dig DNS Lookup

dig cheatsheet — query DNS records for A, MX, NS, TXT, CNAME. dig +short, dig @8.8.8.8, dig +trace for full resolution path. The DNS debugging tool.


What it is

dig is a flexible command-line tool for querying DNS name servers, useful for troubleshooting DNS resolution issues and understanding DNS records.

Installation

Linux:

sudo apt update && sudo apt install dnsutils
# or
sudo yum install bind-utils

macOS: dig is pre-installed.

Windows: dig is not natively included. You can install it via Windows Subsystem for Linux (WSL) or by downloading a third-party binary.

Core Concepts

  • DNS (Domain Name System): A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It translates human-readable domain names (like www.google.com) into machine-readable IP addresses (like 172.217.160.142).
  • Name Server: A server that stores DNS records for a domain and responds to queries about that domain.
  • Query: A request sent to a DNS server for information about a domain name or IP address.
  • Record Types: Different types of information stored in DNS:
    • A: Address record, maps a hostname to an IPv4 address.
    • AAAA: IPv6 Address record, maps a hostname to an IPv6 address.
    • CNAME: Canonical Name record, maps a hostname to another hostname.
    • MX: Mail Exchanger record, specifies mail servers responsible for accepting email for a domain.
    • NS: Name Server record, specifies the authoritative name servers for a domain.
    • TXT: Text record, used for various purposes, often for domain verification or SPF records.
    • SOA: Start of Authority record, provides authoritative information about a DNS zone.
    • PTR: Pointer record, maps an IP address to a hostname (used in reverse DNS lookups).
    • ANY: Not a record type but a request for whatever records the server currently holds for the name. Many servers refuse it or answer with a single minimal record (RFC 8482), so it is unreliable; query the specific types you need instead.

Commands / Usage

Basic DNS Lookup:

  • dig www.google.com Perform a standard DNS lookup for the A record of www.google.com.
  • dig AAAA www.google.com Query for the IPv6 address (AAAA record) of www.google.com.
  • dig CNAME www.github.com Query for the canonical name (CNAME record) of www.github.com.
  • dig MX google.com Query for the Mail Exchanger (MX) records for google.com.
  • dig NS google.com Query for the Name Server (NS) records for google.com.
  • dig TXT google.com Query for the Text (TXT) records for google.com.
  • dig SOA google.com Query for the Start of Authority (SOA) record for google.com.
  • dig -x 8.8.8.8 Perform a reverse DNS lookup for the IP address 8.8.8.8 (maps IP to hostname).

Querying Specific Name Servers:

  • dig @8.8.8.8 www.google.com Query Google’s public DNS server (8.8.8.8) for the A record of www.google.com.
  • dig @ns1.google.com google.com Query Google’s ns1.google.com name server for records of google.com.
  • dig @1.1.1.1 MX google.com Query Cloudflare’s DNS server (1.1.1.1) for the MX records of google.com.

Controlling Output:

  • dig +short www.google.com Print only the answer data (for an A query, the IP addresses, one per line) with no headers, sections or statistics.
  • dig +nocmd www.google.com Omit the command line and version details from the output.
  • dig +nostats www.google.com Omit the statistics section from the output.
  • dig +noquestion www.google.com Omit the question section from the output.
  • dig +noauthority www.google.com Omit the authority section from the output.
  • dig +noadditional www.google.com Omit the additional records section from the output.
  • dig +noall www.google.com Turn off every display section; on its own it prints nothing useful and is meant as a base for switching individual sections back on.
  • dig +noall +answer www.google.com Show only the answer section (the resource records). +answer is a display toggle, not a filter, so it is always combined with +noall.
  • dig +trace www.google.com Resolve iteratively: start at the root servers and follow each NS delegation down to the server authoritative for www.google.com. Because dig does the recursion itself, the final answer does not come from your resolver's cache.
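The flags above are usually combined as dig +noall +answer so that only the resource records reach a script. The shell functions below, an added example and not part of the original cheatsheet, parse that answer format: records extracts the rdata of one record type, min_ttl returns the smallest TTL in the answer (how soon a change could become visible), and mx_by_preference orders mail hosts by preference. SAMPLE_ANSWER is constructed to match dig's five-column answer lines (name, TTL, class, type, rdata); the names and addresses in it (example.com, 192.0.2.x, mail.example.com) are assumptions, and in real use you would pipe dig +noall +answer ... into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original page): parse the answer lines that
# `dig +noall +answer` prints.  SAMPLE_ANSWER is constructed sample output;
# example.com, the 192.0.2.x addresses and the mail hosts are assumptions.
# Live use: dig +noall +answer example.com MX | mx_by_preference

SAMPLE_ANSWER='example.com.      3600  IN  A      192.0.2.1
example.com.      3600  IN  A      192.0.2.2
example.com.      300   IN  MX     10 mail.example.com.
example.com.      300   IN  MX     20 mail2.example.com.
example.com.      600   IN  TXT    "v=spf1 mx -all"
www.example.com.  60    IN  CNAME  example.com.'

# records TYPE: print the rdata of every record of TYPE, one per line.
# Reads answer lines on stdin; dig's layout is: name ttl class type rdata...
# Lines starting with ';' (comments, present when +comments is on) are skipped.
records() {
  awk -v want="$1" '$1 !~ /^;/ && $4 == want {
    $1 = $2 = $3 = $4 = ""     # blank the first four columns, keep the rdata
    sub(/^ +/, "")             # strip the separators awk leaves behind
    print
  }'
}

# min_ttl: smallest TTL (second column) in the answer, in seconds.
# A resolver may cache each record this long, so this bounds how soon a
# change to any of these records can show up there.
min_ttl() {
  awk '$1 !~ /^;/ && NF >= 5 { if (min == "" || $2 < min) min = $2 }
       END { print min + 0 }'
}

# mx_by_preference: MX hosts ordered most preferred (lowest number) first.
mx_by_preference() {
  records MX | sort -n | awk '{ print $2 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ANSWER" | records A
printf '%s\n' "$SAMPLE_ANSWER" | mx_by_preference
printf '%s\n' "$SAMPLE_ANSWER" | min_ttl
```

Keeping the parsing in functions that read stdin means the same code works on saved dig output from a ticket as well as on a live query.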

Advanced Options:

  • dig www.google.com ANY Attempt to query for all record types for www.google.com (often blocked).
  • dig +tcp www.google.com Force the use of TCP for the query (useful for large responses or when UDP is blocked).
  • dig +bufsize=1400 www.google.com Set the UDP buffer size for the query.
  • dig www.google.com +qr Print the query packet as well as the response.
  • dig www.google.com +dnssec Set the DO bit so the server includes the DNSSEC records (RRSIG alongside the answer). dig does not validate the signatures itself; only the ad flag in the response header tells you that the resolver validated them.
  • dig www.google.com +multiline Display output in a more human-readable, multi-line format.

Querying Specific Zones (often used with NS queries):

  • dig google.com NS Get the Name Servers for the google.com zone.
  • dig google.com SOA Get the Start of Authority record for the google.com zone.

Common Patterns

Checking if a domain resolves and getting its IP:

dig www.example.com +short

This will output just the IP address if the domain resolves.

Tracing DNS resolution path:

dig +trace www.example.com

See how your query travels from the root servers down to the authoritative server.

Checking mail servers for a domain:

dig MX example.com

Lists mail servers and their preference values.

Verifying a domain’s TXT records (e.g., for SPF or domain verification):

dig TXT example.com

Testing DNS resolution against a specific server:

dig @ns1.yourdomain.com www.yourdomain.com

This is useful if you’ve just made DNS changes and want to see if a specific authoritative server is responding correctly.
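One way to turn this check into a script, as an added example not taken from the original page: fetch the A records with dig +short from the authoritative server and from a recursive resolver, normalise both into sorted sets (so round-robin ordering is not reported as a difference) and print what only one side has. AUTH_ANSWER and CACHED_ANSWER are constructed sample output standing in for dig +short @ns1.example.com example.com A and dig +short @8.8.8.8 example.com A; ns1.example.com and the 192.0.2.x addresses are assumptions, and live_compare is the same comparison wired to real dig calls (defined but not run here).

```shell
#!/bin/sh
# Added example (not from the original page): has a zone change reached a
# recursive resolver's cache yet?  Compare its answer with the authoritative
# server's.  The two samples are constructed; in real use they come from
#   dig +short @ns1.example.com example.com A    (authoritative, current zone)
#   dig +short @8.8.8.8 example.com A            (recursive, possibly cached)
# ns1.example.com and the 192.0.2.x addresses are assumptions.

AUTH_ANSWER='192.0.2.20
192.0.2.10'

CACHED_ANSWER='192.0.2.10
192.0.2.99'

# rrset: normalise `dig +short` output into a sorted, de-duplicated set so
# that record rotation between queries does not count as a difference.
rrset() {
  grep -v '^;' | sort -u
}

# compare_answers AUTH RESOLVER: exit 0 when both sides hold the same set.
# Otherwise print each record only one side has, '<' for authoritative-only
# (not yet visible at the resolver) and '>' for resolver-only (stale), and exit 1.
compare_answers() {
  a=$(printf '%s\n' "$1" | rrset)
  r=$(printf '%s\n' "$2" | rrset)
  [ "$a" = "$r" ] && return 0
  printf '%s\n' "$a" | while read -r rec; do
    [ -n "$rec" ] || continue
    printf '%s\n' "$r" | grep -qxF -- "$rec" || printf '< %s\n' "$rec"
  done
  printf '%s\n' "$r" | while read -r rec; do
    [ -n "$rec" ] || continue
    printf '%s\n' "$a" | grep -qxF -- "$rec" || printf '> %s\n' "$rec"
  done
  return 1
}

# live_compare NAME AUTH_SERVER RESOLVER: the same check against real servers.
# Needs network access and dig, so it is only defined here, not called.
live_compare() {
  compare_answers "$(dig +short "@$2" "$1" A)" "$(dig +short "@$3" "$1" A)"
}

# Stand-alone demonstration on the constructed samples.
if compare_answers "$AUTH_ANSWER" "$CACHED_ANSWER"; then
  echo "resolver matches authoritative"
else
  echo "resolver differs from authoritative (see lines above); wait for the TTL or query another resolver"
fi
```

Run live_compare example.com ns1.example.com 8.8.8.8 (with your own names) in a loop after a change; once it exits 0 the old record's TTL has expired at that resolver.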

Checking reverse DNS for an IP address:

dig -x 192.0.2.1

Getting all records for a domain (if supported):

dig example.com ANY +noall +answer

Note: ANY queries are often disabled by DNS servers for security and performance reasons.

Forcing TCP connection (useful for large responses or blocked UDP):

dig +tcp www.example.com

Gotchas

  • ANY queries are unreliable: Many DNS servers block or limit ANY queries due to potential for abuse and performance impact. It’s better to query for specific record types (A, MX, TXT, etc.).
  • UDP vs TCP: By default dig sends the query over UDP. If the answer does not fit in the UDP payload size, the server sets the TC (truncated) flag in the header and dig automatically retries over TCP. Some firewalls block UDP/53 but allow TCP/53, or let UDP through but drop large or fragmented replies; +tcp forces TCP from the start and +bufsize changes the advertised UDP payload size.
  • Caching: Recursive resolvers (your local stub resolver, your ISP's resolver, 8.8.8.8) cache answers until the TTL expires, so a query made right after a zone change may still return the old record. dig has no cache of its own and no +nocache option. To see the current zone data, query an authoritative server directly (dig @ns1.example.com example.com) or use +trace, which resolves iteratively from the root. Authoritative servers answer from their zone data and do not cache.
  • Authoritative vs Recursive: A recursive resolver such as 8.8.8.8 does the work of finding the answer for you, and may serve it from cache. An authoritative server such as ns1.example.com answers only for the zones it hosts; it normally has recursion disabled (no ra flag) and replies REFUSED to questions about other zones. +trace shows the iterative flow from the root down to the authoritative server.
  • Output interpretation: The default output is verbose. The ;; ->>HEADER<<- line carries the status (NOERROR, NXDOMAIN, SERVFAIL, REFUSED), and the ;; flags: line tells you who answered: aa means the answer came from an authoritative server, ra that the server offers recursion, ad that a validating resolver verified the DNSSEC chain, tc that the answer was truncated. Below that, read the QUESTION, ANSWER, AUTHORITY and ADDITIONAL sections; +short is your friend for quick answers.
  • TTL (Time To Live): The second column of each record in the ANSWER SECTION is the TTL in seconds, the time a resolver may cache that record. A cached answer shows the TTL counting down on repeated queries to the same resolver. A change does not "propagate"; it becomes visible at each resolver only once the old record's TTL has run out there, which is why you lower the TTL well before a planned change.
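The header is where the +dnssec, UDP/TCP and output-interpretation points above come together, so here is an added example (not from the original page) that reads a full dig response: it pulls the status from the ;; ->>HEADER<<- line and the flags from the ;; flags: line, and reports whether the resolver validated DNSSEC (ad flag set), returned signed data it did not validate (RRSIG present but no ad), or returned unsigned data. SAMPLE_RESPONSE is constructed to match dig's header and answer layout; the version string, query id, example.com records and the RRSIG fields in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): interpret the header of a full
# dig response.  SAMPLE_RESPONSE is constructed to match dig's layout and
# stands in for `dig +dnssec example.com A` sent to a validating resolver;
# the version, id, addresses and RRSIG values are assumptions.

SAMPLE_RESPONSE='; <<>> DiG 9.18.24 <<>> +dnssec example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  300  IN  A      192.0.2.1
example.com.  300  IN  RRSIG  A 13 2 300 20240101000000 20231201000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

# header_flags: the flags printed on the ";; flags:" line, space separated
# (qr aa tc rd ra ad cd, whichever are set).
header_flags() {
  sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# has_flag FLAG: exit 0 when FLAG is present in the header.  Reads the
# response on stdin.  tc => retry with +tcp; ad => resolver validated DNSSEC;
# aa => the answering server is authoritative for the zone.
has_flag() {
  header_flags | tr ' ' '\n' | grep -qx -- "$1"
}

# rcode: the status field of the HEADER line (NOERROR, NXDOMAIN, SERVFAIL, REFUSED).
rcode() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# dnssec_status: one word summarising what the resolver told us.
#   <rcode>             non-NOERROR status, e.g. SERVFAIL (validation failure
#                       or server trouble; retry with +cd to tell them apart)
#   validated           ad flag set: the resolver checked the signature chain
#   signed-unvalidated  RRSIGs came back but no ad flag: nobody validated them
#   unsigned            no RRSIG and no ad flag
dnssec_status() {
  resp=$(cat)
  status=$(printf '%s\n' "$resp" | rcode)
  if [ "$status" != "NOERROR" ]; then
    echo "$status"
  elif printf '%s\n' "$resp" | has_flag ad; then
    echo "validated"
  elif printf '%s\n' "$resp" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
    echo "signed-unvalidated"
  else
    echo "unsigned"
  fi
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RESPONSE" | header_flags
printf '%s\n' "$SAMPLE_RESPONSE" | dnssec_status
```

If a validating resolver returns SERVFAIL for a name, repeat the query with +cd (checking disabled): a NOERROR answer on the second try points at a DNSSEC validation failure in the zone rather than an unreachable server. Note that the ad flag is only meaningful on the path between you and the resolver; on an unauthenticated UDP link it is just a bit in the packet.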