1DIG(1)                               BIND9                              DIG(1)
2
3
4

NAME

6       dig - DNS lookup utility
7

SYNOPSIS

9       dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
10           [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key]
11           [[-4] | [-6]] [name] [type] [class] [queryopt...]
12
13       dig [-h]
14
15       dig [global-queryopt...] [query...]
16

DESCRIPTION

18       dig is a flexible tool for interrogating DNS name servers. It performs
19       DNS lookups and displays the answers that are returned from the name
20       server(s) that were queried. Most DNS administrators use dig to
21       troubleshoot DNS problems because of its flexibility, ease of use and
22       clarity of output. Other lookup tools tend to have less functionality
23       than dig.
24
25       Although dig is normally used with command-line arguments, it also has
26       a batch mode of operation for reading lookup requests from a file. A
27       brief summary of its command-line arguments and options is printed when
28       the -h option is given. Unlike earlier versions, the BIND 9
29       implementation of dig allows multiple lookups to be issued from the
30       command line.
31
32       Unless it is told to query a specific name server, dig will try each of
33       the servers listed in /etc/resolv.conf. If no usable server addresses
34       are found, dig will send the query to the local host.
35
36       When no command line arguments or options are given, dig will perform
37       an NS query for "." (the root).
38
39       It is possible to set per-user defaults for dig via ${HOME}/.digrc.
40       This file is read and any options in it are applied before the command
41       line arguments. The -r option disables this feature, for scripts that
42       need predictable behaviour.
43
44       The IN and CH class names overlap with the IN and CH top level domain
45       names. Either use the -t and -c options to specify the type and class,
46       use the -q the specify the domain name, or use "IN." and "CH." when
47       looking up these top level domains.
48

SIMPLE USAGE

50       A typical invocation of dig looks like:
51
52            dig @server name type
53
54       where:
55
56       server
57           is the name or IP address of the name server to query. This can be
58           an IPv4 address in dotted-decimal notation or an IPv6 address in
59           colon-delimited notation. When the supplied server argument is a
60           hostname, dig resolves that name before querying that name server.
61
62           If no server argument is provided, dig consults /etc/resolv.conf;
63           if an address is found there, it queries the name server at that
64           address. If either of the -4 or -6 options are in use, then only
65           addresses for the corresponding transport will be tried. If no
66           usable addresses are found, dig will send the query to the local
67           host. The reply from the name server that responds is displayed.
68
69       name
70           is the name of the resource record that is to be looked up.
71
72       type
73           indicates what type of query is required — ANY, A, MX, SIG, etc.
74           type can be any valid query type. If no type argument is supplied,
75           dig will perform a lookup for an A record.
76

