dig DNS Queries

The primary DNS diagnostic tool. Record lookups, delegation tracing, DNSSEC validation, and scripting patterns.

Basic Queries

Standard lookup — full output with all sections
dig example.com

Returns QUESTION, ANSWER, AUTHORITY, and ADDITIONAL sections plus query statistics. The default record type is A.

Answer only — clean for scripting
dig example.com +short

Strips section headers and statistics. Pipe-friendly: IP=$(dig +short example.com). Two caveats: the output holds one line per record (several for round-robin names, and for an aliased name the CNAME target is printed before the address), and +short also hides the response status, so an empty result can mean NXDOMAIN, no record of that type, or a timeout.

A record with clean output — suppress then re-enable answer section
dig example.com A +noall +answer

+noall suppresses everything, +answer re-enables just the answer section. Gives you record data with field alignment but no noise.

Record Type Queries

AAAA record — IPv6 address lookup
dig example.com AAAA +short

Returns the AAAA records. Empty output only means no AAAA record came back: no IPv6 address is published, the name does not exist, or the query failed. Rerun without +short to see the status (NOERROR versus NXDOMAIN) when the distinction matters.

MX record — mail server routing
dig example.com MX +short

Returns priority and hostname pairs. Lower preference value means higher priority server.

TXT records — SPF, DKIM, DMARC, domain verification
dig example.com TXT +short

Returns each TXT record as one or more quoted strings on one line. A record longer than 255 octets is printed as several quoted chunks that must be concatenated (typical for DKIM keys).

NS records — authoritative nameservers for a zone
dig example.com NS +short

Which DNS servers are responsible for this zone.

SOA record — zone authority metadata
dig example.com SOA +short

Returns, in order: primary nameserver (MNAME), responsible mailbox (RNAME, with the @ written as a dot), serial number, and the refresh, retry, expire and minimum (negative-cache TTL) timers.

CNAME lookup — check if a name is an alias
dig example.com CNAME +short

Returns the canonical target name. Empty if the name is not an alias.

ALL record types — everything the server will share
dig example.com ANY +noall +answer

Many servers no longer answer ANY with the full record set: RFC 8482 permits a minimal response (often a single synthesized HINFO record), and some refuse the query outright. Not reliable for enumeration; query the specific types instead.

Active Directory Service Discovery

SRV record for AD domain controller locator
dig _ldap._tcp.dc._msdcs.inside.domusdigitalis.dev SRV +short

Finds domain controllers via DNS. The answer lists priority, weight, port (389) and the DC hostname; resolve that hostname with an A query next. Essential for domain join, Kerberos, and LDAP client configuration.

Kerberos KDC discovery
dig _kerberos._tcp.inside.domusdigitalis.dev SRV +short

Locates Kerberos Key Distribution Centers (port 88). Linux kinit and sssd use this for authentication; the _kerberos._udp variant exists as well, and clients fall back between the two.

Targeting Specific Servers

Query a specific nameserver — bypass system resolver
dig @10.50.1.50 inside.domusdigitalis.dev A +short

Test AD DNS directly. Proves whether the record exists on that server regardless of your resolver chain.

Query public DNS — compare with local resolver
dig @8.8.8.8 example.com A +short

Differences between local and public results reveal split-horizon (internal-only) zones, stale caches, or, less commonly, a poisoned resolver cache. Compare the TTLs as well: a cached answer shows a decremented TTL, a freshly fetched one the configured value.

Reverse Lookups

PTR lookup — IP to hostname
dig -x 10.50.1.20 +short

Reverse DNS. Critical for RADIUS authentication (ISE validates forward/reverse match) and SSH host verification.

Forward-then-reverse validation — confirm records match
dig +short example.com A | grep -E '^[0-9]+(\.[0-9]+){3}$' | while read -r ip; do dig -x "$ip" +short; done

Prints the PTR name for each A record. The grep drops the CNAME targets that +short prints ahead of the addresses for aliased names; without it they would be handed to dig -x as if they were IPs. RADIUS, SMTP, and Kerberos deployments commonly reject or distrust hosts whose PTR does not match the forward name, so compare each printed name against the name you queried.
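The one-liner above prints the PTR names but leaves the comparison to the eye. The script below (an added example, not part of the original page) does the comparison: it keeps only the IPv4 addresses from the forward answer, looks up each PTR, normalises the trailing dot and case, and exits non-zero on any mismatch so it can gate a provisioning script. The live wrapper assumes dig is on PATH; the sample inputs in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example: forward/reverse consistency check built on dig.
# The helpers ipv4_only and ptr_matches are pure text processing;
# check_forward_reverse is the live wrapper and needs dig on PATH.

# Keep only IPv4 addresses from `dig +short NAME A` output, dropping the
# CNAME targets that +short prints ahead of the addresses for aliased names.
# Constructed sample input:  alias.example.com.  /  93.184.216.34
ipv4_only() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Return 0 when the expected name appears among the PTR names read from stdin.
# dig prints PTR targets with a trailing dot, and DNS names compare
# case-insensitively, so both are normalised before comparing.
ptr_matches() {
    local expected p
    expected=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r p; do
        p=$(printf '%s' "${p%.}" | tr '[:upper:]' '[:lower:]')
        [ -n "$p" ] && [ "$p" = "$expected" ] && return 0
    done
    return 1
}

# Live check: every A record of $1 must have a PTR pointing back to $1.
# Prints one line per address; exit status 1 if any address mismatches.
check_forward_reverse() {
    local name="$1" ip ptrs rc=0
    for ip in $(dig +short "$name" A | ipv4_only); do
        ptrs=$(dig +short -x "$ip")
        if printf '%s\n' "$ptrs" | ptr_matches "$name"; then
            printf 'OK       %-16s %s\n' "$ip" "$name"
        else
            printf 'MISMATCH %-16s PTR: %s\n' "$ip" "${ptrs:-<none>}"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: check_forward_reverse example.com
```

A host with several PTR records passes as long as one of them is the forward name; tighten ptr_matches if your RADIUS or mail policy demands exactly one PTR.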

Tracing and Debugging

Full resolution trace — walk the entire delegation chain
dig example.com +trace

Shows the root → TLD → authoritative resolution path. Reveals where delegation breaks or which server returns the answer. dig talks to the root, TLD and authoritative servers directly, so this needs outbound port 53 to the internet; it fails on networks that only allow traffic to the local resolver.

Trace without DNSSEC noise — cleaner delegation view
dig example.com +trace +nodnssec

Suppresses RRSIG and DNSKEY records from trace output. Easier to read when you only care about delegation.

Non-recursive query — test authoritative knowledge only
dig example.com +norecurse @ns1.example.com

Asks the server what it knows directly without chasing referrals. A server that is authoritative for the name answers with the aa flag set in the header; one that is not returns a referral, an empty answer, or REFUSED, which is how you confirm that a claimed secondary is actually serving the zone.

DNSSEC Queries

DNSSEC validation — check for authenticated data
dig example.com +dnssec

Sets the DO bit so the response carries RRSIG records. The ad (authenticated data) flag in the header means the recursive resolver validated the chain; dig performs no validation itself, so the flag appears only when the resolver you query validates, and never for an unsigned zone.

DNSSEC checking disabled — force answer despite validation failure
dig example.com +dnssec +cd

+cd sets the CD (checking disabled) bit, so a validating resolver returns the data even if DNSSEC validation fails. Diagnostic use only: if the plain query returns SERVFAIL and the +cd query returns an answer, the cause is a DNSSEC validation failure (expired signatures, broken DS chain), not an unreachable zone.

Zone Transfer and Replication

Attempt zone transfer — security audit
dig -t AXFR example.com @ns1.example.com

Pulls the entire zone if the server allows it; a refusal prints "Transfer failed." A successful AXFR from an unauthorized client means allow-transfer is missing or too permissive, and hands an attacker a complete host inventory in one query.

Compare SOA serials across nameservers — detect replication lag
dig +nssearch example.com

Looks up the zone's NS records, queries each listed nameserver for the SOA, and prints the SOA fields together with the address of the server that answered. Serial number mismatches reveal replication delays or failed zone transfers; a server that does not answer is simply absent from the output, so also count the lines against the number of NS records.
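Reading serials off several +nssearch lines by eye is error-prone for zones with many secondaries. The script below (an added example, not part of the original page) parses the +nssearch output format, keeps the serial and responding server from each line, and lists every server behind the highest serial seen, exiting non-zero when any lags. The sample lines in the comment are constructed; the live wrapper assumes dig is on PATH.

```shell
#!/usr/bin/env bash
# Added example: find lagging nameservers from `dig +nssearch` output.
# soa_serials and lagging_servers are pure awk over stdin; check_zone_sync
# is the live wrapper and needs dig on PATH.

# Each +nssearch line looks like this (constructed sample, BIND 9 dig format):
#   SOA ns1.example.com. hostmaster.example.com. 2024031502 7200 3600 1209600 3600 from server 192.0.2.1 in 9 ms.
# Field 4 is the serial; the token after "server" is the responder's address.

# stdin: +nssearch output -> stdout: "<server> <serial>" per responding server
soa_serials() {
    awk '$1 == "SOA" {
        for (i = 1; i <= NF; i++) if ($i == "server") srv = $(i + 1)
        print srv, $4
    }'
}

# stdin: +nssearch output -> stdout: one line per server behind the highest serial.
# Exit status 1 if any server lags, 0 if all serials agree.
lagging_servers() {
    soa_serials | awk '
        { serial[$1] = $2 + 0; if ($2 + 0 > max) max = $2 + 0 }
        END {
            n = 0
            for (s in serial) if (serial[s] < max) { print s, serial[s], "behind", max; n++ }
            exit (n > 0)
        }'
}

# Live use: check_zone_sync example.com
check_zone_sync() {
    dig +nssearch "$1" | lagging_servers
}
```

Serials are compared as integers, which is what SOA serial arithmetic uses; date-based serials (YYYYMMDDnn) sort correctly under that rule. A secondary that never answers produces no line and is therefore not reported as lagging, so check for missing servers separately.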

TTL and Statistics

Show TTL values — watch cache countdown
dig example.com +noall +answer +ttlid

The TTL column shows the seconds the record has left in that resolver's cache. Query the same resolver repeatedly to watch it decrement; this only happens against a caching resolver, since an authoritative server always returns the configured TTL. Useful for confirming cache behaviour during migrations.

Query statistics — response time and server used
dig example.com +noall +stats

Order matters: +noall clears every display flag, so +stats must come after it to re-enable the statistics block (the reverse order prints nothing). Returns query time in milliseconds, responding server, and message size. Useful for latency benchmarking across resolvers.

Batch and Scripting Patterns

Batch query from file — one domain per line
dig +short -f domains.txt

Processes a file of queries; each line holds the arguments of one dig invocation (name, optionally type and class), so a line like example.com MX works. With +short the output is not labelled with the query it belongs to, so use +noall +answer instead when the mapping matters. Pipe to awk for formatting or aggregation.

Loop with formatted output — bulk reverse lookups
for ip in 10.50.1.{1..254}; do
    # short timeout and a single try: addresses without a reverse zone otherwise stall the loop
    result=$(dig -x "$ip" +short +time=1 +tries=1 2>/dev/null)
    [[ -n "$result" ]] && printf "%-16s %s\n" "$ip" "$result"
done

Scans a subnet for PTR records. printf aligns output for readability; +time and +tries keep unanswered lookups from taking the default several seconds each.

Email Security Lookups

DMARC policy lookup
dig +short txt _dmarc.example.com

Returns the DMARC record as a quoted string (v=DMARC1; p=reject; …). p=none means monitoring only, with no enforcement on receivers; the record must live exactly at _dmarc.<domain>, so an empty answer means the domain publishes no DMARC policy.

DKIM selector lookup — retrieve public signing key
dig +short txt default._domainkey.example.com

Retrieves the public key used to verify DKIM signatures. The selector (default here) is chosen by the sending system and appears in the s= tag of a message's DKIM-Signature header; keys longer than 255 octets are printed as several quoted chunks that must be joined before the p= value is usable.
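Both lookups above return tag=value records wrapped in quotes, and the DKIM one may arrive split into chunks. The script below (an added example, not part of the original page) turns the raw +short TXT output into something a script can act on: it joins the chunks, strips the quotes, pulls out a named tag, and decides whether a DMARC record actually enforces. The sample records are constructed; the live wrappers assume dig is on PATH.

```shell
#!/usr/bin/env bash
# Added example: parse TXT records returned by `dig +short`.
# txt_unquote, tag_value, dmarc_enforces and dkim_key work on stdin only;
# check_dmarc and get_dkim_key are the live wrappers and need dig on PATH.

# dig prints one TXT record per line as one or more quoted strings, e.g.
# (constructed sample):   "v=DKIM1; k=rsa; p=MIIBIjANBg" "kqhkiG9w0BAQ"
# Records longer than 255 octets are split into several <character-string>s.
# Join the chunks and strip the surrounding quotes; one unquoted record per line.
txt_unquote() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Print the value of tag $1 (p, sp, rua, k, ...) from tag=value;... records on stdin.
# Tags are matched at the start of a field, so "p=" does not match "sp=".
tag_value() {
    txt_unquote | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep "^$1=" | head -n 1 | cut -d= -f2- || true
}

# Exit 0 only if the DMARC record on stdin enforces (quarantine or reject).
# p=none, a missing p tag, or a non-DMARC record all count as not enforcing.
dmarc_enforces() {
    case "$(tag_value p)" in
        reject|quarantine) return 0 ;;
        *) return 1 ;;
    esac
}

# DKIM public key (base64) from a selector record on stdin; empty when the
# key is revoked (an empty p= is how a selector is retired).
dkim_key() {
    tag_value p
}

# Live wrappers:  check_dmarc example.com   /   get_dkim_key default example.com
check_dmarc() { dig +short TXT "_dmarc.$1" | dmarc_enforces; }
get_dkim_key() { dig +short TXT "$1._domainkey.$2" | dkim_key; }
```

tag_value scans every record on stdin and returns the first match, so it also works on the mixed bag that dig +short TXT example.com returns (SPF, verification tokens, and so on); pass the tag you care about, such as v for spf1.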

See Also

  • nslookup — legacy cross-platform alternative

  • Troubleshooting — systematic DNS debugging

  • DNSSEC — validation and trust chain inspection