1DIG(1)                               BIND9                              DIG(1)
2
3
4

NAME

6       dig - DNS lookup utility
7

SYNOPSIS

9       dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
10           [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key]
11           [[-4] | [-6]] [name] [type] [class] [queryopt...]
12
13       dig [-h]
14
15       dig [global-queryopt...] [query...]
16

DESCRIPTION

18       dig is a flexible tool for interrogating DNS name servers. It performs
19       DNS lookups and displays the answers that are returned from the name
20       server(s) that were queried. Most DNS administrators use dig to
21       troubleshoot DNS problems because of its flexibility, ease of use and
22       clarity of output. Other lookup tools tend to have less functionality
23       than dig.
24
25       Although dig is normally used with command-line arguments, it also has
26       a batch mode of operation for reading lookup requests from a file. A
27       brief summary of its command-line arguments and options is printed when
28       the -h option is given. Unlike earlier versions, the BIND 9
29       implementation of dig allows multiple lookups to be issued from the
30       command line.
31
32       Unless it is told to query a specific name server, dig will try each of
33       the servers listed in /etc/resolv.conf. If no usable server addresses
34       are found, dig will send the query to the local host.
35
36       When no command line arguments or options are given, dig will perform
37       an NS query for "." (the root).
38
39       It is possible to set per-user defaults for dig via ${HOME}/.digrc.
40       This file is read and any options in it are applied before the command
41       line arguments.
42
43       The IN and CH class names overlap with the IN and CH top level domain
44       names. Either use the -t and -c options to specify the type and class,
45       use the -q the specify the domain name, or use "IN." and "CH." when
46       looking up these top level domains.
47

SIMPLE USAGE

49       A typical invocation of dig looks like:
50
51            dig @server name type
52
53       where:
54
55       server
56           is the name or IP address of the name server to query. This can be
57           an IPv4 address in dotted-decimal notation or an IPv6 address in
58           colon-delimited notation. When the supplied server argument is a
59           hostname, dig resolves that name before querying that name server.
60
61           If no server argument is provided, dig consults /etc/resolv.conf;
62           if an address is found there, it queries the name server at that
63           address. If either of the -4 or -6 options are in use, then only
64           addresses for the corresponding transport will be tried. If no
65           usable addresses are found, dig will send the query to the local
66           host. The reply from the name server that responds is displayed.
67
68       name
69           is the name of the resource record that is to be looked up.
70
71       type
72           indicates what type of query is required — ANY, A, MX, SIG, etc.
73           type can be any valid query type. If no type argument is supplied,
74           dig will perform a lookup for an A record.
75

