Getting started with dig - DNS troubleshooting
Getting started with dig
Please note that this blog post is not an in-depth guide on DNS and dig. It covers the basics; more advanced topics are out of scope. Some of those advanced topics are DNS over HTTPS/TLS, the various ways to format the results, DNSSEC, and so on. I'll go into more detail in separate posts.
Basic usage
Dig stands for 'Domain Information Groper' and is a great tool to troubleshoot DNS issues or get information about certain domains. It is an excellent alternative to nslookup and host and generally presents results that are more script-friendly.
- The typical syntax is the following:
dig @server name type
- @server is the IP or name of the name server you want to handle the request. It is optional and if it is not specified, dig checks /etc/resolv.conf.
- name is the host or domain name for the request
- type is the DNS type that is requested. It is optional and if it is not specified, dig will use the A record.
Basic example with line numbers added:
kuser@pleasejustwork:~$ dig ittavern.com
1 ; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> ittavern.com
2 ;; global options: +cmd
3 ;; Got answer:
4 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64814
5 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
6
7 ;; OPT PSEUDOSECTION:
8 ; EDNS: version: 0, flags:; udp: 65494
9 ;; QUESTION SECTION:
10 ;ittavern.com. IN A
11
12 ;; ANSWER SECTION:
13 ittavern.com. 600 IN A 95.216.194.187
14
15 ;; Query time: 40 msec
16 ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
17 ;; WHEN: Fri Oct 13 20:26:34 CEST 2023
18 ;; MSG SIZE rcvd: 67
Without providing too many options, we already get a lot of information, and I'll try to get into more detail in the following sections.
Let us start with line 4: the status field is the first indicator of the request's success.
- NOERROR: There was no problem. All requested information was delivered.
- SERVFAIL: The requested name exists, but there's no data available or the data is invalid.
- NXDOMAIN: The requested name doesn't exist.
- REFUSED: The zone doesn't exist at the name server.
I'll go into more detail of the other information when we talk about the usage.
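As an added example (not part of the original post), the status field and the ANSWER count from lines 4 and 5 can be turned into an exit code that a monitoring or triage script can act on. The function names and the sample response are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read one full dig response on stdin and turn its header
# status into a script-friendly verdict and exit code.
# Usage (needs network): dig example.com | classify_response; echo $?

# Constructed sample in the shape of the output shown above.
sample_output() {
cat <<'EOF'
; <<>> DiG 9.18.12 <<>> missing.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
}

# Print the status value from the ->>HEADER<<- line.
dig_status() {
  sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER count from the flags line.
dig_answer_count() {
  sed -n 's/^;; flags:.* ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# Print "STATUS answers=N" and return a distinct code per outcome.
classify_response() {
  local out status answers
  out=$(cat)
  status=$(printf '%s\n' "$out" | dig_status)
  answers=$(printf '%s\n' "$out" | dig_answer_count)
  echo "${status:-NOHEADER} answers=${answers:-0}"
  case "$status" in
    # NOERROR with zero answers: the name exists but has no record of this type.
    NOERROR)  [ "${answers:-0}" -gt 0 ] && return 0; return 1 ;;
    NXDOMAIN) return 2 ;;
    SERVFAIL) return 3 ;;
    REFUSED)  return 4 ;;
    # No header at all (for example +short output or a timeout) or another status.
    *)        return 5 ;;
  esac
}
```
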
Basic commands
- To get the version of dig: -v
- To get more information: -h or man dig
- Choose the DNS record type: dig ittavern.com mx
  - this would be an example of requesting an MX record. The default is an A record.
  - you can add the flag -t in front of it to separate it from the rest and make it more verbose
  - the ANY request to get all entries won't be answered from most name servers
  - I couldn't find a way to request all records for a domain without a script
- Start a reverse lookup: -x
  - if you want to look up a name behind an IP
  - you don't have to specify the PTR type or IN class.
- Choose a specific name server with @: dig @9.9.9.9 ittavern.com
- Specify the source IP and source port: -b address[#port]
  dig ittavern.com -b 10.10.10.10#12345
- Specify the destination port: -p port # the default port is 53, but some name servers listen on another one.
- Send query over TCP: +tcp
  - the default is UDP
- Specify the query class: -c CLASS # default is IN
- Specify the IP version:
  - -4 # IPv4
  - -6 # IPv6
Multiple queries
You can write them in a single command one after the other, like the following example, or use a batch file as described in the following section.
dig ittavern.com ittavern.com mx brrl.net
Using a batch file
Simply use batch files when you have a high number of requests. Each request goes on its own line.
Use the -f flag to do so.
Sample file:
kuser@pleasejustwork:~$ cat batch.txt
ittavern.com a
ittavern.com mx
brrl.net a
- You then can tell dig to use this file to send the queries:
dig -f batch.txt
You can use the usual options to shorten the output:
kuser@pleasejustwork:~$ dig -f batch.txt +short
95.216.194.187
10 mxext2.mailbox.org.
10 mxext1.mailbox.org.
20 mxext3.mailbox.org.
94.130.76.189
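Since ANY is rarely answered, one scripted approach is to generate a batch file with one line per record type and hand it to dig -f. This is an added example, not from the original post: the function names and the list of record types are assumptions, and +noall +answer are standard dig options that are not covered in this post.

```bash
#!/usr/bin/env bash
# Added example: build a dig batch file that asks for several record types
# per name, then run it with -f.

# Record types to request for every name (adjust as needed).
RECORD_TYPES="A AAAA MX NS TXT SOA CAA"

# Each batch line is read like dig command-line arguments, so a name that
# starts with -, + or @ would be taken as an option or a server. Accept only
# plain host name characters when the list comes from an untrusted source.
valid_name() {
  case "$1" in
    ""|-*|+*|@*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print one "name type" line per name and record type; skip invalid names.
make_batch() {
  for name in "$@"; do
    if ! valid_name "$name"; then
      echo "skipping invalid name: $name" >&2
      continue
    fi
    for type in $RECORD_TYPES; do
      printf '%s %s\n' "$name" "$type"
    done
  done
}

# Run all queries in one dig call and show only the answer sections.
# Needs network access, e.g.: query_all ittavern.com brrl.net
query_all() {
  batch=$(mktemp) || return 1
  make_batch "$@" > "$batch"
  dig -f "$batch" +noall +answer
  rc=$?
  rm -f "$batch"
  return $rc
}
```
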
Verbosity
As mentioned before, without additional options, dig provides you with a lot of information by default - more than nslookup or host.
To get less information, simply use +short:
kuser@pleasejustwork:~$ dig +short ittavern.com
95.216.194.187
To get even more information, use +trace:
kuser@pleasejustwork:~$ dig +trace ittavern.com
; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> +trace ittavern.com
;; global options: +cmd
. 40164 IN NS l.root-servers.net.
. 40164 IN NS m.root-servers.net.
. 40164 IN NS f.root-servers.net.
. 40164 IN NS d.root-servers.net.
. 40164 IN NS e.root-servers.net.
. 40164 IN NS b.root-servers.net.
. 40164 IN NS c.root-servers.net.
. 40164 IN NS a.root-servers.net.
. 40164 IN NS h.root-servers.net.
. 40164 IN NS k.root-servers.net.
. 40164 IN NS g.root-servers.net.
. 40164 IN NS j.root-servers.net.
. 40164 IN NS i.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 40 ms
;; communications error to 199.7.91.13#53: connection refused
;; communications error to 199.7.91.13#53: connection refused
;; communications error to 199.7.91.13#53: connection refused
;; communications error to 202.12.27.33#53: connection refused
;; communications error to 192.112.36.4#53: connection refused
[...]
It gives you more insight into the DNS process.
Conclusion
I hope this blog post will help you to get started with dig. It provides even more options to troubleshoot certain issues, but I'll tackle those topics in a separate post.