1DIG(1) BIND9 DIG(1)
2
6 dig - DNS lookup utility
7
9 dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
10 [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key]
11 [[-4] | [-6]] [name] [type] [class] [queryopt...]
12 dig [-h]
14 dig [global-queryopt...] [query...]
16
18 dig is a flexible tool for interrogating DNS name servers. It performs
19 DNS lookups and displays the answers that are returned from the name
20 server(s) that were queried. Most DNS administrators use dig to
21 troubleshoot DNS problems because of its flexibility, ease of use and
22 clarity of output. Other lookup tools tend to have less functionality
23 than dig.
24 Although dig is normally used with command-line arguments, it also has
26 a batch mode of operation for reading lookup requests from a file. A
27 brief summary of its command-line arguments and options is printed when
28 the -h option is given. Unlike earlier versions, the BIND 9
29 implementation of dig allows multiple lookups to be issued from the
30 command line.
31 Unless it is told to query a specific name server, dig will try each of
33 the servers listed in /etc/resolv.conf. If no usable server addresses
34 are found, dig will send the query to the local host.
35 When no command line arguments or options are given, dig will perform
37 an NS query for "." (the root).
38 It is possible to set per-user defaults for dig via ${HOME}/.digrc.
40 This file is read and any options in it are applied before the command
41 line arguments. The -r option disables this feature, for scripts that
42 need predictable behaviour.
43 The IN and CH class names overlap with the IN and CH top level domain
45 names. Either use the -t and -c options to specify the type and class,
46 use the -q the specify the domain name, or use "IN." and "CH." when
47 looking up these top level domains.
48
50 A typical invocation of dig looks like:
51 dig @server name type
53 where:
55 server
57 is the name or IP address of the name server to query. This can be
58 an IPv4 address in dotted-decimal notation or an IPv6 address in
59 colon-delimited notation. When the supplied server argument is a
60 hostname, dig resolves that name before querying that name server.
61 If no server argument is provided, dig consults /etc/resolv.conf;
63 if an address is found there, it queries the name server at that
64 address. If either of the -4 or -6 options are in use, then only
65 addresses for the corresponding transport will be tried. If no
66 usable addresses are found, dig will send the query to the local
67 host. The reply from the name server that responds is displayed.
68 name
70 is the name of the resource record that is to be looked up.
71 type
73 indicates what type of query is required — ANY, A, MX, SIG, etc.
74 type can be any valid query type. If no type argument is supplied,
75 dig will perform a lookup for an A record.
76
78 -4
79 Use IPv4 only.
80 -6
82 Use IPv6 only.
83 -b address[#port]
85 Set the source IP address of the query. The address must be a valid
86 address on one of the host's network interfaces, or "0.0.0.0" or
87 "::". An optional port may be specified by appending "#<port>"
88 -c class
90 Set the query class. The default class is IN; other classes are HS
91 for Hesiod records or CH for Chaosnet records.
92 -f file
94 Batch mode: dig reads a list of lookup requests to process from the
95 given file. Each line in the file should be organized in the same
96 way they would be presented as queries to dig using the
97 command-line interface.
98 -i
100 Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT domain,
101 which is no longer in use. Obsolete bit string label queries (RFC
102 2874) are not attempted.
103 -k keyfile
105 Sign queries using TSIG using a key read from the given file. Key
106 files can be generated using tsig-keygen(8). When using TSIG
107 authentication with dig, the name server that is queried needs to
108 know the key and algorithm that is being used. In BIND, this is
109 done by providing appropriate key and server statements in
110 named.conf.
111 -m
113 Enable memory usage debugging.
114 -p port
116 Send the query to a non-standard port on the server, instead of the
117 default port 53. This option would be used to test a name server
118 that has been configured to listen for queries on a non-standard
119 port number.
120 -q name
122 The domain name to query. This is useful to distinguish the name
123 from other arguments.
124 -r
126 Do not read options from ${HOME}/.digrc. This is useful for scripts
127 that need predictable behaviour.
