port  bind to source address/port
-p port          
-4 -6         use IPv4/IPv6 query transport only

d-opt    is of the form +keyword=value, where keyword is:
vc    tcp            TCP mode aka Virtual Circuit

+time=###       timeout 5 sec.
+tries=###      UDP attempts 3        +retry=### UDP retries 2
+domain=###     default domainname
+bufsize=###    EDNS0 Max UDP packet size
+ndots=###         
+edns=###         
search         Set whether to use searchlist
showsearch     Search with intermediate results
defname  
recurse   
ignore         Don't revert to TCP for TC responses
fail           Don't try next server on SERVFAIL
besteffort     Try to parse even illegal messages

all            Set or clear all output flags
aaonly         Set AA flag in query aaflag
adflag         Set AD       
cdflag         Set CD 

cmd            output command line
qr             output question before sending 
cl             output class 

comments       question     answer       
authority      additional   stats      

short          ttlid  (ommits type=txt)
nssearch       Search all authoritative nameservers
identify       ID responders in short answers
trace          Trace delegation down from root
multiline      output records in an expanded format

dnssec         Request DNSSEC records
-k keyfile          specify tsig key file
-y [hmac:]name:key  (specify named base64 tsig key)

global d-opts and servers (before host name) affect all queries.
local  d-opts and servers (after host name)  affect only that lookup.




 

 7/13/19        
 /usr/bin/dig   @`/usr/bin/dig +short Real-World-Systems.com -t NS  | head -1` Real-World-Systems.com -t A MX TXT NS SOA  
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41712
;; flags: ^†qr aa^† rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4

Real-World-Systems.com. 14400   MX  20 spamalizer.midphase.com.
Real-World-Systems.com. 14400   TXT "v=spf1 +a +mx +ip4:209.236.71.20 +ip4:209.95.59.175 +ip4:209.236.71.17 +ip4:174.127.119.33  ~all"
Real-World-Systems.com. 86400   NS  ns14.midphase.com.
Real-World-Systems.com. 86400   NS  ns15.midphase.com.
Real-World-Systems.com. 14407   A   209.95.59.175
Real-World-Systems.com. 86400   NS  ns16.midphase.com.
Real-World-Systems.com. 3600    MX  17 Real-World-Systems.com.
Real-World-Systems.com. 600 SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600

;; Query time: 61 msec
;; SERVER: 69.36.161.36#53(69.36.161.36)
;; WHEN: Sat Jul 13 08:12:34 EDT 2019



 8/16/17 (notice OPT PSEDUOSECTION)
>usr/bin/dig $RWS -t any
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13645
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; ANSWER SECTION:
Real-World-Systems.com. 600 IN  SOA ns14.midphase.com. domainmaster.uk2group.com. 2016120500 14400 7200 3600000 600
Real-World-Systems.com. 14400   IN  TXT "v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all"
Real-World-Systems.com. 86400   IN  NS  ns16.midphase.com.
Real-World-Systems.com. 86400   IN  NS  ns14.midphase.com.
Real-World-Systems.com. 86400   IN  NS  ns15.midphase.com.
Real-World-Systems.com. 14400   IN  MX  0 spamalizer.midphase.com.
Real-World-Systems.com. 14407   IN  A   174.127.119.33

;; ADDITIONAL SECTION:
ns14.midphase.com.  886 IN  A   69.36.163.232
ns15.midphase.com.  12625   IN  A   69.36.161.36
ns16.midphase.com.  10893   IN  A   69.36.161.37

;; Query time: 187 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Aug 16 15:28:16 EDT 2017
;; MSG SIZE  rcvd: 336



dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 14114   IN  TXT     "v=spf1 a mx ip4:67.228.235.89 ?all"
real-world-systems.com. 13835   IN  A       67.228.235.89
real-world-systems.com. 13835   IN  MX      0 real-world-systems.com.
real-world-systems.com. 53938   IN  NS      dns2.midphase.com.
real-world-systems.com. 53938   IN  NS      dns1.midphase.com.

