1DIG(1)                              BIND 9                              DIG(1)
2
3
4

NAME

6       dig - DNS lookup utility
7

SYNOPSIS

9       dig  [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
10       [-p port#] [-q name] [-t type] [-v] [-x addr]  [-y  [hmac:]name:key]  [
11       [-4] | [-6] ] [name] [type] [class] [queryopt...]
12
13       dig [-h]
14
15       dig [global-queryopt...] [query...]
16

DESCRIPTION

18       dig  is a flexible tool for interrogating DNS name servers. It performs
19       DNS lookups and displays the answers that are returned  from  the  name
20       server(s)  that  were queried. Most DNS administrators use dig to trou‐
21       bleshoot DNS problems because of its  flexibility,  ease  of  use,  and
22       clarity  of  output. Other lookup tools tend to have less functionality
23       than dig.
24
25       Although dig is normally used with command-line arguments, it also  has
26       a  batch  mode  of operation for reading lookup requests from a file. A
27       brief summary of its command-line arguments and options is printed when
28       the  -h option is given. The BIND 9 implementation of dig allows multi‐
29       ple lookups to be issued from the command line.
30
31       Unless it is told to query a specific name server, dig  tries  each  of
32       the  servers  listed in /etc/resolv.conf. If no usable server addresses
33       are found, dig sends the query to the local host.
34
35       When no command-line arguments or options are given, dig performs an NS
36       query for "." (the root).
37
38       It  is  possible  to  set per-user defaults for dig via ${HOME}/.digrc.
39       This file is read and any options in it are  applied  before  the  com‐
40       mand-line  arguments.  The -r option disables this feature, for scripts
41       that need predictable behavior.
42
43       The IN and CH class names overlap with the IN and CH  top-level  domain
44       names.  Either use the -t and -c options to specify the type and class,
45       use the -q to specify the domain name, or  use  "IN."  and  "CH."  when
46       looking up these top-level domains.
47

SIMPLE USAGE

49       A typical invocation of dig looks like:
50
51          dig @server name type
52
53       where:
54
55       server is  the name or IP address of the name server to query. This can
56              be an IPv4 address in dotted-decimal notation or an IPv6 address
57              in  colon-delimited  notation. When the supplied server argument
58              is a hostname, dig resolves that name before querying that  name
59              server.
60
61              If  no  server  argument  is  provided,  dig  consults  /etc/re‐
62              solv.conf; if an address is found there,  it  queries  the  name
63              server at that address. If either of the -4 or -6 options are in
64              use, then only addresses for  the  corresponding  transport  are
65              tried.  If no usable addresses are found, dig sends the query to
66              the local host. The reply from the name server that responds  is
67              displayed.
68
69       name   is the name of the resource record that is to be looked up.
70
71       type   indicates what type of query is required - ANY, A, MX, SIG, etc.
72              type can be any valid query type. If no type  argument  is  sup‐
73              plied, dig performs a lookup for an A record.
74

