1DIG(1) BIND 9 DIG(1)
2
6 dig - DNS lookup utility
7
9 dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
10 [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [
11 [-4] | [-6] ] [name] [type] [class] [queryopt...]
12 dig [-h]
14 dig [global-queryopt...] [query...]
16
18 dig is a flexible tool for interrogating DNS name servers. It performs
19 DNS lookups and displays the answers that are returned from the name
20 server(s) that were queried. Most DNS administrators use dig to trou‐
21 bleshoot DNS problems because of its flexibility, ease of use, and
22 clarity of output. Other lookup tools tend to have less functionality
23 than dig.
24 Although dig is normally used with command-line arguments, it also has
26 a batch mode of operation for reading lookup requests from a file. A
27 brief summary of its command-line arguments and options is printed when
28 the -h option is given. The BIND 9 implementation of dig allows multi‐
29 ple lookups to be issued from the command line.
30 Unless it is told to query a specific name server, dig tries each of
32 the servers listed in /etc/resolv.conf. If no usable server addresses
33 are found, dig sends the query to the local host.
34 When no command-line arguments or options are given, dig performs an NS
36 query for "." (the root).
37 It is possible to set per-user defaults for dig via ${HOME}/.digrc.
39 This file is read and any options in it are applied before the com‐
40 mand-line arguments. The -r option disables this feature, for scripts
41 that need predictable behavior.
42 The IN and CH class names overlap with the IN and CH top-level domain
44 names. Either use the -t and -c options to specify the type and class,
45 use the -q to specify the domain name, or use "IN." and "CH." when
46 looking up these top-level domains.
47
49 A typical invocation of dig looks like:
50 dig @server name type
52 where:
54 server is the name or IP address of the name server to query. This can
56 be an IPv4 address in dotted-decimal notation or an IPv6 address
57 in colon-delimited notation. When the supplied server argument
58 is a hostname, dig resolves that name before querying that name
59 server.
60 If no server argument is provided, dig consults /etc/re‐
62 solv.conf; if an address is found there, it queries the name
63 server at that address. If either of the -4 or -6 options are in
64 use, then only addresses for the corresponding transport are
65 tried. If no usable addresses are found, dig sends the query to
66 the local host. The reply from the name server that responds is
67 displayed.
68 name is the name of the resource record that is to be looked up.
70 type indicates what type of query is required - ANY, A, MX, SIG, etc.
72 type can be any valid query type. If no type argument is sup‐
73 plied, dig performs a lookup for an A record.
74
76 -4 This option indicates that only IPv4 should be used.
77 -6 This option indicates that only IPv6 should be used.
79 -b address[#port]
81 This option sets the source IP address of the query. The address
82 must be a valid address on one of the host's network interfaces,
83 or "0.0.0.0" or "::". An optional port may be specified by ap‐
84 pending #port.
85 -c class
87 This option sets the query class. The default class is IN; other
88 classes are HS for Hesiod records or CH for Chaosnet records.
89 -f file
91 This option sets batch mode, in which dig reads a list of lookup
92 requests to process from the given file. Each line in the file
93 should be organized in the same way it would be presented as a
94 query to dig using the command-line interface.
95 -k keyfile
97 This option tells named to sign queries using TSIG using a key
98 read from the given file. Key files can be generated using
99 tsig-keygen. When using TSIG authentication with dig, the name
100 server that is queried needs to know the key and algorithm that
101 is being used. In BIND, this is done by providing appropriate
102 key and server statements in named.conf.
103 -m This option enables memory usage debugging.
105 -p port
107 This option sends the query to a non-standard port on the
108 server, instead of the default port 53. This option is used to
109 test a name server that has been configured to listen for
110 queries on a non-standard port number.
111 -q name
113 This option specifies the domain name to query. This is useful
114 to distinguish the name from other arguments.
115 -r This option indicates that options from ${HOME}/.digrc should
117 not be read. This is useful for scripts that need predictable
118 behavior.
119 -t type
121 This option indicates the resource record type to query, which
122 can be any valid query type. If it is a resource record type
123 supported in BIND 9, it can be given by the type mnemonic (such
124 as NS or AAAA). The default query type is A, unless the -x op‐
125 tion is supplied to indicate a reverse lookup. A zone transfer
126 can be requested by specifying a type of AXFR. When an incremen‐
127 tal zone transfer (IXFR) is required, set the type to ixfr=N.
128 The incremental zone transfer contains all changes made to the
129 zone since the serial number in the zone's SOA record was N.
