DNS Client

DNS client tools — dig, nslookup, host, and resolution chain debugging.

A/AAAA Records

Basic A record query — returns full DNS response with question, answer, authority, additional sections
dig example.com
Short output — returns only the answer (IP address), ideal for scripting and pipelines
dig example.com +short
Query IPv6 address record — returns AAAA records only
dig example.com AAAA +short
CNAME lookup — check if a name is an alias and what it points to
dig example.com CNAME +short
Show TTL values — reveals caching duration, important for understanding propagation delay
dig example.com +noall +answer +ttlid

MX/TXT/NS/SOA

Mail exchanger lookup — returns preference value and mail server, lower preference value = preferred
dig example.com MX +short
TXT record query — reveals SPF, DKIM, DMARC, domain verification tokens
dig example.com TXT +short
Nameserver query — shows authoritative nameservers for the domain
dig example.com NS +short
Start of Authority — shows primary NS, admin email, serial, refresh/retry/expire/minimum TTL
dig example.com SOA +short
SRV record query — find Kerberos/LDAP/SIP service locations, critical for AD domain joins
dig _kerberos._tcp.inside.domusdigitalis.dev SRV +short
AD domain controller locator — DNS-based DC discovery, verifies AD DNS is functioning
dig _ldap._tcp.dc._msdcs.inside.domusdigitalis.dev SRV +short
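ANY query — asks for all record types; +noall +answer strips noise, shows only answer section. Many servers return only a minimal response to ANY (RFC 8482), so query specific types when completeness matters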
dig example.com ANY +noall +answer

Reverse Lookup

Reverse DNS lookup — resolve IP to PTR record (hostname), critical for RADIUS/ISE
dig -x 10.50.1.20 +short

Specific Server

Query specific DNS server — bypass local resolver, test against Google Public DNS
dig @8.8.8.8 example.com
Query internal AD DNS — verify records on domain controller directly
dig @10.50.1.50 inside.domusdigitalis.dev A +short
Non-recursive query — ask the server directly without allowing upstream queries (test authoritative)
dig +norecurse @ns1.example.com example.com
SOA from all nameservers — query every NS for SOA, reveals replication lag by comparing serials
dig example.com +nssearch

Debugging

Full delegation trace — walk from root servers through TLD to authoritative, show entire resolution chain
dig example.com +trace
DNSSEC validation — show RRSIG records, plus the AD (Authenticated Data) flag when the resolver has validated the response
dig example.com +dnssec
Zone transfer request — pull entire zone if allowed (test for misconfigured zone transfer ACLs)
dig -t AXFR example.com @ns1.example.com
Query statistics only — show query time, server used, response size for latency measurement
dig example.com +noall +stats
Quick lookup with host — simpler output than dig, good for quick checks
host -t A example.com
nslookup SRV query — legacy tool but still required for some troubleshooting workflows
nslookup -type=SRV _sip._tcp.example.com
systemd-resolved status — show current DNS servers, search domains, DNSSEC mode per interface
resolvectl status

Scripting Patterns

Forward then reverse — resolve domain to IPs, then verify each IP has matching PTR record
dig +short example.com | while read -r ip; do dig -x "$ip" +short; done
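
The forward-then-reverse pattern above, extended into a forward-confirmed reverse DNS check as an added example (not from the original page): each PTR name is resolved forward again and must return the original address. The `DIG` override and the function names are assumptions of this example; it goes beyond the one-liner by filtering CNAME targets, skipping PTR values that dig would parse as options, and reporting addresses with no PTR.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS) check.
# DIG (an assumption of this example) defaults to dig; point it at a stub to test offline.
DIG="${DIG:-dig}"

# Lowercase and drop the trailing root dot so names compare reliably.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Print the A/AAAA addresses of a name. "+short" also prints CNAME
# targets, so keep only lines that look like address literals.
addrs_of() {
    { "$DIG" +short "$1" A; "$DIG" +short "$1" AAAA; } |
        grep -E '^([0-9]+(\.[0-9]+){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)$'
}

# check_ip IP: print "OK|MISMATCH|NOPTR <ip> <ptr>"; return 0 only on OK.
check_ip() {
    ip=$1 status=NOPTR last=
    while IFS= read -r ptr; do
        # PTR data is untrusted: skip blanks and values starting with
        # -, + or @ (or ";;" error lines), which dig would not treat as names.
        case $ptr in ''|[!A-Za-z0-9_]*) continue ;; esac
        last=$(normalize "$ptr")
        status=MISMATCH
        # The PTR target must resolve forward to the same address.
        if addrs_of "$last" | grep -qxF "$ip"; then
            status=OK
            break
        fi
    done <<EOF
$("$DIG" -x "$ip" +short)
EOF
    printf '%s %s %s\n' "$status" "$ip" "${last:--}"
    [ "$status" = OK ]
}

# fcrdns NAME: check every address; return 1 if any fails, 2 if none found.
fcrdns() {
    rc=0 seen=0
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        seen=1; check_ip "$ip" || rc=1
    done <<EOF
$(addrs_of "$1")
EOF
    [ "$seen" = 1 ] || return 2
    return "$rc"
}
```

After sourcing the file, `fcrdns example.com` prints one status line per address and returns non-zero if any address fails to confirm.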

See Also

  • dig — detailed dig usage

  • DNS Server — BIND9 server-side configuration