dig(1M)               System Administration Commands               dig(1M)

NAME
dig - DNS lookup utility

SYNOPSIS
    dig [@server] [-b address] [-c class] [-f filename]
        [-k filename] [-m] [-p port#] [-t type] [-x addr]
        [-y name:key] [-4] [-6] [name] [type] [class] [queryopt]...

    dig [-h]

    dig [global-queryopt...] [query...]

DESCRIPTION
The dig utility (domain information groper) is a flexible tool for
interrogating DNS name servers. It performs DNS lookups and displays
the answers that are returned from the name server(s) that were
queried. Most DNS administrators use dig to troubleshoot DNS problems
because of its flexibility, ease of use and clarity of output. Other
lookup tools tend to have less functionality than dig.

Although dig is normally used with command-line arguments, it also has
a batch mode of operation for reading lookup requests from a file. A
brief summary of its command-line arguments and options is printed when
the -h option is specified. Unlike earlier versions, the BIND 9
implementation of dig allows multiple lookups to be issued from the
command line.

Unless it is told to query a specific name server, dig tries each of
the servers listed in /etc/resolv.conf.

When no command-line arguments or options are given, dig performs an NS
query for "." (the root).

It is possible to set per-user defaults for dig with ${HOME}/.digrc.
This file is read and any options in it are applied before the
command-line arguments.

The IN and CH class names overlap with the IN and CH top-level domain
names. Either use the -t and -c options to specify the type and class,
or use "IN." and "CH." when looking up these top-level domains.

Simple Usage
The following is a typical invocation of dig:

    dig @server name type

where:

server
    The name or IP address of the name server to query. This can be an
    IPv4 address in dotted-decimal notation or an IPv6 address in
    colon-delimited notation. When the supplied server argument is a
    hostname, dig resolves that name before querying that name server.
    If no server argument is provided, dig consults /etc/resolv.conf
    and queries the name servers listed there. The reply from the name
    server that responds is displayed.

name
    The name of the resource record that is to be looked up.

type
    Indicates what type of query is required (ANY, A, MX, SIG, among
    others). type can be any valid query type. If no type argument is
    supplied, dig performs a lookup for an A record.

OPTIONS
The following options are supported:

-4
    Use only IPv4 transport. By default both IPv4 and IPv6 transports
    can be used. Options -4 and -6 are mutually exclusive.

-6
    Use only IPv6 transport. By default both IPv4 and IPv6 transports
    can be used. Options -4 and -6 are mutually exclusive.

-b address
    Set the source IP address of the query to address. This must be a
    valid address on one of the host's network interfaces or 0.0.0.0
    or ::. An optional port may be specified by appending #<port>.

-c class
    Override the default query class (IN for internet). The class
    argument is any valid class, such as HS for Hesiod records or CH
    for CHAOSNET records.

-f filename
    Operate in batch mode by reading a list of lookup requests to
    process from the file filename. The file contains a number of
    queries, one per line. Each entry in the file should be organized
    in the same way it would be presented as a query to dig using the
    command-line interface.

-h
    Print a brief summary of command-line arguments and options.

-k filename
    Specify a transaction signature (TSIG) key file to sign the DNS
    queries sent by dig and their responses using TSIGs.

-m
    Enable memory usage debugging.

-p port#
    Query a non-standard port number. The port# argument is the port
    number to which dig sends its queries instead of the standard DNS
    port number 53. This option tests a name server that has been
    configured to listen for queries on a non-standard port number.

-t type
    Set the query type to type, which can be any valid query type
    supported in BIND9. The default query type is "A", unless the -x
    option is supplied to indicate a reverse lookup. A zone transfer
    can be requested by specifying a type of AXFR. When an incremental
    zone transfer (IXFR) is required, type is set to ixfr=N. The
    incremental zone transfer will contain the changes made to the
    zone since the serial number in the zone's SOA record was N.

-x addr
    Simplify reverse lookups (mapping addresses to names). The addr
    argument is an IPv4 address in dotted-decimal notation, or a
    colon-delimited IPv6 address. When this option is used, there is
    no need to provide the name, class and type arguments. The dig
    utility automatically performs a lookup for a name like
    11.12.13.10.in-addr.arpa and sets the query type and class to PTR
    and IN, respectively. By default, IPv6 addresses are looked up
    using nibble format under the IP6.ARPA domain. To use the older
    RFC 1886 method using the IP6.INT domain, specify the -i option.
    Bit string labels (RFC 2874) are now experimental and are not
    attempted.

-y name:key
    Specify a transaction signature (TSIG) key on the command line.
    This is done to sign the DNS queries sent by dig, as well as their
    responses. You can also specify the TSIG key itself on the command
    line using the -y option. The name argument is the name of the
    TSIG key and the key argument is the actual key. The key is a
    base-64 encoded string, typically generated by dnssec-keygen(1M).
    Caution should be taken when using the -y option on multi-user
    systems, since the key can be visible in the output from ps(1) or
    in the shell's history file. When using TSIG authentication with
    dig, the name server that is queried needs to know the key and
    algorithm that is being used. In BIND, this is done by providing
    appropriate key and server statements in named.conf.

QUERY OPTIONS
The dig utility provides a number of query options which affect the way
in which lookups are made and the results displayed. Some of these set
or reset flag bits in the query header, some determine which sections
of the answer get printed, and others determine the timeout and retry
strategies.

Each query option is identified by a keyword preceded by a plus sign
(+). Some keywords set or reset an option. These may be preceded by the
string no to negate the meaning of that keyword. Other keywords assign
values to options like the timeout interval. They have the form
+keyword=value. The query options are:

+[no]tcp
    Use [do not use] TCP when querying name servers. The default
    behaviour is to use UDP unless an AXFR or IXFR query is requested,
    in which case a TCP connection is used.

+[no]vc
    Use [do not use] TCP when querying name servers. This alternate
    syntax to +[no]tcp is provided for backwards compatibility. The
    "vc" stands for "virtual circuit".

+[no]ignore
    Ignore truncation in UDP responses instead of retrying with TCP.
    By default, TCP retries are performed.

+domain=somename
    Set the search list to contain the single domain somename, as if
    specified in a domain directive in /etc/resolv.conf, and enable
    search list processing as if the +search option were given.

+[no]search
    Use [do not use] the search list defined by the searchlist or
    domain directive in resolv.conf (if any). The search list is not
    used by default.

+[no]defname
    Deprecated, treated as a synonym for +[no]search.

+[no]aaonly
    Sets the aa flag in the query.

+[no]aaflag
    A synonym for +[no]aaonly.

+[no]adflag
    Set [do not set] the AD (authentic data) bit in the query. The AD
    bit currently has a standard meaning only in responses, not in
    queries, but the ability to set the bit in the query is provided
    for completeness.

+[no]cdflag
    Set [do not set] the CD (checking disabled) bit in the query. This
    requests the server to not perform DNSSEC validation of responses.

+[no]cl
    Display [do not display] the CLASS when printing the record.

+[no]ttlid
    Display [do not display] the TTL when printing the record.

+[no]recurse
    Toggle the setting of the RD (recursion desired) bit in the query.
    This bit is set by default, which means dig normally sends
    recursive queries. Recursion is automatically disabled when the
    +nssearch or +trace query options are used.

+[no]nssearch
    When this option is set, dig attempts to find the authoritative
    name servers for the zone containing the name being looked up and
    display the SOA record that each name server has for the zone.

+[no]trace
    Toggle tracing of the delegation path from the root name servers
    for the name being looked up. Tracing is disabled by default. When
    tracing is enabled, dig makes iterative queries to resolve the
    name being looked up. It will follow referrals from the root
    servers, showing the answer from each server that was used to
    resolve the lookup.

+[no]cmd
    Toggle the printing of the initial comment in the output
    identifying the version of dig and the query options that have
    been applied. This comment is printed by default.

+[no]short
    Provide a terse answer. The default is to print the answer in a
    verbose form.

+[no]identify
    Show [or do not show] the IP address and port number that supplied
    the answer when the +short option is enabled. If short form
    answers are requested, the default is not to show the source
    address and port number of the server that provided the answer.

+[no]comments
    Toggle the display of comment lines in the output. The default is
    to print comments.

+[no]stats
    Toggle the printing of statistics: when the query was made, the
    size of the reply and so on. The default behaviour is to print the
    query statistics.

+[no]qr
    Print [do not print] the query as it is sent. By default, the
    query is not printed.

+[no]question
    Print [do not print] the question section of a query when an
    answer is returned. The default is to print the question section
    as a comment.

+[no]answer
    Display [do not display] the answer section of a reply. The
    default is to display it.

+[no]authority
    Display [do not display] the authority section of a reply. The
    default is to display it.

+[no]additional
    Display [do not display] the additional section of a reply. The
    default is to display it.

+[no]all
    Set or clear all display flags.

+time=T
    Sets the timeout for a query to T seconds. The default timeout is
    5 seconds. An attempt to set T to less than 1 will result in a
    query timeout of 1 second being applied.

+tries=T
    Sets the maximum number of UDP attempts to T. The default number
    is 3 (1 initial attempt followed by 2 retries). If T is less than
    or equal to zero, the number of retries is silently rounded up to
    1.

+retry=T
    Sets the number of UDP retries to T. The default is 2.

+ndots=D
    Set the number of dots that have to appear in name to D for it to
    be considered absolute. The default value is that defined using
    the ndots statement in /etc/resolv.conf, or 1 if no ndots
    statement is present. Names with fewer dots are interpreted as
    relative names and will be searched for in the domains listed in
    the search or domain directive in /etc/resolv.conf.

+bufsize=B
    Set the UDP message buffer size advertised using EDNS0 to B bytes.
    The maximum and minimum sizes of this buffer are 65535 and 0
    respectively. Values outside this range are rounded up or down
    appropriately.

+[no]multiline
    Print records like the SOA records in a verbose multi-line format
    with human-readable comments. The default is to print each record
    on a single line, to facilitate machine parsing of the dig output.

+[no]fail
    Do not try the next server if you receive a SERVFAIL. The default
    is to not try the next server which is the reverse of normal stub
    resolver behavior.

+[no]besteffort
    Attempt to display the contents of messages which are malformed.
    The default is to not display malformed answers.

+[no]dnssec
    Request DNSSEC records be sent by setting the DNSSEC OK bit (DO)
    in the OPT record in the additional section of the query.

+[no]sigchase
    Chase DNSSEC signature chains. Requires dig be compiled with
    -DDIG_SIGCHASE.

+trusted-key=####
    Specifies a file containing trusted keys to be used with
    +sigchase. Each DNSKEY record must be on its own line.

    If not specified dig will look for /etc/trusted-key.key then
    trusted-key.key in the current directory.

    Requires dig be compiled with -DDIG_SIGCHASE.

+[no]topdown
    When chasing DNSSEC signature chains, perform a top-down
    validation. Requires dig be compiled with -DDIG_SIGCHASE.

MULTIPLE QUERIES
The BIND 9 implementation of dig supports specifying multiple queries
on the command line (in addition to supporting the -f batch file
option). Each of those queries can be supplied with its own set of
flags, options and query options.

In this case, each query argument represents an individual query in the
command-line syntax described above. Each consists of any of the
standard options and flags, the name to be looked up, an optional query
type and class, and any query options that should be applied to that
query.

A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
on the command line. Any global query options (except the +[no]cmd
option) can be overridden by a query-specific set of query options. For
example:

    dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

shows how dig could be used from the command line to make three
lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1
and a query for the NS records of isc.org. A global query option of +qr
is applied, so that dig shows the initial query it made for each
lookup. The final query has a local query option of +noqr which means
that dig will not print the initial query when it looks up the NS
records for isc.org.

FILES
/etc/resolv.conf
    Resolver configuration file

${HOME}/.digrc
    User-defined configuration file

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│ Availability                │ SUNWbind                    │
├─────────────────────────────┼─────────────────────────────┤
│ Interface Stability         │ External                    │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO
dnssec-keygen(1M), host(1M), named(1M), nslookup(1M), attributes(5)

RFC 1035

BUGS
There are probably too many query options.

NOTES
nslookup(1M) and dig now report "Not Implemented" as NOTIMP rather
than NOTIMPL. This will have impact on scripts that are looking for
NOTIMPL.

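The following is an added example, not part of the original manual page: a shell sketch of how a monitoring script can read the response code and header flags from dig's comment output while accepting both the NOTIMP and NOTIMPL spellings. The function names and the sample header text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of dig's comment header (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OLD=';; ->>HEADER<<- opcode: UPDATE, status: NOTIMPL, id: 4243
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# dig_status (hypothetical helper): read dig output on stdin and print the
# response code, normalising the older NOTIMPL spelling to NOTIMP.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z0-9]*\),.*/\1/p' |
        head -n 1 | sed 's/^NOTIMPL$/NOTIMP/'
}

# dig_has_flag FLAG (hypothetical helper): succeed if FLAG (qr, aa, rd, ra,
# ad, cd, ...) is present in the header flags line read from stdin.
dig_has_flag() {
    flags=$(sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# dig_validated (hypothetical helper): 0 = NOERROR with the AD bit set,
# 1 = any other answer, 2 = no header found (e.g. +nocomments or +short).
dig_validated() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    [ -n "$status" ] || return 2
    [ "$status" = "NOERROR" ] || return 1
    printf '%s\n' "$out" | dig_has_flag ad
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK"  | dig_status
printf '%s\n' "$SAMPLE_OLD" | dig_status

# Usage against a live resolver (needs network access):
#   dig +dnssec example.com | dig_validated && echo validated
```

Treating a missing header as a distinct failure keeps a script from reporting success when the output was produced with +short or +nocomments.
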
SunOS 5.11                     24 Dec 2008                     dig(1M)