1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <refentry id="man.dig">
24 <date>February 19, 2014</date>
28 <refentrytitle>dig</refentrytitle>
29 <manvolnum>1</manvolnum>
30 <refmiscinfo>BIND9</refmiscinfo>
34 <refname>dig</refname>
35 <refpurpose>DNS lookup utility</refpurpose>
50 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
57 <holder>Internet Software Consortium.</holder>
63 <command>dig</command>
64 <arg choice="opt">@server</arg>
65 <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
66 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
67 <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
68 <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
69 <arg><option>-m</option></arg>
70 <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
71 <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
72 <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
73 <arg><option>-v</option></arg>
74 <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
75 <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
76 <arg><option>-4</option></arg>
77 <arg><option>-6</option></arg>
78 <arg choice="opt">name</arg>
79 <arg choice="opt">type</arg>
80 <arg choice="opt">class</arg>
81 <arg choice="opt" rep="repeat">queryopt</arg>
85 <command>dig</command>
86 <arg><option>-h</option></arg>
90 <command>dig</command>
91 <arg choice="opt" rep="repeat">global-queryopt</arg>
92 <arg choice="opt" rep="repeat">query</arg>
97 <title>DESCRIPTION</title>
98 <para><command>dig</command>
99 (domain information groper) is a flexible tool
100 for interrogating DNS name servers. It performs DNS lookups and
101 displays the answers that are returned from the name server(s) that
102 were queried. Most DNS administrators use <command>dig</command> to
103 troubleshoot DNS problems because of its flexibility, ease of use and
104 clarity of output. Other lookup tools tend to have less functionality
105 than <command>dig</command>.
109 Although <command>dig</command> is normally used with
111 arguments, it also has a batch mode of operation for reading lookup
112 requests from a file. A brief summary of its command-line arguments
113 and options is printed when the <option>-h</option> option is given.
114 Unlike earlier versions, the BIND 9 implementation of
115 <command>dig</command> allows multiple lookups to be issued
121 Unless it is told to query a specific name server,
122 <command>dig</command> will try each of the servers listed in
123 <filename>/etc/resolv.conf</filename>. If no usable server addresses
124 are found, <command>dig</command> will send the query to the local
129 When no command line arguments or options are given,
130 <command>dig</command> will perform an NS query for "." (the root).
134 It is possible to set per-user defaults for <command>dig</command> via
135 <filename>${HOME}/.digrc</filename>. This file is read and
137 are applied before the command line arguments.
141 The IN and CH class names overlap with the IN and CH top level
142 domain names. Either use the <option>-t</option> and
143 <option>-c</option> options to specify the type and class,
144 use the <option>-q</option> the specify the domain name, or
145 use "IN." and "CH." when looking up these top level domains.
151 <title>SIMPLE USAGE</title>
154 A typical invocation of <command>dig</command> looks like:
155 <programlisting> dig @server name type </programlisting>
161 <term><constant>server</constant></term>
164 is the name or IP address of the name server to query. This
165 can be an IPv4 address in dotted-decimal notation or an IPv6
166 address in colon-delimited notation. When the supplied
167 <parameter>server</parameter> argument is a hostname,
168 <command>dig</command> resolves that name before querying
172 If no <parameter>server</parameter> argument is
173 provided, <command>dig</command> consults
174 <filename>/etc/resolv.conf</filename>; if an
175 address is found there, it queries the name server at
176 that address. If either of the <option>-4</option> or
177 <option>-6</option> options are in use, then
178 only addresses for the corresponding transport
179 will be tried. If no usable addresses are found,
180 <command>dig</command> will send the query to the
181 local host. The reply from the name server that
182 responds is displayed.
188 <term><constant>name</constant></term>
191 is the name of the resource record that is to be looked up.
197 <term><constant>type</constant></term>
200 indicates what type of query is required —
201 ANY, A, MX, SIG, etc.
202 <parameter>type</parameter> can be any valid query
204 <parameter>type</parameter> argument is supplied,
205 <command>dig</command> will perform a lookup for an
217 <title>OPTIONS</title>
220 The <option>-b</option> option sets the source IP address of the query
221 to <parameter>address</parameter>. This must be a valid
223 one of the host's network interfaces or "0.0.0.0" or "::". An optional
225 may be specified by appending "#<port>"
229 The default query class (IN for internet) is overridden by the
230 <option>-c</option> option. <parameter>class</parameter> is
232 class, such as HS for Hesiod records or CH for Chaosnet records.
236 The <option>-f</option> option makes <command>dig </command>
238 in batch mode by reading a list of lookup requests to process from the
239 file <parameter>filename</parameter>. The file contains a
241 queries, one per line. Each entry in the file should be organized in
242 the same way they would be presented as queries to
243 <command>dig</command> using the command-line interface.