+++ 2/15/12   from  MI424WR router  (repeated queries returns only A record or A,TXT,INx2,SOA and MX records go figure

dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 600 IN  TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 600 IN  A   174.127.119.33
real-world-systems.com. 86400   IN  NS  dns2.midphase.com.
real-world-systems.com. 86400   IN  NS  dns1.midphase.com.
real-world-systems.com. 600 IN  SOA dns1.midphase.com. cpanel-admin.midphase.com. 2012021503 14400 7200 3600000 86400
real-world-systems.com. 600 IN  MX  0 real-world-systems.com.


 dig +noall +answer -t any real-world-systems.com
real-world-systems.com. 2981    IN  TXT "v=spf1 ip4:209.236.71.17 ip4:174.36.146.71 a mx ip4:206.46.173.1/24 ?all"
real-world-systems.com. 76534   IN  NS  dns1.midphase.com.
real-world-systems.com. 76534   IN  NS  dns2.midphase.com.

compare pppg

compare gardenStateAudubonCouncil

cccu.us.        86367   IN  RRSIG   NSEC 5 2 86400 20110219155930 20110120152137 4787 US. 
   FVbkawbzpPd5cKbvj24QSZJ1hDVawkohCA3+65kIVhZBp5EVqa6U0hjl 
   +oP3ZMTYCM0v38ezLOKuKBZR0+rRS6UUaN+TWC77EoGY85LGe+o9Sz4x 
   BXULGzhPzobdw1Rk1FrDLdo/MYNMjAe5946JXozyxVXJiqZJt+VGa9KC LpU=
cccu.us.        86367   IN  NSEC    CCCUN.us. NS RRSIG NSEC

Sample `/etc/resolve.conf`

domain Germans
nameserver 192.168.1.1
nameserver 71.250.0.12

cPanel creates autodiscovery. and autoconfiguration records records enable the Microsoft Outlook and Mozilla Thunderbird e-mail clients to automatically discover and configure access to e-mail accounts.

Errors

DNS returns SERVFAIL if SOA's says NS is xxx, but xxx does not know about it!

Return codes:
0 Even if a NXDOMAIN or SERVFAIL returns!
So you should :

> dig  -x  142.176.85.230|tee /tmp/$$ ;grep NOERROR /tmp/$$ 
> echo $? # rep  will output 1 if that IP address reports an  error

1 Invalid option, Usage Error
10 is not a legal name (empty label); for example is address specified has training dot ex:142.12.13.13.
8 Couldn't open batch file
9 No reply from server, ;; connection timed out; no servers could be reached
Try dig @8.8.8.8 … ( google-public-dns-a.google.com )

http://internetsupervision.com/scripts/urlcheck/check.aspx?lan=en-US&checkurl=real-world-systems.com&email=

txt dmarc

DNSchecker
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's a TXT record added to a domain DNS record. It specifies the policy that the email owner wants to implement and the recipient's server has to follow.
It protects both the email sender and recipient from spam, spoofing, and phishing.
The record allows you to set policies on:
. Who can send you the email based on your SPF and DKIM record?
. It also supplements SMTP. If the DMARC record is published for the domain, it has the following main functions. . Tell the recipient's server to either.
. . Quarantine the email.
. . Reject the email.
. . Allow the email to continue delivery.
DMARC allows you to receive your domain's sending activity reports. Through support from ISPs (Gmail, Yahoo, Microsoft, and more), send reports to the email address(es) containing all the domain's messages.

The DMARC relies on the established DKIM and SPF for email authentication.
. When the email owner publishes the DMARC policy, it bound the receiving email server how to handle the email if it fails DMARC validation.
. When the receiving email server receives the email, it performs the DNS lookup for the DMARC policy for the domain included in the message's "From" header. The server then checks and evaluates the email on three determinants.
. . Does the email DKIM signature validate?
. . Did the email come from IP addresses allowed to send emails on the domain's behalf (SPF records)?
. . Do the headers in the email show proper "domain alignment"?

With this information, the receiving server is ready to apply the sender domain's DMARC policy to determine either to accept, reject, or otherwise flag the email.

After using the DMARC policy to determine the email's proper disposition, the receiving mail server will report to sending domain owner about the outcome.

Available DMARC policies for the email that fails DMARC authentication.
. . None: Treat the email as the same, as it would be without any DMARC validation. That policy is adopted when your motive is to collect data and monitor your current email channel(s).
. . Quarantine: Accept the email but placed it somewhere else other than the recipient's inbox. Usually, such emails are placed in the spam folder.
. . Reject: Reject the email that fails DMARC validation.

DMARC domain alignment :
When an email is sent, the "From" contains the domain name after @ within the email address. The DKIM should also have the same domain name embedded into the key string.
DMARC tries to tie the SPF and DKIM results to the email content, particularly to the domain found in the "From" header of an email.
Having the SPF and DKIM align means that email passes the DMARC validation.
DMARC setup is complicated and risky to implement.
When you implement the DMARC policy without knowing your sending email sources like mailboxes, email marketing, CRM, transactional email, server alerts, etc., you could potentially reject all your legitimate emails.

First, set DMARC policy p=none to receive the report of all sending email sources. Then slowly align all outgoing emails with DKIM and SPF for the domain.

