dig Commands Reference

Essential dig commands for DNS lookups and troubleshooting

🔍 Basic DNS Lookups

Simple A record lookup

dig example.com

Performs a basic DNS lookup for A records of the specified domain.

Short answer format

dig example.com +short

Returns only the IP address(es), without additional details.

Query with specific nameserver

dig @8.8.8.8 example.com

Query using Google's DNS server (8.8.8.8). Replace with any nameserver IP.

Query multiple domains

dig example.com google.com cloudflare.com

📝 Querying Different Record Types

A record (IPv4 address)

dig example.com A

AAAA record (IPv6 address)

dig example.com AAAA

MX record (mail servers)

dig example.com MX

NS record (nameservers)

dig example.com NS

TXT record (text records)

dig example.com TXT

Commonly used for SPF, DKIM, and domain verification records.

CNAME record (canonical name)

dig www.example.com CNAME

SOA record (start of authority)

dig example.com SOA

PTR record (reverse DNS lookup)

dig -x 8.8.8.8

Looks up the domain name associated with an IP address.

ANY record (all available records)

dig example.com ANY

Note: Many DNS servers now limit or disable ANY queries for security reasons.

🔒 DNSSEC Queries

Check DNSSEC validation

dig example.com +dnssec

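Sets the DO bit so the response includes DNSSEC signatures if available. Look for RRSIG records in the answer; a validating resolver also sets the ad flag in the header when the answer validated.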

Query DNSKEY records

dig example.com DNSKEY +short

Query DS records (delegation signer)

dig example.com DS +short

Check with DNSSEC validation disabled

dig example.com +cd

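The +cd flag sets the CD (checking disabled) bit, which asks the resolver to return the answer without DNSSEC validation. If a name returns SERVFAIL normally but resolves with +cd, the failure is a DNSSEC validation problem.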

🔧 Troubleshooting and Advanced Options

Trace DNS resolution path

dig example.com +trace

Shows the complete DNS resolution path from root servers to authoritative nameservers.

Disable recursion (query authoritative server only)

dig @ns1.example.com example.com +norecurse

Show query time and statistics

dig example.com +stats

Set query timeout

dig example.com +time=5

Sets the timeout to 5 seconds per attempt, which is also dig's default.

Set number of retry attempts

dig example.com +tries=3

Use TCP instead of UDP

dig example.com +tcp

Useful for large responses or when UDP is blocked.

Show only the answer section

dig example.com +noall +answer

Check specific port

dig @8.8.8.8 -p 5353 example.com

Query DNS server on a non-standard port (default is 53).

💡 Common Use Cases

Check if domain is using Cloudflare

dig example.com NS +short

Look for nameservers ending in cloudflare.com

Verify SPF records for email

dig example.com TXT +short | grep spf

Check DKIM record

dig default._domainkey.example.com TXT +short

Replace default with your DKIM selector.

Check DMARC policy

dig _dmarc.example.com TXT +short
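
The SPF and DMARC lookups above only print the raw TXT strings; the script below is an added example (not part of the original reference) that turns that output into a verdict. The function names spf_verdict and dmarc_policy and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Both checks read `dig ... TXT +short` output on stdin, e.g.:
#   dig example.com TXT +short | spf_verdict
#   dig _dmarc.example.com TXT +short | dmarc_policy

# dig prints a long TXT record as several quoted strings; they are
# concatenated with nothing in between, so join them and drop the quotes.
txt_join() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Classify the domain's SPF record by its terminal "all" mechanism.
spf_verdict() {
    records=$(txt_join | tr 'A-Z' 'a-z' | grep -E '^v=spf1( |$)' || true)
    count=$(printf '%s\n' "$records" | grep -c '^v=spf1' || true)
    if [ "$count" -eq 0 ]; then echo none; return; fi
    # More than one v=spf1 record is a permanent error for receivers.
    if [ "$count" -gt 1 ]; then echo multiple; return; fi
    case " $records " in
        *" -all "*) echo fail ;;
        *" ~all "*) echo softfail ;;
        *" ?all "*) echo neutral ;;
        *" +all "*|*" all "*) echo pass-all ;;   # authorises every sender
        *) echo no-all ;;                        # redirect= or missing "all"
    esac
}

# Print the p= tag of the DMARC record, or say why there is none.
dmarc_policy() {
    rec=$(txt_join | grep -iE '^v=dmarc1 *(;|$)' | head -n 1 || true)
    if [ -z "$rec" ]; then echo none-published; return; fi
    p=$(printf '%s\n' "$rec" | tr ';' '\n' |
        sed -n 's/^ *[Pp] *= *\([A-Za-z]*\) *$/\1/p' | head -n 1)
    echo "${p:-missing-p}"
}

# Constructed sample answers (not real lookups), so the script runs offline.
SAMPLE_TXT='"google-site-verification=constructed-token"
"v=spf1 include:_spf.example.net ip4:192.0.2.0/24" " ~all"'
SAMPLE_DMARC='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'

printf 'SPF:   %s\n' "$(printf '%s\n' "$SAMPLE_TXT" | spf_verdict)"
printf 'DMARC: %s\n' "$(printf '%s\n' "$SAMPLE_DMARC" | dmarc_policy)"
```

A verdict of multiple, pass-all or none-published is the one to act on: receivers treat duplicate SPF records as an error, +all authorises any sender, and a missing DMARC record leaves spoofed mail unpoliced.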

Batch query from file

dig -f domains.txt +short

Query all domains listed in domains.txt (one domain per line).

Compare responses from different DNS servers

dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short

Compare Google DNS (8.8.8.8) with Cloudflare DNS (1.1.1.1).

🎨 Output Customization

Minimal output (answer section only)

dig example.com +noall +answer

Show question section

dig example.com +noall +question +answer

Include comments in output

dig example.com +comments

Multiline output (easier to read)

dig example.com +multiline

Particularly useful for SOA and TXT records.