
Using DIG to check DNS


About DIG

DIG is a command-line utility used for making DNS queries and displaying their results. It is a much better tool than nslookup. DIG runs on Linux and Windows equally well, and is probably available for most other operating systems too. If you have Linux, DIG is probably already there.

Installation of DIG on Windows is simple. I recommend putting all of the files in c:\dig and putting that directory on your PATH. There is a resolv.conf file in the dig directory; you can add a nameserver directive to specify a default nameserver so you don't have to type the nameserver in every DIG command. You can also specify a search directive; it is only used if you add +search to your DIG command.

DIG usage

Here are some common usage scenarios for DIG. In these examples, 1.1.1.1 will be the nameserver we are querying.

Looking up an A RR

Success

dig @1.1.1.1 www.amazon.com

; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.amazon.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1605 <-- look here for status
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.amazon.com. IN A

;; ANSWER SECTION:
www.amazon.com. 54 IN A 72.21.210.11 <-- the answer

;; AUTHORITY SECTION:
www.amazon.com. 317 IN NS ns-911.amazon.com.
www.amazon.com. 317 IN NS ns-912.amazon.com.
www.amazon.com. 317 IN NS ns-921.amazon.com.
www.amazon.com. 317 IN NS ns-923.amazon.com.

;; ADDITIONAL SECTION:
ns-923.amazon.com. 420 IN A 72.21.204.208
ns-921.amazon.com. 420 IN A 72.21.192.209
ns-912.amazon.com. 52 IN A 207.171.191.123
ns-911.amazon.com. 420 IN A 207.171.178.13

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 01 07:52:15 2008
;; MSG SIZE rcvd: 196

In the answer for www.amazon.com above, note that the remaining TTL is 54 seconds. If you repeat this query over and over, this number will count down. It looks like it starts at 60. Whenever you see a value like this that changes, it means that the DNS server answering you has the RR in its cache. Once the TTL expires, the DNS server has to refresh the cache by doing another lookup, and the TTL jumps back up to the max.

Failure

dig @1.1.1.1 www.arthgen.com

; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.arthgen.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1996 <-- status is NXDOMAIN
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.arthgen.com. IN A
<-- no ANSWER SECTION
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1217591762 1800 900 604800 900

;; Query time: 90 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 01 07:56:14 2008
;; MSG SIZE rcvd: 106
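
To read the same fields from a script (status, header flags, ANSWER section), here is an added Python example, not part of the original article, that parses dig's default output. The outcome labels returned by classify() are this example's own names, and the two samples are trimmed copies of the outputs above.

```python
import re

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+), id: \d+")
COUNTS_RE = re.compile(r"flags: (?P<flags>[a-z ]*); QUERY: \d+, ANSWER: (?P<an>\d+)")

def parse_dig(text):
    """Extract status, header flags and ANSWER-section records from dig output."""
    result = {"status": None, "flags": [], "answer_count": 0, "answers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split(" <-- ")[0].strip()  # drop the page's "<--" annotations
        if m := HEADER_RE.search(line):
            result["status"] = m["status"]
        elif m := COUNTS_RE.search(line):
            result["flags"] = m["flags"].split()
            result["answer_count"] = int(m["an"])
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # "ANSWER", "AUTHORITY", ...
        elif section == "ANSWER" and line and not line.startswith(";"):
            fields = line.split(None, 4)
            if len(fields) == 5:  # name, TTL, class, type, rdata
                result["answers"].append((fields[0], int(fields[1]), fields[3], fields[4]))
    return result

def classify(result):
    """Map a parsed response onto the outcomes this page walks through."""
    if result["status"] == "NXDOMAIN":
        return "nxdomain"
    if result["status"] != "NOERROR":
        return "error"
    if result["answers"]:
        # No "aa" flag means the server answered from cache or by recursing.
        return "authoritative" if "aa" in result["flags"] else "from-cache-or-recursion"
    return "no-answer"

# Trimmed copies of the two outputs shown above.
SUCCESS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1605 <-- look here for status
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; ANSWER SECTION:
www.amazon.com. 54 IN A 72.21.210.11 <-- the answer
;; AUTHORITY SECTION:
www.amazon.com. 317 IN NS ns-911.amazon.com.
"""
FAILURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1996 <-- status is NXDOMAIN
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

if __name__ == "__main__":
    print([classify(parse_dig(s)) for s in (SUCCESS, FAILURE)])
```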

Looking up a host, getting only the IP back

Success

dig @1.1.1.1 www.amazon.com +short
72.21.210.11

Failure

dig @1.1.1.1 www.arthgen.com +short


Reverse lookup

dig @1.1.1.1 -x 12.127.16.68

; <<>> DiG 9.3.2 <<>> @1.1.1.1 -x 12.127.16.68
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;68.16.127.12.in-addr.arpa. IN PTR

;; ANSWER SECTION:
68.16.127.12.in-addr.arpa. 3600 IN PTR smtu.mt.rs.els-gms.att.net.

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 01 08:04:00 2008
;; MSG SIZE rcvd: 83

Looking up an MX RR

C:\Documents and Settings\runyons>dig @1.1.1.1 godaddy.com mx

; <<>> DiG 9.3.2 <<>> @1.1.1.1 godaddy.com mx
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1922
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;godaddy.com. IN MX

;; ANSWER SECTION:
godaddy.com. 313 IN MX 0 smtp.secureserver.net.
godaddy.com. 313 IN MX 10 mailstore1.secureserver.net.

;; AUTHORITY SECTION:
godaddy.com. 2619 IN NS cns3.secureserver.net.
godaddy.com. 2619 IN NS cns2.secureserver.net.
godaddy.com. 2619 IN NS cns1.secureserver.net.

;; ADDITIONAL SECTION:
mailstore1.secureserver.net. 2056 IN A 64.202.166.11
cns3.secureserver.net. 3133 IN A 216.69.160.22
cns1.secureserver.net. 20747 IN A 64.202.167.31
cns2.secureserver.net. 656 IN A 216.69.185.100

;; Query time: 30 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 01 08:10:04 2008
;; MSG SIZE rcvd: 214

Checking to see if a DNS server has a particular RR in its cache

If you want to infer whether anyone using a particular DNS server has visited a host recently, you can specify a "non-recursive" query. Most DNS servers will obey this request, although this is not required. For security reasons, a few of the better DNS servers can be configured to intentionally ignore requests not to recurse.

If you see an output like the one below, with no answer section and a list of root servers, you know that the RR you looked up is not in the cache.

C:\Documents and Settings\runyons>dig @1.1.1.1 www.competitor.com +norecurse

; <<>> DiG 9.3.2 <<>> @1.1.1.1 www.competitor.com +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 677
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;www.competitor.com. IN A

;; AUTHORITY SECTION:
com. 16002 IN NS a.gtld-servers.net.
com. 16002 IN NS k.gtld-servers.net.
com. 16002 IN NS e.gtld-servers.net.
com. 16002 IN NS l.gtld-servers.net.
com. 16002 IN NS c.gtld-servers.net.
com. 16002 IN NS i.gtld-servers.net.
com. 16002 IN NS d.gtld-servers.net.
com. 16002 IN NS m.gtld-servers.net.
com. 16002 IN NS h.gtld-servers.net.
com. 16002 IN NS f.gtld-servers.net.
com. 16002 IN NS b.gtld-servers.net.
com. 16002 IN NS g.gtld-servers.net.
com. 16002 IN NS j.gtld-servers.net.

;; ADDITIONAL SECTION:
f.gtld-servers.net. 103822 IN A 192.35.51.30
d.gtld-servers.net. 113177 IN A 192.31.80.30
j.gtld-servers.net. 16151 IN A 192.48.79.30
i.gtld-servers.net. 112995 IN A 192.43.172.30
l.gtld-servers.net. 103644 IN A 192.41.162.30
c.gtld-servers.net. 91839 IN A 192.26.92.30
g.gtld-servers.net. 91851 IN A 192.42.93.30
m.gtld-servers.net. 112995 IN A 192.55.83.30
k.gtld-servers.net. 91668 IN A 192.52.178.30
b.gtld-servers.net. 18001 IN A 192.33.14.30
b.gtld-servers.net. 21877 IN AAAA 2001:503:231d::2:30
e.gtld-servers.net. 103729 IN A 192.12.94.30
a.gtld-servers.net. 91759 IN A 192.5.6.30
a.gtld-servers.net. 92620 IN AAAA 2001:503:a83e::2:30

;; Query time: 30 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Aug 01 08:14:02 2008
;; MSG SIZE rcvd: 507
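
On the resolver operator's side, this check shows up in the query log as client queries with the recursion-desired (RD) bit cleared. The following added example, not from the original article, flags clients that send several such queries; it assumes BIND 9 query logging, where a "+" or "-" after the record type records whether RD was set, and the allow and threshold parameters and the sample log lines are constructed for illustration.

```python
import re

# Assumed BIND 9 query-log layout (check it against your server's version):
#   ... client [@0x...] IP#port [(name)]: query: NAME CLASS TYPE <flags> ...
# The first flag character is "+" when the client set RD and "-" when it did not.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: "
    r"query: (?P<name>\S+) \S+ (?P<type>\S+) (?P<rd>[+-])")

def norecurse_clients(log_lines, allow=frozenset(), threshold=3):
    """Return {client_ip: [queried names]} for clients with >= threshold RD=0 queries.

    allow holds addresses expected to send RD=0 queries (monitoring, peer servers).
    """
    seen = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None or m["rd"] == "+" or m["ip"] in allow:
            continue  # unparsable line, normal recursive query, or allowlisted source
        seen.setdefault(m["ip"], []).append(m["name"])
    return {ip: names for ip, names in seen.items() if len(names) >= threshold}

# Constructed sample log lines (documentation addresses and names, not real traffic).
SAMPLE_LOG = """\
17-Jan-2019 09:00:01.101 queries: info: client 192.0.2.10#51000 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.53)
17-Jan-2019 09:00:02.230 queries: info: client 192.0.2.77#40112 (www.example.com): query: www.example.com IN A - (192.0.2.53)
17-Jan-2019 09:00:02.610 queries: info: client 192.0.2.77#40113 (mail.example.net): query: mail.example.net IN A - (192.0.2.53)
17-Jan-2019 09:00:03.044 queries: info: client 192.0.2.77#40114 (vpn.example.org): query: vpn.example.org IN A - (192.0.2.53)
17-Jan-2019 09:00:04.500 queries: info: client 203.0.113.9#33010 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.53)
17-Jan-2019 09:00:05.002 queries: info: client 192.0.2.10#51001 (mail.example.net): query: mail.example.net IN MX +E(0) (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    for ip, names in norecurse_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} non-recursive queries: {', '.join(names)}")
```

On BIND, limiting allow-recursion and allow-query-cache to your own client networks is the server-side control for the same exposure.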

More options

There are so many options for DIG that some start with "-" and some start with "+". Use dig -h to see a list of them.

