Dig command (Domain Information Groper) is one of the most popular DNS testing tools. You can use it to troubleshoot your DNS and make sure everything works fine. You can try it on Linux, Mac OS, and Windows. For this demonstration, we will use a random old laptop with the latest version of Linux Mint (19.1). Linux Mint is based on Ubuntu Linux. Many old laptops can get a new life as a diagnostic tool.
How does Dig Command work?
Dig Command works the same way as a typical DNS query. Let’s take an A record request. If you want to see the A record, you want to know the IP address of a particular domain. The request will first check if your router has the information of many sites’ addresses in its cache. If it doesn’t have it, the request must be answered from another recursive server. The common solution is that your query will be responded from the recursive servers of your internet provider. It is possible that it doesn’t know it either. No problem, your query will go on a search for the root server. The request will go to the top-level domain like .COM or .EU, and in the end you will get the IP address from the authoritative server for the domain you were checking.
How to install the dig command on Linux?
First, let’s check if you already have the dig command installed. You can do that by opening the terminal and writing dig -v. If you have it, your computer will show a message similar to this one:
Many new Linux distros have it pre-installed. In case you don’t have it, you will get the following message:
dig command not found
For Linux Mint, Ubuntu and other Ubuntu-based Linux distributions you can use the following command:
sudo apt install dnsutils
If you are using Fedora or CentOS you should use:
sudo yum install bind-utils
And for Arch Linux users:
sudo pacman -S bind-tools
Understanding the dig command
Let’s start with a simple example to understand it. We will use google.com for the testing. You can try it directly with your domain, by simply replacing google.com with your domain.
The first line will inform you about the version of the dig command and the second about the global option.
After that, you will get technical information provided by the DNS nameserver. The header shows you what did you do and was it successful. If there is “NOERROR” that there was no problem.
You will see the answer for the EDNS.
Following line shows that by default you are requesting the A record.
You will get the answer for the A record – the correspondent IP address and you will get statistic about the query.
More dig command examples:
dig google.com +short
This will show you just the IP address without any additional information. Quick and easy to use the answer that is basically the answer of an A record.
dig google.com MX
You can query different types of records like the mail exchanger ones. MX records show the responsible mail server for accepting emails. You can see if all of the servers are working the right way and if they are responding too slowly.
dig google.com SOA
SOA – the start of authority, shows the authoritative DNS server. In this record, you see valuable information about the zone. There is only one SOA per zone.
dig google.com TTL
TTL – time to live. It shows how long the data should be kept. You can read more about TTL HERE. People usually leave longer TTL, and that way, they lower the DNS servers’ load. When you are creating records, you can set it to a low value, if you like. Also, it is possible to set different TTL for different DNS records.
dig google.com +nocomments +noquestion +noauthority +noadditional +nostats
Only answer query. Use it if you don’t want to receive extra information. A clear and short answer that will evade the extra statistics that you might want to skip.
dig google.com ANY +noall +answer
Query all types of DNS records. It will show all the different types of DNS records. This will give you an overview of the domain. Later you can use the dig command for the exact DNS records that you want.
dig -x 220.127.116.11
Reverse DNS lookup. You can also do the opposite and check the IP address. The rDNS is used for verification. The result will be a PTR record that verifies the nameserver. It is needed that a PTR record exists. Otherwise, this revers checking can’t give an answer.
dig @18.104.22.168 +trace google.com
Trace DNS Path. It will show the whole route that a DNS query takes. Every hop from a server to server. It can show you where exactly server is not working. You might be surprised how far does your query travels. Check it from different locations, and you might see where in the world you need a new point of presence to reduce the latency for the users there.
11 dig -p 5300 google.com
Specify Port Number. If you have changed the standard port 53 to another for increased security, you can make a dig command to check if it is working correctly. And of course, you can check if you have closed the standard ports, and you don’t have any “open doors” for attackers.
dig _sip._udp.YOURDOMAIN.com SRV
Another record that you can check with this command is the SRV. The SRV records are often used in VoIP. In this example, we are checking the SIP service, and we will use the UDP protocol. The answer will show you the time for response and the server’s IP responsible for the SIP service.
dig google.com TXT
To see all of the TXT records, use this command. TXT records can be used for verifications and can have different variations. For example, it can be a DMARC record. To see a particular one, you can use the following command and change the “dmarc” with the one you need.
dig _dmarc.google.com TXT
Now you know the basics of the dig command on Linux. You can start experimenting by yourself.
You can get some additional information about the dig command and a few more options to try in our Wiki.