OPTIONS

76       -4     This option indicates that only IPv4 should be used.
77
78       -6     This option indicates that only IPv6 should be used.
79
80       -b address[#port]
81              This option sets the source IP address of the query. The address
82              must be a valid address on one of the host's network interfaces,
83              or  "0.0.0.0"  or "::". An optional port may be specified by ap‐
84              pending #port.
85
86       -c class
87              This option sets the query class. The default class is IN; other
88              classes are HS for Hesiod records or CH for Chaosnet records.
89
90       -f file
91              This option sets batch mode, in which dig reads a list of lookup
92              requests to process from the given file. Each line in  the  file
93              should  be  organized in the same way it would be presented as a
94              query to dig using the command-line interface.
95
96       -k keyfile
97              This option tells named to sign queries using TSIG using  a  key
98              read  from  the  given  file.  Key  files can be generated using
99              tsig-keygen. When using TSIG authentication with dig,  the  name
100              server  that is queried needs to know the key and algorithm that
101              is being used. In BIND, this is done  by  providing  appropriate
102              key and server statements in named.conf.
103
104       -m     This option enables memory usage debugging.
105
106       -p port
107              This  option  sends  the  query  to  a  non-standard port on the
108              server, instead of the default port 53. This option is  used  to
109              test  a  name  server  that  has  been  configured to listen for
110              queries on a non-standard port number.
111
112       -q name
113              This option specifies the domain name to query. This  is  useful
114              to distinguish the name from other arguments.
115
116       -r     This  option  indicates  that options from ${HOME}/.digrc should
117              not be read. This is useful for scripts  that  need  predictable
118              behavior.
119
120       -t type
121              This  option  indicates the resource record type to query, which
122              can be any valid query type. If it is  a  resource  record  type
123              supported  in BIND 9, it can be given by the type mnemonic (such
124              as NS or AAAA). The default query type is A, unless the  -x  op‐
125              tion  is  supplied to indicate a reverse lookup. A zone transfer
126              can be requested by specifying a type of AXFR. When an incremen‐
127              tal  zone  transfer  (IXFR) is required, set the type to ixfr=N.
128              The incremental zone transfer contains all changes made  to  the
129              zone since the serial number in the zone's SOA record was N.
130
131              All  resource  record types can be expressed as TYPEnn, where nn
132              is the number of the type. If the resource record  type  is  not
133              supported in BIND 9, the result is displayed as described in RFC
134              3597.
135
136       -u     This option indicates that print query times should be  provided
137              in microseconds instead of milliseconds.
138
139       -v     This option prints the version number and exits.
140
141       -x addr
142              This  option  sets  simplified  reverse lookups, for mapping ad‐
143              dresses to names. The addr is an IPv4 address in  dotted-decimal
144              notation,  or a colon-delimited IPv6 address. When the -x option
145              is used, there is no need to provide the name, class,  and  type
146              arguments.   dig automatically performs a lookup for a name like
147              94.2.0.192.in-addr.arpa and sets the query type and class to PTR
148              and  IN  respectively. IPv6 addresses are looked up using nibble
149              format under the IP6.ARPA domain.
150
151       -y [hmac:]keyname:secret
152              This option signs queries using TSIG with the given  authentica‐
153              tion  key.   keyname  is  the name of the key, and secret is the
154              base64-encoded shared secret. hmac is the name of the key  algo‐
155              rithm;  valid  choices  are  hmac-md5,  hmac-sha1,  hmac-sha224,
156              hmac-sha256, hmac-sha384, or hmac-sha512. If hmac is not  speci‐
157              fied,  the default is hmac-md5; if MD5 was disabled, the default
158              is hmac-sha256.
159
160       NOTE:
161          Only the -k option should be used, rather than the  -y  option,  be‐
162          cause  with -y the shared secret is supplied as a command-line argu‐
163          ment in clear text. This may be visible in the output from ps1 or in
164          a history file maintained by the user's shell.
165