130 All resource record types can be expressed as TYPEnn, where nn
132 is the number of the type. If the resource record type is not
133 supported in BIND 9, the result is displayed as described in RFC
134 3597.
135 -u This option indicates that print query times should be provided
137 in microseconds instead of milliseconds.
138 -v This option prints the version number and exits.
140 -x addr
142 This option sets simplified reverse lookups, for mapping ad‐
143 dresses to names. The addr is an IPv4 address in dotted-decimal
144 notation, or a colon-delimited IPv6 address. When the -x option
145 is used, there is no need to provide the name, class, and type
146 arguments. dig automatically performs a lookup for a name like
147 94.2.0.192.in-addr.arpa and sets the query type and class to PTR
148 and IN respectively. IPv6 addresses are looked up using nibble
149 format under the IP6.ARPA domain.
150 -y [hmac:]keyname:secret
152 This option signs queries using TSIG with the given authentica‐
153 tion key. keyname is the name of the key, and secret is the
154 base64-encoded shared secret. hmac is the name of the key algo‐
155 rithm; valid choices are hmac-md5, hmac-sha1, hmac-sha224,
156 hmac-sha256, hmac-sha384, or hmac-sha512. If hmac is not speci‐
157 fied, the default is hmac-md5; if MD5 was disabled, the default
158 is hmac-sha256.
159 NOTE:
161 Only the -k option should be used, rather than the -y option, be‐
162 cause with -y the shared secret is supplied as a command-line argu‐
163 ment in clear text. This may be visible in the output from ps1 or in
164 a history file maintained by the user's shell.
165
167 dig provides a number of query options which affect the way in which
168 lookups are made and the results displayed. Some of these set or reset
169 flag bits in the query header, some determine which sections of the an‐
170 swer get printed, and others determine the timeout and retry strate‐
171 gies.
172 Each query option is identified by a keyword preceded by a plus sign
174 (+). Some keywords set or reset an option; these may be preceded by the
175 string no to negate the meaning of that keyword. Other keywords assign
176 values to options, like the timeout interval. They have the form +key‐
177 word=value. Keywords may be abbreviated, provided the abbreviation is
178 unambiguous; for example, +cd is equivalent to +cdflag. The query op‐
179 tions are:
180 +[no]aaflag
182 This option is a synonym for +[no]aaonly.
183 +[no]aaonly
185 This option sets the aa flag in the query.
186 +[no]additional
188 This option displays [or does not display] the additional sec‐
189 tion of a reply. The default is to display it.
190 +[no]adflag
192 This option sets [or does not set] the AD (authentic data) bit
193 in the query. This requests the server to return whether all of
194 the answer and authority sections have been validated as secure,
195 according to the security policy of the server. AD=1 indicates
196 that all records have been validated as secure and the answer is
197 not from a OPT-OUT range. AD=0 indicates that some part of the
198 answer was insecure or not validated. This bit is set by de‐
199 fault.
200 +[no]all
202 This option sets or clears all display flags.
203 +[no]answer
205 This option displays [or does not display] the answer section of
206 a reply. The default is to display it.
207 +[no]authority
209 This option displays [or does not display] the authority section
210 of a reply. The default is to display it.
211 +[no]badcookie
213 This option retries the lookup with a new server cookie if a
214 BADCOOKIE response is received.
215 +[no]besteffort
217 This option attempts to display the contents of messages which
218 are malformed. The default is to not display malformed answers.
219 +bufsize[=B]
221 This option sets the UDP message buffer size advertised using
222 EDNS0 to B bytes. The maximum and minimum sizes of this buffer
223 are 65535 and 0, respectively. +bufsize=0 disables EDNS (use
224 +bufsize=0 +edns to send an EDNS message with an advertised size
225 of 0 bytes). +bufsize restores the default buffer size.
226 +[no]cdflag
228 This option sets [or does not set] the CD (checking disabled)
229 bit in the query. This requests the server to not perform DNSSEC
230 validation of responses.
231 +[no]class
233 This option displays [or does not display] the CLASS when print‐
234 ing the record.
235 +[no]cmd
237 This option toggles the printing of the initial comment in the
238 output, identifying the version of dig and the query options
239 that have been applied. This option always has a global effect;
240 it cannot be set globally and then overridden on a per-lookup
241 basis. The default is to print this comment.
242 +[no]comments
244 This option toggles the display of some comment lines in the
245 output, with information about the packet header and OPT pseudo‐
246 section, and the names of the response section. The default is
247 to print these comments.
248 Other types of comments in the output are not affected by this
250 option, but can be controlled using other command-line switches.
