dig
SYNOPSIS
dig [ @server ] [ -b address ] [ -c class ] [ -f file
name ] [ -k filename ] [ -p port# ] [ -t type ] [ -x
addr ] [ -y name:key ] [ name ] [ type ] [ class ] [
queryopt... ]
dig [ -h ]
dig [ global-queryopt... ] [ query... ]
DESCRIPTION
dig (domain information groper) is a flexible tool for
interrogating DNS name servers. It performs DNS lookups
and displays the answers that are returned from the name
server(s) that were queried. Most DNS administrators use
dig to troubleshoot DNS problems because of its flexibil
ity, ease of use and clarity of output. Other lookup tools
tend to have less functionality than dig.
Although dig is normally used with command-line arguments,
it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line
arguments and options is printed when the -h option is
given. Unlike earlier versions, the BIND9 implementation
of dig allows multiple lookups to be issued from the com
mand line.
Unless it is told to query a specific name server, dig
will try each of the servers listed in /etc/resolv.conf.
When no command line arguments or options are given, will
perform an NS query for "." (the root).
SIMPLE USAGE
A typical invocation of dig looks like:
dig @server name type
where:
server is the name or IP address of the name server to
query. This can be an IPv4 address in dotted-deci
mal notation or an IPv6 address in colon-delimited
notation. When the supplied server argument is a
hostname, dig resolves that name before querying
that name server. If no server argument is pro
vided, dig consults /etc/resolv.conf and queries
the name servers listed there. The reply from the
name server that responds is displayed.
name is the name of the resource record that is to be
looked up.
The -f option makes dig operate in batch mode by reading
a list of lookup requests to process from the file file
name. The file contains a number of queries, one per line.
Each entry in the file should be organised in the same way
they would be presented as queries to dig using the com
mand-line interface.
If a non-standard port number is to be queried, the -p
option is used. port# is the port number that dig will
send its queries instead of the standard DNS port number
53. This option would be used to test a name server that
has been configured to listen for queries on a non-stan
dard port number.
The -t option sets the query type to type. It can be any
valid query type which is supported in BIND9. The default
query type "A", unless the -x option is supplied to indi
cate a reverse lookup. A zone transfer can be requested
by specifying a type of AXFR. When an incremental zone
transfer (IXFR) is required, type is set to ixfr=N. The
incremental zone transfer will contain the changes made to
the zone since the serial number in the zone's SOA record
was N.
Reverse lookups - mapping addresses to names - are simpli
fied by the -x option. addr is an IPv4 address in dotted-
decimal notation, or a colon-delimited IPv6 address. When
this option is used, there is no need to provide the name,
class and type arguments. dig automatically performs a
lookup for a name like 11.12.13.10.in-addr.arpa and sets
the query type and class to PTR and IN respectively. By
default, IPv6 addresses are looked up using the IP6.ARPA
domain and binary labels as defined in RFC2874. To use the
older RFC1886 method using the IP6.INT domain and "nibble"
labels, specify the -n (nibble) option.
To sign the DNS queries sent by dig and their responses
using transaction signatures (TSIG), specify a TSIG key
file using the -k option. You can also specify the TSIG
key itself on the command line using the -y option; name
is the name of the TSIG key and key is the actual key. The
key is a base-64 encoded string, typically generated by
dnssec-keygen(8). Caution should be taken when using the
-y option on multi-user systems as the key can be visible
in the output from ps(1) or in the shell's history file.
When using TSIG authentication with dig, the name server
that is queried needs to know the key and algorithm that
is being used. In BIND, this is done by providing appro
priate key and server statements in named.conf.
QUERY OPTIONS
Use [do not use] TCP when querying name servers.
The default behaviour is to use UDP unless an AXFR
or IXFR query is requested, in which case a TCP
connection is used.
+[no]vc
Use [do not use] TCP when querying name servers.
This alternate syntax to +[no]tcp is provided for
backwards compatibility. The "vc" stands for "vir
tual circuit".
+[no]ignore
Ignore truncation in UDP responses instead of
retrying with TCP. By default, TCP retries are per
formed.