QUERY OPTIONS

167       dig  provides  a  number of query options which affect the way in which
168       lookups are made and the results displayed. Some of these set or  reset
169       flag bits in the query header, some determine which sections of the an‐
170       swer get printed, and others determine the timeout  and  retry  strate‐
171       gies.
172
173       Each  query  option  is identified by a keyword preceded by a plus sign
174       (+). Some keywords set or reset an option; these may be preceded by the
175       string  no to negate the meaning of that keyword. Other keywords assign
176       values to options, like the timeout interval. They have the form  +key‐
177       word=value.  Keywords  may be abbreviated, provided the abbreviation is
178       unambiguous; for example, +cd is equivalent to +cdflag. The  query  op‐
179       tions are:
180
181       +[no]aaflag
182              This option is a synonym for +[no]aaonly.
183
184       +[no]aaonly
185              This option sets the aa flag in the query.
186
187       +[no]additional
188              This  option  displays [or does not display] the additional sec‐
189              tion of a reply. The default is to display it.
190
191       +[no]adflag
192              This option sets [or does not set] the AD (authentic  data)  bit
193              in  the query. This requests the server to return whether all of
194              the answer and authority sections have been validated as secure,
195              according  to  the security policy of the server. AD=1 indicates
196              that all records have been validated as secure and the answer is
197              not  from  a OPT-OUT range. AD=0 indicates that some part of the
198              answer was insecure or not validated.  This bit is  set  by  de‐
199              fault.
200
201       +[no]all
202              This option sets or clears all display flags.
203
204       +[no]answer
205              This option displays [or does not display] the answer section of
206              a reply. The default is to display it.
207
208       +[no]authority
209              This option displays [or does not display] the authority section
210              of a reply. The default is to display it.
211
212       +[no]badcookie
213              This  option  retries  the  lookup with a new server cookie if a
214              BADCOOKIE response is received.
215
216       +[no]besteffort
217              This option attempts to display the contents of  messages  which
218              are malformed. The default is to not display malformed answers.
219
220       +bufsize[=B]
221              This  option  sets  the UDP message buffer size advertised using
222              EDNS0 to B bytes.  The maximum and minimum sizes of this  buffer
223              are  65535  and  0, respectively.  +bufsize=0 disables EDNS (use
224              +bufsize=0 +edns to send an EDNS message with an advertised size
225              of 0 bytes). +bufsize restores the default buffer size.
226
227       +[no]cdflag
228              This  option  sets  [or does not set] the CD (checking disabled)
229              bit in the query. This requests the server to not perform DNSSEC
230              validation of responses.
231
232       +[no]class
233              This option displays [or does not display] the CLASS when print‐
234              ing the record.
235
236       +[no]cmd
237              This option toggles the printing of the initial comment  in  the
238              output,  identifying  the  version  of dig and the query options
239              that have been applied. This option always has a global  effect;
240              it  cannot  be  set globally and then overridden on a per-lookup
241              basis. The default is to print this comment.
242
243       +[no]comments
244              This option toggles the display of some  comment  lines  in  the
245              output, with information about the packet header and OPT pseudo‐
246              section, and the names of the response section. The  default  is
247              to print these comments.
248
249              Other  types  of comments in the output are not affected by this
250              option, but can be controlled using other command-line switches.
251              These   include   +[no]cmd,   +[no]question,   +[no]stats,   and
252              +[no]rrcomments.
253
254       +[no]cookie=####
255              This option sends [or does not send] a COOKIE EDNS option,  with
256              an  optional  value. Replaying a COOKIE from a previous response
257              allows the server to identify a previous client. The default  is
258              +cookie.
259
260              +cookie is also set when +trace is set to better emulate the de‐
261              fault queries from a nameserver.
262
263       +[no]crypto
264              This option toggles  the  display  of  cryptographic  fields  in
265              DNSSEC records. The contents of these fields are unnecessary for
266              debugging most DNSSEC  validation  failures  and  removing  them
267              makes  it  easier  to see the common failures. The default is to
268              display the fields. When  omitted,  they  are  replaced  by  the
269              string [omitted] or, in the DNSKEY case, the key ID is displayed
270              as the replacement, e.g. [ key id = value ].
271
272       +[no]defname
273              This option, which is deprecated, is treated as  a  synonym  for
274              +[no]search.
275
276       +[no]dnssec
277              This  option requests that DNSSEC records be sent by setting the
278              DNSSEC OK (DO) bit in the OPT record in the  additional  section
279              of the query.
280
281       +domain=somename
282              This  option  sets  the search list to contain the single domain
283              somename, as if specified in  a  domain  directive  in  /etc/re‐
284              solv.conf,  and enables search list processing as if the +search
285              option were given.
286
287       +dscp=value
288              This option sets the DSCP code point to be used when sending the
289              query.  Valid DSCP code points are in the range [0...63]. By de‐
290              fault no code point is explicitly set.
291
292       +[no]edns[=#]
293              This option specifies the EDNS version to query with. Valid val‐
294              ues are 0 to 255.  Setting the EDNS version causes an EDNS query
295              to be sent.  +noedns clears the remembered EDNS version. EDNS is
296              set to 0 by default.
297
298       +[no]ednsflags[=#]
299              This  option  sets  the must-be-zero EDNS flags bits (Z bits) to