Monitor the aggregate reports daily.
Then deploy the quarantine, then reject the policy.

Example of a DMARC record

A DMARC record's name "_dmarc" which forms a TXT record such as _dmarc.mydomain.com. Example: v=DMARC1\; p=none\; rua=mailto:CUSTOMERID@mydomain.com\; ruf=mailto:CUSTOMERID@mydomain.com\; pct=100

v=DMARC1 DMARC version.
p=none policy to implement.
rua=mailto:CUSTOMERID@mydomain.com aggregate reports are sent.
ruf=mailto:CUSTOMERID@mydomain.com forensic reports are sent.
pct=100 is the percentage of emails to implement its policy. 100% is the default "pct=20" only one-fifth of the total emails are affected by the policy.
rf: format for message-specific forensic information reports (rf=afrf).
sp: policy for the subdomains (sp=r).
aspf: Alignment mode for SPF (aspf=r).
adkim: Alignment mode for DKIM (adkim=r).

These are the basic tags.
v(version) and p(policy) tags are required.

Aggregate reports: sent daily. These reports are XML documents that show the statistics about the received message, claimed to be from a particular domain. These reports are designed to be machine-readable and show the authentication results and message disposition.

Forensic reports: real-time reports that are sent on failure. copies of the emails that failed authentication. help troubleshoot authentication issues and identifying malicious domains and websites.

DMARC policy is a request, not an obligation for the recipient email server.

The receiving email server may apply its local policy when it thinks that the email is legitimate. The email can still land in the receiver inbox, even it fails DMARC validation. Usually, email receivers will override DMARC policy with local policy. To validate the DMARC record.

Open the DMARC Check & DMARC Lookup tool.
Enter the domain/host address in the space provided for that purpose and click the "Lookup DMARC" button.

The tool will perform the DMARC lookup for record validation and will validate the DMARC record on the following checks. Require the DMARC record in the DNS so that it can validate it.

Are RUA / RUF domains valid?
Check which DMARC policy is enabled.

An e-commerce business or sending transactional or commercial emails, apply more than one email authentication method to verify that an email is actually from you or your business.

DMARC helps the recipient email server evaluate the emails claiming to be coming from your domain. That is one of the essential steps you can take to improve your deliverability.

See

scutil ,  system preferences.

scutil --dns
DNS configuration 
resolver #1 search domain[0]: germans  nameserver[0]: 192.168.1.1  if_index: 4 (en0) 
                                                                   flags: Request A records  reach: Reachable, Directly Reachable Address 
resolver #2 domain: local                options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 300000 
resolver #3 domain: 254.169.in-addr.arpa options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 300200 
resolver #4 domain: 8.e.f.ip6.arpa       options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 300400 
resolver #5 domain: 9.e.f.ip6.arpa       options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 300600 
resolver #6 domain: a.e.f.ip6.arpa       options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 300800 
resolver #7 domain: b.e.f.ip6.arpa       options: mdns  timeout: 5 flags: Request A records  reach: Not Reachable  order: 301000 

DNS configuration (for scoped queries) 
resolver #1 search domain[0]: germans  nameserver[0]: 192.168.1.1  if_index: 4 (en0) 
                                                                   flags: Request A records  reach: Reachable, Directly Reachable Address

Extension mechanisms for DNS

IPv6

DNS White List anti spam

`hostname`	resource record(s) to be looked up.
`server`	name or IP address of the Name Server to query. Defaults from `/etc/resolv.conf` Server `hostname` is permitted. IPv4 address in dotted-decimal notation or IPv6 in colon-delimited notation.

