dig — Query DNS Records from the Command Line
Practical guide to dig — DNS lookups, record types, reverse lookup, DNSSEC and tracing on the command line, with examples for the most common diagnostic scenarios.
dig is the go-to tool for DNS diagnostics on the command line: a single command lets you look up individual records, verify mail server configuration, trace the full delegation chain to the authoritative nameserver, or validate DNSSEC signatures. It ships as part of the BIND package and is pre-installed on virtually every Unix system. This guide covers the options you reach for most – from a quick A-record lookup to a full zone transfer.
Basic Queries
dig DOMAIN — Query the A record (IPv4 address) of a domain using the default DNS server.
    dig example.com

dig DOMAIN TYPE — Query a specific record type (A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR, etc.).
    dig example.com MX

dig @SERVER DOMAIN — Query a specific DNS server.
    dig @8.8.8.8 example.com

dig @SERVER DOMAIN TYPE — Query a specific record type from a specific server.
    dig @1.1.1.1 example.com AAAA

dig DOMAIN ANY — Query all available record types. Note: many servers restrict ANY queries.
    dig example.com ANY

Common Record Types
dig DOMAIN A — IPv4 address record.
    dig example.com A

dig DOMAIN AAAA — IPv6 address record.
    dig example.com AAAA

dig DOMAIN MX — Mail exchange records. Shows mail servers and priorities.
    dig example.com MX

dig DOMAIN NS — Nameserver records. Shows authoritative DNS servers.
    dig example.com NS

dig DOMAIN TXT — Text records. Often contain SPF, DKIM, DMARC, and verification records.
    dig example.com TXT

dig DOMAIN SOA — Start of Authority. Shows primary nameserver, admin email, serial, and timers.
    dig example.com SOA

dig DOMAIN CNAME — Canonical name (alias) record.
    dig www.example.com CNAME

dig DOMAIN SRV — Service record. Used for service discovery (e.g., SIP, XMPP, LDAP).
    dig _sip._tcp.example.com SRV

dig DOMAIN CAA — Certificate Authority Authorization. Shows which CAs can issue certificates.
    dig example.com CAA

Output Control
dig +short DOMAIN — Short output — only the answer, no headers or metadata.
    dig +short example.com

dig +short DOMAIN TYPE — Short output for a specific record type.
    dig +short example.com MX

dig +noall +answer DOMAIN — Show only the answer section. Clean but with field details.
    dig +noall +answer example.com

dig +noall +answer +authority DOMAIN — Show answer and authority sections.
    dig +noall +answer +authority example.com NS

dig +nocomments +noquestion +noauthority +noadditional +nostats DOMAIN — Suppress all sections except the answer.
    dig +nocomments +noquestion +noauthority +noadditional +nostats example.com

dig +multiline DOMAIN SOA — Multi-line output with comments. Useful for SOA and DNSSEC records.
    dig +multiline example.com SOA

dig +yaml DOMAIN — Output in YAML format (dig 9.18+).
    dig +yaml example.com

dig +json DOMAIN — Output in JSON format (dig 9.18+).
    dig +json example.com

Reverse DNS Lookup
dig -x IP — Reverse DNS lookup — find the hostname for an IP address.
    dig -x 8.8.8.8

dig -x IP +short — Short reverse lookup — hostname only.
    dig -x 8.8.8.8 +short

dig -x IPV6 — Reverse lookup for an IPv6 address.
    dig -x 2001:4860:4860::8888

Tracing & Debugging
dig +trace DOMAIN — Trace the full delegation path from root servers to the authoritative server.
    dig +trace example.com

dig +trace +nodnssec DOMAIN — Trace without DNSSEC records for cleaner output.
    dig +trace +nodnssec example.com

dig +stats DOMAIN — Show query statistics (time, server, message size).
    dig +stats example.com

dig +qr DOMAIN — Show the outgoing query alongside the response.
    dig +qr example.com

dig +identify DOMAIN — Show the responding server for +short queries.
    dig +short +identify example.com

DNSSEC
dig +dnssec DOMAIN — Request DNSSEC records (RRSIG, DNSKEY, DS, NSEC).
    dig +dnssec example.com

dig DOMAIN DNSKEY — Query DNSSEC public keys for a domain.
    dig example.com DNSKEY

dig DOMAIN DS — Query Delegation Signer records (links child to parent zone).
    dig example.com DS

dig +dnssec +multiline DOMAIN DNSKEY — Show DNSSEC keys with multi-line formatting and key IDs.
    dig +dnssec +multiline example.com DNSKEY

dig +cd DOMAIN — Disable DNSSEC checking (CD flag). Get answer even if validation fails.
    dig +cd example.com

dig +sigchase DOMAIN — Chase DNSSEC signature chain (if supported by your dig version).
    dig +sigchase example.com

Network Options
dig +tcp DOMAIN — Use TCP instead of UDP for the query.
    dig +tcp example.com

dig +notcp DOMAIN — Force UDP (default).
    dig +notcp example.com

dig -4 DOMAIN — Force IPv4 transport only.
    dig -4 example.com

dig -6 DOMAIN — Force IPv6 transport only.
    dig -6 example.com

dig -p PORT @SERVER DOMAIN — Use a non-standard DNS port.
    dig -p 5353 @127.0.0.1 example.com

dig +time=SECONDS DOMAIN — Set the query timeout in seconds (default: 5).
    dig +time=10 example.com

dig +retry=N DOMAIN — Set the number of retries (default: 2).
    dig +retry=5 example.com

dig +bufsize=N DOMAIN — Set the EDNS UDP buffer size (for large responses).
    dig +bufsize=4096 example.com

Batch & Multi-Query
dig DOMAIN1 DOMAIN2 DOMAIN3 — Query multiple domains in a single invocation.
    dig google.com github.com example.com

dig -f FILE — Read domains from a file (one per line) and query each.
    dig -f domains.txt

dig +short DOMAIN A DOMAIN AAAA DOMAIN MX — Query multiple record types for a domain.
    dig +short example.com A example.com AAAA example.com MX

Zone Transfer
dig @NS DOMAIN AXFR — Request a full zone transfer (requires authorization).
    dig @ns1.example.com example.com AXFR

dig @NS DOMAIN IXFR=SERIAL — Request an incremental zone transfer from a given serial number.
    dig @ns1.example.com example.com IXFR=2024010101

Common Patterns
dig +short DOMAIN NS | while read -r ns; do echo "$ns:"; dig +short "@$ns" DOMAIN; done — Check if all nameservers return the same answer.
    dig +short example.com NS | while read -r ns; do echo "$ns:"; dig +short "@$ns" example.com; done

dig +short DOMAIN TXT | grep 'v=spf' — Check SPF record for a domain.
    dig +short example.com TXT | grep 'v=spf'

dig +short _dmarc.DOMAIN TXT — Check DMARC policy for a domain.
    dig +short _dmarc.example.com TXT

dig +short SELECTOR._domainkey.DOMAIN TXT — Check a DKIM record.
    dig +short google._domainkey.example.com TXT

dig +noall +answer +ttlid DOMAIN — Check the remaining TTL of a cached record.
    dig +noall +answer +ttlid example.com

dig @ns1.DOMAIN DOMAIN SOA +short — Get the zone serial number directly from the authoritative server.
    dig @ns1.example.com example.com SOA +short

Conclusion
dig is indispensable for anyone who needs to diagnose DNS issues quickly or verify configurations. Combined with +short for scripts and +trace for the full delegation chain, it covers virtually every DNS diagnostic scenario – no GUI, no unnecessary dependencies.
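
The SPF and DMARC lookups under Common Patterns return raw TXT strings that still have to be read by eye. The following added example (not part of the original guide) turns `dig +short ... TXT` output into a verdict, including the case where dig prints one long record as several quoted strings and the case of duplicate SPF records. The function names, verdict labels and sample records are constructed for illustration.

```shell
# Added example: classify SPF/DMARC posture from `dig +short ... TXT` output.
# Names and labels are illustrative. Live use: dig +short example.com TXT | spf_verdict

# dig prints one TXT record per line as quoted strings; a long record is split
# into several strings that are concatenated with no separator.
join_txt() {
  sed -e 's/"[[:space:]]*"//g' -e 's/^"//' -e 's/"$//'
}

spf_verdict() {
  join_txt | awk '
    tolower($1) == "v=spf1" { n++; rec = tolower($0) }
    END {
      if (n == 0) { print "none"; exit }
      if (n > 1)  { print "permerror-multiple"; exit }  # RFC 7208: one record
      v = "no-all"
      k = split(rec, term, " ")
      for (i = 2; i <= k; i++) {
        if (term[i] ~ /^redirect=/) { v = "redirect"; continue }
        if (term[i] !~ /^[-~?+]?all$/) continue
        q = substr(term[i], 1, 1)
        v = (q == "-") ? "fail" : (q == "~") ? "softfail" : (q == "?") ? "neutral" : "pass-all"
        break   # terms after the first "all" are never evaluated
      }
      print v
    }'
}

dmarc_policy() {
  join_txt | awk '
    tolower($0) ~ /^v=dmarc1/ { n++; rec = tolower($0) }
    END {
      if (n != 1) { print (n ? "multiple" : "missing"); exit }
      p = "no-p-tag"
      k = split(rec, tag, ";")
      for (i = 2; i <= k; i++) {
        gsub(/[ \t]/, "", tag[i])
        if (tag[i] ~ /^p=/) p = substr(tag[i], 3)
      }
      print p
    }'
}

# Constructed sample records (not real lookups); the SPF record spans two strings.
SAMPLE_TXT='"google-site-verification=CONSTRUCTED"
"v=spf1 include:_spf.example.net " "ip4:192.0.2.0/24 ~all"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com"'
printf 'SPF:   %s\n' "$(printf '%s\n' "$SAMPLE_TXT" | spf_verdict)"
printf 'DMARC: %s\n' "$(printf '%s\n' "$SAMPLE_DMARC" | dmarc_policy)"
```

A `pass-all`, `none` or `missing` result is the one to follow up on: it means the domain either authorizes every sender or publishes no policy at all.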