OPTIONS

77       -4
78           Use IPv4 only.
79
80       -6
81           Use IPv6 only.
82
83       -b address[#port]
84           Set the source IP address of the query. The address must be a valid
85           address on one of the host's network interfaces, or "0.0.0.0" or
86           "::". An optional port may be specified by appending "#<port>"
87
88       -c class
89           Set the query class. The default class is IN; other classes are HS
90           for Hesiod records or CH for Chaosnet records.
91
92       -f file
93           Batch mode: dig reads a list of lookup requests to process from the
94           given file. Each line in the file should be organized in the same
95           way they would be presented as queries to dig using the
96           command-line interface.
97
98       -i
99           Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT domain,
100           which is no longer in use. Obsolete bit string label queries (RFC
101           2874) are not attempted.
102
103       -k keyfile
104           Sign queries using TSIG using a key read from the given file. Key
105           files can be generated using tsig-keygen(8). When using TSIG
106           authentication with dig, the name server that is queried needs to
107           know the key and algorithm that is being used. In BIND, this is
108           done by providing appropriate key and server statements in
109           named.conf.
110
111       -m
112           Enable memory usage debugging.
113
114       -p port
115           Send the query to a non-standard port on the server, instead of the
116           default port 53. This option would be used to test a name server
117           that has been configured to listen for queries on a non-standard
118           port number.
119
120       -q name
121           The domain name to query. This is useful to distinguish the name
122           from other arguments.
123
124       -t type
125           The resource record type to query. It can be any valid query type.
126           If it is a resource record type supported in BIND 9, it can be
127           given by the type mnemonic (such as "NS" or "AAAA"). The default
128           query type is "A", unless the -x option is supplied to indicate a
129           reverse lookup. A zone transfer can be requested by specifying a
130           type of AXFR. When an incremental zone transfer (IXFR) is required,
131           set the type to ixfr=N. The incremental zone transfer will contain
132           the changes made to the zone since the serial number in the zone's
133           SOA record was N.
134
135           All resource record types can be expressed as "TYPEnn", where "nn"
136           is the number of the type. If the resource record type is not
137           supported in BIND 9, the result will be displayed as described in
138           RFC 3597.
139
140       -u
141           Print query times in microseconds instead of milliseconds.
142
143       -v
144           Print the version number and exit.
145
146       -x addr
147           Simplified reverse lookups, for mapping addresses to names. The
148           addr is an IPv4 address in dotted-decimal notation, or a
149           colon-delimited IPv6 address. When the -x is used, there is no need
150           to provide the name, class and type arguments.  dig automatically
151           performs a lookup for a name like 94.2.0.192.in-addr.arpa and sets
152           the query type and class to PTR and IN respectively. IPv6 addresses
153           are looked up using nibble format under the IP6.ARPA domain (but
154           see also the -i option).
155
156       -y [hmac:]keyname:secret
157           Sign queries using TSIG with the given authentication key.  keyname
158           is the name of the key, and secret is the base64 encoded shared
159           secret.  hmac is the name of the key algorithm; valid choices are
160           hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, or
161           hmac-sha512. If hmac is not specified, the default is hmac-md5 or
162           if MD5 was disabled hmac-sha256.
163
164           NOTE: You should use the -k option and avoid the -y option, because
165           with -y the shared secret is supplied as a command line argument in
166           clear text. This may be visible in the output from ps(1) or in a
167           history file maintained by the user's shell.
168

