Nov 30 2009
 

How to use the dig command

dig is a command-line tool for querying DNS name servers for information about host addresses, mail exchanges, name servers, and related information.

Understanding the default output

The most typical, simplest query is for a single host. By default, however, dig is pretty verbose. You probably don’t need all the information in the default output, but it’s probably worth knowing what it is. Below is an annotated query.

$ dig www.isc.org

That’s the command-line invocation of dig I used.

; <<>> DiG 9.2.3 <<>> www.isc.org
;; global options: printcmd

The opening section of dig’s output tells us a little about itself (version 9.2.3) and the global options that are set (in this case, printcmd). This part of the output can be suppressed with the +nocmd option, but only if it’s the very first argument on the command line (even preceding the host you’re querying).

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

Here, dig tells us some technical details about the answer received from the DNS server. This section of the output can be toggled using the +[no]comments option—but beware that disabling the comments also turns off many section headers.

;; QUESTION SECTION:
;www.isc.org. IN A

In the question section, dig reminds us of our query. The default query is for an Internet address (A). You can turn this output on or off using the +[no]question option.

;; ANSWER SECTION:
www.isc.org. 600 IN A 204.152.184.88

Finally, we get our answer: the address of www.isc.org is 204.152.184.88. I don’t know why you’d ever want to turn off the answer, but you can toggle this section of the output using the +[no]answer option.

;; AUTHORITY SECTION:
isc.org. 2351 IN NS ns-int.isc.org.
isc.org. 2351 IN NS ns1.gnac.com.
isc.org. 2351 IN NS ns-ext.isc.org.

The authority section tells us what DNS servers can provide an authoritative answer to our query. In this example, isc.org has three name servers. You can toggle this section of the output using the +[no]authority option.

;; ADDITIONAL SECTION:
ns1.gnac.com. 171551 IN A 209.182.216.75
ns-int.isc.org. 2351 IN A 204.152.184.65
ns-int.isc.org. 2351 IN AAAA 2001:4f8:0:2::15

The additional section typically includes the IP addresses of the DNS servers listed in the authority section. This section of the output can be toggled with the +[no]additional option.

;; Query time: 2046 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 27 08:22:26 2004
;; MSG SIZE rcvd: 173

The final section of the default output contains statistics about the query; it can be toggled with the +[no]stats option.

What can I discover?

dig will let you perform any valid DNS query, the most common of which are A (the IP address), TXT (text annotations), MX (mail exchanges), NS (name servers), or the omnibus ANY.
# get the address(es) for yahoo.com
dig yahoo.com A +noall +answer

# get a list of yahoo's mail servers
dig yahoo.com MX +noall +answer

# get a list of DNS servers authoritative for yahoo.com
dig yahoo.com NS +noall +answer

# get all of the above
dig yahoo.com ANY +noall +answer

More obscurely, for the present anyway, you can also poll for a host’s IPv6 address using the AAAA option.

dig www.isc.org AAAA +short

If the domain you want to query allows DNS transfers, you can get those, too. The reality of life on the Internet, however, is that very few domains allow unrestricted transfers these days.

dig yourdomain.com AXFR

How to get a short answer?

When all you want is a quick answer, the +short option is your friend:

$ dig www.isc.org +short
204.152.184.88

Get a not-quite-so-short answer?

Note that a short answer is different from only an answer. The way to get a detailed answer, but without any auxiliary information, is to turn off all the results (+noall) and then turn on only those sections you want.

Here’s a short answer followed by only an answer; the latter includes all the configuration information, including time-to-live (TTL) data, displayed in a format compatible with BIND configuration files.

$ dig fsf.org mx +short
20 mx20.gnu.org.
30 mx30.gnu.org.
10 mx10.gnu.org.

$ dig +nocmd fsf.org mx +noall +answer
fsf.org. 3583 IN MX 30 mx30.gnu.org.
fsf.org. 3583 IN MX 10 mx10.gnu.org.
fsf.org. 3583 IN MX 20 mx20.gnu.org.

Get a long answer?

According to its man page, the +multiline option will give you an answer with “the SOA records in a verbose multi-line format with human-readable comments.” In general, the answers retrieved using the +multiline option will appear more like BIND config files than they will without it.

$ dig +nocmd ogi.edu any +multiline +noall +answer
ogi.edu. 14267 IN A 129.95.59.31
ogi.edu. 14267 IN MX 5 cse.ogi.edu.
ogi.edu. 14267 IN MX 15 hermes.admin.ogi.edu.
ogi.edu. 14267 IN SOA zeal.admin.ogi.edu. hostmaster.admin.ogi.edu. (
        200408230 ; serial
        14400 ; refresh (4 hours)
        900 ; retry (15 minutes)
        3600000 ; expire (5 weeks 6 days 16 hours)
        14400 ; minimum (4 hours)
        )
ogi.edu. 14267 IN NS zeal.admin.ogi.edu.
ogi.edu. 14267 IN NS cse.ogi.edu.
ogi.edu. 14267 IN NS fork.admin.ogi.edu.

Do a reverse lookup?

Use the -x option to look up the main hostname associated with an IP address.

$ dig -x 204.152.184.167 +short
mx-1.isc.org.

In a loop, this is a slick way to map the names in a given subnet:

#!/bin/bash
# first three octets of the subnet to map
NET=18.7.22
for n in $(seq 1 254); do
  ADDR=${NET}.${n}
  # print the address, a tab, and its PTR name (empty if none)
  echo -e "${ADDR}\t$(dig -x "${ADDR}" +short)"
done

Query a different nameserver?

Just specify it on the command line:

dig @ns1.google.com www.google.com

Use the search list in /etc/resolv.conf?

The host utility will automatically use the search list in your /etc/resolv.conf file.

$ host www
www.madboa.com has address 65.102.49.170

By default, however, dig doesn’t—which may produce some unexpected results. If you want to use local hostnames instead of fully qualified domain names, use the +search option.

dig www +search

Do bulk lookups?

If you want to look up a large number of hostnames, you can put them in a file (one name per line) and use the -f option to query each one in turn.

# do full lookups for a number of hostnames
dig -f /path/to/host-list.txt

# the same, with more focused output
dig -f /path/to/host-list.txt +noall +answer

As far as I can tell, dig versions up to and including 9.2.3 are unable to do reverse lookups using the -f option.
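With +noall +answer, a name that fails to resolve prints nothing at all, so failures vanish from a bulk run. The following added example (not part of the original article) reads the status and ANSWER count from the header lines described under "Understanding the default output"; the function names classify_dig and bulk_status and the NXDOMAIN and NODATA samples are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Reads dig output that includes the
# header comments and prints: OK <n> | NODATA | NXDOMAIN | <other status> | NOREPLY
classify_dig() {
    awk '
        /^;;/ {
            for (i = 1; i < NF; i++) {
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
                if ($i == "ANSWER:") { answers = $(i + 1); sub(/,$/, "", answers) }
            }
        }
        END {
            if (status == "")             print "NOREPLY"   # no header: timeout or no server
            else if (status != "NOERROR") print status      # NXDOMAIN, SERVFAIL, REFUSED
            else if (answers + 0 == 0)    print "NODATA"    # name exists, no record of that type
            else                          print "OK " answers
        }'
}

# Like dig -f, but one line per name so failed lookups stay visible.
# $1 is a host list (one name per line); $2 is the record type (default A).
bulk_status() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        out=$(dig "$name" "${2:-A}" +noall +comments </dev/null)
        printf '%s\t%s\n' "$name" "$(printf '%s\n' "$out" | classify_dig)"
    done < "$1"
}

# Sample headers: the first is the one shown in the article, the others are constructed.
SAMPLE_OK=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3'
SAMPLE_NX=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_NODATA=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

for s in "$SAMPLE_OK" "$SAMPLE_NX" "$SAMPLE_NODATA"; do
    printf '%s\n' "$s" | classify_dig
done
```

Run bulk_status /path/to/host-list.txt to get one tab-separated line per name; NXDOMAIN and SERVFAIL entries are the ones plain +noall +answer output would have hidden.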
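To confirm that the name servers of a zone you operate refuse the AXFR request shown earlier, the following added example (not from the original article) classifies dig's transfer output. The function names axfr_verdict and audit_zone and the example.com sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Reads the output of
# "dig @server zone AXFR" and prints OPEN <records> | REFUSED | UNKNOWN.
# A complete transfer begins and ends with the zone's SOA record, so two
# SOA lines among the records mean the server handed over the zone.
axfr_verdict() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^;/ || NF < 5       { next }      # skip comments and blank lines
        { records++; if ($4 == "SOA") soa++ }
        END {
            if (soa >= 2)    print "OPEN " records
            else if (failed) print "REFUSED"
            else             print "UNKNOWN"   # timeout or truncated output
        }'
}

# Check every name server listed for a zone you operate ($1).
audit_zone() {
    for ns in $(dig "$1" NS +short); do
        printf '%s\t%s\n' "$ns" "$(dig "@$ns" "$1" AXFR </dev/null | axfr_verdict)"
    done
}

# Constructed sample output for a refused and a served transfer.
SAMPLE_REFUSED='; <<>> DiG 9.x <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: printcmd
; Transfer failed.'
SAMPLE_OPEN='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.53
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
;; XFR size: 4 records (messages 1, bytes 200)'

printf '%s\n' "$SAMPLE_REFUSED" | axfr_verdict
printf '%s\n' "$SAMPLE_OPEN" | axfr_verdict
```

An OPEN verdict from a host outside your set of secondaries means that server's transfer ACL (allow-transfer in BIND) needs to be restricted.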

 Posted by at 11:48 pm