300              the specified value.  Decimal, hex, and octal encodings are  ac‐
301              cepted.  Setting a named flag (e.g., DO) is silently ignored. By
302              default, no Z bits are set.
303
304       +[no]ednsnegotiation
305              This option enables/disables EDNS version  negotiation.  By  de‐
306              fault, EDNS version negotiation is enabled.
307
308       +[no]ednsopt[=code[:value]]
309              This  option  specifies the EDNS option with code point code and
310              an optional payload of value as a hexadecimal string.  code  can
311              be  either  an EDNS option name (for example, NSID or ECS) or an
312              arbitrary numeric value. +noednsopt clears the EDNS  options  to
313              be sent.
314
315       +[no]expire
316              This option sends an EDNS Expire option.
317
318       +[no]fail
319              This  option  indicates  that  named should try [or not try] the
320              next server if a SERVFAIL is received. The default is to not try
321              the  next  server,  which is the reverse of normal stub resolver
322              behavior.
323
324       +[no]header-only
325              This option sends a query with a DNS header without  a  question
326              section.  The  default  is  to add a question section. The query
327              type and query name are ignored when this is set.
328
329       +[no]identify
330              This option shows [or does not show] the  IP  address  and  port
331              number  that  supplied the answer, when the +short option is en‐
332              abled. If short form answers are requested, the default  is  not
333              to  show  the  source address and port number of the server that
334              provided the answer.
335
336       +[no]idnin
337              This option processes [or does not process] IDN domain names  on
338              input. This requires IDN SUPPORT to have been enabled at compile
339              time.
340
341              The default is to process IDN input when standard  output  is  a
342              tty.  The IDN processing on input is disabled when dig output is
343              redirected to files, pipes, and other non-tty file descriptors.
344
345       +[no]idnout
346              This option converts [or does not convert] puny code on  output.
347              This requires IDN SUPPORT to have been enabled at compile time.
348
349              The default is to process puny code on output when standard out‐
350              put is a tty. The puny code processing  on  output  is  disabled
351              when dig output is redirected to files, pipes, and other non-tty
352              file descriptors.
353
354       +[no]ignore
355              This option ignores [or does not ignore] truncation in  UDP  re‐
356              sponses  instead  of  retrying with TCP. By default, TCP retries
357              are performed.
358
359       +[no]keepalive
360              This option sends [or does not send] an EDNS Keepalive option.
361
362       +[no]keepopen
363              This option keeps [or does not keep] the TCP socket open between
364              queries, and reuses it rather than creating a new TCP socket for
365              each lookup. The default is +nokeepopen.
366
367       +[no]mapped
368              This option allows [or does not allow] mapped IPv4-over-IPv6 ad‐
369              dresses to be used. The default is +mapped.
370
371       +[no]multiline
372              This  option  prints  [or  does not print] records, like the SOA
373              records, in a verbose multi-line format with human-readable com‐
374              ments.  The  default is to print each record on a single line to
375              facilitate machine parsing of the dig output.
376
377       +ndots=D
378              This option sets the number of dots (D) that must appear in name
379              for  it to be considered absolute. The default value is that de‐
380              fined using the ndots statement in /etc/resolv.conf, or 1 if  no
381              ndots  statement  is  present.  Names with fewer dots are inter‐
382              preted as relative names, and are searched for  in  the  domains
383              listed  in the search or domain directive in /etc/resolv.conf if
384              +search is set.
385
386       +[no]nsid
387              When enabled, this option includes an EDNS name  server  ID  re‐
388              quest when sending a query.
389
390       +[no]nssearch
391              When  this option is set, dig attempts to find the authoritative
392              name servers for the zone containing the name being  looked  up,
393              and  display  the  SOA  record that each name server has for the
394              zone.  Addresses of  servers  that  did  not  respond  are  also
395              printed.
396
397       +[no]onesoa
398              When  enabled, this option prints only one (starting) SOA record
399              when performing an AXFR. The default is to print both the start‐
400              ing and ending SOA records.
401
402       +[no]opcode=value
403              When enabled, this option sets (restores) the DNS message opcode
404              to the specified value. The default value is QUERY (0).
405
406       +padding=value
407              This option pads the size of the query  packet  using  the  EDNS
408              Padding  option  to  blocks  of  value bytes. For example, +pad‐
409              ding=32 causes a 48-byte query to be padded to 64 bytes. The de‐
410              fault  block  size  is 0, which disables padding; the maximum is
411              512. Values are ordinarily expected to be powers of two, such as
412              128; however, this is not mandatory. Responses to padded queries
413              may also be padded, but only  if  the  query  uses  TCP  or  DNS
414              COOKIE.
415
416       +[no]qr
417              This  option  toggles  the display of the query message as it is
418              sent. By default, the query is not printed.
419
420       +[no]question
421              This option toggles the display of the  question  section  of  a
422              query  when  an  answer is returned. The default is to print the
423              question section as a comment.
424
425       +[no]raflag
426              This option sets [or does not set] the RA (Recursion  Available)
427              bit  in the query. The default is +noraflag. This bit is ignored
428              by the server for QUERY.
429
430       +[no]rdflag
431              This option is a synonym for +[no]recurse.
432
433       +[no]recurse
434              This option toggles the setting of the  RD  (recursion  desired)
435              bit  in  the query.  This bit is set by default, which means dig
