dig Command
Purpose
A Domain Name System (DNS) lookup utility.
Syntax
dig [@server] [-b address] [-c class] [-f file] [-k keyfile] [-m] [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:] Keyname:secret] [-4] [-6] [name] [type] [class] [queryopt...]
dig [-h]
dig [global-queryopt...] [query...]
Description
The Domain Information Groper (dig) command is a flexible tool for interrogating Domain Name System (DNS) name servers. It performs DNS lookups and displays the answers that are returned from the queried name servers. Most DNS administrators use the dig command to troubleshoot DNS problems because it is flexible, easy to use, and produces clear output.
Although the dig command is normally used with the command-line arguments, it also has a batch mode to read lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h flag is used. The BIND9 implementation of the dig command allows multiple lookups to be issued from the command line. Unless it is told to query a specific name server, the dig command tries each of the servers that are listed in the /etc/resolv.conf file. If no usable server addresses are found, the dig command sends the query to the local host. If you specify no command-line arguments or options, the dig command performs an NS query for the root.
It is possible to set per-user defaults for the dig command through the ${HOME}/.digrc file. The dig command reads this file and applies any options before the command-line arguments. The -r option disables this feature for scripts that need predictable behavior.
The IN and CH class names overlap with the IN and CH top-level domain names. When you look up these top-level domains, you can either use the -t and -c options to specify the type and class, the -q option to specify the domain name, or the IN and CH names.
Flags
Item | Description |
---|---|
-4 | Allows the dig command to use only the IPv4 query transport. |
-6 | Allows the dig command to use only the IPv6 query transport. |
-b address[#port] | Sets the source IP address of the query. The specified address must be a valid address on one of the network interfaces of the host or 0.0.0.0 or ::. You can specify an optional port by appending the #port parameter value. |
-c class | Sets the query class. The class parameter value is any valid class, such as HS for HESIOD records or CH for CHAOSNET records. |
-f file | Makes the dig command operate in batch mode by reading a list of lookup requests to process from the specified file name. Each entry in the file must be organized in the same way as a query that is presented to the dig command on the command line. |
-h | Prints a brief summary of command-line arguments and options. |
-k keyfile | Specifies a transaction signing (TSIG) or SIG(0) key file that is used to sign the DNS queries sent by the dig command. You can generate key files by using the tsig-keygen command. When you use the TSIG authentication with the dig command, the name server that is queried must identify the key and algorithm that is being used. In BIND, this operation is performed by specifying the appropriate key and server statements in the named.conf file for TSIG and checking the KEY record in zone data for SIG(0). |
-m | Enables memory usage and debugging. |
-p port# | Queries a nonstandard port number on the server. The port# parameter value is the port number that the dig command sends its queries to instead of the standard DNS port number 53. You can use this option to test a name server that is configured to listen for queries on a nonstandard port number. |
-q name | Distinguishes the name from other arguments. Sets the query name to the specified name parameter value. |
-t type | Sets the query type to the type parameter value. It can be any valid query type that is supported in BIND 9 and is specified by the type mnemonic such as NS or AAAA. The default query type is A, unless the -x option is supplied to indicate a reverse lookup. A zone transfer is requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is needed, the type parameter value is set to ixfr=N. The incremental zone transfer contains the changes that were made to the zone since the serial number in the SOA record of the zone was N. All the resource record types can be expressed as type nn, where nn is the number of the type. If the resource record type is not supported in BIND 9, the result is displayed as described in the |
-u | Prints query times in microseconds instead of milliseconds. |
-v | Prints the version number and exits. |
-x addr | Simplifies the reverse lookups (mapping addresses to names). The addr parameter value is an IPv4 address in dotted decimal notation, or a colon-delimited IPv6 address. When you use this option, you do not need to provide the name, class, and type arguments. The dig command automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN. IPv6 addresses are looked up by using a nibble format under the IP6.ARPA domain. |
-y[hmac:] Keyname:secret | Specifies a transaction signing (TSIG) key file to sign the DNS queries sent by the dig command. The keyname denotes the name of the key, secret is the base64-encoded shared secret, and hmac is the name of the key algorithm. The following options are the valid choices for hmac: hmac-md5. If MD5 is disabled, the default value is hmac-sha256. |
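
The -k and -y rows above both sign queries with a TSIG key; with -y the secret is passed as a command-line argument, where process listings and shell history can expose it, so a key file is the safer form. The following shell sketch is an added example, not part of the dig documentation: it vets a key file before passing it to dig -k. The function names, the constructed sample key, and the policy of rejecting hmac-md5 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the dig documentation. The key name, file
# locations and the "reject hmac-md5" rule are assumptions of this sketch.

# check_keyfile FILE: return 0 only if FILE is private to its owner and
# names a non-MD5 algorithm; explain any refusal on stderr.
check_keyfile() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "refusing $f: group/other bits '$mode' set, use chmod 600" >&2
        return 1
    fi
    # Key files carry a statement of the form: algorithm hmac-sha256;
    alg=$(sed -n 's/^[[:space:]]*algorithm[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p' "$f" | head -n 1)
    case "$alg" in
        "")        echo "refusing $f: no algorithm statement" >&2; return 1 ;;
        hmac-md5*) echo "refusing $f: $alg not allowed by local policy" >&2; return 1 ;;
    esac
    return 0
}

# signed_query FILE [dig arguments...]: run dig -k only after the checks pass.
# -r skips ${HOME}/.digrc so per-user defaults cannot alter the query.
signed_query() {
    kf=$1
    shift
    check_keyfile "$kf" || return 1
    dig -r -k "$kf" "$@"
}

# write_sample_key FILE ALGORITHM: constructed key file for the demo below.
write_sample_key() {
    printf 'key "example-key" {\n\talgorithm %s;\n\tsecret "Y29uc3RydWN0ZWQ=";\n};\n' "$2" > "$1"
}

# Offline demo on a constructed key: world-readable is refused, 0600 passes.
tmp=$(mktemp -d)
write_sample_key "$tmp/example.key" hmac-sha256
chmod 644 "$tmp/example.key"
check_keyfile "$tmp/example.key" || echo "0644 key file rejected"
chmod 600 "$tmp/example.key"
check_keyfile "$tmp/example.key" && echo "0600 key file accepted"
rm -rf "$tmp"
```
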
Parameters
Item | Description |
---|---|
global-queryopt... | Global query options. For more information about multiple queries, see Multiple Queries. |
query | Query options. For more information about query options, see Query Options. |
IDN SUPPORT
If the dig command is built with internationalized domain name (IDN) support, it can accept and display non-ASCII domain names. The dig command converts the character encoding of the domain name before sending a request to the DNS server or displaying a reply from the server. To turn off the IDN support, use the +idnin and +idnout parameters, or define the IDN_DISABLE environment variable.
Exit Status
Item | Description |
---|---|
0 | Indicates that the DNS response is received, including NXDOMAIN status. |
1 | Indicates usage errors. |
8 | Unable to open the batch file. |
9 | Indicates no reply from the server. |
10 | Indicates internal error. |
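
Because exit status 0 covers every received reply, NXDOMAIN included, a script that tests only the exit status cannot tell an existing name from a missing one. The following shell functions are an added example, not part of the dig documentation; the function names and sample header lines are constructed, and the parser assumes the full output of dig rather than the +short form.

```shell
#!/bin/sh
# Added example, not part of the dig documentation. Function names and the
# sample replies are constructed for illustration.

# classify_dig RC OUTPUT: combine dig's exit status with the rcode in the
# ";; ->>HEADER<<-" line. Needs full output (+short prints no header).
classify_dig() {
    rc=$1
    out=$2
    case "$rc" in
        0)  ;;                                  # a reply arrived, rcode unknown
        1)  echo usage-error; return 0 ;;
        8)  echo batch-file-unreadable; return 0 ;;
        9)  echo no-reply; return 0 ;;
        10) echo internal-error; return 0 ;;
        *)  echo "unexpected-exit-$rc"; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)  if [ "${answers:-0}" -gt 0 ]; then echo answer; else echo nodata; fi ;;
        NXDOMAIN) echo nxdomain ;;
        "")       echo unparsed ;;
        *)        echo "rcode-$status" ;;
    esac
}

# lookup [dig arguments...]: live query; requires dig and a reachable server.
# -r ignores ${HOME}/.digrc so the output format is predictable.
lookup() {
    if out=$(dig -r +tries=1 +time=3 "$@" 2>&1); then rc=0; else rc=$?; fi
    classify_dig "$rc" "$out"
}

# Constructed header lines in the layout dig prints for a full reply.
NX_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
OK_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Both replies arrive with exit status 0; only the header tells them apart.
echo "NXDOMAIN reply, exit 0 -> $(classify_dig 0 "$NX_REPLY")"
echo "answer reply, exit 0   -> $(classify_dig 0 "$OK_REPLY")"
echo "timeout, exit 9        -> $(classify_dig 9 '')"
```
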
Examples
dig @server name type
where:
- server
- The name or IP address of the name server to query. The server can be an IPv4 address in dotted decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a hostname, the dig command resolves that name before querying the name server. If no server argument is provided, the dig command consults the /etc/resolv.conf file. If an address is found, the dig command queries the name server at that address. If either the -4 or the -6 option is in use, then only addresses for the corresponding transport are tried. If no usable addresses are found, the dig command sends the query to the local host. The reply from the name server that responds is displayed.
- name
- The name of the resource record to be looked up.
- type
- Indicates the type of query that is needed. For example, ANY, A, MX, SIG, and so on. The type argument value can be any valid query type. If no type argument is supplied, the dig command performs a lookup for an A record.
Files
/etc/resolv.conf
${HOME}/.digrc