
The dig Command: Complete Guide to DNS Queries in Linux

Introduction

The dig command (Domain Information Groper) is one of the most powerful and flexible tools for performing DNS queries in Linux and Unix systems. Whether you’re a system administrator troubleshooting network issues, a developer debugging application DNS problems, or a network engineer verifying DNS configurations, dig is an essential utility in your toolkit.

This comprehensive guide covers everything from basic dig usage to advanced DNS query techniques, helping you become proficient in diagnosing and understanding DNS-related issues.

Understanding DNS and Why It Matters

What is DNS?

The Domain Name System (DNS) is often called the “phonebook of the internet.” It translates human-readable domain names (like google.com) into IP addresses (like 142.250.185.78) that computers use to identify each other.

Without DNS, we would need to memorize the IP address of every website we want to visit, a nearly impossible task given that there are billions of websites on the internet today.

Why DNS Troubleshooting Matters

DNS issues can cause:

  • Website accessibility problems
  • Email delivery failures
  • Application connection errors
  • Security vulnerabilities
  • Performance degradation

Understanding how to query DNS directly gives you the ability to diagnose these issues accurately and quickly.

Installing dig

Most Linux distributions include dig as part of the bind-utils or dnsutils package.

Installation Commands

# Debian/Ubuntu
sudo apt-get install dnsutils

# RHEL/CentOS/Fedora
sudo dnf install bind-utils

# Arch Linux
sudo pacman -S bind

# macOS (pre-installed in most versions)

Basic dig Usage

Simple Domain Lookup

The most basic use of dig is to query a domain name:

dig google.com

This returns comprehensive output including:

  • The version of dig
  • Global options used
  • The query section
  • The answer section
  • Additional information section
  • Query statistics

Simplified Output

For simpler output without all the details:

dig +short google.com

This returns just the IP addresses, making it useful for scripts.

Querying Specific Record Types

DNS stores various types of records, each serving a different purpose:

A Records (Address Records)

dig -t A google.com

Returns IPv4 addresses for the domain.

AAAA Records

dig -t AAAA google.com

Returns IPv6 addresses for the domain.

MX Records (Mail Exchange)

dig -t MX google.com

Returns mail server information, including priority:

;; ANSWER SECTION:
google.com.		3600	IN	MX	10 smtp.google.com.

NS Records (Name Server)

dig -t NS google.com

Returns the authoritative name servers for the domain.

CNAME Records (Canonical Name)

dig -t CNAME www.google.com

Returns alias records pointing to canonical names.

TXT Records

dig -t TXT google.com

Returns text records, often used for SPF, DKIM, and DMARC verification.

SOA Records (Start of Authority)

dig -t SOA google.com

Returns authoritative information about the zone.

PTR Records (Pointer)

dig -t PTR 8.8.8.8.in-addr.arpa

Returns reverse DNS information (IP to domain).

Specifying DNS Servers

By default, dig uses the DNS servers configured in your system. You can specify a different DNS server using the @ symbol.

Querying a Specific DNS Server

dig @8.8.8.8 google.com

This queries Google’s public DNS server (8.8.8.8) instead of your default server.

Common Public DNS Servers

  • Google: 8.8.8.8 and 8.8.4.4
  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • OpenDNS: 208.67.222.222 and 208.67.220.220
  • Quad9: 9.9.9.9

Using Specific DNS for Specific Query Types

dig @8.8.8.8 -t MX google.com
dig @1.1.1.1 -t NS example.com

Query Options

dig offers numerous options to customize your queries:

Non-Recursive Queries

By default, dig performs recursive queries. To perform a non-recursive query:

dig +norecurse -t A www.google.com @dns.google.com

This returns only what the specified DNS server knows directly, not what it can look up from other servers.

Tracing the Full Resolution Path

The +trace option shows the complete DNS resolution path:

dig +trace -t A www.google.com @223.5.5.5

This displays:

  1. Queries to the root servers, which return the .com TLD nameservers
  2. Queries to the .com TLD servers, which return the google.com nameservers
  3. Queries to the google.com authoritative servers, which return the A record for www.google.com

The output shows the iterative process:

. 151821 IN NS a.root-servers.net.
...
com. 172800 IN NS b.gtld-servers.net.
...
google.com. 172800 IN NS ns2.google.com.
...
www.google.com. 300 IN A 142.250.185.78

Controlling Output Format

Compact Output

dig +noall +answer google.com

Shows only the answer section.

Question Section Only

dig +noall +question google.com

Shows only the question section.

Answer Section with Comments

dig +noall +answer +comments google.com

Shows the answer section together with dig's comment lines (header, flags and status), a middle ground between +short and the full output.

Setting Query Timeout

dig +time=5 +tries=2 google.com

  • +time: Sets timeout in seconds (default: 5)
  • +tries: Number of UDP attempts (default: 3)

TCP Instead of UDP

dig +tcp google.com

Uses TCP instead of UDP for the query (TCP is used for zone transfers and large responses).

Practical Examples

Checking Email Server Configuration

dig -t MX example.com +short

Verify mail routing is correct.

Finding Authoritative Nameservers

dig -t NS example.com +short

Get the authoritative nameservers for a domain.

Reverse DNS Lookup

dig -x 8.8.8.8 +short

Returns: dns.google.

Verifying SPF Records

dig -t TXT example.com +short

Check the SPF record for email sender verification.
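As an added example that is not part of the original article, the POSIX shell functions below parse the TXT answer lines for an SPF policy and check it the way a receiving mail server would; the dig output is constructed so the script runs offline, and the capture command in the comment is an assumption about how you would feed real output. It handles the two cases a plain grep misses: records split into several quoted chunks, and zones publishing more than one SPF record.

```shell
#!/bin/sh
# Added example: extract the SPF policy from `dig -t TXT` output and check it
# the way a receiving mail server does. Two details matter: long TXT records
# are printed as several quoted chunks that must be joined, and RFC 7208
# requires exactly one record starting with "v=spf1" (the match is
# case-insensitive, which is why `grep SPF` alone is unreliable).

# Constructed sample in the format of `dig -t TXT example.com +noall +answer`;
# with real dig, capture it with  TXT_OUT=$(dig -t TXT example.com +noall +answer)
TXT_OUT='example.com.  3600  IN  TXT  "google-site-verification=AbC123"
example.com.  3600  IN  TXT  "v=spf1 " "include:_spf.example.net " "ip4:192.0.2.0/24 -all"'
TXT_TWO_SPF='example.com.  300  IN  TXT  "v=spf1 -all"
example.com.  300  IN  TXT  "v=spf1 include:_spf.example.net ~all"'

# spf_records OUTPUT: print each SPF record (quotes removed, chunks joined).
spf_records() {
    printf '%s\n' "$1" | awk '$4 == "TXT" {
        rdata = substr($0, index($0, "\""))   # everything from the first quote
        gsub(/" +"/, "", rdata)               # join "chunk" "chunk" into one string
        sub(/^"/, "", rdata); sub(/"$/, "", rdata)
        if (tolower(rdata) ~ /^v=spf1( |$)/) print rdata
    }'
}

# check_spf OUTPUT: "ok" for exactly one SPF record, "none" if absent,
# "multiple" if more than one (a permanent error for SPF evaluation).
check_spf() {
    n=$(spf_records "$1" | awk 'END { print NR }')
    case $n in
        0) echo none ;;
        1) echo ok ;;
        *) echo multiple ;;
    esac
}

# Demonstration on the constructed data.
echo "policy: $(spf_records "$TXT_OUT")"
echo "single record check: $(check_spf "$TXT_OUT")"
echo "two-record zone: $(check_spf "$TXT_TWO_SPF")"
```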

Checking DNSSEC Keys

dig -t DNSKEY example.com

View DNSSEC security keys.

Batch Queries

Create a file with domains:

google.com
example.com
github.com

Query all at once:

dig -f domains.txt +short

Checking TTL Values

dig google.com

Look for the TTL (Time To Live) value in the answer section:

google.com.	299	IN	A	142.250.185.78

The 299 is the TTL in seconds.

Troubleshooting DNS Issues

DNS Resolution Not Working

dig problematic-site.com

Check if the domain resolves at all.

Verifying Specific Nameserver

dig @ns1.hostingcompany.com website.com

Query the specific nameserver hosting your domain.

Comparing DNS Responses

Compare responses from different DNS servers:

dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

Differences may indicate caching or configuration issues.

Checking for DNS Propagation

Query several public resolvers to see whether a change has reached their caches (the root servers only hand out referrals, so querying them with +short prints nothing):

for ns in 8.8.8.8 1.1.1.1 9.9.9.9; do
  echo "=== $ns ==="
  dig @"$ns" example.com +short
done
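As an added example, not from the original article, the following POSIX shell snippet compares the answer sections two resolvers return for the same name while ignoring the TTL column, so that cache age is not mistaken for a configuration problem when comparing responses or checking propagation. The dig output is constructed so it runs offline; the capture commands in the comments are assumptions about how you would wire it to real dig.

```shell
#!/bin/sh
# Added example: compare the answer sections two resolvers return for the same
# name, ignoring the TTL column. TTLs legitimately differ between caches (each
# resolver counts down from the authoritative value), so only differences in the
# record data point to a delegation, zone or stale-cache problem.

# Constructed sample output in the format of `dig +noall +answer example.com`.
# With real dig, capture it per resolver, e.g.:
#   ANSWER_A=$(dig @8.8.8.8 +noall +answer example.com)
#   ANSWER_B=$(dig @1.1.1.1 +noall +answer example.com)
ANSWER_A='example.com.   299   IN  A  93.184.216.34
example.com.   299   IN  A  93.184.216.35'
ANSWER_B='example.com.   17    IN  A  93.184.216.35
example.com.   17    IN  A  93.184.216.34'
ANSWER_C='example.com.   3600  IN  A  198.51.100.7'

# normalize OUTPUT: drop the TTL (field 2), collapse whitespace and sort, so
# record order (resolvers often rotate it) and cache age do not matter.
normalize() {
    printf '%s\n' "$1" | awk 'NF >= 5 { $2 = ""; print }' | tr -s ' ' | sort
}

# compare_answers OUTPUT_1 OUTPUT_2: returns 0 when both answer sets hold the
# same records; otherwise prints both normalized sets and returns 1.
compare_answers() {
    norm_1=$(normalize "$1")
    norm_2=$(normalize "$2")
    if [ "$norm_1" = "$norm_2" ]; then
        echo "same records (TTL differences ignored)"
        return 0
    fi
    echo "records differ:"
    echo "--- resolver 1"; printf '%s\n' "$norm_1"
    echo "--- resolver 2"; printf '%s\n' "$norm_2"
    return 1
}

# Demonstration on the constructed data: A and B agree, C does not.
compare_answers "$ANSWER_A" "$ANSWER_B"
compare_answers "$ANSWER_A" "$ANSWER_C" || echo "check the delegation or wait for caches to expire"
```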

Email Delivery Issues

dig -t MX domain.com +noall +answer
dig -t TXT domain.com +noall +answer

Check MX records and SPF configuration.

Advanced dig Usage

Using dig in Scripts

#!/bin/bash
# Check whether a domain resolves; exit non-zero if it does not.

DOMAIN=$1
if [ -z "$DOMAIN" ]; then
    echo "usage: $0 <domain>" >&2
    exit 2
fi

# Quote the variable so odd input cannot be split into extra arguments.
RESULT=$(dig +short "$DOMAIN")

if [ -z "$RESULT" ]; then
    echo "DNS resolution failed for $DOMAIN"
    exit 1
else
    echo "$DOMAIN resolves to: $RESULT"
fi

IPv4 and IPv6 Queries

# Force IPv4
dig +short -4 google.com

# Force IPv6
dig +short -6 google.com

Checking CAA Records

dig -t CAA example.com

Certificate Authority Authorization records specify which CAs can issue certificates.

Looking up SRV Records

dig -t SRV _service._protocol.example.com

Service records for locating services.

dig vs. Other DNS Tools

dig vs. nslookup

  • dig: More detailed output, more options, actively maintained
  • nslookup: Simpler syntax, considered legacy

dig vs. host

# Using host
host google.com

# Using dig
dig google.com +short

dig vs. getent

getent hosts google.com

Uses the system’s resolver library.

Best Practices

  1. Use +short for scripts: Reduces output to essentials
  2. Specify DNS server: Avoids reliance on local resolver
  3. Check TTL values: Important when planning DNS changes
  4. Use +trace for debugging: Shows complete resolution path
  5. Compare multiple servers: Identifies caching issues

Common Use Cases

Web Development

# Verify domain points to correct IP
dig mywebsite.com +short

# Check CDN configuration
dig cdn.mywebsite.com +short

System Administration

# Monitor DNS changes (grep "ANSWER" would only match the section header, not the records)
dig example.com +noall +answer

# Check nameserver delegation
dig +nssearch example.com

Security

# Verify DNSSEC
dig +dnssec example.com +short

# Check for SPF records (the tag is "v=spf1"; a case-sensitive grep for SPF would miss it)
dig -t TXT example.com +short | grep -i 'v=spf1'

Conclusion

The dig command is an indispensable tool for anyone working with DNS. Its flexibility and detailed output make it perfect for troubleshooting, verification, and learning about DNS configuration.

Remember these key points:

  • Use +short for simple output in scripts
  • Use +trace to understand resolution path
  • Use @server to query specific DNS servers
  • Use -t type to query specific record types

With practice, dig will become your go-to tool for all DNS-related tasks.