QUERY OPTIONS

170       dig provides a number of query options which affect the way in which
171       lookups are made and the results displayed. Some of these set or reset
172       flag bits in the query header, some determine which sections of the
173       answer get printed, and others determine the timeout and retry
174       strategies.
175
176       Each query option is identified by a keyword preceded by a plus sign
177       (+). Some keywords set or reset an option. These may be preceded by the
178       string no to negate the meaning of that keyword. Other keywords assign
179       values to options like the timeout interval. They have the form
180       +keyword=value. Keywords may be abbreviated, provided the abbreviation
181       is unambiguous; for example, +cd is equivalent to +cdflag. The query
182       options are:
183
184       +[no]aaflag
185           A synonym for +[no]aaonly.
186
187       +[no]aaonly
188           Sets the "aa" flag in the query.
189
190       +[no]additional
191           Display [do not display] the additional section of a reply. The
192           default is to display it.
193
194       +[no]adflag
195           Set [do not set] the AD (authentic data) bit in the query. This
196           requests the server to return whether all of the answer and
197           authority sections have all been validated as secure according to
198           the security policy of the server. AD=1 indicates that all records
199           have been validated as secure and the answer is not from a OPT-OUT
200           range. AD=0 indicate that some part of the answer was insecure or
201           not validated. This bit is set by default.
202
203       +[no]all
204           Set or clear all display flags.
205
206       +[no]answer
207           Display [do not display] the answer section of a reply. The default
208           is to display it.
209
210       +[no]authority
211           Display [do not display] the authority section of a reply. The
212           default is to display it.
213
214       +[no]badcookie
215           Retry lookup with the new server cookie if a BADCOOKIE response is
216           received.
217
218       +[no]besteffort
219           Attempt to display the contents of messages which are malformed.
220           The default is to not display malformed answers.
221
222       +bufsize=B
223           Set the UDP message buffer size advertised using EDNS0 to B bytes.
224           The maximum and minimum sizes of this buffer are 65535 and 0
225           respectively. Values outside this range are rounded up or down
226           appropriately. Values other than zero will cause a EDNS query to be
227           sent.
228
229       +[no]cdflag
230           Set [do not set] the CD (checking disabled) bit in the query. This
231           requests the server to not perform DNSSEC validation of responses.
232
233       +[no]class
234           Display [do not display] the CLASS when printing the record.
235
236       +[no]cmd
237           Toggles the printing of the initial comment in the output
238           identifying the version of dig and the query options that have been
239           applied. This comment is printed by default.
240
241       +[no]comments
242           Toggle the display of comment lines in the output. The default is
243           to print comments.
244
245       +[no]cookie[=####]
246           Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
247           from a previous response will allow the server to identify a
248           previous client. The default is +cookie.
249
250           +cookie is also set when +trace is set to better emulate the
251           default queries from a nameserver.
252
253       +[no]crypto
254           Toggle the display of cryptographic fields in DNSSEC records. The
255           contents of these field are unnecessary to debug most DNSSEC
256           validation failures and removing them makes it easier to see the
257           common failures. The default is to display the fields. When omitted
258           they are replaced by the string "[omitted]" or in the DNSKEY case
259           the key id is displayed as the replacement, e.g. "[ key id = value
260           ]".
261
262       +[no]defname
263           Deprecated, treated as a synonym for +[no]search
264
265       +[no]dnssec
266           Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
267           in the OPT record in the additional section of the query.
268
269       +domain=somename
270           Set the search list to contain the single domain somename, as if
271           specified in a domain directive in /etc/resolv.conf, and enable
272           search list processing as if the +search option were given.
273
274       +dscp=value
275           Set the DSCP code point to be used when sending the query. Valid
276           DSCP code points are in the range [0..63]. By default no code point
277           is explicitly set.
278
279       +[no]edns[=#]
280           Specify the EDNS version to query with. Valid values are 0 to 255.
281           Setting the EDNS version will cause a EDNS query to be sent.
282           +noedns clears the remembered EDNS version. EDNS is set to 0 by
283           default.
284
285       +[no]ednsflags[=#]
286           Set the must-be-zero EDNS flags bits (Z bits) to the specified
287           value. Decimal, hex and octal encodings are accepted. Setting a
288           named flag (e.g. DO) will silently be ignored. By default, no Z
289           bits are set.
290
291       +[no]ednsnegotiation
292           Enable / disable EDNS version negotiation. By default EDNS version
293           negotiation is enabled.
294
295       +[no]ednsopt[=code[:value]]
296           Specify EDNS option with code point code and optionally payload of
297           value as a hexadecimal string.  code can be either an EDNS option
298           name (for example, NSID or ECS), or an arbitrary numeric value.
299           +noednsopt clears the EDNS options to be sent.
300
301       +[no]expire
302           Send an EDNS Expire option.
303
304       +[no]fail
305           Do not try the next server if you receive a SERVFAIL. The default
306           is to not try the next server which is the reverse of normal stub
307           resolver behavior.
308
309       +[no]header-only
310           Send a query with a DNS header without a question section. The
311           default is to add a question section. The query type and query name
312           are ignored when this is set.
313
314       +[no]identify
315           Show [or do not show] the IP address and port number that supplied
316           the answer when the +short option is enabled. If short form answers
317           are requested, the default is not to show the source address and
318           port number of the server that provided the answer.
319
320       +[no]idnin
321           Process [do not process] IDN domain names on input. This requires
322           IDN SUPPORT to have been enabled at compile time. The default is to
323           process IDN input.
324
325       +[no]idnout
326           Convert [do not convert] puny code on output. This requires IDN
327           SUPPORT to have been enabled at compile time. The default is to
328           convert output.
329
330       +[no]ignore
331           Ignore truncation in UDP responses instead of retrying with TCP. By
332           default, TCP retries are performed.
333
334       +[no]keepopen
335           Keep the TCP socket open between queries and reuse it rather than
336           creating a new TCP socket for each lookup. The default is
337           +nokeepopen.
338
339       +[no]mapped