128 -t type
130 The resource record type to query. It can be any valid query type.
131 If it is a resource record type supported in BIND 9, it can be
132 given by the type mnemonic (such as "NS" or "AAAA"). The default
133 query type is "A", unless the -x option is supplied to indicate a
134 reverse lookup. A zone transfer can be requested by specifying a
135 type of AXFR. When an incremental zone transfer (IXFR) is required,
136 set the type to ixfr=N. The incremental zone transfer will contain
137 the changes made to the zone since the serial number in the zone's
138 SOA record was N.
139 All resource record types can be expressed as "TYPEnn", where "nn"
141 is the number of the type. If the resource record type is not
142 supported in BIND 9, the result will be displayed as described in
143 RFC 3597.
144 -u
146 Print query times in microseconds instead of milliseconds.
147 -v
149 Print the version number and exit.
150 -x addr
152 Simplified reverse lookups, for mapping addresses to names. The
153 addr is an IPv4 address in dotted-decimal notation, or a
154 colon-delimited IPv6 address. When the -x is used, there is no need
155 to provide the name, class and type arguments. dig automatically
156 performs a lookup for a name like 94.2.0.192.in-addr.arpa and sets
157 the query type and class to PTR and IN respectively. IPv6 addresses
158 are looked up using nibble format under the IP6.ARPA domain (but
159 see also the -i option).
160 -y [hmac:]keyname:secret
162 Sign queries using TSIG with the given authentication key. keyname
163 is the name of the key, and secret is the base64 encoded shared
164 secret. hmac is the name of the key algorithm; valid choices are
165 hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, or
166 hmac-sha512. If hmac is not specified, the default is hmac-md5 or
167 if MD5 was disabled hmac-sha256.
168 NOTE: You should use the -k option and avoid the -y option, because
170 with -y the shared secret is supplied as a command line argument in
171 clear text. This may be visible in the output from ps(1) or in a
172 history file maintained by the user's shell.
173
175 dig provides a number of query options which affect the way in which
176 lookups are made and the results displayed. Some of these set or reset
177 flag bits in the query header, some determine which sections of the
178 answer get printed, and others determine the timeout and retry
179 strategies.
180 Each query option is identified by a keyword preceded by a plus sign
182 (+). Some keywords set or reset an option. These may be preceded by the
183 string no to negate the meaning of that keyword. Other keywords assign
184 values to options like the timeout interval. They have the form
185 +keyword=value. Keywords may be abbreviated, provided the abbreviation
186 is unambiguous; for example, +cd is equivalent to +cdflag. The query
187 options are:
188 +[no]aaflag
190 A synonym for +[no]aaonly.
191 +[no]aaonly
193 Sets the "aa" flag in the query.
194 +[no]additional
196 Display [do not display] the additional section of a reply. The
197 default is to display it.
198 +[no]adflag
200 Set [do not set] the AD (authentic data) bit in the query. This
201 requests the server to return whether all of the answer and
202 authority sections have all been validated as secure according to
203 the security policy of the server. AD=1 indicates that all records
204 have been validated as secure and the answer is not from a OPT-OUT
205 range. AD=0 indicate that some part of the answer was insecure or
206 not validated. This bit is set by default.
207 +[no]all
209 Set or clear all display flags.
210 +[no]answer
212 Display [do not display] the answer section of a reply. The default
213 is to display it.
214 +[no]authority
216 Display [do not display] the authority section of a reply. The
217 default is to display it.
218 +[no]badcookie
220 Retry lookup with the new server cookie if a BADCOOKIE response is
221 received.
222 +[no]besteffort
224 Attempt to display the contents of messages which are malformed.
225 The default is to not display malformed answers.
226 +bufsize=B
228 Set the UDP message buffer size advertised using EDNS0 to B bytes.
229 The maximum and minimum sizes of this buffer are 65535 and 0
230 respectively. Values outside this range are rounded up or down
231 appropriately. Values other than zero will cause a EDNS query to be
232 sent.
233 +[no]cdflag
235 Set [do not set] the CD (checking disabled) bit in the query. This
236 requests the server to not perform DNSSEC validation of responses.