OPTIONS

78       -4
79           Use IPv4 only.
80
81       -6
82           Use IPv6 only.
83
84       -b address[#port]
85           Set the source IP address of the query. The address must be a valid
86           address on one of the host's network interfaces, or "0.0.0.0" or
87           "::". An optional port may be specified by appending "#<port>"
88
89       -c class
90           Set the query class. The default class is IN; other classes are HS
91           for Hesiod records or CH for Chaosnet records.
92
93       -f file
94           Batch mode: dig reads a list of lookup requests to process from the
95           given file. Each line in the file should be organized in the same
96           way they would be presented as queries to dig using the
97           command-line interface.
98
99       -i
100           Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT domain,
101           which is no longer in use. Obsolete bit string label queries (RFC
102           2874) are not attempted.
103
104       -k keyfile
105           Sign queries using TSIG using a key read from the given file. Key
106           files can be generated using tsig-keygen(8). When using TSIG
107           authentication with dig, the name server that is queried needs to
108           know the key and algorithm that is being used. In BIND, this is
109           done by providing appropriate key and server statements in
110           named.conf.
111
112       -m
113           Enable memory usage debugging.
114
115       -p port
116           Send the query to a non-standard port on the server, instead of the
117           default port 53. This option would be used to test a name server
118           that has been configured to listen for queries on a non-standard
119           port number.
120
121       -q name
122           The domain name to query. This is useful to distinguish the name
123           from other arguments.
124
125       -r
126           Do not read options from ${HOME}/.digrc. This is useful for scripts
127           that need predictable behaviour.
128
129       -t type
130           The resource record type to query. It can be any valid query type.
131           If it is a resource record type supported in BIND 9, it can be
132           given by the type mnemonic (such as "NS" or "AAAA"). The default
133           query type is "A", unless the -x option is supplied to indicate a
134           reverse lookup. A zone transfer can be requested by specifying a
135           type of AXFR. When an incremental zone transfer (IXFR) is required,
136           set the type to ixfr=N. The incremental zone transfer will contain
137           the changes made to the zone since the serial number in the zone's
138           SOA record was N.
139
140           All resource record types can be expressed as "TYPEnn", where "nn"
141           is the number of the type. If the resource record type is not
142           supported in BIND 9, the result will be displayed as described in
143           RFC 3597.
144
145       -u
146           Print query times in microseconds instead of milliseconds.
147
148       -v
149           Print the version number and exit.
150
151       -x addr
152           Simplified reverse lookups, for mapping addresses to names. The
153           addr is an IPv4 address in dotted-decimal notation, or a
154           colon-delimited IPv6 address. When the -x is used, there is no need
155           to provide the name, class and type arguments.  dig automatically
156           performs a lookup for a name like 94.2.0.192.in-addr.arpa and sets
157           the query type and class to PTR and IN respectively. IPv6 addresses
158           are looked up using nibble format under the IP6.ARPA domain (but
159           see also the -i option).
160
161       -y [hmac:]keyname:secret
162           Sign queries using TSIG with the given authentication key.  keyname
163           is the name of the key, and secret is the base64 encoded shared
164           secret.  hmac is the name of the key algorithm; valid choices are
165           hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, or
166           hmac-sha512. If hmac is not specified, the default is hmac-md5 or
167           if MD5 was disabled hmac-sha256.
168
169           NOTE: You should use the -k option and avoid the -y option, because
170           with -y the shared secret is supplied as a command line argument in
171           clear text. This may be visible in the output from ps(1) or in a
172           history file maintained by the user's shell.
173

