
Most DNS tools show you the answer. Dig shows you the conversation.

When you ask "what's the IP for example.com?", dig doesn't just return an address. It shows you which server answered, how long the query took, how long you can cache the result, and every detail of the exchange. This transparency transforms DNS from a black box into something you can understand and debug.

Basic Usage

The simplest dig command:

dig example.com

This produces detailed output. Let's decode it.

Reading the Output

; <<>> DiG 9.18.1 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            86400   IN      A       93.184.216.34

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan 15 10:30:45 EST 2024
;; MSG SIZE  rcvd: 56

The header tells you the query status. NOERROR means success. You'll also see NXDOMAIN (domain doesn't exist), SERVFAIL (server error), or REFUSED (server won't answer you).

The flags reveal the response characteristics:

  • qr: This is a response (not a query)
  • rd: You asked for recursive resolution
  • ra: The server supports recursion
  • aa: Authoritative answer (appears when the response comes directly from the domain's nameserver, not from cache)

The question section echoes what you asked: "What is the A record for example.com?"

The answer section contains the goods:

  • example.com. — the domain
  • 86400 — TTL in seconds (24 hours). This is how long the answer can be cached.
  • IN — Internet class
  • A — record type
  • 93.184.216.34 — the answer

The statistics show query time (12ms), which server answered (192.168.1.1), and when.
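The fields decoded above can also be pulled out by a script. The POSIX sh functions below are an added example, not part of the original page: each one reads a full dig response on stdin and returns one field (status, flag list, answer records, smallest TTL, query time, answering server). The sample response embedded in the block is a constructed copy of the one shown above, and the function names are my own.

```shell
# Parse the parts of a dig response that matter to a script.
# Added example, not from the page; function names are assumptions.
# Every function reads a complete dig response on stdin.

# Constructed copy of the sample response shown above.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.18.1 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            86400   IN      A       93.184.216.34

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan 15 10:30:45 EST 2024
;; MSG SIZE  rcvd: 56'

# Status from the HEADER line: NOERROR, NXDOMAIN, SERVFAIL, REFUSED ...
dig_status() {
  sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# The flag list, e.g. "qr rd ra" (an authoritative server adds "aa").
dig_flags() {
  sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Succeeds (exit 0) when the named flag is set, e.g.: dig_has_flag aa
dig_has_flag() {
  dig_flags | tr ' ' '\n' | grep -qx "$1"
}

# Answer-section records with whitespace normalised: "name ttl class type rdata"
dig_answers() {
  awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
       /^;;/ || /^$/        { in_ans = 0 }
       in_ans               { $1 = $1; print }'
}

# Smallest TTL across the answer records: how long the whole answer stays cacheable.
dig_min_ttl() {
  dig_answers | awk 'NR == 1 || $2 < min { min = $2 } END { if (NR) print min }'
}

# Query time in milliseconds, and the address of the server that answered.
dig_query_ms() { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }
dig_server()   { sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }

# One-line summary of a response read on stdin.
dig_summary() {
  resp=$(cat)
  if printf '%s\n' "$resp" | dig_has_flag aa; then
    origin=authoritative
  else
    origin=non-authoritative   # no aa flag: a resolver answered, usually from its cache
  fi
  printf 'status=%s flags="%s" ttl=%s ms=%s server=%s origin=%s\n' \
    "$(printf '%s\n' "$resp" | dig_status)" \
    "$(printf '%s\n' "$resp" | dig_flags)" \
    "$(printf '%s\n' "$resp" | dig_min_ttl)" \
    "$(printf '%s\n' "$resp" | dig_query_ms)" \
    "$(printf '%s\n' "$resp" | dig_server)" \
    "$origin"
}

# Run against the constructed sample (for a live query: dig example.com | dig_summary)
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | dig_summary
```

On the sample this prints `status=NOERROR flags="qr rd ra" ttl=86400 ms=12 server=192.168.1.1 origin=non-authoritative`. Taking the minimum TTL rather than the first one matters when an answer carries several records (a CNAME hop plus the A record it points at, for instance): a cache may only keep the whole answer for as long as its shortest-lived record.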

Querying Different Record Types

dig example.com A        # IPv4 address
dig example.com AAAA     # IPv6 address
dig example.com MX       # Mail servers
dig example.com NS       # Nameservers
dig example.com TXT      # Text records (SPF, DKIM, verification)
dig example.com SOA      # Start of Authority
dig www.example.com CNAME  # Canonical name (alias)

Querying Specific Servers

By default, dig uses your system's DNS resolver. To query a specific server:

dig @8.8.8.8 example.com        # Google DNS
dig @1.1.1.1 example.com        # Cloudflare DNS
dig @208.67.222.222 example.com # OpenDNS

To see the authoritative answer (bypassing all caches), first find the nameservers:

dig example.com NS +short

Then query one directly:

dig @ns1.example.com example.com

This shows the official current record, not a cached copy.

Controlling Output

Just the answer:

dig +short example.com

Returns only:

93.184.216.34

Perfect for scripts.

Answer section with details:

dig +noall +answer example.com

Returns:

example.com.            86400   IN      A       93.184.216.34

Trace the entire resolution path:

dig +trace example.com

This is genuinely magical. You watch your query travel from root servers (.) through TLD servers (.com.) to the authoritative nameservers. It's like watching a letter get sorted through the postal system in real time.

Reverse Lookups

Given an IP, find its hostname:

dig -x 93.184.216.34

This queries PTR records.

Practical Troubleshooting

Have DNS changes propagated?

Compare authoritative and public DNS:

dig @ns1.example.com example.com +short  # Authoritative
dig @8.8.8.8 example.com +short          # Public

If they differ, the change hasn't fully propagated: the public resolver is still serving its cached copy and will only fetch the new record once the old one's TTL runs out.

When will the cache expire?

The TTL tells you. Query twice with a gap:

dig example.com
# wait 30 seconds
dig example.com

Watch the TTL decrease. When it hits zero, the record will be fetched fresh.

Is the response authoritative or cached?

Look for the aa flag. Present means the answer is authoritative. Absent means it came from a recursive resolver, normally out of its cache, rather than from the domain's own nameserver.

Debug a CNAME chain:

dig www.example.com

The answer section shows each hop in the chain.

Verify mail configuration:

dig example.com MX +short

Shows mail servers and priorities. Then verify they resolve:

dig mail.example.com A +short

Advanced Options

Force TCP (instead of UDP):

dig +tcp example.com

Useful for testing firewalls or large responses.

Set timeout:

dig +time=2 example.com

Wait only 2 seconds.

Query DNSSEC:

dig +dnssec example.com

Shows the cryptographic signatures (RRSIG records) if the domain uses DNSSEC. Note that +dnssec only asks for the signatures and displays them; whether the resolver actually validated them is indicated by the ad flag in the response.

Multiline TXT records:

dig +multiline example.com TXT

Makes long records readable.

Status Codes

When things go wrong, the status tells you why:

  • NOERROR: Success (even if the answer section is empty—domain exists but has no records of that type)
  • NXDOMAIN: Domain doesn't exist
  • SERVFAIL: Server encountered an error (often misconfigured nameservers)
  • REFUSED: Server won't answer you (access restrictions)

Script-Friendly Patterns

# Get the IP
IP=$(dig +short example.com)

# Get first IP if multiple exist
IP=$(dig +short example.com | head -n 1)

# Check all nameservers return same answer
for ns in $(dig +short example.com NS); do
  echo "$ns: $(dig @$ns example.com A +short)"
done
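One caveat with the patterns above, and with the "Have DNS changes propagated?" comparison in the troubleshooting section: `dig +short` prints nothing for NXDOMAIN, SERVFAIL and REFUSED as well as for a name that exists but has no record of the requested type, so a script built only on it cannot tell "no such record" from "the resolver is failing". The POSIX sh helpers below are an added example, not code from the original page. They classify the status line and answer section of `dig +noall +comments +answer` output, then compare the classified results from several servers. The function names, the NORESPONSE label for a reply with no header, and the captured replies are my own constructions.

```shell
# Script-safe dig: tell "no record" from "lookup failed" and check that several
# servers agree. Added example, not from the page; names are assumptions.

# Classify a dig response read on stdin (output of dig +noall +comments +answer).
# Prints exactly one line:
#   ok <rdata...>     NOERROR with answer records (rdata only, sorted)
#   empty             NOERROR but no records of the requested type
#   error <STATUS>    NXDOMAIN, SERVFAIL, REFUSED, or NORESPONSE (assumed label)
#                     when dig printed no header: timeout, no server reachable
classify_response() {
  resp=$(cat)
  status=$(printf '%s\n' "$resp" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
  rdata=$(printf '%s\n' "$resp" | awk '
      /^;; ANSWER SECTION:/ { a = 1; next }
      /^;;/ || /^$/        { a = 0 }
      a { out = $5; for (i = 6; i <= NF; i++) out = out " " $i; print out }' | sort)
  case "$status" in
    '')      echo 'error NORESPONSE' ;;
    NOERROR) if [ -n "$rdata" ]; then
               printf 'ok %s\n' "$(printf '%s\n' "$rdata" | tr '\n' ' ' | sed 's/ $//')"
             else
               echo empty
             fi ;;
    *)       printf 'error %s\n' "$status" ;;
  esac
}

# Live wrapper (needs network): resolve NAME TYPE [SERVER]  ->  one classified line
resolve() {
  if [ -n "$3" ]; then
    dig "@$3" "$1" "$2" +noall +comments +answer
  else
    dig "$1" "$2" +noall +comments +answer
  fi | classify_response
}

# Read "label<TAB>result" lines; exit 0 if every result is identical,
# otherwise print all lines and exit 1.
answers_agree() {
  awk -F '\t' '
    NR == 1      { first = $2 }
    $2 != first  { bad = 1 }
                 { line[NR] = $0 }
    END { if (bad) for (i = 1; i <= NR; i++) print line[i]; exit bad + 0 }'
}

# Status-aware propagation check (live form, not run here):
#   printf 'ns1\t%s\npublic\t%s\n' "$(resolve example.com A ns1.example.com)" \
#                                  "$(resolve example.com A 8.8.8.8)" | answers_agree

# Constructed captures standing in for live replies.
AUTH_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.            3600    IN      A       93.184.216.35
example.com.            3600    IN      A       93.184.216.34'

CACHED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.com.            1187    IN      A       93.184.216.34'

NXDOMAIN_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

EMPTY_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# The authoritative server already has a second address; the public resolver
# is still serving the old single-record answer, so the check reports a mismatch.
printf 'authoritative\t%s\npublic\t%s\n' \
  "$(printf '%s\n' "$AUTH_REPLY" | classify_response)" \
  "$(printf '%s\n' "$CACHED_REPLY" | classify_response)" | answers_agree \
  || echo 'answers differ: change not yet propagated (or a stale cache)'
```

Sorting the rdata before comparing means two servers that return the same set of records in a different order (round-robin A records, for example) are correctly reported as agreeing, while a genuine difference in the set, or one server returning `error SERVFAIL` while another returns `ok ...`, is not.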