237 +[no]class
239 Display [do not display] the CLASS when printing the record.
240 +[no]cmd
242 Toggles the printing of the initial comment in the output,
243 identifying the version of dig and the query options that have been
244 applied. This option always has global effect; it cannot be set
245 globally and then overridden on a per-lookup basis. The default is
246 to print this comment.
247 +[no]comments
249 Toggles the display of some comment lines in the output, containing
250 information about the packet header and OPT pseudosection, and the
251 names of the response section. The default is to print these
252 comments.
253 Other types of comments in the output are not affected by this
255 option, but can be controlled using other command line switches.
256 These include +[no]cmd, +[no]question, +[no]stats, and
257 +[no]rrcomments.
258 +[no]cookie[=####]
260 Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
261 from a previous response will allow the server to identify a
262 previous client. The default is +cookie.
263 +cookie is also set when +trace is set to better emulate the
265 default queries from a nameserver.
266 +[no]crypto
268 Toggle the display of cryptographic fields in DNSSEC records. The
269 contents of these field are unnecessary to debug most DNSSEC
270 validation failures and removing them makes it easier to see the
271 common failures. The default is to display the fields. When omitted
272 they are replaced by the string "[omitted]" or in the DNSKEY case
273 the key id is displayed as the replacement, e.g. "[ key id = value
274 ]".
275 +[no]defname
277 Deprecated, treated as a synonym for +[no]search
278 +[no]dnssec
280 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
281 in the OPT record in the additional section of the query.
282 +domain=somename
284 Set the search list to contain the single domain somename, as if
285 specified in a domain directive in /etc/resolv.conf, and enable
286 search list processing as if the +search option were given.
287 +dscp=value
289 Set the DSCP code point to be used when sending the query. Valid
290 DSCP code points are in the range [0..63]. By default no code point
291 is explicitly set.
292 +[no]edns[=#]
294 Specify the EDNS version to query with. Valid values are 0 to 255.
295 Setting the EDNS version will cause a EDNS query to be sent.
296 +noedns clears the remembered EDNS version. EDNS is set to 0 by
297 default.
298 +[no]ednsflags[=#]
300 Set the must-be-zero EDNS flags bits (Z bits) to the specified
301 value. Decimal, hex and octal encodings are accepted. Setting a
302 named flag (e.g. DO) will silently be ignored. By default, no Z
303 bits are set.
304 +[no]ednsnegotiation
306 Enable / disable EDNS version negotiation. By default EDNS version
307 negotiation is enabled.
308 +[no]ednsopt[=code[:value]]
310 Specify EDNS option with code point code and optionally payload of
311 value as a hexadecimal string. code can be either an EDNS option
312 name (for example, NSID or ECS), or an arbitrary numeric value.
313 +noednsopt clears the EDNS options to be sent.
314 +[no]expire
316 Send an EDNS Expire option.
317 +[no]fail
319 Do not try the next server if you receive a SERVFAIL. The default
320 is to not try the next server which is the reverse of normal stub
321 resolver behavior.
322 +[no]header-only
324 Send a query with a DNS header without a question section. The
325 default is to add a question section. The query type and query name
326 are ignored when this is set.
327 +[no]identify
329 Show [or do not show] the IP address and port number that supplied
330 the answer when the +short option is enabled. If short form answers
331 are requested, the default is not to show the source address and
332 port number of the server that provided the answer.
333 +[no]idnin
335 Process [do not process] IDN domain names on input. This requires
336 IDN SUPPORT to have been enabled at compile time.
337 The default is to process IDN input when standard output is a tty.
339 The IDN processing on input is disabled when dig output is
340 redirected to files, pipes, and other non-tty file descriptors.
341 +[no]idnout
343 Convert [do not convert] puny code on output. This requires IDN
344 SUPPORT to have been enabled at compile time.
345 The default is to process puny code on output when standard output
347 is a tty. The puny code processing on output is disabled when dig
348 output is redirected to files, pipes, and other non-tty file
349 descriptors.
350 +[no]ignore
352 Ignore truncation in UDP responses instead of retrying with TCP. By
353 default, TCP retries are performed.
354 +[no]keepopen
356 Keep the TCP socket open between queries and reuse it rather than
357 creating a new TCP socket for each lookup. The default is
358 +nokeepopen.
