The dig utility (Domain Information Groper) is a powerful command-line tool used in Unix and Linux systems to query DNS servers. It is designed to retrieve information about DNS records and diagnose DNS-related problems. Dig allows users to perform queries to specific DNS servers, obtaining detailed information about various types of DNS records, including A records (addresses), MX records (mail servers), NS records (name servers), and others.
In Ubuntu, the dig utility is part of the dnsutils package. To install it, run the command:
apt install dnsutils
dig Parameters
The dig utility uses a standard command line to form domain queries for DNS servers. The dig command format is as follows:
dig [@server] domain [query-type] [query-class] [+query-option] [-dig-option] [%comment]
Here, server is the optional name of a DNS server. By default, dig uses the DNS server specified in the /etc/resolv.conf file. You can specify the server either by hostname or by IP address. If a hostname is given, dig uses the default DNS server to resolve it to an IP address and then queries that IP for information about the domain. The query-type parameter is the type of resource record requested in the query (A, SOA, NS, and MX). To get all information about a domain, you can specify the query-type any. The query-class parameter is the network information class, which can also be specified in the query. By default, this parameter is always IN for the Internet network.
The +query-option parameter is used to change the value of a parameter in the DNS packet or to modify the output format of the dig results. Most of these parameters overlap with the parameters of the nslookup program. Below are the parameters that can be used in a dig query.
- Dig Utility Parameters
| Parameter | Description |
|---|---|
| [no]debug | Enables/disables debug mode |
| [no]d2 | Enables/disables full debug mode |
| [no]recurse | Use/do not use recursive chains |
| retry=# | Sets the number of query retries |
| time=# | Sets the timeout interval length |
| [no]ko | Keeps the connection open (implies vc) |
| [no]vc | Use/do not use a virtual circuit |
| [no]defname | Use/do not use the default domain name |
| [no]search | Use/do not use the search list |
| domain=NAME | Sets the default domain name to NAME |
| [no]ignore | Ignore/do not ignore truncation errors |
| [no]primary | Use/do not use the primary server |
| [no]aaonly | Flag for an authoritative query |
| [no]trace | Show query trace |
| [no]cmd | Display arguments during analysis |
| [no]stats | Output query statistics |
| [no]Header | Output basic header |
| [no]header | Output header flags |
| [no]ttlid | Display TTL |
| [no]cl | Output class information |
| [no]qr | Display outgoing query |
| [no]reply | Output response |
| [no]ques | Output question field |
| [no]answer | Output answer field |
| [no]author | Output authority field |
| [no]addit | Output additional information field |
| pfdef | Sets default flag output |
| pfmin | Sets minimal flag output |
| pfset=# | Sets the number of output flags to # |
| pfand=# | Output # flags bitwise via AND operation |
| pfor=# | Output # flags bitwise via OR operation |
The -dig-option parameter is used to specify other options that affect how dig operates.
- Parameters Affecting dig Operation
| Parameter | Description |
|---|---|
| -x | Specifies inverse address resolution in normal notation |
| -f | Reads a file for further batch processing |
| -T | Time in seconds before turning on batch processing mode |
| -p | Port number to use |
| -P | Issue a ping command after receiving a response |
| -t | Specifies query type |
| -c | Specifies query class |
| -envsav | dig parameters should be saved for future default use |
Examples of using dig
To display only the answer section in dig, use the options +noall +answer:
# dig dieg.info +noall +answer
dieg.info. 891 IN A 185.253.219.218
- How to check if zones have updated on slave DNS servers? To do this, you need to query the SOA records for the master and slave DNS servers. The DNS server being queried is specified after the ‘@’ sign:
dig @195.x.x.254 your.domen SOA
dig @195.x.x.164 your.domen SOA
- Is jabber working?
dig @195.x.x.254 srv _jabber._tcp.your.domen
dig @195.x.x.164 srv _jabber._tcp.your.domen
- Reverse DNS query:
$ dig -x 209.85.210.2
; <<>> DiG 9.6.1-P2 <<>> -x 209.85.210.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31663
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;2.210.85.209.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.210.85.209.in-addr.arpa. 86400 IN PTR mail-yx0-f2.google.com.
- Zone transfer – if permitted from your IP, of course:
dig @195.x.x.254 YourDomen.net axfr
- Create a file containing root server addresses:
dig @f.root-servers.net . ns >> root.cache
- Query all record types (any):
# dig news.kh.ua any @8.8.8.8
- To find out the SPF record of a specific domain, you need to request TXT records:
dig example.com txt @8.8.8.8
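The master/slave SOA comparison from the first item in this list can be scripted. The following is an added example, not part of the original article: the function names, the documentation addresses and the serial numbers are assumptions made for illustration, and the serial comparison goes slightly beyond the text by handling 32-bit wraparound.

```shell
#!/bin/sh
# Query each server for the zone's SOA; prints "<server> <SOA answer>" per line.
# List the master first. Needs network access, so the demo below does not call it.
collect_soa() {
    zone=$1; shift
    for server in "$@"; do
        printf '%s %s\n' "$server" "$(dig +short "@$server" "$zone" SOA)"
    done
}

# Reads collect_soa-style lines on stdin (first line = master) and prints
# "<server> <state> [serial]". Exit status is non-zero if any copy differs.
check_zone_sync() {
    awk '
        function cmp(a, b,    d) {      # RFC 1982 comparison: serials wrap at 2^32
            d = (a - b) % 4294967296
            if (d < 0) d += 4294967296
            return (d == 0) ? "in-sync" : (d < 2147483648 ? "ahead" : "behind")
        }
        { ok = (NF >= 8 && $4 ~ /^[0-9]+$/) }   # server name plus 7 SOA fields
        !ok { print $1, "no-answer"; bad = 1; next }
        NR == 1 { master = $4; have = 1; print $1, "master", $4; next }
        !have { print $1, "unknown", $4; bad = 1; next }
        {
            state = cmp($4, master)
            if (state != "in-sync") bad = 1
            print $1, state, $4
        }
        END { exit bad + 0 }'
}

# Constructed sample (documentation addresses, invented serials).
sample_soa_lines() {
cat <<'EOF'
192.0.2.1 ns1.example.com. hostmaster.example.com. 2024051702 7200 3600 1209600 3600
192.0.2.2 ns1.example.com. hostmaster.example.com. 2024051702 7200 3600 1209600 3600
192.0.2.3 ns1.example.com. hostmaster.example.com. 2024051701 7200 3600 1209600 3600
192.0.2.4
EOF
}

sample_soa_lines | check_zone_sync || echo "secondaries are not in sync with the master"
```

Against live servers the input comes from collect_soa, with the master listed first: collect_soa your.domen 195.x.x.254 195.x.x.164 | check_zone_sync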
How to display only the IP address in dig without additional lines
Using the +short option, the output of the dig command will be strictly limited to the IP address. Below are examples for A and MX records:
# dig dieg.info +short
185.253.219.218
# dig dieg.info mx +short
0 mail.dieg.info.
How to view MX records for a domain
The dig program allows you to query and display information for various types of DNS resources. To show which MX records a domain has, run the command:
dig dieg.info mx
To reduce the displayed information, the requested record type (as well as other options) can be combined with the +short option:
dig dieg.info mx +short
Domain Ownership Verification in Google Console using a DNS TXT Record
Domain ownership verification in Google Console using the provider Namecheap as an example.
By verifying domain ownership, you can use your Google service, such as G Suite, Drive Enterprise, or Cloud Identity. A G Suite account provides access to Gmail, Google Drive, and other services.
When registering for a Google service, you will receive a verification record that needs to be copied and added to your domain settings (usually found at your domain registrar).
The Google verification record has the following format: google-site-verification=[unique alphanumeric string].
On the Namecheap website, click Manage. Open the Advanced DNS tab on the toolbar. Select TXT Record from the drop-down list. Paste the verification record text into the Value field. Specify the value @ in the Host field. Select Automatic for the TTL parameter. Click the checkmark to save the record.
Verify the correctness of the configuration using the dig utility:
dig example.com txt @8.8.8.8
Output all TXT records, including the Google verification record:
dig dieg.info txt +short
"v=spf1 include:zoho.eu mx a ~all"
"v=DMARC1; p=none; rua=mailto:[email protected]"
"google-site-verification=sm5d51AVXlIwW5ODgl6ookFgezviNuMfY4kBNkfm6fk"
"zoho-verification=zb69704592.zmverify.zoho.eu"
"google-site-verification=1Vnvx7hF8QBHyu7G5S-q2rNf6z5R4cbcW13jflMqmMQ"
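The TXT checks described above (finding the SPF record and confirming that a verification record is published) can be automated over dig's +short output. This is an added example, not part of the original article: the function names and the sample records, including the placeholder token, are constructed for illustration.

```shell
#!/bin/sh
# Normalise `dig <domain> txt +short` output: dig prints long TXT data as several
# quoted chunks ("part1" "part2"); join them and strip the outer quotes.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeeds only if the exact record is published (whole-line match, so a value
# that is merely a prefix of another record does not count).
# usage: dig example.com txt +short | has_txt_value 'google-site-verification=...'
has_txt_value() {
    txt_values | grep -Fqx -- "$1"
}

# Prints "spf-all=<terminal all mechanism>" per SPF record, then "spf-count=N".
# More than one v=spf1 record makes SPF evaluation return permerror (RFC 7208).
spf_summary() {
    txt_values | awk '
        tolower($1) == "v=spf1" {
            n++; q = "missing"
            for (i = 2; i <= NF; i++) if ($i ~ /^[-~?+]?all$/) q = $i
            print "spf-all=" q
        }
        END { print "spf-count=" (n + 0) }'
}

# Constructed sample answer (not real records); the third record is split into
# two quoted chunks and is a second, conflicting SPF record.
sample_txt() {
cat <<'EOF'
"v=spf1 include:mail.example.net mx a ~all"
"google-site-verification=CONSTRUCTED-TOKEN-0001"
"v=spf1 ip4:192.0.2.0/24 " "-all"
EOF
}

sample_txt | spf_summary
sample_txt | has_txt_value 'google-site-verification=CONSTRUCTED-TOKEN-0001' \
    && echo "verification record published"
```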
DIG: Output DNS Query Trace for the Requested Domain
- Output DNS query trace for the requested domain:
# dig +trace man.com
DIG: DNSSEC Validation
dig allows you to see a detailed picture of name resolution. To ensure that the server or resolver is working correctly, you can use the following commands, after first adding the domain key as trusted to the configuration file:
dig @xx.xx.xx.xx www.m-system.net +dnssec
xx.xx.xx.xx — the IP address of your resolver that supports GOST. After executing this command, the ad flag should be present in the response — meaning the data is authenticated.
If the ad flag is missing, but you are requesting the address of a name from a domain whose key you added to the trusted ones, something is wrong.
A SERVFAIL response means that the signature does not match the trusted key, or it is missing.
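The three outcomes described above (ad flag present, ad flag missing, SERVFAIL) can be told apart mechanically from dig's header lines. This is an added example, not part of the original article: the function names are assumptions and the sample headers are constructed rather than captured from a real resolver.

```shell
#!/bin/sh
# Classify one full dig response read from stdin. Prints one of:
#   authenticated | unauthenticated | servfail | no-header
# Flags are compared as whole tokens from the ";; flags:" header line only, so
# "ADDITIONAL" or the EDNS "flags: do" line cannot be mistaken for the ad flag.
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            seen = 1
            line = $0
            sub(/^;; flags:/, "", line)    # drop the label
            sub(/;.*/, "", line)           # keep only the flag list
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (!seen)                     print "no-header"
            else if (status == "SERVFAIL") print "servfail"
            else if (ad)                   print "authenticated"
            else                           print "unauthenticated"
        }'
}

# Constructed dig headers (not captured from a real resolver).
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
EOF
}
sample_unvalidated() {
    sample_validated | sed 's/ ra ad;/ ra;/'
}
sample_bogus() {
    sample_unvalidated | sed -e 's/NOERROR/SERVFAIL/' -e 's/ANSWER: 2/ANSWER: 0/'
}

for s in sample_validated sample_unvalidated sample_bogus; do
    printf '%s: %s\n' "$s" "$("$s" | dnssec_verdict)"
done
```

For a live check, pipe the command from this section into the function: dig @xx.xx.xx.xx www.m-system.net +dnssec | dnssec_verdict. The ad flag is set by the resolver itself, so the verdict is only as trustworthy as the resolver and the network path to it.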






