MAN page from Trustix bind-utils-9.2.2-9tr.i586.rpm
Updated: Jun 30, 2000Index
dig - DNS lookup utility
dig [ @server ] [ -b address ] [ -c class ] [ -f filename ] [ -k filename ] [ -p port# ] [ -t type ] [ -x addr ] [ -y name:key ] [ name ] [ type ] [ class ] [ queryopt... ]
dig [ -h ]
dig [ global-queryopt... ] [ query... ]
dig (domain information groper) is a flexible toolfor interrogating DNS name servers. It performs DNS lookups anddisplays the answers that are returned from the name server(s) thatwere queried. Most DNS administrators use dig totroubleshoot DNS problems because of its flexibility, ease of use andclarity of output. Other lookup tools tend to have less functionalitythan dig.
Although dig is normally used with command-linearguments, it also has a batch mode of operation for reading lookuprequests from a file. A brief summary of its command-line argumentsand options is printed when the -h option is given.Unlike earlier versions, the BIND9 implementation ofdig allows multiple lookups to be issued from thecommand line.
Unless it is told to query a specific name server,dig will try each of the servers listed in/etc/resolv.conf.
When no command line arguments or options are given, will perform anNS query for "." (the root).
A typical invocation of dig looks like:
dig @server name type
- is the name or IP address of the name server to query. This can be an IPv4address in dotted-decimal notation or an IPv6address in colon-delimited notation. When the suppliedserver argument is a hostname,dig resolves that name before querying that nameserver. If no server argument is provided,dig consults /etc/resolv.confand queries the name servers listed there. The reply from the nameserver that responds is displayed.
- is the name of the resource record that is to be looked up.
- indicates what type of query is required ---ANY, A, MX, SIG, etc.type can be any valid query type. If notype argument is supplied,dig will perform a lookup for an A record.
The -b option sets the source IP address of the queryto address. This must be a valid address onone of the host's network interfaces.
The default query class (IN for internet) is overridden by the-c option. class is any validclass, such as HS for Hesiod records or CH for CHAOSNET records.
The -f option makes dig operatein batch mode by reading a list of lookup requests to process from thefile filename. The file contains a number ofqueries, one per line. Each entry in the file should be organised inthe same way they would be presented as queries todig using the command-line interface.
If a non-standard port number is to be queried, the-p option is used. port# isthe port number that dig will send its queriesinstead of the standard DNS port number 53. This option would be usedto test a name server that has been configured to listen for querieson a non-standard port number.
The -t option sets the query type totype. It can be any valid query type which issupported in BIND9. The default query type "A", unless the-x option is supplied to indicate a reverse lookup.A zone transfer can be requested by specifying a type of AXFR. Whenan incremental zone transfer (IXFR) is required,type is set to ixfr=N.The incremental zone transfer will contain the changes made to the zonesince the serial number in the zone's SOA record wasN.
Reverse lookups - mapping addresses to names - are simplified by the-x option. addr is an IPv4address in dotted-decimal notation, or a colon-delimited IPv6 address.When this option is used, there is no need to provide thename, class andtype arguments. digautomatically performs a lookup for a name like220.127.116.11.in-addr.arpa and sets the query type andclass to PTR and IN respectively. By default, IPv6 addresses arelooked up using the IP6.ARPA domain and binary labels as defined inRFC2874. To use the older RFC1886 method using the IP6.INT domain and"nibble" labels, specify the -n (nibble) option.
To sign the DNS queries sent by dig and theirresponses using transaction signatures (TSIG), specify a TSIG key fileusing the -k option. You can also specify the TSIGkey itself on the command line using the -y option;name is the name of the TSIG key andkey is the actual key. The key is a base-64encoded string, typically generated by dnssec-keygen(8).Caution should be taken when using the -y option onmulti-user systems as the key can be visible in the output fromps(1) or in the shell's history file. Whenusing TSIG authentication with dig, the nameserver that is queried needs to know the key and algorithm that isbeing used. In BIND, this is done by providing appropriatekey and server statements innamed.conf.
dig provides a number of query options which affectthe way in which lookups are made and the results displayed. Some ofthese set or reset flag bits in the query header, some determine whichsections of the answer get printed, and others determine the timeoutand retry strategies.
Each query option is identified by a keyword preceded by a plus sign(+). Some keywords set or reset an option. These may be precededby the string no to negate the meaning of that keyword. Otherkeywords assign values to options like the timeout interval. Theyhave the form +keyword=value.The query options are:
- Use [do not use] TCP when querying name servers. The defaultbehaviour is to use UDP unless an AXFR or IXFR query is requested, inwhich case a TCP connection is used.
- Use [do not use] TCP when querying name servers. This alternatesyntax to +[no]tcp is provided for backwardscompatibility. The "vc" stands for "virtual circuit".