247 The <option>-m</option> option enables memory usage debugging.
248 <!-- It enables ISC_MEM_DEBUGTRACE and ISC_MEM_DEBUGRECORD
249 documented in include/isc/mem.h -->
253 If a non-standard port number is to be queried, the
254 <option>-p</option> option is used. <parameter>port#</parameter> is
255 the port number that <command>dig</command> will send its
257 instead of the standard DNS port number 53. This option would be used
258 to test a name server that has been configured to listen for queries
259 on a non-standard port number.
263 The <option>-4</option> option forces <command>dig</command>
265 use IPv4 query transport. The <option>-6</option> option forces
266 <command>dig</command> to only use IPv6 query transport.
270 The <option>-t</option> option sets the query type to
271 <parameter>type</parameter>. It can be any valid query type
273 supported in BIND 9. The default query type is "A", unless the
274 <option>-x</option> option is supplied to indicate a reverse lookup.
275 A zone transfer can be requested by specifying a type of AXFR. When
276 an incremental zone transfer (IXFR) is required,
277 <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
278 The incremental zone transfer will contain the changes made to the zone
279 since the serial number in the zone's SOA record was
280 <parameter>N</parameter>.
284 The <option>-q</option> option sets the query name to
285 <parameter>name</parameter>. This is useful to distinguish the
286 <parameter>name</parameter> from other arguments.
290 The <option>-v</option> causes <command>dig</command> to
291 print the version number and exit.
295 Reverse lookups — mapping addresses to names — are simplified by the
296 <option>-x</option> option. <parameter>addr</parameter> is
298 address in dotted-decimal notation, or a colon-delimited IPv6 address.
299 When this option is used, there is no need to provide the
300 <parameter>name</parameter>, <parameter>class</parameter> and
301 <parameter>type</parameter> arguments. <command>dig</command>
302 automatically performs a lookup for a name like
303 <literal>11.12.13.10.in-addr.arpa</literal> and sets the
305 class to PTR and IN respectively. By default, IPv6 addresses are
306 looked up using nibble format under the IP6.ARPA domain.
307 To use the older RFC1886 method using the IP6.INT domain
308 specify the <option>-i</option> option. Bit string labels (RFC2874)
309 are now experimental and are not attempted.
313 To sign the DNS queries sent by <command>dig</command> and
315 responses using transaction signatures (TSIG), specify a TSIG key file
316 using the <option>-k</option> option. You can also specify the TSIG
317 key itself on the command line using the <option>-y</option> option;
318 <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
319 <parameter>name</parameter> is the name of the TSIG key and
320 <parameter>key</parameter> is the actual key. The key is a
322 encoded string, typically generated by
324 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
327 Caution should be taken when using the <option>-y</option> option on
328 multi-user systems as the key can be visible in the output from
330 <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
332 or in the shell's history file. When
333 using TSIG authentication with <command>dig</command>, the name
334 server that is queried needs to know the key and algorithm that is
335 being used. In BIND, this is done by providing appropriate
336 <command>key</command> and <command>server</command> statements in
337 <filename>named.conf</filename>.
343 <title>QUERY OPTIONS</title>
345 <para><command>dig</command>
346 provides a number of query options which affect
347 the way in which lookups are made and the results displayed. Some of
348 these set or reset flag bits in the query header, some determine which
349 sections of the answer get printed, and others determine the timeout
350 and retry strategies.
354 Each query option is identified by a keyword preceded by a plus sign
355 (<literal>+</literal>). Some keywords set or reset an
356 option. These may be preceded
357 by the string <literal>no</literal> to negate the meaning of
359 keywords assign values to options like the timeout interval. They
360 have the form <option>+keyword=value</option>.
361 The query options are:
366 <term><option>+[no]aaflag</option></term>
369 A synonym for <parameter>+[no]aaonly</parameter>.
375 <term><option>+[no]aaonly</option></term>
378 Sets the "aa" flag in the query.
384 <term><option>+[no]additional</option></term>
387 Display [do not display] the additional section of a
388 reply. The default is to display it.
394 <term><option>+[no]adflag</option></term>
397 Set [do not set] the AD (authentic data) bit in the
398 query. This requests the server to return whether
399 all of the answer and authority sections have all
400 been validated as secure according to the security
401 policy of the server. AD=1 indicates that all records
402 have been validated as secure and the answer is not
403 from a OPT-OUT range. AD=0 indicate that some part
404 of the answer was insecure or not validated. This
405 bit is set by default.
411 <term><option>+[no]all</option></term>
414 Set or clear all display flags.
420 <term><option>+[no]answer</option></term>
423 Display [do not display] the answer section of a
424 reply. The default is to display it.
430 <term><option>+[no]authority</option></term>
433 Display [do not display] the authority section of a
434 reply. The default is to display it.
440 <term><option>+[no]besteffort</option></term>
443 Attempt to display the contents of messages which are
444 malformed. The default is to not display malformed
451 <term><option>+bufsize=B</option></term>
454 Set the UDP message buffer size advertised using EDNS0
455 to <parameter>B</parameter> bytes. The maximum and
456 minimum sizes of this buffer are 65535 and 0 respectively.