436              normally sends recursive  queries.  Recursion  is  automatically
437              disabled when the +nssearch or +trace query option is used.
438
439       +retry=T
440              This  option  sets  the  number  of  times  to retry UDP and TCP
441              queries to server to  T  instead  of  the  default,  2.   Unlike
442              +tries, this does not include the initial query.
443
444       +[no]rrcomments
445              This  option  toggles  the display of per-record comments in the
446              output (for example, human-readable key information about DNSKEY
447              records).  The  default  is  not to print record comments unless
448              multiline mode is active.
449
450       +[no]search
451              This option uses [or does not use] the search  list  defined  by
452              the  searchlist  or domain directive in resolv.conf, if any. The
453              search list is not used by default.
454
455              ndots from resolv.conf (default 1), which may be  overridden  by
456              +ndots,  determines  whether the name is treated as relative and
457              hence whether a search is eventually performed.
458
459       +[no]short
460              This option toggles whether a terse answer is provided. The  de‐
461              fault  is to print the answer in a verbose form. This option al‐
462              ways has a global effect; it cannot be  set  globally  and  then
463              overridden on a per-lookup basis.
464
465       +[no]showsearch
466              This  option performs [or does not perform] a search showing in‐
467              termediate results.
468
469       +[no]sigchase
470              This feature is now obsolete and has been removed; use delv  in‐
471              stead.
472
473       +split=W
474              This  option  splits long hex- or base64-formatted fields in re‐
475              source records into chunks of W characters (where W  is  rounded
476              up  to  the  nearest multiple of 4). +nosplit or +split=0 causes
477              fields not to be split at all. The default is 56 characters,  or
478              44 characters when multiline mode is active.
479
480       +[no]stats
481              This  option  toggles the printing of statistics: when the query
482              was made, the size of the reply, etc. The default behavior is to
483              print the query statistics as a comment after each lookup.
484
485       +[no]subnet=addr[/prefix-length]
486              This  option  sends [or does not send] an EDNS CLIENT-SUBNET op‐
487              tion with the specified IP address or network prefix.
488
489              dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short,  sends
490              an  EDNS CLIENT-SUBNET option with an empty address and a source
491              prefix-length  of  zero,  which  signals  a  resolver  that  the
492              client's  address  information  must  not be used when resolving
493              this query.
494
495       +[no]tcflag
496              This option sets [or does not set] the TC  (TrunCation)  bit  in
497              the  query. The default is +notcflag. This bit is ignored by the
498              server for QUERY.
499
500       +[no]tcp
501              This option uses [or  does  not  use]  TCP  when  querying  name
502              servers. The default behavior is to use UDP unless a type any or
503              ixfr=N query is requested, in which case  the  default  is  TCP.
504              AXFR queries always use TCP.
505
506       +timeout=T
507              This  option  sets the timeout for a query to T seconds. The de‐
508              fault timeout is 5 seconds. An attempt to set T to less  than  1
509              is silently set to 1.
510
511       +[no]topdown
512              This  feature is related to dig +sigchase, which is obsolete and
513              has been removed. Use delv instead.
514
515       +[no]trace
516              This option toggles tracing of the delegation path from the root
517              name  servers  for the name being looked up. Tracing is disabled
518              by default. When tracing is enabled, dig makes iterative queries
519              to  resolve  the name being looked up. It follows referrals from
520              the root servers, showing the answer from each server  that  was
521              used to resolve the lookup.
522
523              If  @server is also specified, it affects only the initial query
524              for the root zone name servers.
525
526              +dnssec is also set when +trace is set, to  better  emulate  the
527              default queries from a name server.
528
529       +tries=T
530              This  option sets the number of times to try UDP and TCP queries
531              to server to T instead of the default, 3. If T is less  than  or
532              equal to zero, the number of tries is silently rounded up to 1.
533
534       +trusted-key=####
535              This  option  formerly  specified  trusted keys for use with dig
536              +sigchase. This feature is now obsolete and  has  been  removed;
537              use delv instead.
538
539       +[no]ttlid
540              This option displays [or does not display] the TTL when printing
541              the record.
542
543       +[no]ttlunits
544              This option displays [or does not display] the TTL  in  friendly
545              human-readable  time  units  of  s, m, h, d, and w, representing
546              seconds, minutes, hours, days, and weeks. This implies +ttlid.
547
548       +[no]unexpected
549              This option accepts [or does not accept] answers from unexpected
550              sources.   By default, dig will not accept a reply from a source
551              other than the one to which it sent the query.
552
553       +[no]unknownformat
554              This option prints all RDATA in  unknown  RR  type  presentation
555              format  (RFC  3597).   The  default  is to print RDATA for known
556              types in the type's presentation format.
557
558       +[no]vc
559              This option uses [or  does  not  use]  TCP  when  querying  name
560              servers. This alternate syntax to +[no]tcp is provided for back‐
561              wards compatibility. The vc stands for "virtual circuit."
562
563       +[no]yaml
564              When enabled, this option prints the responses (and, if  +qr  is
565              in use, also the outgoing queries) in a detailed YAML format.
566
567       +[no]zflag
568              This  option  sets  [or  does  not  set] the last unassigned DNS
569              header flag in a DNS query.  This flag is off by default.
570