251 These include +[no]cmd, +[no]question, +[no]stats, and
252 +[no]rrcomments.
253 +[no]cookie=####
255 This option sends [or does not send] a COOKIE EDNS option, with
256 an optional value. Replaying a COOKIE from a previous response
257 allows the server to identify a previous client. The default is
258 +cookie.
259 +cookie is also set when +trace is set to better emulate the de‐
261 fault queries from a nameserver.
262 +[no]crypto
264 This option toggles the display of cryptographic fields in
265 DNSSEC records. The contents of these fields are unnecessary for
266 debugging most DNSSEC validation failures and removing them
267 makes it easier to see the common failures. The default is to
268 display the fields. When omitted, they are replaced by the
269 string [omitted] or, in the DNSKEY case, the key ID is displayed
270 as the replacement, e.g. [ key id = value ].
271 +[no]defname
273 This option, which is deprecated, is treated as a synonym for
274 +[no]search.
275 +[no]dnssec
277 This option requests that DNSSEC records be sent by setting the
278 DNSSEC OK (DO) bit in the OPT record in the additional section
279 of the query.
280 +domain=somename
282 This option sets the search list to contain the single domain
283 somename, as if specified in a domain directive in /etc/re‐
284 solv.conf, and enables search list processing as if the +search
285 option were given.
286 +dscp=value
288 This option sets the DSCP code point to be used when sending the
289 query. Valid DSCP code points are in the range [0...63]. By de‐
290 fault no code point is explicitly set.
291 +[no]edns[=#]
293 This option specifies the EDNS version to query with. Valid val‐
294 ues are 0 to 255. Setting the EDNS version causes an EDNS query
295 to be sent. +noedns clears the remembered EDNS version. EDNS is
296 set to 0 by default.
297 +[no]ednsflags[=#]
299 This option sets the must-be-zero EDNS flags bits (Z bits) to
300 the specified value. Decimal, hex, and octal encodings are ac‐
301 cepted. Setting a named flag (e.g., DO) is silently ignored. By
302 default, no Z bits are set.
303 +[no]ednsnegotiation
305 This option enables/disables EDNS version negotiation. By de‐
306 fault, EDNS version negotiation is enabled.
307 +[no]ednsopt[=code[:value]]
309 This option specifies the EDNS option with code point code and
310 an optional payload of value as a hexadecimal string. code can
311 be either an EDNS option name (for example, NSID or ECS) or an
312 arbitrary numeric value. +noednsopt clears the EDNS options to
313 be sent.
314 +[no]expire
316 This option sends an EDNS Expire option.
317 +[no]fail
319 This option indicates that named should try [or not try] the
320 next server if a SERVFAIL is received. The default is to not try
321 the next server, which is the reverse of normal stub resolver
322 behavior.
323 +[no]header-only
325 This option sends a query with a DNS header without a question
326 section. The default is to add a question section. The query
327 type and query name are ignored when this is set.
328 +[no]identify
330 This option shows [or does not show] the IP address and port
331 number that supplied the answer, when the +short option is en‐
332 abled. If short form answers are requested, the default is not
333 to show the source address and port number of the server that
334 provided the answer.
335 +[no]idnin
337 This option processes [or does not process] IDN domain names on
338 input. This requires IDN SUPPORT to have been enabled at compile
339 time.
340 The default is to process IDN input when standard output is a
342 tty. The IDN processing on input is disabled when dig output is
343 redirected to files, pipes, and other non-tty file descriptors.
344 +[no]idnout
346 This option converts [or does not convert] puny code on output.
347 This requires IDN SUPPORT to have been enabled at compile time.
348 The default is to process puny code on output when standard out‐
350 put is a tty. The puny code processing on output is disabled
351 when dig output is redirected to files, pipes, and other non-tty
352 file descriptors.
353 +[no]ignore
355 This option ignores [or does not ignore] truncation in UDP re‐
356 sponses instead of retrying with TCP. By default, TCP retries
357 are performed.
358 +[no]keepalive
360 This option sends [or does not send] an EDNS Keepalive option.
361 +[no]keepopen
363 This option keeps [or does not keep] the TCP socket open between
364 queries, and reuses it rather than creating a new TCP socket for
365 each lookup. The default is +nokeepopen.
366 +[no]mapped
368 This option allows [or does not allow] mapped IPv4-over-IPv6 ad‐
369 dresses to be used. The default is +mapped.
370 +[no]multiline
372 This option prints [or does not print] records, like the SOA
373 records, in a verbose multi-line format with human-readable com‐
374 ments. The default is to print each record on a single line to
375 facilitate machine parsing of the dig output.