340           Allow mapped IPv4 over IPv6 addresses to be used. The default is
341           +mapped.
342
343       +[no]multiline
344           Print records like the SOA records in a verbose multi-line format
345           with human-readable comments. The default is to print each record
346           on a single line, to facilitate machine parsing of the dig output.
347
348       +ndots=D
349           Set the number of dots that have to appear in name to D for it to
350           be considered absolute. The default value is that defined using the
351           ndots statement in /etc/resolv.conf, or 1 if no ndots statement is
352           present. Names with fewer dots are interpreted as relative names
353           and will be searched for in the domains listed in the search or
354           domain directive in /etc/resolv.conf if +search is set.
355
356       +[no]nsid
357           Include an EDNS name server ID request when sending a query.
358
359       +[no]nssearch
360           When this option is set, dig attempts to find the authoritative
361           name servers for the zone containing the name being looked up and
362           display the SOA record that each name server has for the zone.
363
364       +[no]onesoa
365           Print only one (starting) SOA record when performing an AXFR. The
366           default is to print both the starting and ending SOA records.
367
368       +[no]opcode=value
369           Set [restore] the DNS message opcode to the specified value. The
370           default value is QUERY (0).
371
372       +[no]qr
373           Print [do not print] the query as it is sent. By default, the query
374           is not printed.
375
376       +[no]question
377           Print [do not print] the question section of a query when an answer
378           is returned. The default is to print the question section as a
379           comment.
380
381       +[no]rdflag
382           A synonym for +[no]recurse.
383
384       +[no]recurse
385           Toggle the setting of the RD (recursion desired) bit in the query.
386           This bit is set by default, which means dig normally sends
387           recursive queries. Recursion is automatically disabled when the
388           +nssearch or +trace query options are used.
389
390       +retry=T
391           Sets the number of times to retry UDP queries to server to T
392           instead of the default, 2. Unlike +tries, this does not include the
393           initial query.
394
395       +[no]rrcomments
396           Toggle the display of per-record comments in the output (for
397           example, human-readable key information about DNSKEY records). The
398           default is not to print record comments unless multiline mode is
399           active.
400
401       +[no]search
402           Use [do not use] the search list defined by the searchlist or
403           domain directive in resolv.conf (if any). The search list is not
404           used by default.
405
406           'ndots' from resolv.conf (default 1) which may be overridden by
407           +ndots determines if the name will be treated as relative or not
408           and hence whether a search is eventually performed or not.
409
410       +[no]short
411           Provide a terse answer. The default is to print the answer in a
412           verbose form.
413
414       +[no]showsearch
415           Perform [do not perform] a search showing intermediate results.
416
417       +[no]sigchase
418           Chase DNSSEC signature chains. Requires dig be compiled with
419           -DDIG_SIGCHASE. This feature is deprecated. Use delv instead.
420
421       +split=W
422           Split long hex- or base64-formatted fields in resource records into
423           chunks of W characters (where W is rounded up to the nearest
424           multiple of 4).  +nosplit or +split=0 causes fields not to be split
425           at all. The default is 56 characters, or 44 characters when
426           multiline mode is active.
427
428       +[no]stats
429           This query option toggles the printing of statistics: when the
430           query was made, the size of the reply and so on. The default
431           behavior is to print the query statistics.
432
433       +[no]subnet=addr[/prefix-length]
434           Send (don't send) an EDNS Client Subnet option with the specified
435           IP address or network prefix.
436
437           dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends an
438           EDNS CLIENT-SUBNET option with an empty address and a source
439           prefix-length of zero, which signals a resolver that the client's
440           address information must not be used when resolving this query.
441
442       +[no]tcp
443           Use [do not use] TCP when querying name servers. The default
444           behavior is to use UDP unless a type any or ixfr=N query is
445           requested, in which case the default is TCP. AXFR queries always
446           use TCP.
447
448       +timeout=T
449           Sets the timeout for a query to T seconds. The default timeout is 5
450           seconds. An attempt to set T to less than 1 will result in a query
451           timeout of 1 second being applied.
452
453       +[no]topdown
454           When chasing DNSSEC signature chains perform a top-down validation.
455           Requires dig be compiled with -DDIG_SIGCHASE. This feature is
456           deprecated. Use delv instead.
457
458       +[no]trace
459           Toggle tracing of the delegation path from the root name servers
460           for the name being looked up. Tracing is disabled by default. When
461           tracing is enabled, dig makes iterative queries to resolve the name
462           being looked up. It will follow referrals from the root servers,
463           showing the answer from each server that was used to resolve the
464           lookup.
465
466           If @server is also specified, it affects only the initial query for
467           the root zone name servers.
468
469           +dnssec is also set when +trace is set to better emulate the
470           default queries from a nameserver.
471
472       +tries=T
473           Sets the number of times to try UDP queries to server to T instead
474           of the default, 3. If T is less than or equal to zero, the number
475           of tries is silently rounded up to 1.
476
477       +trusted-key=####
478           Specifies a file containing trusted keys to be used with +sigchase.
479           Each DNSKEY record must be on its own line.
480
481           If not specified, dig will look for /etc/trusted-key.key then
482           trusted-key.key in the current directory.
483
484           Requires dig be compiled with -DDIG_SIGCHASE. This feature is
485           deprecated. Use delv instead.
486
487       +[no]ttlid
488           Display [do not display] the TTL when printing the record.
489
490       +[no]ttlunits
491           Display [do not display] the TTL in friendly human-readable time
492           units of "s", "m", "h", "d", and "w", representing seconds,
493           minutes, hours, days and weeks. Implies +ttlid.
494
495       +[no]unknownformat
496           Print all RDATA in unknown RR type presentation format (RFC 3597).
497           The default is to print RDATA for known types in the type's
498           presentation format.
499
500       +[no]vc
501           Use [do not use] TCP when querying name servers. This alternate
502           syntax to +[no]tcp is provided for backwards compatibility. The
503           "vc" stands for "virtual circuit".
504
505       +[no]zflag
506           Set [do not set] the last unassigned DNS header flag in a DNS
507           query. This flag is off by default.
508