359 +[no]mapped
361 Allow mapped IPv4 over IPv6 addresses to be used. The default is
362 +mapped.
363 +[no]multiline
365 Print records like the SOA records in a verbose multi-line format
366 with human-readable comments. The default is to print each record
367 on a single line, to facilitate machine parsing of the dig output.
368 +ndots=D
370 Set the number of dots that have to appear in name to D for it to
371 be considered absolute. The default value is that defined using the
372 ndots statement in /etc/resolv.conf, or 1 if no ndots statement is
373 present. Names with fewer dots are interpreted as relative names
374 and will be searched for in the domains listed in the search or
375 domain directive in /etc/resolv.conf if +search is set.
376 +[no]nsid
378 Include an EDNS name server ID request when sending a query.
379 +[no]nssearch
381 When this option is set, dig attempts to find the authoritative
382 name servers for the zone containing the name being looked up and
383 display the SOA record that each name server has for the zone.
384 +[no]onesoa
386 Print only one (starting) SOA record when performing an AXFR. The
387 default is to print both the starting and ending SOA records.
388 +[no]opcode=value
390 Set [restore] the DNS message opcode to the specified value. The
391 default value is QUERY (0).
392 +[no]qr
394 Toggles the display of the query message as it is sent. By default,
395 the query is not printed.
396 +[no]question
398 Toggles the display of the question section of a query when an
399 answer is returned. The default is to print the question section as
400 a comment.
401 +[no]rdflag
403 A synonym for +[no]recurse.
404 +[no]recurse
406 Toggle the setting of the RD (recursion desired) bit in the query.
407 This bit is set by default, which means dig normally sends
408 recursive queries. Recursion is automatically disabled when using
409 the +nssearch option, and when using +trace except for an initial
410 recursive query to get the list of root servers.
411 +retry=T
413 Sets the number of times to retry UDP queries to server to T
414 instead of the default, 2. Unlike +tries, this does not include the
415 initial query.
416 +[no]rrcomments
418 Toggle the display of per-record comments in the output (for
419 example, human-readable key information about DNSKEY records). The
420 default is not to print record comments unless multiline mode is
421 active.
422 +[no]search
424 Use [do not use] the search list defined by the searchlist or
425 domain directive in resolv.conf (if any). The search list is not
426 used by default.
427 'ndots' from resolv.conf (default 1) which may be overridden by
429 +ndots determines if the name will be treated as relative or not
430 and hence whether a search is eventually performed or not.
431 +[no]short
433 Provide a terse answer. The default is to print the answer in a
434 verbose form. This option always has global effect; it cannot be
435 set globally and then overridden on a per-lookup basis.
436 +[no]showsearch
438 Perform [do not perform] a search showing intermediate results.
439 +[no]sigchase
441 Chase DNSSEC signature chains. Requires dig be compiled with
442 -DDIG_SIGCHASE. This feature is deprecated. Use delv instead.
443 +split=W
445 Split long hex- or base64-formatted fields in resource records into
446 chunks of W characters (where W is rounded up to the nearest
447 multiple of 4). +nosplit or +split=0 causes fields not to be split
448 at all. The default is 56 characters, or 44 characters when
449 multiline mode is active.
450 +[no]stats
452 Toggles the printing of statistics: when the query was made, the
453 size of the reply and so on. The default behavior is to print the
454 query statistics as a comment after each lookup.
455 +[no]subnet=addr[/prefix-length]
457 Send (don't send) an EDNS Client Subnet option with the specified
458 IP address or network prefix.
459 dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends an
461 EDNS CLIENT-SUBNET option with an empty address and a source
462 prefix-length of zero, which signals a resolver that the client's
463 address information must not be used when resolving this query.
464 +[no]tcp
466 Use [do not use] TCP when querying name servers. The default
467 behavior is to use UDP unless a type any or ixfr=N query is
468 requested, in which case the default is TCP. AXFR queries always
469 use TCP.
470 +timeout=T
472 Sets the timeout for a query to T seconds. The default timeout is 5
473 seconds. An attempt to set T to less than 1 will result in a query
474 timeout of 1 second being applied.