QUERY OPTIONS

175       dig provides a number of query options which affect the way in which
176       lookups are made and the results displayed. Some of these set or reset
177       flag bits in the query header, some determine which sections of the
178       answer get printed, and others determine the timeout and retry
179       strategies.
180
181       Each query option is identified by a keyword preceded by a plus sign
182       (+). Some keywords set or reset an option. These may be preceded by the
183       string no to negate the meaning of that keyword. Other keywords assign
184       values to options like the timeout interval. They have the form
185       +keyword=value. Keywords may be abbreviated, provided the abbreviation
186       is unambiguous; for example, +cd is equivalent to +cdflag. The query
187       options are:
188
189       +[no]aaflag
190           A synonym for +[no]aaonly.
191
192       +[no]aaonly
193           Sets the "aa" flag in the query.
194
195       +[no]additional
196           Display [do not display] the additional section of a reply. The
197           default is to display it.
198
199       +[no]adflag
200           Set [do not set] the AD (authentic data) bit in the query. This
201           requests the server to return whether all of the answer and
202           authority sections have all been validated as secure according to
203           the security policy of the server. AD=1 indicates that all records
204           have been validated as secure and the answer is not from a OPT-OUT
205           range. AD=0 indicate that some part of the answer was insecure or
206           not validated. This bit is set by default.
207
208       +[no]all
209           Set or clear all display flags.
210
211       +[no]answer
212           Display [do not display] the answer section of a reply. The default
213           is to display it.
214
215       +[no]authority
216           Display [do not display] the authority section of a reply. The
217           default is to display it.
218
219       +[no]badcookie
220           Retry lookup with the new server cookie if a BADCOOKIE response is
221           received.
222
223       +[no]besteffort
224           Attempt to display the contents of messages which are malformed.
225           The default is to not display malformed answers.
226
227       +bufsize=B
228           Set the UDP message buffer size advertised using EDNS0 to B bytes.
229           The maximum and minimum sizes of this buffer are 65535 and 0
230           respectively. Values outside this range are rounded up or down
231           appropriately. Values other than zero will cause a EDNS query to be
232           sent.
233
234       +[no]cdflag
235           Set [do not set] the CD (checking disabled) bit in the query. This
236           requests the server to not perform DNSSEC validation of responses.
237
238       +[no]class
239           Display [do not display] the CLASS when printing the record.
240
241       +[no]cmd
242           Toggles the printing of the initial comment in the output,
243           identifying the version of dig and the query options that have been
244           applied. This option always has global effect; it cannot be set
245           globally and then overridden on a per-lookup basis. The default is
246           to print this comment.
247
248       +[no]comments
249           Toggles the display of some comment lines in the output, containing
250           information about the packet header and OPT pseudosection, and the
251           names of the response section. The default is to print these
252           comments.
253
254           Other types of comments in the output are not affected by this
255           option, but can be controlled using other command line switches.
256           These include +[no]cmd, +[no]question, +[no]stats, and
257           +[no]rrcomments.
258
259       +[no]cookie[=####]
260           Send a COOKIE EDNS option, with optional value. Replaying a COOKIE
261           from a previous response will allow the server to identify a
262           previous client. The default is +cookie.
263
264           +cookie is also set when +trace is set to better emulate the
265           default queries from a nameserver.
266
267       +[no]crypto
268           Toggle the display of cryptographic fields in DNSSEC records. The
269           contents of these field are unnecessary to debug most DNSSEC
270           validation failures and removing them makes it easier to see the
271           common failures. The default is to display the fields. When omitted
272           they are replaced by the string "[omitted]" or in the DNSKEY case
273           the key id is displayed as the replacement, e.g. "[ key id = value
274           ]".
275
276       +[no]defname
277           Deprecated, treated as a synonym for +[no]search
278
279       +[no]dnssec
280           Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
281           in the OPT record in the additional section of the query.
282
283       +domain=somename
284           Set the search list to contain the single domain somename, as if
285           specified in a domain directive in /etc/resolv.conf, and enable
286           search list processing as if the +search option were given.
287
288       +dscp=value
289           Set the DSCP code point to be used when sending the query. Valid
290           DSCP code points are in the range [0..63]. By default no code point
291           is explicitly set.
292
293       +[no]edns[=#]
294           Specify the EDNS version to query with. Valid values are 0 to 255.
295           Setting the EDNS version will cause a EDNS query to be sent.
296           +noedns clears the remembered EDNS version. EDNS is set to 0 by
297           default.
298
299       +[no]ednsflags[=#]
300           Set the must-be-zero EDNS flags bits (Z bits) to the specified
301           value. Decimal, hex and octal encodings are accepted. Setting a
302           named flag (e.g. DO) will silently be ignored. By default, no Z
303           bits are set.
304
305       +[no]ednsnegotiation
306           Enable / disable EDNS version negotiation. By default EDNS version
307           negotiation is enabled.
308
309       +[no]ednsopt[=code[:value]]
310           Specify EDNS option with code point code and optionally payload of
311           value as a hexadecimal string.  code can be either an EDNS option
312           name (for example, NSID or ECS), or an arbitrary numeric value.
313           +noednsopt clears the EDNS options to be sent.
314
315       +[no]expire
316           Send an EDNS Expire option.
317
318       +[no]fail
319           Do not try the next server if you receive a SERVFAIL. The default
320           is to not try the next server which is the reverse of normal stub
321           resolver behavior.
322
323       +[no]header-only
324           Send a query with a DNS header without a question section. The
325           default is to add a question section. The query type and query name
326           are ignored when this is set.
327
328       +[no]identify
329           Show [or do not show] the IP address and port number that supplied
330           the answer when the +short option is enabled. If short form answers
331           are requested, the default is not to show the source address and
332           port number of the server that provided the answer.
333
334       +[no]idnin
335           Process [do not process] IDN domain names on input. This requires
336           IDN SUPPORT to have been enabled at compile time.
337
338           The default is to process IDN input when standard output is a tty.
339           The IDN processing on input is disabled when dig output is
340           redirected to files, pipes, and other non-tty file descriptors.
341
342       +[no]idnout
343           Convert [do not convert] puny code on output. This requires IDN
344           SUPPORT to have been enabled at compile time.
345
346           The default is to process puny code on output when standard output
347           is a tty. The puny code processing on output is disabled when dig
348           output is redirected to files, pipes, and other non-tty file
349           descriptors.
350
351       +[no]ignore