MULTIPLE QUERIES

572       The BIND 9 implementation of dig supports specifying  multiple  queries
573       on  the  command  line (in addition to supporting the -f batch file op‐
574       tion). Each of those queries can be supplied with its own set of flags,
575       options, and query options.
576
577       In this case, each query argument represents an individual query in the
578       command-line syntax described above. Each consists of any of the  stan‐
579       dard  options  and  flags,  the name to be looked up, an optional query
580       type and class, and any query options that should be  applied  to  that
581       query.
582
583       A  global set of query options, which should be applied to all queries,
584       can also be supplied. These global query options must precede the first
585       tuple  of name, class, type, options, flags, and query options supplied
586       on the command line. Any global  query  options  (except  +[no]cmd  and
587       +[no]short  options) can be overridden by a query-specific set of query
588       options. For example:
589
590          dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
591
592       shows how dig can be used from the command line to make three  lookups:
593       an  ANY  query  for  www.isc.org,  a reverse lookup of 127.0.0.1, and a
594       query for the NS records of isc.org. A global query option  of  +qr  is
595       applied,  so  that dig shows the initial query it made for each lookup.
596       The final query has a local query option of +noqr which means that  dig
597       does  not  print  the initial query when it looks up the NS records for
598       isc.org.
599

IDN SUPPORT

601       If dig has been built with IDN (internationalized domain name) support,
602       it  can  accept  and  display non-ASCII domain names. dig appropriately
603       converts character encoding of a domain name before sending  a  request
604       to a DNS server or displaying a reply from the server.  To turn off IDN
605       support, use the parameters  +noidnin  and  +noidnout,  or  define  the
606       IDN_DISABLE environment variable.
607

RETURN CODES

609       dig return codes are:
610
611       0      DNS response received, including NXDOMAIN status
612
613       1      Usage error
614
615       8      Couldn't open batch file
616
617       9      No reply from server
618
619       10     Internal error
620

FILES

622       /etc/resolv.conf
623
624       ${HOME}/.digrc
625

SEE ALSO

627       delv(1), host(1), named(8), dnssec-keygen(8), RFC 1035.
628

BUGS

630       There are probably too many query options.
631

AUTHOR

633       Internet Systems Consortium
634
636       2021, Internet Systems Consortium
637
638
639
640
6419.16.23-RH                                                              DIG(1)
Impressum