dig Commands Reference

Essential dig commands for DNS lookups and troubleshooting

🔍 Basic DNS Lookups

Simple A record lookup

dig example.com

Performs a basic DNS lookup for A records of the specified domain.

Short answer format

dig example.com +short

Returns only the IP address(es), without additional details.

Query with specific nameserver

dig @8.8.8.8 example.com

Query using Google's DNS server (8.8.8.8). Replace with any nameserver IP.

Query multiple domains

dig example.com google.com cloudflare.com

Performs multiple DNS queries in a single command, showing results for each domain.

📝 Querying Different Record Types

A record (IPv4 address)

dig example.com A

AAAA record (IPv6 address)

dig example.com AAAA

MX record (mail servers)

dig example.com MX

NS record (nameservers)

dig example.com NS

TXT record (text records)

dig example.com TXT

Commonly used for SPF, DKIM, and domain verification records.

CNAME record (canonical name)

dig www.example.com CNAME

SOA record (start of authority)

dig example.com SOA

PTR record (reverse DNS lookup)

dig -x 8.8.8.8

Looks up the domain name associated with an IP address.

ANY record (all available records)

dig example.com ANY

Note: Many DNS servers now limit or disable ANY queries for security reasons.

CAA record (Certificate Authority Authorization)

dig example.com CAA

Shows which Certificate Authorities are authorized to issue certificates for the domain. CAs must check CAA records before issuance (RFC 8659).

SRV record (service location)

dig _imaps._tcp.example.com SRV

Locates servers for specific services. Format is _service._proto.name.

HTTPS/SVCB record (service binding)

dig example.com HTTPS

Queries HTTPS service binding records (RFC 9460). Used for ALPN hints and ECH keys.

🔐 Certificate & TLS-Related Lookups

DANE/TLSA records

dig _443._tcp.example.com TLSA

DANE TLSA records bind TLS certificates to DNS names via DNSSEC.

SMTP DANE records

dig _25._tcp.mail.example.com TLSA

Check DANE TLSA records for SMTP servers.

ACME DNS-01 challenge verification

dig _acme-challenge.example.com TXT +short

Verify that the DNS-01 challenge TXT record is visible before requesting an ACME certificate.

MTA-STS policy records

dig _mta-sts.example.com TXT +short
dig _smtp._tls.example.com TXT +short

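MTA-STS forces authenticated TLS for email delivery. The _mta-sts TXT record only advertises that a policy exists and its id; the _smtp._tls record is the companion TLS reporting (TLS-RPT, RFC 8460) record that tells senders where to send failure reports.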

CAA authorization check

dig example.com CAA +short

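Verify which CAs are authorized. Empty = any CA may issue. For a subdomain, CAs also check the parent domains (RFC 8659), so an empty answer at the subdomain does not by itself mean issuance is unrestricted.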

🔄 Zone Transfers

Full zone transfer (AXFR)

dig @ns1.example.com example.com AXFR

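Requests a complete copy of the zone. Most servers restrict this to authorized secondaries; a server that answers AXFR for any client discloses every record in the zone.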

Incremental zone transfer (IXFR)

dig @ns1.example.com example.com IXFR=2024010100

Requests only the changes made since the given SOA serial.

🔒 DNSSEC Queries

Check DNSSEC validation

dig example.com +dnssec

Shows DNSSEC signatures if available. Look for RRSIG records in the answer and the ad (authenticated data) flag in the response header.

Query DNSKEY records

dig example.com DNSKEY +short

Query DS records (delegation signer)

dig example.com DS +short

Check with DNSSEC validation disabled

dig example.com +cd

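The +cd flag sets the CD (checking disabled) bit in the query, asking the resolver to skip DNSSEC validation. If a name returns SERVFAIL normally but resolves with +cd, the failure is a DNSSEC validation problem.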

🔧 Troubleshooting and Advanced Options

Trace DNS resolution path

dig example.com +trace

Shows the complete DNS resolution path from root servers to authoritative nameservers.

Disable recursion (query authoritative server only)

dig @ns1.example.com example.com +norecurse

Show query time and statistics

dig example.com +stats

Displays query statistics including response time and message size. Statistics are shown by default; use +nostats to hide them.

Set query timeout

dig example.com +time=5

Sets timeout to 5 seconds (default is 5 seconds per attempt).

Set number of retry attempts

dig example.com +tries=3

Use TCP instead of UDP

dig example.com +tcp

Useful for large responses or when UDP is blocked.

Show only the answer section

dig example.com +noall +answer

Check specific port

dig @8.8.8.8 -p 5353 example.com

Query DNS server on a non-standard port (default is 53).

Set EDNS buffer size

dig example.com +bufsize=1232

Recommended by DNS Flag Day 2020 to avoid fragmentation.

Identify responding server

dig example.com +short +identify

Shows which server responded to the query.

💡 Common Use Cases

Check if domain is using Cloudflare

dig example.com NS +short

Look for nameservers ending in cloudflare.com.

Verify SPF records for email

dig example.com TXT +short | grep spf

Check DKIM record

dig default._domainkey.example.com TXT +short

Replace default with your DKIM selector.

Check DMARC policy

dig _dmarc.example.com TXT +short
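
The SPF and DMARC lookups above return raw quoted TXT strings. The following added example (not part of the original reference) turns that output into a policy verdict; the function names and the sample records are assumptions constructed for illustration.

```shell
# Live use:  dig example.com TXT +short | spf_policy
#            dig _dmarc.example.com TXT +short | dmarc_policy

# A TXT record can hold several strings (each at most 255 bytes); dig prints
# them as "part1" "part2". SPF and DMARC join them with no separator.
txt_join() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Prints: none | multiple | fail | softfail | neutral | pass | no-all
spf_policy() {
    records=$(txt_join | tr 'A-Z' 'a-z' | grep -E '^v=spf1( |$)' || true)
    [ -z "$records" ] && { echo none; return; }
    # More than one v=spf1 record is a permanent error (RFC 7208).
    [ "$(printf '%s\n' "$records" | grep -c .)" -gt 1 ] && { echo multiple; return; }
    case " $records " in
        *" -all "*)            echo fail ;;
        *" ~all "*)            echo softfail ;;
        *" ?all "*)            echo neutral ;;
        *" +all "*|*" all "*)  echo pass ;;      # authorizes every sender
        *)                     echo no-all ;;
    esac
}

# Prints: missing | none | quarantine | reject | invalid
dmarc_policy() {
    record=$(txt_join | tr 'A-Z' 'a-z' | grep -E '^v=dmarc1 *(;|$)' | head -n 1 || true)
    [ -z "$record" ] && { echo missing; return; }
    # Tags are separated by ';' with optional spaces; p= is the domain policy.
    p=$(printf '%s\n' "$record" | tr ';' '\n' | sed -n 's/^ *p *= *\([a-z]*\) *$/\1/p' | head -n 1)
    case "$p" in
        none|quarantine|reject) echo "$p" ;;
        *)                      echo invalid ;;
    esac
}

# Constructed sample of `dig ... TXT +short` output (not real data).
SAMPLE_TXT='"google-site-verification=PLACEHOLDER"
"v=spf1 ip4:192.0.2.0/24 include:_spf.exam" "ple.net ~all"'
SAMPLE_DMARC='"v=DMARC1; p=none; rua=mailto:reports@example.com"'

printf 'SPF: %s\n'   "$(printf '%s\n' "$SAMPLE_TXT"   | spf_policy)"
printf 'DMARC: %s\n' "$(printf '%s\n' "$SAMPLE_DMARC" | dmarc_policy)"
```

A verdict of pass, no-all, multiple or none for SPF, or none or missing for DMARC, means spoofed mail from the domain is not being rejected on the basis of that record.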

Batch query from file

dig -f domains.txt +short

Query all domains listed in domains.txt (one domain per line).

Compare responses from different DNS servers

dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short

Compare Google DNS (8.8.8.8) with Cloudflare DNS (1.1.1.1).

🎨 Output Customization

Minimal output (answer section only)

dig example.com +noall +answer

Show question section

dig example.com +noall +question +answer

Include comments in output

dig example.com +comments

Multiline output (easier to read)

dig example.com +multiline

Particularly useful for SOA and TXT records.