376 +ndots=D
378 This option sets the number of dots (D) that must appear in name
379 for it to be considered absolute. The default value is that de‐
380 fined using the ndots statement in /etc/resolv.conf, or 1 if no
381 ndots statement is present. Names with fewer dots are inter‐
382 preted as relative names, and are searched for in the domains
383 listed in the search or domain directive in /etc/resolv.conf if
384 +search is set.
385 +[no]nsid
387 When enabled, this option includes an EDNS name server ID re‐
388 quest when sending a query.
389 +[no]nssearch
391 When this option is set, dig attempts to find the authoritative
392 name servers for the zone containing the name being looked up,
393 and display the SOA record that each name server has for the
394 zone. Addresses of servers that did not respond are also
395 printed.
396 +[no]onesoa
398 When enabled, this option prints only one (starting) SOA record
399 when performing an AXFR. The default is to print both the start‐
400 ing and ending SOA records.
401 +[no]opcode=value
403 When enabled, this option sets (restores) the DNS message opcode
404 to the specified value. The default value is QUERY (0).
405 +padding=value
407 This option pads the size of the query packet using the EDNS
408 Padding option to blocks of value bytes. For example, +pad‐
409 ding=32 causes a 48-byte query to be padded to 64 bytes. The de‐
410 fault block size is 0, which disables padding; the maximum is
411 512. Values are ordinarily expected to be powers of two, such as
412 128; however, this is not mandatory. Responses to padded queries
413 may also be padded, but only if the query uses TCP or DNS
414 COOKIE.
415 +[no]qr
417 This option toggles the display of the query message as it is
418 sent. By default, the query is not printed.
419 +[no]question
421 This option toggles the display of the question section of a
422 query when an answer is returned. The default is to print the
423 question section as a comment.
424 +[no]raflag
426 This option sets [or does not set] the RA (Recursion Available)
427 bit in the query. The default is +noraflag. This bit is ignored
428 by the server for QUERY.
429 +[no]rdflag
431 This option is a synonym for +[no]recurse.
432 +[no]recurse
434 This option toggles the setting of the RD (recursion desired)
435 bit in the query. This bit is set by default, which means dig
436 normally sends recursive queries. Recursion is automatically
437 disabled when the +nssearch or +trace query option is used.
438 +retry=T
440 This option sets the number of times to retry UDP and TCP
441 queries to server to T instead of the default, 2. Unlike
442 +tries, this does not include the initial query.
443 +[no]rrcomments
445 This option toggles the display of per-record comments in the
446 output (for example, human-readable key information about DNSKEY
447 records). The default is not to print record comments unless
448 multiline mode is active.
449 +[no]search
451 This option uses [or does not use] the search list defined by
452 the searchlist or domain directive in resolv.conf, if any. The
453 search list is not used by default.
454 ndots from resolv.conf (default 1), which may be overridden by
456 +ndots, determines whether the name is treated as relative and
457 hence whether a search is eventually performed.
458 +[no]short
460 This option toggles whether a terse answer is provided. The de‐
461 fault is to print the answer in a verbose form. This option al‐
462 ways has a global effect; it cannot be set globally and then
463 overridden on a per-lookup basis.
464 +[no]showsearch
466 This option performs [or does not perform] a search showing in‐
467 termediate results.
468 +[no]sigchase
470 This feature is now obsolete and has been removed; use delv in‐
471 stead.
472 +split=W
474 This option splits long hex- or base64-formatted fields in re‐
475 source records into chunks of W characters (where W is rounded
476 up to the nearest multiple of 4). +nosplit or +split=0 causes
477 fields not to be split at all. The default is 56 characters, or
478 44 characters when multiline mode is active.
479 +[no]stats
481 This option toggles the printing of statistics: when the query
482 was made, the size of the reply, etc. The default behavior is to
483 print the query statistics as a comment after each lookup.
484 +[no]subnet=addr[/prefix-length]
486 This option sends [or does not send] an EDNS CLIENT-SUBNET op‐
487 tion with the specified IP address or network prefix.
488 dig +subnet=0.0.0.0/0, or simply dig +subnet=0 for short, sends
490 an EDNS CLIENT-SUBNET option with an empty address and a source
491 prefix-length of zero, which signals a resolver that the
492 client's address information must not be used when resolving
493 this query.
494 +[no]tcflag
496 This option sets [or does not set] the TC (TrunCation) bit in
497 the query. The default is +notcflag. This bit is ignored by the
498 server for QUERY.