475 +[no]topdown
477 When chasing DNSSEC signature chains perform a top-down validation.
478 Requires dig be compiled with -DDIG_SIGCHASE. This feature is
479 deprecated. Use delv instead.
480 +[no]trace
482 Toggle tracing of the delegation path from the root name servers
483 for the name being looked up. Tracing is disabled by default. When
484 tracing is enabled, dig makes iterative queries to resolve the name
485 being looked up. It will follow referrals from the root servers,
486 showing the answer from each server that was used to resolve the
487 lookup.
488 If @server is also specified, it affects only the initial query for
490 the root zone name servers.
491 +dnssec is also set when +trace is set to better emulate the
493 default queries from a nameserver.
494 +tries=T
496 Sets the number of times to try UDP queries to server to T instead
497 of the default, 3. If T is less than or equal to zero, the number
498 of tries is silently rounded up to 1.
499 +trusted-key=####
501 Specifies a file containing trusted keys to be used with +sigchase.
502 Each DNSKEY record must be on its own line.
503 If not specified, dig will look for /etc/trusted-key.key then
505 trusted-key.key in the current directory.
506 Requires dig be compiled with -DDIG_SIGCHASE. This feature is
508 deprecated. Use delv instead.
509 +[no]ttlid
511 Display [do not display] the TTL when printing the record.
512 +[no]ttlunits
514 Display [do not display] the TTL in friendly human-readable time
515 units of "s", "m", "h", "d", and "w", representing seconds,
516 minutes, hours, days and weeks. Implies +ttlid.
517 +[no]unknownformat
519 Print all RDATA in unknown RR type presentation format (RFC 3597).
520 The default is to print RDATA for known types in the type's
521 presentation format.
522 +[no]vc
524 Use [do not use] TCP when querying name servers. This alternate
525 syntax to +[no]tcp is provided for backwards compatibility. The
526 "vc" stands for "virtual circuit".
527 +[no]zflag
529 Set [do not set] the last unassigned DNS header flag in a DNS
530 query. This flag is off by default.
531
533 The BIND 9 implementation of dig supports specifying multiple queries
534 on the command line (in addition to supporting the -f batch file
535 option). Each of those queries can be supplied with its own set of
536 flags, options and query options.
537 In this case, each query argument represent an individual query in the
539 command-line syntax described above. Each consists of any of the
540 standard options and flags, the name to be looked up, an optional query
541 type and class and any query options that should be applied to that
542 query.
543 A global set of query options, which should be applied to all queries,
545 can also be supplied. These global query options must precede the first
546 tuple of name, class, type, options, flags, and query options supplied
547 on the command line. Any global query options (except the +[no]cmd
548 option) can be overridden by a query-specific set of query options. For
549 example:
550 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
552 shows how dig could be used from the command line to make three
554 lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1
555 and a query for the NS records of isc.org. A global query option of +qr
556 is applied, so that dig shows the initial query it made for each
557 lookup. The final query has a local query option of +noqr which means
558 that dig will not print the initial query when it looks up the NS
559 records for isc.org.
560
562 If dig has been built with IDN (internationalized domain name) support,
563 it can accept and display non-ASCII domain names. dig appropriately
564 converts character encoding of domain name before sending a request to
565 DNS server or displaying a reply from the server. If you'd like to turn
566 off the IDN support for some reason, use parameters +noidnin and
567 +noidnout or define the IDN_DISABLE environment variable.
568
570 Dig return codes are:
571 0: Everything went well, including things like NXDOMAIN
573 1: Usage error
575 8: Couldn't open batch file
577 9: No reply from server
579 10: Internal error
581
583 /etc/resolv.conf
584 ${HOME}/.digrc
586
588 delv(1), host(1), named(8), dnssec-keygen(8), RFC 1035.
589
591 There are probably too many query options.
592
594 Internet Systems Consortium, Inc.
595
597 Copyright © 2000-2011, 2013-2019 Internet Systems Consortium, Inc.
598 ("ISC")
599ISC 2014-02-19 DIG(1)