Use Linux Dig Command to Query DNS
This quick tutorial will show you how to use the dig (domain information groper) tool to get DNS-related information.
By Fahad Usman
dig is useful for network troubleshooting and for educational purposes. It can operate in interactive command-line mode or in batch mode, reading its requests from a file.
When a specific name server is not given in the command invocation, dig uses the operating system's default resolver, usually configured via the resolv.conf file. This means that dig will cycle through the nameservers listed in /etc/resolv.conf unless a nameserver is specified.
It queries the DNS root zone if no arguments are provided.
dig is part of the BIND domain name server software suite.
You can start using dig straight away in the Mac terminal or in Kali Linux.
Now let's start off with a simple dig command looking for my website's details:
and here is the response:
The Header section:
Let’s dissect the response:
The first part of the response shows the DiG version number used and the global option we used, +cmd.
opcode: QUERY means it is a query.
status: NOERROR means the query executed without errors.
Other possible status values (response codes) are:
- 0 = NOERROR, no error
- 1 = FORMERR, format error (the server was unable to understand the query)
- 2 = SERVFAIL, name server problem
- 3 = NXDOMAIN, domain name does not exist
- 4 = NOTIMPL, not implemented
- 5 = REFUSED (e.g., refused zone transfer requests)
Now notice the "flags: qr rd ra" on the second line.
These flags indicate:
- QR: Query/Response: specifies whether this message is a query (0) or a response (1)
- RD: Recursion Desired: if the queried server doesn't know the answer, it should go and find it from other servers, unless you set the +norecurse command-line flag. +norecurse means: tell me if you know where fahadusman.com is, but don't ask anyone else if you don't know where it is. With this flag the query might return no ANSWER if the server doesn't know where fahadusman.com is. However, if you run the same query without +norecurse it will return the ANSWER, because the server will ask others to tell it where fahadusman.com is. Once it has the answer, if you try again with +norecurse you will get the answer this time. Why? Because it is now a cached answer. And if you keep re-running the command dig +norecurse @18.104.22.168 fahadusman.com you can watch the TTL go down before the cached record in
- RA: Recursion Available: this bit tells you whether the queried server supports recursive queries
- AA: Authoritative Answer: if this flag is set, the answer came from the authoritative server, which holds the records for the queried domain. The absence of the "aa" flag indicates that this is not an authoritative response
- AD: Authenticated Data (DNSSEC only; indicates that the data was authenticated)
Finding an "Authoritative" Server for a domain: use the "soa" query type.
The SOA record points to the primary DNS server holding the zone's information; everyone else, like Google etc., keeps a copy taken from this server.
You can see the authoritative nameservers for fahadusman.com, which are buck.ns.cloudflare.com and dns.cloudflare.com.
If you query using these nameservers, you will get an authoritative answer, i.e. the flags: line will show "aa", as shown below:
This section shows what "information" was requested. In the above picture, you can see three columns with information:
- The domain name (fahadusman.com) you need info for
- "IN", indicating that these are Internet-class records. DNS has the capacity to carry other classes of data, but they are almost never used.
- "A", indicating that these are IPv4 address records for the looked-up domain.
This section shows the information you asked for. Here is what each field means:
The TTL value above should be a large number.
If you are using VMware, you might see a lot of "5" values. That is a defect of
THE FINAL SECTION:
NOTE: My DNS response came from 192.168.1.254 on port 53. This is my router gateway address. I am using my ISP’s DNS servers for DNS resolutions.
You could change it to use other service providers, such as Cloudflare's 22.214.171.124 or Google DNS 126.96.36.199.
Dig using a specific DNS resolver:
dig @188.8.131.52 fahadusman.com
Now if I run dig @184.108.40.206 fahadusman.com again and again, you will see different TTLs, like 300, 299, 295, then 300 again, etc. This means that the Google DNS server is actually a cluster of DNS servers.
OTHER TYPES OF DNS LOOKUPS:
You can use other lookup types, such as MX for mail exchange records, NS for name servers, etc.
TXT record: you can put anything you want in it. Some specialised software requires you to put something in a TXT record. The most common use is SPF, which is used to block spam: when you send someone an email and don't have an SPF record set, your email can be treated as spam and the recipient may throw it away.
As mentioned above, you have the SOA, which is the main record holder, and all the other servers make a copy of the SOA server. The way they do it is called a zone transfer. You can put up a DNS server and connect it as a slave to the master DNS server, and the master sends all the records over TCP, and this is called the
You can do zone transfers by connecting to the master DNS server using dig:
dig zonetransfer.me soa
dig axfr zonetransfer.me @nsztm1.digi.ninja
You can do this with the host command as well:
host -l zonetransfer.me nsztm1.digi.ninja
You can also use fierce:
fierce -dns zonetransfer.me
This is a security risk, as a lot of people have hidden servers and this way you can get all of their addresses. In a Windows domain system, they can find every machine in your domain.
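The check a zone owner wants after reading the above is whether their own nameservers still hand out the zone. This is an added example, not part of the original post: axfr_result classifies one dig axfr output, and axfr_audit runs it against every NS of a zone you administer (the loop needs dig and network access; the sample outputs are constructed, and example.com / ns1.example.net are placeholder names).

```shell
# Added example (not from the original post): audit whether the authoritative
# nameservers of a zone you administer allow AXFR. axfr_result only parses dig
# output, so it runs offline on the constructed samples below.

# Classify one "dig axfr" output read from stdin: prints "<ns> refused" when dig
# reports "; Transfer failed." or hands out nothing, otherwise "<ns> ALLOWED <n>
# records", where n counts the non-comment, non-blank lines (the resource records).
axfr_result() {
    ns="$1"
    awk -v ns="$ns" '
        /^; Transfer failed\./ { failed = 1 }
        !/^;/ && !/^$/         { n++ }
        END {
            if (failed || n == 0) print ns " refused"
            else                  print ns " ALLOWED " n " records"
        }'
}

# Query every NS of the zone (needs dig + network); any ALLOWED line needs fixing
axfr_audit() {
    zone="$1"
    dig +short NS "$zone" | while read -r ns; do
        dig axfr "$zone" "@$ns" | axfr_result "$ns"
    done
}

# Constructed samples (not real captures) of the two outcomes
REFUSED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.net
;; global options: +cmd
; Transfer failed.'
ALLOWED='; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.net
;; global options: +cmd
example.com.    3600 IN SOA ns2.example.net. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.    3600 IN NS  ns2.example.net.
internal-db.example.com. 3600 IN A 192.0.2.20
example.com.    3600 IN SOA ns2.example.net. hostmaster.example.com. 1 7200 900 1209600 3600
;; Query time: 20 msec'

printf '%s\n' "$REFUSED" | axfr_result ns1.example.net
printf '%s\n' "$ALLOWED" | axfr_result ns2.example.net
```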
Reducing the DiG Output:
dig +nocmd +noall +answer example.com
This will produce:
example.com. 5 IN A 220.127.116.11
This makes it easy to pipe the output to tools such as awk and grep for further processing.
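Putting the header section explained earlier and this piping idea together, here is an added example (not code from the original post) of POSIX shell helpers that pull the status, the flags and the answer records out of full dig output, so a script can check "NOERROR? authoritative?" rather than a person reading the header. The sample output is constructed, and ns.example.net is a placeholder nameserver.

```shell
# Added example (not from the original post): parse full dig output on stdin.
# With real dig (needs network):  dig @ns.example.net fahadusman.com | dig_flags
# ns.example.net is a placeholder; 192.0.2.0/24 is documentation address space.

# Response code from the ";; ->>HEADER<<-" line (NOERROR, NXDOMAIN, SERVFAIL, ...)
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Flag list from the ";; flags:" line, e.g. "qr aa rd"
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Succeeds only when the aa (Authoritative Answer) flag is present
dig_is_authoritative() {
    dig_flags | tr ' ' '\n' | grep -qx aa
}

# Answer records as "name ttl type rdata", one per line; other sections ignored
dig_answers() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && !/^;/ {
             out = $1 " " $2 " " $4
             for (i = 5; i <= NF; i++) out = out " " $i   # rdata may span fields (MX, TXT)
             print out
         }'
}

# Constructed sample output (not a real capture)
SAMPLE='; <<>> DiG 9.18.1 <<>> @ns.example.net fahadusman.com
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;fahadusman.com.                IN      A

;; ANSWER SECTION:
fahadusman.com.         300     IN      A       192.0.2.10
fahadusman.com.         300     IN      A       192.0.2.11'

# Demonstration on the sample: NOERROR, authoritative, two A records
printf '%s\n' "$SAMPLE" | dig_status
printf '%s\n' "$SAMPLE" | dig_is_authoritative && echo "authoritative answer"
printf '%s\n' "$SAMPLE" | dig_answers
```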
Which path did the dig take to resolve the query?
dig +trace example.com
Reverse DNS Queries
To perform reverse DNS queries, use the “-x” switch, as shown below:
dig @ns3.ccsf.edu -x 18.104.22.168
The “any” query finds all records on the server:
dig @22.214.171.124 ccsf.edu any
The RRSIG record finds DNSSEC signatures. For example, this query finds the signature of the .com top-level domain:
dig @126.96.36.199 com rrsig
Note: some networks block DNS over TCP. You may need to use this Web-based Dig tool:
Do bulk lookups using a text file:
Put the hostnames or domains into a text file, then use the -f option to read the queries from that file.
dig -f hostnames.txt +noall +answer
If you want to find out more, type man dig or dig -h to explore the other command parameters.
How to install Dig on Windows?
- Dig is pre-installed on Linux and Mac.
- You can use the Web-based online Dig tool below if your network limits DNS queries.
- To install on Windows:
- Go to the bind9 site
- Scroll down to your region and select one of the FTP servers to download from
- Find the 9.9.6 folder and click it
- On the next page, find and click BIND9.9.6.x86.zip
- Extract BIND9.9.6.x86.zip
- In the “BIND9.9.6.x86” folder, find the vcredist_x86.exe file, and double-click it
- If a User Account Control box pops up, approve the elevation to administrative privileges.
- Next, in the “BIND9.9.6.x86” folder, highlight all the DLL files
- Right-click one of the highlighted files and click Copy.
- Navigate to C:\Windows\System32\ and paste the files there. (You may have to approve another elevation to Administrator permissions.)
- In the “BIND9.9.6.x86” folder, find the dig.exe file
- Right-click the dig.exe file and click Copy. Navigate to C:\Windows\System32\ and paste the file there. (You may have to approve another elevation to Administrator permissions.)
- Open a Command Prompt and execute the dig command. It should run, showing the root servers
Now you will be able to use dig from your command prompt in Windows. It is faster and more sophisticated than nslookup.
Get the quick help options with “dig -h”.