499 +[no]tcp
501 This option uses [or does not use] TCP when querying name
502 servers. The default behavior is to use UDP unless a type any or
503 ixfr=N query is requested, in which case the default is TCP.
504 AXFR queries always use TCP.
505 +timeout=T
507 This option sets the timeout for a query to T seconds. The de‐
508 fault timeout is 5 seconds. An attempt to set T to less than 1
509 is silently set to 1.
510 +[no]topdown
512 This feature is related to dig +sigchase, which is obsolete and
513 has been removed. Use delv instead.
514 +[no]trace
516 This option toggles tracing of the delegation path from the root
517 name servers for the name being looked up. Tracing is disabled
518 by default. When tracing is enabled, dig makes iterative queries
519 to resolve the name being looked up. It follows referrals from
520 the root servers, showing the answer from each server that was
521 used to resolve the lookup.
522 If @server is also specified, it affects only the initial query
524 for the root zone name servers.
525 +dnssec is also set when +trace is set, to better emulate the
527 default queries from a name server.
528 +tries=T
530 This option sets the number of times to try UDP and TCP queries
531 to server to T instead of the default, 3. If T is less than or
532 equal to zero, the number of tries is silently rounded up to 1.
533 +trusted-key=####
535 This option formerly specified trusted keys for use with dig
536 +sigchase. This feature is now obsolete and has been removed;
537 use delv instead.
538 +[no]ttlid
540 This option displays [or does not display] the TTL when printing
541 the record.
542 +[no]ttlunits
544 This option displays [or does not display] the TTL in friendly
545 human-readable time units of s, m, h, d, and w, representing
546 seconds, minutes, hours, days, and weeks. This implies +ttlid.
547 +[no]unexpected
549 This option accepts [or does not accept] answers from unexpected
550 sources. By default, dig will not accept a reply from a source
551 other than the one to which it sent the query.
552 +[no]unknownformat
554 This option prints all RDATA in unknown RR type presentation
555 format (RFC 3597). The default is to print RDATA for known
556 types in the type's presentation format.
557 +[no]vc
559 This option uses [or does not use] TCP when querying name
560 servers. This alternate syntax to +[no]tcp is provided for back‐
561 wards compatibility. The vc stands for "virtual circuit."
562 +[no]yaml
564 When enabled, this option prints the responses (and, if +qr is
565 in use, also the outgoing queries) in a detailed YAML format.
566 +[no]zflag
568 This option sets [or does not set] the last unassigned DNS
569 header flag in a DNS query. This flag is off by default.
570
572 The BIND 9 implementation of dig supports specifying multiple queries
573 on the command line (in addition to supporting the -f batch file op‐
574 tion). Each of those queries can be supplied with its own set of flags,
575 options, and query options.
576 In this case, each query argument represents an individual query in the
578 command-line syntax described above. Each consists of any of the stan‐
579 dard options and flags, the name to be looked up, an optional query
580 type and class, and any query options that should be applied to that
581 query.
582 A global set of query options, which should be applied to all queries,
584 can also be supplied. These global query options must precede the first
585 tuple of name, class, type, options, flags, and query options supplied
586 on the command line. Any global query options (except +[no]cmd and
587 +[no]short options) can be overridden by a query-specific set of query
588 options. For example:
589 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
591 shows how dig can be used from the command line to make three lookups:
593 an ANY query for www.isc.org, a reverse lookup of 127.0.0.1, and a
594 query for the NS records of isc.org. A global query option of +qr is
595 applied, so that dig shows the initial query it made for each lookup.
596 The final query has a local query option of +noqr which means that dig
597 does not print the initial query when it looks up the NS records for
598 isc.org.
599
601 If dig has been built with IDN (internationalized domain name) support,
602 it can accept and display non-ASCII domain names. dig appropriately
603 converts character encoding of a domain name before sending a request
604 to a DNS server or displaying a reply from the server. To turn off IDN
605 support, use the parameters +noidnin and +noidnout, or define the
606 IDN_DISABLE environment variable.
607
609 dig return codes are:
610 0 DNS response received, including NXDOMAIN status
612 1 Usage error
614 8 Couldn't open batch file
616 9 No reply from server
618 10 Internal error
620
622 /etc/resolv.conf
623 ${HOME}/.digrc
625
627 delv(1), host(1), named(8), dnssec-keygen(8), RFC 1035.
628
630 There are probably too many query options.
631
633 Internet Systems Consortium
634
636 2021, Internet Systems Consortium
6379.16.23-RH DIG(1)