Dig

Use Linux Dig Command to Query DNS

This quick tutorial will show you how to use the dig (domain information groper) tool to get DNS-related information.

By Fahad Usman

dig (domain information groper) is a command-line tool for querying Domain Name System (DNS) name servers.

dig is useful for network troubleshooting and for educational purposes. dig can operate in interactive command line mode or in batch mode by reading requests from an operating system file.

When a specific name server is not specified in the command invocation, dig uses the operating system’s default resolver, usually configured via the resolv.conf file. This means that dig will cycle through the nameservers listed in /etc/resolv.conf unless a nameserver is specified.

If no arguments are provided, it queries the DNS root zone.

dig is part of the BIND domain name server software suite.

“dig was initially planned to supersede older tools such as nslookup and the host program; however, it has instead become a complementary tool”

You can start using dig straight away in the macOS Terminal or on Kali Linux.

Let’s start off with a simple dig command looking up my website:

dig fahadusman.com

Here is the response. Let’s dissect it, starting with the header section:

The first part of the response shows the DiG version used and the global option in effect, +cmd, which is what prints this comment line.

opcode: QUERY means this message is a standard query.

status: NOERROR means the query completed without errors.

Other possible status values (response codes) are:

  • 0 = NOERROR, no error
  • 1 = FORMERR, format error (the server could not understand the query)
  • 2 = SERVFAIL, the name server had a problem answering
  • 3 = NXDOMAIN, the domain name does not exist
  • 4 = NOTIMPL, the requested kind of query is not implemented
  • 5 = REFUSED, the server refused to answer (e.g. refused zone transfer requests)

Now notice "flags: qr rd ra" on the second line.

These flags indicate:

  • QR: Query Response: specifies whether this message is a query (0) or a response (1).
  • RD: Recursion Desired: asks the server to find the answer from other servers if it does not already know it. dig sets this bit unless you pass the +norecurse command-line flag.

    +norecurse means: tell me where fahadusman.com is if you already know, but don’t ask anyone else if you don’t.

    With this flag the server may return no ANSWER if it doesn’t know where fahadusman.com is. If you run the same query without +norecurse, it will return the ANSWER, because the server will ask other servers on your behalf. Once the server has that answer, a retry with +norecurse will succeed too, because the record is now in its cache. If you keep re-running dig +norecurse @109.69.8.51 fahadusman.com you can watch the TTL count down until the cached record on 109.69.8.51 expires.

  • RA: Recursion Available: set by the server to indicate that it supports recursive queries.
  • AA: Authoritative Answer: if this flag is set, the answer came from an authoritative server, one that holds the records for the queried domain. The absence of the “aa” flag indicates that this is not an authoritative response.
  • AD: Authenticated Data (DNSSEC only): indicates that the data was validated by the resolver.

Finding an authoritative server for a domain: query the SOA record type.

The SOA (Start of Authority) record names the primary DNS server that holds the zone’s records; everyone else, such as Google’s resolvers, keeps a copy of what that server publishes.

You can see the authoritative nameservers for fahadusman.com, which are buck.ns.cloudflare.com and dns.cloudflare.com.

If you query one of these nameservers directly, you will get an authoritative answer, i.e. the flags: line will show “aa”, as shown below:
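As an added example (not part of the original post), here is a small POSIX shell helper that reads a saved dig response and reports the status code, the flag list, and whether the “aa” flag is set; the three header transcripts it parses are constructed samples, not real captures.

```shell
#!/bin/sh
# Constructed sample dig headers (not real captures): a recursive resolver's
# answer, an answer from an authoritative server, and a non-existent name.
SAMPLE_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTHORITATIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# dig_status: print the status (response code name) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_flags: print the flag list from the ";; flags:" line, e.g. "qr rd ra".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# dig_has_flag FLAG: exit 0 if FLAG (qr, aa, rd, ra, ad, ...) is set.
dig_has_flag() {
    flags=$(dig_flags)
    case " $flags " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# classify_response: one-line verdict combining the status with the aa bit,
# e.g. "NOERROR authoritative" or "NXDOMAIN non-authoritative".
classify_response() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    if printf '%s\n' "$out" | dig_has_flag aa; then
        echo "$status authoritative"
    else
        echo "$status non-authoritative"
    fi
}

# Stand-alone use against a live query (needs network), e.g.
#   dig @buck.ns.cloudflare.com fahadusman.com | classify_response
```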

QUESTION SECTION:

This section shows what information was requested. In the picture above, you can see three columns:

  1. The domain name (fahadusman.com) you want information about
  2. "IN", indicating that these are Internet-class records. DNS can carry other classes of data, but they are almost never used.
  3. "A", indicating that IPv4 address records were requested for the looked-up domain.

ANSWER SECTION:

This section shows the records you asked for. Each line repeats the name, class and type from the question and adds the TTL (how many seconds the record may be cached) and the record data, here the IPv4 address.

The TTL value above should be a large number.

If you are using VMware, you might see a lot of “5” values. That is a VMware defect.

THE FINAL SECTION:

NOTE: My DNS response came from 192.168.1.254 on port 53. This is my router’s gateway address; I am using my ISP’s DNS servers for resolution.

You could change it to use other providers, such as Cloudflare’s 1.1.1.1 or Google DNS at 8.8.8.8.

Dig using a specific DNS resolver:

dig @8.8.8.8 fahadusman.com

Now if I run dig @8.8.8.8 fahadusman.com again and again, you will see different TTLs such as 300, 299, 295 and then 300 again. This means that the Google DNS server is actually a cluster of DNS servers, each with its own cache.

OTHER TYPES OF DNS LOOKUPS:

You can use other DNS lookup types, such as MX for mail exchange records or NS for name servers.

TXT Record:

TXT record: you can put any text you want in it. Some specialised software requires you to put something specific in a TXT record; the most common case is SPF, which is used to block spam. If you send someone an email and don’t have an SPF record set, your email can be classed as spam and the recipient will throw it away.

Zone Transfers

As mentioned above, you have the SOA, which identifies the main record holder, and all the other servers make a copy of the SOA server’s zone. The way they do it is called a zone transfer. You can set up a DNS server and connect it as a slave to the master DNS server; the master then sends all the records over TCP, and that is what a zone transfer is.

You can request a zone transfer from the master DNS server using dig:

dig zonetransfer.me soa
dig axfr zonetransfer.me @nsztm1.digi.ninja

You can do this with the host command as well:

host -l zonetransfer.me nsztm1.digi.ninja

You can also use Fierce:

fierce -dns zonetransfer.me

This is a security risk, as a lot of people have hidden servers and an open zone transfer hands out the addresses of all of them. In a Windows domain, it lets an outsider find every machine in your domain.
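As an added example, not from the original post, here is a shell helper a zone owner can use to verify that their own authoritative servers refuse transfers to arbitrary clients. The two dig axfr transcripts it parses are constructed samples (example.com, documentation addresses), and check_zone is the only function that actually queries a server.

```shell
#!/bin/sh
# Constructed samples of 'dig axfr' output (not real captures). A refused
# transfer ends with "; Transfer failed."; a completed one lists the zone's
# records, SOA first and last, followed by an ";; XFR size:" summary line.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.'
SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.          3600  IN  NS   ns1.example.com.
www.example.com.      300   IN  A    192.0.2.10
intranet.example.com. 300   IN  A    192.0.2.20
example.com.          3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 5 records (messages 1, bytes 210)'

# axfr_allowed: exit 0 if the dig axfr output on stdin is a completed transfer.
axfr_allowed() {
    grep -q '^;; XFR size:'
}

# axfr_record_count: number of resource records the server handed over.
axfr_record_count() {
    awk '$0 !~ /^;/ && $3 == "IN" { n++ } END { print n + 0 }'
}

# axfr_hostnames: the owner names exposed by an open transfer, sorted, one per line.
axfr_hostnames() {
    awk '$0 !~ /^;/ && $3 == "IN" { print $1 }' | sort -u
}

# check_zone ZONE NS: run the transfer against one of your own name servers
# and report the result; this is the only function that touches the network.
check_zone() {
    out=$(dig axfr "$1" "@$2" 2>&1)
    if printf '%s\n' "$out" | axfr_allowed; then
        echo "OPEN: $2 handed over $(printf '%s\n' "$out" | axfr_record_count) records for $1"
        return 1
    fi
    echo "refused: $2 does not allow transfer of $1"
}
```

In BIND the fix is the allow-transfer option in named.conf, restricted to the secondaries’ addresses or to a TSIG key, so that only your own secondaries get the zone.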

Reducing the DiG Output:

dig +nocmd +noall +answer example.com

This will produce:

example.com.        5    IN    A    93.184.216.34

This makes it easy to pipe the output to tools such as awk and grep to further manipulate your results.
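As an added example, not from the original post, here are a few awk filters over constructed +noall +answer output (documentation addresses, not a real capture) that pull out only the IPv4 addresses, find the smallest TTL in a CNAME chain, and flag records whose TTL is below a threshold.

```shell
#!/bin/sh
# Constructed sample of 'dig +noall +answer' output (documentation addresses,
# not a real capture): a CNAME chain ending in two A records plus an AAAA.
SAMPLE_ANSWER='www.example.com.    300    IN    CNAME    example.com.
example.com.        5      IN    A        192.0.2.10
example.com.        5      IN    A        192.0.2.11
example.com.        86400  IN    AAAA     2001:db8::1'

# Each answer line has five fields: owner name, TTL, class, type, record data.

# a_records: print only the IPv4 addresses from the answer lines on stdin.
a_records() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# min_ttl: the smallest TTL in the answer; the whole chain must be re-resolved
# once this many seconds have passed.
min_ttl() {
    awk '$3 == "IN" { if (min == "" || $2 + 0 < min + 0) min = $2 }
         END { print min }'
}

# low_ttl_names LIMIT: owner names with a TTL below LIMIT seconds, one per line,
# e.g. to spot the odd "5" values mentioned above or deliberately short TTLs.
low_ttl_names() {
    awk -v limit="$1" '$3 == "IN" && $2 + 0 < limit + 0 { print $1 }' | sort -u
}

# Stand-alone use against a live query (needs network), e.g.
#   dig +nocmd +noall +answer example.com | a_records
```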

Which path did dig take to resolve the query?

dig +trace example.com

Reverse DNS Queries

To perform reverse DNS queries, use the “-x” switch, as shown below:

dig @ns3.ccsf.edu -x 147.144.1.212

The “any” query asks for all record types the server holds for the name:

dig @8.8.8.8 ccsf.edu any

RRSIG Records:

The RRSIG record type returns DNSSEC signatures. For example, this query fetches the signatures for the .com top-level domain:

dig @8.8.8.8 com rrsig

Note: some networks block DNS over TCP. You may need to use this web-based dig tool:

http://networking.ringofsaturn.com/Tools/dig.php

Do bulk lookups using a text file:

Put the hostnames or domains into a text file, one per line, and then use the -f option to read the queries from that file:

dig -f hostnames.txt +noall +answer

If you want to find out more, type man dig or dig -h to explore the other command parameters.

How to install Dig on Windows?

  • dig is pre-installed on Linux and macOS.
  • You can use the web-based online dig tool linked above if your network limits DNS queries.
  • To install on Windows:
    1. Go to the bind9 site
    2. Scroll down to your region and select one of the FTP servers to download from
    3. Find the 9.9.6 folder and click it
    4. On the next page, find and click BIND9.9.6.x86.zip
    5. Extract BIND9.9.6.x86.zip
    6. In the “BIND9.9.6.x86” folder, find the vcredist_x86.exe file and double-click it
    7. If a User Account Control box pops up, approve the elevation to administrative privileges
    8. Next, in the “BIND9.9.6.x86” folder, highlight all the DLL files
    9. Right-click one of the highlighted files and click Copy
    10. Navigate to C:\Windows\System32\ and paste the files there (you may have to approve another elevation to administrator permissions)
    11. In the “BIND9.9.6.x86” folder, find the dig.exe file
    12. Right-click the dig.exe file and click Copy, then navigate to C:\Windows\System32\ and paste the file there (you may have to approve another elevation to administrator permissions)
    13. Open a Command Prompt and execute the dig command. It should run, showing the root servers

Now you will be able to use dig from your command prompt in Windows. It is faster and more sophisticated than nslookup.

Get the quick help options with “dig -h”.