`-t type` some servers refuse multiple type codes	`A AAAA MX NS SOA HINFO TXT SIG SSHFP PRT RRSIG OPT CAA SRV ANY AXF` `ANY` does not include `SRV` Try querying the Name Server for more records. Default: `A` IP address. `ANY` show all records. DNS may refuse or provide minimal response to `ANY`. See IETF comment on RFC1035 rfc8482 `MX` server for email messages, Format: … `MX prio host` where the server with the lowest priority is prefered. `TXT` may contain information including Sender Policy Framework to prevent sender address forgery check SPR details at DMarcian example: `v=spf1 a mx ip4:67.228.235.89 ?all` DMARC DKIM Digital Key Identified mail. example: /usr/bin/dig pp-dkim1._domainkey.paypal.com -t txt pp-dkim1._domainkey.paypal.com. 300 TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki… crypt string used by some services to prove that the requester of some DNS related service has the rights to alter the DNS settings. for example DocUSign ssl.com Please deploy a DNS TXT record under the name _acme-challenge.example.com with the following value: -87YKoj3sQZB4rVCMZTiifl9QJKYm2eYYymAkpE0zBo arbitrary data -t txt 3.2.3.updates.spamassassin.org 3.2.3.updates.spamassassin.org descriptive text "895075" -t txt 3.4.3.updates.spamassassin.org 3.4.3.updates.spamassassin.org is an alias for 3.3.3.updates.spamassassin.org> 3.3.3.updates.spamassassin.org descriptive text "1902056" `SRV` query must be of form `_service._protocol.host` for example: /usr/bin/dig -t srv _autodiscover._tcp.`domain` +short /usr/bin/dig -t srv _autoconfig._tcp.`domain` +short # only output the answer 0 0 443 cpanelemaildiscovery.cpanel.net. Use this for the URL in the curl next -d sends data in a POST request, in the same way that a browser does when a form is submitted curl -d '<EMailAddress>d@real-world-systems.com</EMailAddress>' \ https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml <?xml version="1.0" encoding="utf-8"?> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <User> <DisplayName>d@real-world-systems.com</DisplayName> any username rerurns the necessary informattion <EMailAddress>d@real-world-systems.com</EMailAddress> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>IMAP</Type> <Server>mail.real-world-systems.com</Server> <Port>993</Port> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <SSL>on</SSL> <AuthRequired>on</AuthRequired> <LoginName>d@real-world-systems.com</LoginName> </Protocol> <Protocol> <Type>SMTP</Type> <Server>mail.real-world-systems.com</Server> <Port>465</Port> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <SSL>on</SSL> <AuthRequired>on</AuthRequired> <LoginName>d@real-world-systems.com</LoginName> </Protocol> </Account> </Response> </Autodiscover>% Used by Microsoft Outlook Thunderbird uses `autoconfig` iceWarp, LDAP, Kerbos, SIP^† wikipedia Service discovery, LiRedMail how autoxxx works. iceWarp _caldav._tcp.`domain.com`. 86400 IN SRV 10 0 80 `targethost.com`. _caldavs._tcp.`domain.com`. 86400 IN SRV 10 0 443 `targethost.com`. _carddav._tcp.`domain.com`. 86400 IN SRV 10 0 80 `targethost.com`. _carddavs._tcp.`domain.com`. 86400 IN SRV 10 0 443 `targethost.com`. _ischedule._tcp.`domain.com`. 86400 IN SRV 10 0 80 `targethost.com`. _ischedules._tcp.`domain.com`. 86400 IN SRV 10 0 443 `targethost.com`. _sip._udp.`domain.com`. 86400 IN SRV 10 0 5060 `targethost.com`. _sip._tcp.`domain.com`. 86400 IN SRV 10 0 5060 `targethost.com`. _sip._tls.`domain.com`. 86400 IN SRV 10 0 5061 `targethost.com`. _xmpp-client._tcp.`domain.com`. 86400 IN SRV 10 0 5222 `targethost.com`. _xmpp-server._tcp.`domain.com`. 86400 IN SRV 10 0 5269 `targethost.com`. _autodiscover._tcp.`domain.com`. 86400 IN SRV 10 0 443 `targethost.com`. Not for `DKIM` see `txt`. `SOA` Start Of Authority name of the server that supplied the data for the zone; the administrator of the zone; the current version of the data file; seconds a secondary name server should wait before checking for updates; seconds """ wait before retrying a failed zone transfer; seconds """" can use data before it must either be refreshed or expire; and seconds for the Time-To-Live file on resource records. `AAAA` IPv6 address `SIG` provides signature (validation) data for another RRSet `SSHFP` secure Shell key for verification see ssh,ssh-keygen `CAA` Certification Authority Authorization certificate authorities (CAs) allowed to issue certificates for . `OPT` `PTR` reverse records `AXFR` requests a zone transfer Usually denied. `IXFR=nnnnnnnn`. incremental zone transfer Usually denied contains the changes made to the zone since the serial number in the zone's `SOA` record was `nnnnnnnn`. Frequently the serial number used is in the form; `yyyymmddNN` where NN is incremented each time the conf is changed in a given day. see BIND . IETF rfc1995bis Each domain may have multiple hosts and even multiple levels of host. Each having their own DNS records For example see TXT at spamassassin.org
`@ server`	Ask a specific DNS server `dig @dns2.midphase.com cccu.us`
`-4` `-6`	use IPv4 query transport. use IPv6
`-x iii.iii.iii.iii`	reverse lookup; maps addresses to names YouGetSignal tool (Data base of DNS, retrieves all domains at IP x.x.x.x) like 216.40.47.26.in-addr.arpa and sets query type to `PTR` and class to `IN`(??) . By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. /usr/bin/dig a-0.info +short +identify 209.95.59.175 from server 2600:4041:4310:3c00::1 in 6 ms. /usr/bin/dig -6 -x 2600:4041:4310:3c00::1 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.3.0.1.3.4.1.4.0.4.0.0.6.2.ip6.arpa. 0 PTR CR1000A.Germans.org.
`-f filename`	read requests from `filename` . Using the same format as a command.
`-q name`	sets the query name to distingish the name from other arguments.
`-c class`	Default `IN` internet. CHaos and Hesiod
`-b address[#port]`	sets the `source` IP address or `n.n.n.n` or`xx:xx:xx:xx.`
`-p port`	Default 53.
`-k keyfile`	Sign DNS queries and responses using transaction signatures (TSIG)
`-y hmac tname key`	TSIG `hmac` type of TSIG, default `HMAC^†-MD5` alternate:`-SHDA1` `tname` the name of the key `key` base-64 encoded string (typically generated by dnssec-keygen(8)). Note: The key is visible from `ps` or the shell's history file. When using `TSIG` authentication the name server needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate key and server statements in `named.conf.`
`-i x.x.x.x.x.x.x.x.x`	use the older RFC1886 method using the `IP6.INT` domain Bit string labels (RFC2874) are not attempted.
`-h`	help