MULTIPLE QUERIES

510       The BIND 9 implementation of dig supports specifying multiple queries
511       on the command line (in addition to supporting the -f batch file
512       option). Each of those queries can be supplied with its own set of
513       flags, options and query options.
514
515       In this case, each query argument represent an individual query in the
516       command-line syntax described above. Each consists of any of the
517       standard options and flags, the name to be looked up, an optional query
518       type and class and any query options that should be applied to that
519       query.
520
521       A global set of query options, which should be applied to all queries,
522       can also be supplied. These global query options must precede the first
523       tuple of name, class, type, options, flags, and query options supplied
524       on the command line. Any global query options (except the +[no]cmd
525       option) can be overridden by a query-specific set of query options. For
526       example:
527
528           dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
529
530       shows how dig could be used from the command line to make three
531       lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1
532       and a query for the NS records of isc.org. A global query option of +qr
533       is applied, so that dig shows the initial query it made for each
534       lookup. The final query has a local query option of +noqr which means
535       that dig will not print the initial query when it looks up the NS
536       records for isc.org.
537

IDN SUPPORT

539       If dig has been built with IDN (internationalized domain name) support,
540       it can accept and display non-ASCII domain names.  dig appropriately
541       converts character encoding of domain name before sending a request to
542       DNS server or displaying a reply from the server. If you'd like to turn
543       off the IDN support for some reason, use parameters +noidnin and
544       +noidnout or define the IDN_DISABLE environment variable.
545

RETURN CODES

547       Dig return codes are:
548
549           0: Everything went well, including things like NXDOMAIN
550
551           1: Usage error
552
553           8: Couldn't open batch file
554
555           9: No reply from server
556
557           10: Internal error
558

FILES

560       /etc/resolv.conf
561
562       ${HOME}/.digrc
563

SEE ALSO

565       delv(1), host(1), named(8), dnssec-keygen(8), RFC 1035.
566

BUGS

568       There are probably too many query options.
569

AUTHOR

571       Internet Systems Consortium, Inc.
572
574       Copyright © 2000-2011, 2013-2018 Internet Systems Consortium, Inc.
575       ("ISC")
576
577
578
579ISC                               2014-02-19                            DIG(1)
Impressum