DNS querying with dig

Vincent Danen explains how to get the information you need from a DNS query using the command-line tool dig.

For a system administrator, having ready access to all kinds of information for troubleshooting or configuration of computers and networks is important. When diagnosing connectivity issues, or setting up a new Web site or server, being able to accurately get information from DNS can be critical; DNS provides a lot of information that can really help in this regard.

On Linux, the best tool for this job is dig, part of the BIND collection of utilities. On Red Hat Enterprise Linux, CentOS, and Fedora, dig is part of the bind-utils package; you don't need to actually have the BIND DNS server installed to make use of the utilities.

The dig command-line tool is used to query DNS name servers for information. It can be the default DNS server as defined for your system, or it can be any other DNS server you specify, including the root name servers. A typical invocation of dig would be as follows:

$ dig google.com
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29558
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 2
;; QUESTION SECTION:
;google.com.                    IN      A
;; ANSWER SECTION:
google.com.             226     IN      A       74.125.19.99
google.com.             226     IN      A       74.125.19.103
google.com.             226     IN      A       74.125.19.104
google.com.             226     IN      A       74.125.19.147
;; AUTHORITY SECTION:
.                       55953   IN      NS      c.root-servers.net.
.                       55953   IN      NS      d.root-servers.net.
.                       55953   IN      NS      e.root-servers.net.
.                       55953   IN      NS      f.root-servers.net.
.                       55953   IN      NS      g.root-servers.net.
.                       55953   IN      NS      h.root-servers.net.
.                       55953   IN      NS      i.root-servers.net.
.                       55953   IN      NS      j.root-servers.net.
.                       55953   IN      NS      k.root-servers.net.
.                       55953   IN      NS      l.root-servers.net.
.                       55953   IN      NS      m.root-servers.net.
.                       55953   IN      NS      a.root-servers.net.
.                       55953   IN      NS      b.root-servers.net.
;; ADDITIONAL SECTION:
i.root-servers.net.     604759  IN      A       192.36.148.17
l.root-servers.net.     208308  IN      AAAA    2001:500:3::42
;; Query time: 58 msec
;; SERVER: 192.168.250.12#53(192.168.250.12)
;; WHEN: Wed May 12 18:06:50 2010
;; MSG SIZE  rcvd: 347

Dig is quite verbose, so there is a lot of information here, and not all of it is useful. The important bits are the A records pointing to google.com, and the server that was queried (in this case 192.168.250.12). The information can be trimmed by specifying certain flags:

$ dig google.com +noauthority +noadditional
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> google.com +noauthority +noadditional
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55797
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 2
;; QUESTION SECTION:
;google.com.                    IN      A
;; ANSWER SECTION:
google.com.             42      IN      A       74.125.19.104
google.com.             42      IN      A       74.125.19.147
google.com.             42      IN      A       74.125.19.99
google.com.             42      IN      A       74.125.19.103
;; Query time: 0 msec
;; SERVER: 192.168.250.12#53(192.168.250.12)
;; WHEN: Wed May 12 18:09:54 2010
;; MSG SIZE  rcvd: 347
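The verbose output above has a fixed shape: a header line with the status, named sections, one resource record per line, and a SERVER line naming the resolver that answered. As an added example that is not part of the original article, here is a small Python parser for that format, run over a constructed sample (the addresses are documentation ranges, not a real capture), so that a script can pull out just the answers and the server instead of reading them by eye.

```python
import re

# Constructed sample of dig's verbose output (documentation addresses only).
SAMPLE = """\
; <<>> DiG 9.3.6 <<>> example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29558
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com.                   IN      A
;; ANSWER SECTION:
example.com.            226     IN      A       192.0.2.10
example.com.            226     IN      A       192.0.2.11
;; AUTHORITY SECTION:
example.com.            3600    IN      NS      ns1.example.net.
;; ADDITIONAL SECTION:
ns1.example.net.        3600    IN      A       198.51.100.53
;; Query time: 58 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
"""

# One resource record line: name, TTL, class, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return {'status': ..., 'server': ..., 'sections': {name: [rr, ...]}}."""
    result = {"status": None, "server": None, "sections": {}}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; SERVER:"):
            # ";; SERVER: 192.0.2.1#53(192.0.2.1)" -> "192.0.2.1"
            result["server"] = line.split()[2].split("#")[0]
        elif line.startswith(";;") and line.endswith("SECTION:"):
            current = line[3:].split()[0]          # e.g. "ANSWER"
            result["sections"].setdefault(current, [])
        elif current and line and not line.startswith(";"):
            m = RR.match(line)                      # comment lines are skipped
            if m:
                name, ttl, _cls, rtype, rdata = m.groups()
                result["sections"][current].append(
                    {"name": name, "ttl": int(ttl), "type": rtype,
                     "rdata": rdata.strip()})
    return result

def records(parsed, section="ANSWER", rtype=None):
    """Return the rdata values of one section, optionally filtered by type."""
    return [r["rdata"] for r in parsed["sections"].get(section, [])
            if rtype is None or r["type"] == rtype]
```

The same parser accepts output trimmed with +noauthority +noadditional, since it only creates sections it actually sees.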

Knowing the A record, the IP address the name resolves to, is very useful information. But so is knowing which DNS server is authoritative for that domain name, or which mail servers accept mail for that domain. This can be done by telling dig to get the NS or MX records; if you want all of them, use the ANY option:

$ dig MX google.com +short
200 google.com.s9a2.psmtp.com.
300 google.com.s9b1.psmtp.com.
400 google.com.s9b2.psmtp.com.
100 google.com.s9a1.psmtp.com.

The +short option is very useful to just provide the answers; in this case, we have the names of the MX records with their priority.

Want to do a reverse lookup? This can be done with the -x option and specifying an IP address instead of a domain name:

$ dig -x 74.125.148.13 +short
s9b1.psmtp.com.

And if you want to see the results from a different DNS server, use the @ prefix with the DNS server to use:

$ dig @ns.isp.com google.com

There is also the TXT record for domains that can be useful, especially if you want to look up SPF (Sender Policy Framework, an email validation system) information. For instance:

$ dig TXT google.com +short
"v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
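A TXT record holding SPF is just a string of qualified mechanisms, so once you have it from dig +short you can check it programmatically. As an added example (not from the original article), this Python code splits an SPF record into terms and reports the things an administrator looks for in their own domain's record: a missing or permissive "all", and more DNS-lookup terms than the ten SPF allows. The two records are constructed samples using documentation addresses.

```python
import re

# Constructed SPF records for the demonstration, not any real domain's.
GOOD_SPF = "v=spf1 include:_netblocks.example.net ip4:192.0.2.0/24 mx -all"
WEAK_SPF = "v=spf1 ip4:198.51.100.0/24 +all"

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Returns None if the record is not an SPF version 1 record. Modifiers
    such as redirect=... are returned with qualifier '='.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:                    # modifier, e.g. redirect=_spf.example.net
            name, _, value = term.partition("=")
            parsed.append(("=", name.lower(), value))
            continue
        qualifier = "+"                    # default qualifier when none is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.match(r"[a-z0-9]+", term, re.I)
        if not m or m.group(0).lower() not in MECHANISMS:
            raise ValueError(f"unknown SPF mechanism: {term!r}")
        name = m.group(0).lower()
        arg = term[len(name):].lstrip(":")  # keeps "192.0.2.0/24" or "/24"
        parsed.append((qualifier, name, arg))
    return parsed

def spf_findings(record):
    """Return a list of plain-text findings for an SPF record (empty if fine)."""
    terms = parse_spf(record)
    if terms is None:
        return ["not an SPF record"]
    findings = []
    alls = [q for q, m, _ in terms if m == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif alls[-1] in "+?":
        findings.append(f"'{alls[-1]}all' lets any host send as this domain")
    lookups = sum(1 for _, m, _ in terms if m in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings
```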

The dig utility is very handy, especially for troubleshooting. It has a lot of options and can do many different things; take a look at the output of dig -h for an idea of the many options available.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.