`+noall`	Set or clear all output flags. > /usr/bin/dig canalrace.org +all ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;canalrace.org. IN A ;; ANSWER SECTION: canalrace.org. 12710 IN A 174.127.119.33 ;; Query time: 20 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Mar 14 15:48:31 2017 ;; MSG SIZE rcvd: 47 As `+noall` turns off everything it should be followed by another keyword.
`+nocomments`	`nocomments` supress lines like: ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50353 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: ;; QUESTION SECTION: ;; ANSWER SECTION:
`+short`	as `cut -f 5-` implies `nocomments` > /usr/bin/dig +short -t any canalrace.org ns14.midphase.com. hostmaster.midphase.com. 2015101800 86400 7200 604800 600 ns15.midphase.com. ns16.midphase.com. ns14.midphase.com. "v=spf1 +a +mx +ip4:209.236.71.17 +ip4:174.127.119.33 ~all" 0 canalrace.org. 174.127.119.33
`+identify`	IP address and port that supplied the answer with `short` (`short` otherwise supresses that) Default: `noid` 67.228.235.89 from server 10.0.80.11 in 1 ms.
`+nocmd`	dig version and options. Use as a global option (i.e. before `host`) ; <<>>DiG 9.3.4-P1 <<>> ;; global options: printcmd
`+noquestion`	dig @dns1.midphase.com cccu.us +noall +question ;cccu.us. IN A
`+noanswer`	dig @dns1.midphase.com cccu.us +noall +answer ;; ANSWER SECTION: cccu.us. 14407 IN A 174.127.119.33
`+noadditional`	dig @dns1.midphase.com cccu.us +noall +addi ;; ADDITIONAL SECTION: dns1.midphase.com. 86400 IN A 67.213.216.225 dns2.midphase.com. 86400 IN A 69.4.235.113
`+noauthority`	dig @dns1.midphase.com cccu.us +noall +auth ;; AUTHORITY SECTION: cccu.us. 86400 IN NS dns2.midphase.com. cccu.us. 86400 IN NS dns1.midphase.com.
`+nostats`	Performance of responding server ;; Query time: 2 msec ;; SERVER: 10.0.80.11#53(10.0.80.11) ;; WHEN: Fri Nov 13 22:42:39 2009 ;; MSG SIZE rcvd: 294
`+nocl`	`nocl` supresses column 3 (usually `IN` (might be CHaos or HeSiod)
`+nomultiline`	records like the SOA in verbose multi-line format with human-readable comments. 119.127.174.in-addr.arpa. 10788 IN SOA dns1.midphase.com. hostmaster.midphase.com. ( 2010091964 ; serial 86400 ; refresh (1 day) 7200 ; retry (2 hours) 3600000 ; expire (5 weeks 6 days 16 hours) 86400 ; TTL (1 day) ) `nomultiline` uses [tab] to seperate fields Multiline uses spaces. 119.127.174.in-addr.arpa. 10800 IN SOA dns1.midphase.com. hostmaster.midphase.com. 2010091964 86400 7200 3600000 86400^† Default output each record on a single line, to facilitate parsing.

dig - DNS lookup utility Domain Information Groper (gatherer)