# dig — Query DNS Records from the Command Line

> Practical guide to dig — DNS lookups, record types, reverse lookup, DNSSEC and tracing on the command line, with examples for the most common diagnostic scenarios.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/dig/

`dig` is the go-to tool for DNS diagnostics on the command line: a single command lets you look up individual records, verify mail server configuration, trace the full delegation chain to the authoritative nameserver, or validate DNSSEC signatures. It ships as part of the BIND package and is pre-installed on virtually every Unix system. This guide covers the options you reach for most – from a quick A-record lookup to a full zone transfer.

## Basic Queries

`dig DOMAIN` — Query the A record (IPv4 address) of a domain using the default DNS server.

```bash
dig example.com
```

`dig DOMAIN TYPE` — Query a specific record type (A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR, etc.).

```bash
dig example.com MX
```

`dig @SERVER DOMAIN` — Query a specific DNS server.

```bash
dig @8.8.8.8 example.com
```

`dig @SERVER DOMAIN TYPE` — Query a specific record type from a specific server.

```bash
dig @1.1.1.1 example.com AAAA
```

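`dig DOMAIN ANY` — Query all available record types. Note: many servers restrict ANY queries and return only a minimal answer (RFC 8482), so an ANY response is not a complete list of a domain's records.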

```bash
dig example.com ANY
```

## Common Record Types

`dig DOMAIN A` — IPv4 address record.

```bash
dig example.com A
```

`dig DOMAIN AAAA` — IPv6 address record.

```bash
dig example.com AAAA
```

`dig DOMAIN MX` — Mail exchange records. Shows mail servers and priorities.

```bash
dig example.com MX
```

`dig DOMAIN NS` — Nameserver records. Shows authoritative DNS servers.

```bash
dig example.com NS
```

`dig DOMAIN TXT` — Text records. Often contain SPF, DKIM, DMARC, and verification records.

```bash
dig example.com TXT
```

`dig DOMAIN SOA` — Start of Authority. Shows primary nameserver, admin email, serial, and timers.

```bash
dig example.com SOA
```

`dig DOMAIN CNAME` — Canonical name (alias) record.

```bash
dig www.example.com CNAME
```

`dig DOMAIN SRV` — Service record. Used for service discovery (e.g., SIP, XMPP, LDAP).

```bash
dig _sip._tcp.example.com SRV
```

`dig DOMAIN CAA` — Certificate Authority Authorization. Shows which CAs can issue certificates.

```bash
dig example.com CAA
```

## Output Control

`dig +short DOMAIN` — Short output — only the answer, no headers or metadata.

```bash
dig +short example.com
```

`dig +short DOMAIN TYPE` — Short output for a specific record type.

```bash
dig +short example.com MX
```

`dig +noall +answer DOMAIN` — Show only the answer section. Clean but with field details.

```bash
dig +noall +answer example.com
```

`dig +noall +answer +authority DOMAIN` — Show answer and authority sections.

```bash
dig +noall +answer +authority example.com NS
```

`dig +nocomments +noquestion +noauthority +noadditional +nostats DOMAIN` — Suppress all sections except the answer.

```bash
dig +nocomments +noquestion +noauthority +noadditional +nostats example.com
```

`dig +multiline DOMAIN SOA` — Multi-line output with comments. Useful for SOA and DNSSEC records.

```bash
dig +multiline example.com SOA
```

`dig +yaml DOMAIN` — Output in YAML format (dig 9.18+).

```bash
dig +yaml example.com
```

`dig +json DOMAIN` — Output in JSON format (dig 9.18+).

```bash
dig +json example.com
```

## Reverse DNS Lookup

`dig -x IP` — Reverse DNS lookup — find the hostname for an IP address.

```bash
dig -x 8.8.8.8
```

`dig -x IP +short` — Short reverse lookup — hostname only.

```bash
dig -x 8.8.8.8 +short
```

`dig -x IPV6` — Reverse lookup for an IPv6 address.

```bash
dig -x 2001:4860:4860::8888
```

## Tracing & Debugging

`dig +trace DOMAIN` — Trace the full delegation path from root servers to the authoritative server.

```bash
dig +trace example.com
```

`dig +trace +nodnssec DOMAIN` — Trace without DNSSEC records for cleaner output.

```bash
dig +trace +nodnssec example.com
```

`dig +stats DOMAIN` — Show query statistics (time, server, message size).

```bash
dig +stats example.com
```

`dig +qr DOMAIN` — Show the outgoing query alongside the response.

```bash
dig +qr example.com
```

`dig +identify DOMAIN` — Show the responding server for +short queries.

```bash
dig +short +identify example.com
```

## DNSSEC

`dig +dnssec DOMAIN` — Request DNSSEC records (RRSIG, DNSKEY, DS, NSEC).

```bash
dig +dnssec example.com
```

`dig DOMAIN DNSKEY` — Query DNSSEC public keys for a domain.

```bash
dig example.com DNSKEY
```

`dig DOMAIN DS` — Query Delegation Signer records (links child to parent zone).

```bash
dig example.com DS
```

`dig +dnssec +multiline DOMAIN DNSKEY` — Show DNSSEC keys with multi-line formatting and key IDs.

```bash
dig +dnssec +multiline example.com DNSKEY
```

`dig +cd DOMAIN` — Disable DNSSEC checking (CD flag). Get answer even if validation fails.

```bash
dig +cd example.com
```

`dig +sigchase DOMAIN` — Chase DNSSEC signature chain (if supported by your dig version).

```bash
dig +sigchase example.com
```
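
One way to use `+dnssec` and `+cd` together, as an added example that is not part of the original cheat sheet: when a validating resolver answers SERVFAIL normally but NOERROR with `+cd`, the data exists and DNSSEC validation is what rejected it. The function names and the header samples are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): classify a lookup from two
# dig outputs, one normal and one taken with +cd (Checking Disabled).

# Print the RCODE (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the response "flags:" line carries AD (Authenticated Data).
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = output of `dig +dnssec NAME`, $2 = output of `dig +dnssec +cd NAME`
dnssec_verdict() {
    normal=$(dig_status "$1")
    unchecked=$(dig_status "$2")
    if [ "$normal" = "SERVFAIL" ] && [ "$unchecked" = "NOERROR" ]; then
        echo "validation-failure"     # data exists, the resolver rejected it
    elif [ "$normal" = "NOERROR" ] && dig_has_ad "$1"; then
        echo "validated"
    elif [ "$normal" = "NOERROR" ]; then
        echo "not-validated"          # unsigned zone or non-validating resolver
    else
        echo "lookup-failure:$normal"
    fi
}

# Constructed header samples (hypothetical, not captured from real lookups).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BROKEN_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if [ -n "${1:-}" ]; then   # live check when a name is given
    dnssec_verdict "$(dig +dnssec "$1")" "$(dig +dnssec +cd "$1")"
else                       # offline demo on the constructed samples
    dnssec_verdict "$SAMPLE_BROKEN" "$SAMPLE_BROKEN_CD"
fi
```

The AD flag only means something when the resolver you query validates and the path to it is trusted.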

## Network Options

`dig +tcp DOMAIN` — Use TCP instead of UDP for the query.

```bash
dig +tcp example.com
```

`dig +notcp DOMAIN` — Force UDP (default).

```bash
dig +notcp example.com
```

`dig -4 DOMAIN` — Force IPv4 transport only.

```bash
dig -4 example.com
```

`dig -6 DOMAIN` — Force IPv6 transport only.

```bash
dig -6 example.com
```

`dig -p PORT @SERVER DOMAIN` — Use a non-standard DNS port.

```bash
dig -p 5353 @127.0.0.1 example.com
```

`dig +time=SECONDS DOMAIN` — Set the query timeout in seconds (default: 5).

```bash
dig +time=10 example.com
```

`dig +retry=N DOMAIN` — Set the number of retries (default: 2).

```bash
dig +retry=5 example.com
```

`dig +bufsize=N DOMAIN` — Set the EDNS UDP buffer size (for large responses).

```bash
dig +bufsize=4096 example.com
```

## Batch & Multi-Query

`dig DOMAIN1 DOMAIN2 DOMAIN3` — Query multiple domains in a single invocation.

```bash
dig google.com github.com example.com
```

`dig -f FILE` — Read domains from a file (one per line) and query each.

```bash
dig -f domains.txt
```

`dig +short DOMAIN A DOMAIN AAAA DOMAIN MX` — Query multiple record types for a domain.

```bash
dig +short example.com A example.com AAAA example.com MX
```

## Zone Transfer

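`dig @NS DOMAIN AXFR` — Request a full zone transfer. The server must be configured to allow transfers to your address; unauthorized requests are normally refused. A nameserver that answers AXFR from arbitrary addresses exposes the whole zone and should be restricted to its secondaries.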

```bash
dig @ns1.example.com example.com AXFR
```

`dig @NS DOMAIN IXFR=SERIAL` — Request an incremental zone transfer from a given serial number.

```bash
dig @ns1.example.com example.com IXFR=2024010101
```

## Common Patterns

`dig +short DOMAIN NS | while read -r ns; do echo "$ns:"; dig +short @"$ns" DOMAIN; done` — Check if all nameservers return the same answer.

```bash
dig +short example.com NS | while read -r ns; do echo "$ns:"; dig +short @"$ns" example.com; done
```

`dig +short DOMAIN TXT | grep 'v=spf'` — Check SPF record for a domain.

```bash
dig +short example.com TXT | grep 'v=spf'
```

`dig +short _dmarc.DOMAIN TXT` — Check DMARC policy for a domain.

```bash
dig +short _dmarc.example.com TXT
```

`dig +short SELECTOR._domainkey.DOMAIN TXT` — Check a DKIM record.

```bash
dig +short google._domainkey.example.com TXT
```
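
For the SPF and DMARC lookups above, `grep` shows the record but not what it enforces. The following added example (not part of the original cheat sheet) parses the `dig +short` TXT output, including records that dig prints as several quoted chunks; function names and sample records are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): interpret the TXT output of
# `dig +short DOMAIN TXT` and `dig +short _dmarc.DOMAIN TXT`.

# Long TXT data arrives as several quoted chunks on one line. Join the
# chunks without a separator (RFC 7208, section 3.3) and drop the quotes.
txt_join() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# stdin: TXT records of the domain. Prints the default result of the SPF
# record (fail, softfail, neutral, pass, no-all), no-spf or multiple-spf.
spf_verdict() {
    txt_join | awk '
        tolower($1) == "v=spf1" { n++; rec = tolower($0) }
        END {
            if (n == 0) { print "no-spf"; exit }
            if (n > 1)  { print "multiple-spf"; exit }  # an error for receivers
            k = split(rec, term, " ")
            for (i = 2; i <= k; i++) {
                if (term[i] == "-all") { print "fail"; exit }
                if (term[i] == "~all") { print "softfail"; exit }
                if (term[i] == "?all") { print "neutral"; exit }
                if (term[i] == "all" || term[i] == "+all") { print "pass"; exit }
            }
            print "no-all"   # no explicit default, e.g. a redirect= record
        }'
}

# stdin: TXT records of _dmarc.DOMAIN. Prints the p= value or no-policy.
dmarc_policy() {
    txt_join | awk -F';' '
        $1 ~ /^v=DMARC1[ \t]*$/ {
            for (i = 2; i <= NF; i++) {
                tag = $i; gsub(/[ \t]/, "", tag)
                if (tag ~ /^p=/) { print substr(tag, 3); found = 1; exit }
            }
        }
        END { if (!found) print "no-policy" }'
}

# Constructed sample records (hypothetical and shortened, not real lookups).
SAMPLE_TXT='"site-verification=CONSTRUCTED"
"v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~a" "ll"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'

printf 'SPF: %s\n' "$(printf '%s\n' "$SAMPLE_TXT" | spf_verdict)"
printf 'DMARC: %s\n' "$(printf '%s\n' "$SAMPLE_DMARC" | dmarc_policy)"
```

For a live check, pipe `dig +short example.com TXT` into `spf_verdict` and `dig +short _dmarc.example.com TXT` into `dmarc_policy`.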

`dig +noall +answer +ttlid DOMAIN` — Check the remaining TTL of a cached record.

```bash
dig +noall +answer +ttlid example.com
```

`dig @ns1.DOMAIN DOMAIN SOA +short` — Get the zone serial number directly from the authoritative server.

```bash
dig @ns1.example.com example.com SOA +short
```
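
The nameserver comparison and the SOA serial lookup from this section can be combined into one check. This added example (not part of the original cheat sheet) compares the serial each authoritative server reports and flags servers that give no usable answer; function names and the sample data are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page): compare the SOA serial that
# each authoritative nameserver reports for a zone.

# Print the serial (third field) from one line of `dig +short ZONE SOA`.
# Error text such as a timeout message is ignored (serial must be numeric).
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# stdin: one "NAMESERVER SERIAL" pair per line; SERIAL is empty when the
# server gave no usable answer. Prints in-sync, out-of-sync, no-data or
# no-answer:<servers>.
serial_verdict() {
    awk '
        NF == 0 { next }
        NF == 1 { missing = missing (missing == "" ? "" : ",") $1; next }
        !($2 in seen) { seen[$2] = 1; distinct++ }
        END {
            if (missing != "")      print "no-answer:" missing
            else if (distinct == 0) print "no-data"
            else if (distinct == 1) print "in-sync"
            else                    print "out-of-sync"
        }'
}

# Live collection: ask every NS of the zone for its SOA record.
collect_serials() {
    dig +short "$1" NS | while read -r ns; do
        printf '%s %s\n' "$ns" "$(soa_serial "$(dig +short @"$ns" "$1" SOA)")"
    done
}

# Constructed sample (hypothetical servers; ns3 lags behind the others).
SAMPLE_SERIALS='ns1.example.com. 2024010101
ns2.example.com. 2024010101
ns3.example.com. 2023123101'

if [ -n "${1:-}" ]; then   # live check when a zone is given
    collect_serials "$1" | serial_verdict
else                       # offline demo on the constructed sample
    printf '%s\n' "$SAMPLE_SERIALS" | serial_verdict
fi
```

A short-lived `out-of-sync` right after a zone change is normal while secondaries catch up; a persistent one points at a failing transfer.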

## Conclusion

`dig` is indispensable for anyone who needs to diagnose DNS issues quickly or verify configurations. Combined with `+short` for scripts and `+trace` for the full delegation chain, it covers virtually every DNS diagnostic scenario – no GUI, no unnecessary dependencies.

## Further Reading

- [dig – BIND 9 documentation](https://bind9.readthedocs.io/en/latest/manpages.html#dig-dns-lookup-utility) – official reference
- [dig(1) – manual page](https://linux.die.net/man/1/dig) – every option at a glance
- [Domain Name System – Wikipedia](https://en.wikipedia.org/wiki/Domain_Name_System) – background and how DNS works

## Related Commands

- [nslookup](https://www.jpkc.com/db/en/cheatsheets/networking/nslookup/) – simple DNS queries, interactive or one-shot
- [host](https://www.jpkc.com/db/en/cheatsheets/networking/host/) – compact DNS lookup tool for quick answers
- [ping](https://www.jpkc.com/db/en/cheatsheets/networking/ping/) – check reachability once DNS has resolved