352           Ignore truncation in UDP responses instead of retrying with TCP. By
353           default, TCP retries are performed.
354
355       +[no]keepopen
356           Keep the TCP socket open between queries and reuse it rather than
357           creating a new TCP socket for each lookup. The default is
358           +nokeepopen.
359
360       +[no]mapped
361           Allow mapped IPv4 over IPv6 addresses to be used. The default is
362           +mapped.
363
364       +[no]multiline
365           Print records like the SOA records in a verbose multi-line format
366           with human-readable comments. The default is to print each record
367           on a single line, to facilitate machine parsing of the dig output.
368
369       +ndots=D
370           Set the number of dots that have to appear in name to D for it to
371           be considered absolute. The default value is that defined using the
372           ndots statement in /etc/resolv.conf, or 1 if no ndots statement is
373           present. Names with fewer dots are interpreted as relative names
374           and will be searched for in the domains listed in the search or
375           domain directive in /etc/resolv.conf if +search is set.
376
377       +[no]nsid
378           Include an EDNS name server ID request when sending a query.
379
380       +[no]nssearch
381           When this option is set, dig attempts to find the authoritative
382           name servers for the zone containing the name being looked up and
383           display the SOA record that each name server has for the zone.
384
385       +[no]onesoa
386           Print only one (starting) SOA record when performing an AXFR. The
387           default is to print both the starting and ending SOA records.
388
389       +[no]opcode=value
390           Set [restore] the DNS message opcode to the specified value. The
391           default value is QUERY (0).
392
393       +[no]qr
394           Toggles the display of the query message as it is sent. By default,
395           the query is not printed.
396
397       +[no]question
398           Toggles the display of the question section of a query when an
399           answer is returned. The default is to print the question section as
400           a comment.
401
402       +[no]rdflag
403           A synonym for +[no]recurse.
404
405       +[no]recurse
406           Toggle the setting of the RD (recursion desired) bit in the query.
407           This bit is set by default, which means dig normally sends
408           recursive queries. Recursion is automatically disabled when using
409           the +nssearch option, and when using +trace except for an initial
410           recursive query to get the list of root servers.
411
412       +retry=T
413           Sets the number of times to retry UDP queries to server to T
414           instead of the default, 2. Unlike +tries, this does not include the
415           initial query.
416
417       +[no]rrcomments
418           Toggle the display of per-record comments in the output (for
419           example, human-readable key information about DNSKEY records). The
420           default is not to print record comments unless multiline mode is
421           active.
422
423       +[no]search
424           Use [do not use] the search list defined by the searchlist or
425           domain directive in resolv.conf (if any). The search list is not
426           used by default.
427
428           'ndots' from resolv.conf (default 1) which may be overridden by
429           +ndots determines if the name will be treated as relative or not
430           and hence whether a search is eventually performed or not.
431
432       +[no]short
433           Provide a terse answer. The default is to print the answer in a
434           verbose form. This option always has global effect; it cannot be
435           set globally and then overridden on a per-lookup basis.
436
437       +[no]showsearch
438           Perform [do not perform] a search showing intermediate results.
439
440       +[no]sigchase
441           Chase DNSSEC signature chains. Requires dig be compiled with
442           -DDIG_SIGCHASE. This feature is deprecated. Use delv instead.
443
444       +split=W
445           Split long hex- or base64-formatted fields in resource records into
446           chunks of W characters (where W is rounded up to the nearest
447           multiple of 4).  +nosplit or +split=0 causes fields not to be split
448           at all. The default is 56 characters, or 44 characters when
449           multiline mode is active.
450
451       +[no]stats
452           Toggles the printing of statistics: when the query was made, the
453           size of the reply and so on. The default behavior is to print the
454           query statistics as a comment after each lookup.
455
456       +[no]subnet=addr[/prefix-length]
457           Send (don't send) an EDNS Client Subnet option with the specified
458           IP address or network prefix.
459
460           dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends an
461           EDNS CLIENT-SUBNET option with an empty address and a source
462           prefix-length of zero, which signals a resolver that the client's
463           address information must not be used when resolving this query.
464
465       +[no]tcp
466           Use [do not use] TCP when querying name servers. The default
467           behavior is to use UDP unless a type any or ixfr=N query is
468           requested, in which case the default is TCP. AXFR queries always
469           use TCP.
470
471       +timeout=T
472           Sets the timeout for a query to T seconds. The default timeout is 5
473           seconds. An attempt to set T to less than 1 will result in a query
474           timeout of 1 second being applied.
475
476       +[no]topdown
477           When chasing DNSSEC signature chains perform a top-down validation.
478           Requires dig be compiled with -DDIG_SIGCHASE. This feature is
479           deprecated. Use delv instead.
480
481       +[no]trace
482           Toggle tracing of the delegation path from the root name servers
483           for the name being looked up. Tracing is disabled by default. When
484           tracing is enabled, dig makes iterative queries to resolve the name
485           being looked up. It will follow referrals from the root servers,
486           showing the answer from each server that was used to resolve the
487           lookup.
488
489           If @server is also specified, it affects only the initial query for
490           the root zone name servers.
491
492           +dnssec is also set when +trace is set to better emulate the
493           default queries from a nameserver.
494
495       +tries=T
496           Sets the number of times to try UDP queries to server to T instead
497           of the default, 3. If T is less than or equal to zero, the number
498           of tries is silently rounded up to 1.
499
500       +trusted-key=####
501           Specifies a file containing trusted keys to be used with +sigchase.
502           Each DNSKEY record must be on its own line.
503
504           If not specified, dig will look for /etc/trusted-key.key then
505           trusted-key.key in the current directory.
506
507           Requires dig be compiled with -DDIG_SIGCHASE. This feature is
508           deprecated. Use delv instead.
509
510       +[no]ttlid
511           Display [do not display] the TTL when printing the record.
512
513       +[no]ttlunits
514           Display [do not display] the TTL in friendly human-readable time
515           units of "s", "m", "h", "d", and "w", representing seconds,
516           minutes, hours, days and weeks. Implies +ttlid.
517
518       +[no]unknownformat
519           Print all RDATA in unknown RR type presentation format (RFC 3597).
520           The default is to print RDATA for known types in the type's
521           presentation format.
522
523       +[no]vc
524           Use [do not use] TCP when querying name servers. This alternate
525           syntax to +[no]tcp is provided for backwards compatibility. The
526           "vc" stands for "virtual circuit".
527
528       +[no]zflag
529           Set [do not set] the last unassigned DNS header flag in a DNS
530           query. This flag is off by default.
531