+domain=somename
Set the search list to contain the single domain
somename, as if specified in a domain directive in
/etc/resolv.conf, and enable search list processing
as if the +search option were given.
+[no]search
Use [do not use] the search list defined by the
searchlist or domain directive in resolv.conf (if
any). The search list is not used by default.
+[no]defname
Deprecated, treated as a synonym for +[no]search
+[no]aaonly
This option does nothing. It is provided for com
patibility with old versions of dig where it set an
unimplemented resolver flag.
+[no]adflag
Set [do not set] the AD (authentic data) bit in the
query. The AD bit currently has a standard meaning
only in responses, not in queries, but the ability
to set the bit in the query is provided for com
pleteness.
+[no]cdflag
Set [do not set] the CD (checking disabled) bit in
the query. This requests the server to not perform
DNSSEC validation of responses.
+[no]recursive
Toggle the setting of the RD (recursion desired)
bit in the query. This bit is set by default,
which means dig normally sends recursive queries.
Recursion is automatically disabled when the
root servers, showing the answer from each server
that was used to resolve the lookup.
+[no]cmd
toggles the printing of the initial comment in the
output identifying the version of dig and the query
options that have been applied. This comment is
printed by default.
+[no]short
Provide a terse answer. The default is to print the
answer in a verbose form.
+[no]identify
Show [or do not show] the IP address and port num
ber that supplied the answer when the +short option
is enabled. If short form answers are requested,
the default is not to show the source address and
port number of the server that provided the answer.
+[no]comments
Toggle the display of comment lines in the output.
The default is to print comments.
+[no]stats
This query option toggles the printing of statis
tics: when the query was made, the size of the
reply and so on. The default behaviour is to print
the query statistics.
+[no]qr
Print [do not print] the query as it is sent. By
default, the query is not printed.
+[no]question
Print [do not print] the question section of a
query when an answer is returned. The default is to
print the question section as a comment.
+[no]answer
Display [do not display] the answer section of a
reply. The default is to display it.
+[no]authority
Display [do not display] the authority section of a
reply. The default is to display it.
+[no]additional
Display [do not display] the additional section of
a reply. The default is to display it.
+[no]all
+ndots=D
Set the number of dots that have to appear in name
to D for it to be considered absolute. The default
value is that defined using the ndots statement in
/etc/resolv.conf, or 1 if no ndots statement is
present. Names with fewer dots are interpreted as
relative names and will be searched for in the
domains listed in the search or domain directive in
/etc/resolv.conf.
+bufsize=B
Set the UDP message buffer size advertised using
EDNS0 to B bytes. The maximum and minimum sizes of
this buffer are 65535 and 0 respectively. Values
outside this range are rounded up or down appropri
ately.
+[no]multiline
Print records like the SOA records in a verbose
multi-line format with human-readable comments. The
default is to print each record on a single line,
to facilitate machine parsing of the dig output.
+[no]fail
Do not try the next server if you receive a SERV
FAIL. The default is to not try the next server
which is the reverse of normal stub resolver
behaviour.
+[no]besteffort
Attempt to display the contents of messages which
are malformed. The default is to not display mal
formed answers.
+[no]dnssec
Requests DNSSEC records be sent by setting the
DNSSEC OK bit (DO) in the the OPT record in the
additional section of the query.
MULTIPLE QUERIES
The BIND 9 implementation of dig supports specifying mul
tiple queries on the command line (in addition to support
ing the -f batch file option). Each of those queries can
be supplied with its own set of flags, options and query
options.
In this case, each query argument represent an individual
query in the command-line syntax described above. Each
consists of any of the standard options and flags, the
name to be looked up, an optional query type and class and
any query options that should be applied to that query.
dig shows the initial query it made for each lookup. The
final query has a local query option of +noqr which means
that dig will not print the initial query when it looks up
the NS records for isc.org.
FILES
/etc/resolv.conf
SEE ALSO
host(1), named(8), dnssec-keygen(8), RFC1035.
BUGS
There are probably too many query options.
BIND9 Jun 30, 2000 DIG(1)
|