- Ignore truncation in UDP responses instead of retrying with TCP. Bydefault, TCP retries are performed.
- Set the search list to contain the single domainsomename, as if specified in adomain directive in/etc/resolv.conf, and enable search listprocessing as if the +search option were given.
- Use [do not use] the search list defined by the searchlist or domaindirective in resolv.conf (if any).The search list is not used by default.
- Deprecated, treated as a synonym for +[no]search
- This option does nothing. It is provided for compatibility with oldversions of dig where it set an unimplementedresolver flag.
- Set [do not set] the AD (authentic data) bit in the query. The AD bitcurrently has a standard meaning only in responses, not in queries,but the ability to set the bit in the query is provided forcompleteness.
- Set [do not set] the CD (checking disabled) bit in the query. Thisrequests the server to not perform DNSSEC validation of responses.
- Toggle the setting of the RD (recursion desired) bit in the query.This bit is set by default, which means dignormally sends recursive queries. Recursion is automatically disabledwhen the +nssearch or+trace query options are used.
- When this option is set, dig attempts to find theauthoritative name servers for the zone containing the name beinglooked up and display the SOA record that each name server has for thezone.
- Toggle tracing of the delegation path from the root name servers forthe name being looked up. Tracing is disabled by default. Whentracing is enabled, dig makes iterative queries toresolve the name being looked up. It will follow referrals from theroot servers, showing the answer from each server that was used toresolve the lookup.
- toggles the printing of the initial comment in the output identifyingthe version of dig and the query options that havebeen applied. This comment is printed by default.
- Provide a terse answer. The default is to print the answer in averbose form.
- Show [or do not show] the IP address and port number that supplied theanswer when the +short option is enabled. Ifshort form answers are requested, the default is not to show thesource address and port number of the server that provided the answer.
- Toggle the display of comment lines in the output. The default is toprint comments.
- This query option toggles the printing of statistics: when the querywas made, the size of the reply and so on. The default behaviour isto print the query statistics.
- Print [do not print] the query as it is sent.By default, the query is not printed.
- Print [do not print] the question section of a query when an answer isreturned. The default is to print the question section as a comment.
- Display [do not display] the answer section of a reply. The defaultis to display it.
- Display [do not display] the authority section of a reply. Thedefault is to display it.
- Display [do not display] the additional section of a reply.The default is to display it.
- Set or clear all display flags.
- Sets the timeout for a query toT seconds. The default time out is 5 seconds.An attempt to set T to less than 1 will resultin a query timeout of 1 second being applied.
- Sets the number of times to retry UDP queries to server toT instead of the default, 3. IfT is less than or equal to zero, the number ofretries is silently rounded up to 1.
- Set the number of dots that have to appear inname to D for it to beconsidered absolute. The default value is that defined using thendots statement in /etc/resolv.conf, or 1 if nondots statement is present. Names with fewer dots are interpreted asrelative names and will be searched for in the domains listed in thesearch or domain directive in/etc/resolv.conf.
- Set the UDP message buffer size advertised using EDNS0 toB bytes. The maximum and minimum sizes of thisbuffer are 65535 and 0 respectively. Values outside this range arerounded up or down appropriately.
- Print records like the SOA records in a verbose multi-lineformat with human-readable comments. The default is to printeach record on a single line, to facilitate machine parsing of the dig output.
- Do not try the next server if you receive a SERVFAIL. The default isto not try the next server which is the reverse of normal stub resolverbehaviour.
- Attempt to display the contents of messages which are malformed.The default is to not display malformed answers.
- Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)in the the OPT record in the additional section of the query.
The BIND 9 implementation of dig supportsspecifying multiple queries on the command line (in addition tosupporting the -f batch file option). Each of thosequeries can be supplied with its own set of flags, options and queryoptions.
In this case, each query argument represent anindividual query in the command-line syntax described above. Eachconsists of any of the standard options and flags, the name to belooked up, an optional query type and class and any query options thatshould be applied to that query.
A global set of query options, which should be applied to all queries,can also be supplied. These global query options must precede thefirst tuple of name, class, type, options, flags, and query optionssupplied on the command line. Any global query options (exceptthe +[no]cmd option) can beoverridden by a query-specific set of query options. For example:
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how dig
could be used from the command lineto make three lookups: an ANY query for www.isc.org
, areverse lookup of 127.0.0.1 and a query for the NS records ofisc.org.A global query option of +qr
is applied, sothat dig
shows the initial query it made for eachlookup. The final query has a local query option of+noqr
which means that dig
will not print the initial query when it looks up the NS records forisc.org.
There are probably too many query options.
- SIMPLE USAGE
- QUERY OPTIONS
- MULTIPLE QUERIES
- SEE ALSO
This document was created byman2html,using the manual pages.