MULTIPLE QUERIES

533       The BIND 9 implementation of dig supports specifying multiple queries
534       on the command line (in addition to supporting the -f batch file
535       option). Each of those queries can be supplied with its own set of
536       flags, options and query options.
537
538       In this case, each query argument represent an individual query in the
539       command-line syntax described above. Each consists of any of the
540       standard options and flags, the name to be looked up, an optional query
541       type and class and any query options that should be applied to that
542       query.
543
544       A global set of query options, which should be applied to all queries,
545       can also be supplied. These global query options must precede the first
546       tuple of name, class, type, options, flags, and query options supplied
547       on the command line. Any global query options (except the +[no]cmd
548       option) can be overridden by a query-specific set of query options. For
549       example:
550
551           dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
552
553       shows how dig could be used from the command line to make three
554       lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1
555       and a query for the NS records of isc.org. A global query option of +qr
556       is applied, so that dig shows the initial query it made for each
557       lookup. The final query has a local query option of +noqr which means
558       that dig will not print the initial query when it looks up the NS
559       records for isc.org.
560

IDN SUPPORT

562       If dig has been built with IDN (internationalized domain name) support,
563       it can accept and display non-ASCII domain names.  dig appropriately
564       converts character encoding of domain name before sending a request to
565       DNS server or displaying a reply from the server. If you'd like to turn
566       off the IDN support for some reason, use parameters +noidnin and
567       +noidnout or define the IDN_DISABLE environment variable.
568

RETURN CODES

570       Dig return codes are:
571
572           0: Everything went well, including things like NXDOMAIN
573
574           1: Usage error
575
576           8: Couldn't open batch file
577
578           9: No reply from server
579
580           10: Internal error
581

FILES

583       /etc/resolv.conf
584
585       ${HOME}/.digrc
586

SEE ALSO

588       delv(1), host(1), named(8), dnssec-keygen(8), RFC 1035.
589

BUGS

591       There are probably too many query options.
592

AUTHOR

594       Internet Systems Consortium, Inc.
595
597       Copyright © 2000-2011, 2013-2020 Internet Systems Consortium, Inc.
598       ("ISC")
599
600
601
602ISC                               2014-02-19                            DIG(1)
Impressum