How to Use dig

When you’re trying to troubleshoot DNS issues, dig (domain information groper) is one of the most valuable tools.

From the dig manual:

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

An example:

$ dig dnsimple.com

; <<>> DiG 9.8.3-P1 <<>> dnsimple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnsimple.com.			IN	A

;; ANSWER SECTION:
dnsimple.com.		59	IN	A	50.31.213.210

;; Query time: 294 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb  3 11:17:13 2015
;; MSG SIZE  rcvd: 46

What this output tells you

  • Line one shows the dig version that was used and the domain queried.
  • Then you see any global dig options, followed by packet details in human-readable form.
  • NOERROR indicates the response was returned without an error.
  • The line ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 provides various details about the DNS packet (RFC 1035 has an in-depth explanation of the content of a DNS packet).
  • The QUESTION section shows the question that was sent: “I want A records for dnsimple.com.”
  • The ANSWER section shows the reply: “dnsimple.com has one A record with the content 50.31.213.210 and a time-to-live (TTL) of 59 seconds.”
  • The footer shows how long the query took, which server was used, when the query ran, and the packet size.

dig at a name server

What else can you do with dig? The first example uses the name servers configured locally. In that example, it’s the Google public resolver at 8.8.8.8.

You can also specify a name server:

$ dig @ns1.dnsimple.com dnsimple.com

; <<>> DiG 9.8.3-P1 <<>> @ns1.dnsimple.com dnsimple.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35081
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dnsimple.com.			IN	A

;; ANSWER SECTION:
dnsimple.com.		60	IN	A	50.31.213.210

;; Query time: 145 msec
;; SERVER: 198.241.10.53#53(198.241.10.53)
;; WHEN: Tue Feb  3 11:28:02 2015
;; MSG SIZE  rcvd: 46
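As an added example (not from the original article), the shell functions below read the two responses shown so far, extract the status and header flags, and compare the resolver's answer with the one that carries the aa (authoritative answer) flag from ns1.dnsimple.com. The function and variable names are assumptions, and the sample input is constructed from the output on this page.

```shell
#!/bin/sh
# Added example. Constructed input: the two responses shown above, trimmed to
# the lines the parser reads (whitespace normalized).
RESOLVER_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
dnsimple.com. 59 IN A 50.31.213.210

;; SERVER: 8.8.8.8#53(8.8.8.8)'
AUTH_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35081
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
dnsimple.com. 60 IN A 50.31.213.210

;; SERVER: 198.241.10.53#53(198.241.10.53)'

# Response code from the HEADER line (NOERROR, NXDOMAIN, SERVFAIL, ...).
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# Header flags, space separated (for example "qr aa rd").
dig_flags() { printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'; }

# Succeeds only when the aa (authoritative answer) flag is set.
is_authoritative() {
  case " $(dig_flags "$1") " in *" aa "*) return 0 ;; *) return 1 ;; esac
}

# Sorted "record type, last RDATA field" pairs from the ANSWER section.
# TTLs are ignored because a cache counts them down.
dig_answers() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/ || /^;/          { in_ans = 0 }
    in_ans                { print $4, $NF }' | sort
}

# $1 = resolver response, $2 = response from the zone's own name server.
# Prints match, mismatch, or unverified (reference is not an aa NOERROR reply).
compare_answers() {
  if ! is_authoritative "$2" || [ "$(dig_status "$2")" != "NOERROR" ]; then
    echo unverified; return 0
  fi
  if [ "$(dig_answers "$1")" = "$(dig_answers "$2")" ]; then echo match
  else echo mismatch; fi
}

compare_answers "$RESOLVER_OUT" "$AUTH_OUT"
```

Against live servers, pass "$(dig dnsimple.com)" and "$(dig @ns1.dnsimple.com dnsimple.com)" as the two arguments. A mismatch is a reason to investigate rather than proof of tampering, since stale caches and load-balanced records also produce one.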

+trace

Another useful option is +trace. This causes dig to make iterative queries to resolve the name being looked up. It starts from the root name servers and works its way through the domain name hierarchy.

$ dig +trace dnsimple.com

; <<>> DiG 9.8.3-P1 <<>> +trace dnsimple.com
;; global options: +cmd
.			21456	IN	NS	a.root-servers.net.
.			21456	IN	NS	b.root-servers.net.
.			21456	IN	NS	c.root-servers.net.
.			21456	IN	NS	d.root-servers.net.
.			21456	IN	NS	e.root-servers.net.
.			21456	IN	NS	f.root-servers.net.
.			21456	IN	NS	g.root-servers.net.
.			21456	IN	NS	h.root-servers.net.
.			21456	IN	NS	i.root-servers.net.
.			21456	IN	NS	j.root-servers.net.
.			21456	IN	NS	k.root-servers.net.
.			21456	IN	NS	l.root-servers.net.
.			21456	IN	NS	m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 740 ms

com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
;; Received 490 bytes from 192.112.36.4#53(192.112.36.4) in 1849 ms

dnsimple.com.		172800	IN	NS	ns1.dnsimple.com.
dnsimple.com.		172800	IN	NS	ns2.dnsimple-edge.net.
dnsimple.com.		172800	IN	NS	ns3.dnsimple.com.
dnsimple.com.		172800	IN	NS	ns4.dnsimple-edge.org.
;; Received 278 bytes from 192.55.83.30#53(192.55.83.30) in 306 ms

dnsimple.com.		60	IN	A	50.31.213.210
;; Received 46 bytes from 50.31.242.53#53(50.31.242.53) in 55 ms

With +trace enabled, you can see the entire delegation tree.

  • First, the server 8.8.8.8 returns a list of NS records showing the next set of name servers to query. One of those NS records is chosen at random (in this case 192.112.36.4, which is g.root-servers.net). That server is queried and responds with a list of servers that respond for .com. domains.

  • dig then queries 192.55.83.30 (m.gtld-servers.net.), and that name server responds with the ns1.dnsimple.com through ns4.dnsimple.com name servers. One of those is selected at random (50.31.242.53, which is ns3.dnsimple.com). That name server finally returns the authoritative response and the IP address for the A record.
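The walk described above can be checked mechanically. The following added example (not part of the original article) condenses +trace output into one line per hop and verifies that every hop refers to the queried name or one of its parent zones. The function names are assumptions, the input is a trimmed copy of the trace on this page, and the parser assumes the plain format shown here, without DNSSEC records.

```shell
#!/bin/sh
# Added example. Constructed input: the +trace output above, trimmed to two NS
# lines for the root and com. hops (whitespace normalized).
TRACE_OUT='. 21456 IN NS a.root-servers.net.
. 21456 IN NS g.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 740 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 490 bytes from 192.112.36.4#53(192.112.36.4) in 1849 ms

dnsimple.com. 172800 IN NS ns1.dnsimple.com.
dnsimple.com. 172800 IN NS ns2.dnsimple-edge.net.
dnsimple.com. 172800 IN NS ns3.dnsimple.com.
dnsimple.com. 172800 IN NS ns4.dnsimple-edge.org.
;; Received 278 bytes from 192.55.83.30#53(192.55.83.30) in 306 ms

dnsimple.com. 60 IN A 50.31.213.210
;; Received 46 bytes from 50.31.242.53#53(50.31.242.53) in 55 ms'

# One line per hop: "<owner name> <record type> <record count> <sending server>".
trace_hops() {
  printf '%s\n' "$1" | awk '
    /^;; Received/ { split($6, src, "#"); print zone, type, n, src[1]; n = 0; next }
    /^;/ || /^$/   { next }
                   { zone = $1; type = $4; n++ }'
}

# $1 = trace output, $2 = queried name with trailing dot.
# Prints "ok" when every hop names the queried name or one of its parent zones
# and never moves back up the tree; otherwise prints each hop that does not.
trace_check() {
  trace_hops "$1" | awk -v name="$2" '
    function parent_of(z, n) {
      return z == "." || z == n ||
        (length(n) > length(z) && substr(n, length(n) - length(z)) == "." z)
    }
    !parent_of($1, name) || length($1) < prev { print "unexpected " $1 " from " $4; bad = 1 }
    { prev = length($1) }
    END { if (!bad) print "ok" }'
}

trace_hops "$TRACE_OUT"
trace_check "$TRACE_OUT" "dnsimple.com."
```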

Additional common lookups

Querying AAAA (IPv6) records

You can use dig to determine the AAAA record associated with a domain name. The result is contained in the ANSWER section. It contains the fully-qualified domain name (FQDN), the remaining time-to-live (TTL), and the IP address.

$ dig AAAA ns1.dnsimple.com

; <<>> DiG 9.10.6 <<>> AAAA ns1.dnsimple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.dnsimple.com.		IN	AAAA

;; ANSWER SECTION:
ns1.dnsimple.com.	1795	IN	AAAA	2400:cb00:2049:1::a29f:1804

;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 02 19:20:40 CET 2018
;; MSG SIZE  rcvd: 73

Querying CNAME records

You can use dig in your terminal to determine the CNAME record associated with a domain name. The result, contained in the ANSWER section, has the fully-qualified domain name (FQDN), the remaining time-to-live (TTL), and the domain name.

$ dig CNAME www.dnsimple.com

; <<>> DiG 9.10.6 <<>> CNAME www.dnsimple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnsimple.com.		IN	CNAME

;; ANSWER SECTION:
www.dnsimple.com.	3599	IN	CNAME	dnsimple.com.

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 02 20:33:09 CET 2018
;; MSG SIZE  rcvd: 59

Digging deeper

To dig even deeper into dig, open a console and type dig -h for the list of supported options, or man dig for more in-depth details about dig and how it functions.