457 Values outside this range are rounded up or down
458 appropriately. Values other than zero will cause a
459 EDNS query to be sent.
465 <term><option>+[no]cdflag</option></term>
468 Set [do not set] the CD (checking disabled) bit in
469 the query. This requests the server to not perform
470 DNSSEC validation of responses.
476 <term><option>+[no]cl</option></term>
479 Display [do not display] the CLASS when printing the
486 <term><option>+[no]cmd</option></term>
489 Toggles the printing of the initial comment in the
490 output identifying the version of <command>dig</command>
491 and the query options that have been applied. This
492 comment is printed by default.
498 <term><option>+[no]comments</option></term>
501 Toggle the display of comment lines in the output.
502 The default is to print comments.
508 <term><option>+[no]crypto</option></term>
511 Toggle the display of cryptographic fields in DNSSEC
512 records. The contents of these field are unnecessary
513 to debug most DNSSEC validation failures and removing
514 them makes it easier to see the common failures. The
515 default is to display the fields. When omitted they
516 are replaced by the string "[omitted]" or in the
517 DNSKEY case the key id is displayed as the replacement,
518 e.g. "[ key id = value ]".
524 <term><option>+[no]defname</option></term>
527 Deprecated, treated as a synonym for
528 <parameter>+[no]search</parameter>
534 <term><option>+[no]dnssec</option></term>
537 Requests DNSSEC records be sent by setting the DNSSEC
538 OK bit (DO) in the OPT record in the additional section
545 <term><option>+domain=somename</option></term>
548 Set the search list to contain the single domain
549 <parameter>somename</parameter>, as if specified in
550 a <command>domain</command> directive in
551 <filename>/etc/resolv.conf</filename>, and enable
552 search list processing as if the
553 <parameter>+search</parameter> option were given.
559 <term><option>+[no]edns[=#]</option></term>
562 Specify the EDNS version to query with. Valid values
563 are 0 to 255. Setting the EDNS version will cause
564 a EDNS query to be sent. <option>+noedns</option>
565 clears the remembered EDNS version. EDNS is set to
572 <term><option>+[no]expire</option></term>
575 Send an EDNS Expire option.
581 <term><option>+[no]fail</option></term>
584 Do not try the next server if you receive a SERVFAIL.
585 The default is to not try the next server which is
586 the reverse of normal stub resolver behavior.
592 <term><option>+[no]identify</option></term>
595 Show [or do not show] the IP address and port number
596 that supplied the answer when the
597 <parameter>+short</parameter> option is enabled. If
598 short form answers are requested, the default is not
599 to show the source address and port number of the
600 server that provided the answer.
606 <term><option>+[no]ignore</option></term>
609 Ignore truncation in UDP responses instead of retrying
610 with TCP. By default, TCP retries are performed.
616 <term><option>+[no]keepopen</option></term>
619 Keep the TCP socket open between queries and reuse
620 it rather than creating a new TCP socket for each
621 lookup. The default is <option>+nokeepopen</option>.
627 <term><option>+[no]multiline</option></term>
630 Print records like the SOA records in a verbose
631 multi-line format with human-readable comments. The
632 default is to print each record on a single line, to
633 facilitate machine parsing of the <command>dig</command>
640 <term><option>+ndots=D</option></term>
643 Set the number of dots that have to appear in
644 <parameter>name</parameter> to <parameter>D</parameter>
645 for it to be considered absolute. The default value
646 is that defined using the ndots statement in
647 <filename>/etc/resolv.conf</filename>, or 1 if no
648 ndots statement is present. Names with fewer dots
649 are interpreted as relative names and will be searched
650 for in the domains listed in the <option>search</option>
651 or <option>domain</option> directive in
652 <filename>/etc/resolv.conf</filename> if
653 <option>+search</option> is set.
659 <term><option>+[no]nsid</option></term>
662 Include an EDNS name server ID request when sending
669 <term><option>+[no]nssearch</option></term>
672 When this option is set, <command>dig</command>
673 attempts to find the authoritative name servers for
674 the zone containing the name being looked up and
675 display the SOA record that each name server has for
682 <term><option>+[no]onesoa</option></term>
685 Print only one (starting) SOA record when performing
686 an AXFR. The default is to print both the starting
687 and ending SOA records.
693 <term><option>+[no]qr</option></term>
696 Print [do not print] the query as it is sent. By
697 default, the query is not printed.
703 <term><option>+[no]question</option></term>
706 Print [do not print] the question section of a query
707 when an answer is returned. The default is to print
708 the question section as a comment.
714 <term><option>+[no]recurse</option></term>
717 Toggle the setting of the RD (recursion desired) bit
718 in the query. This bit is set by default, which means
719 <command>dig</command> normally sends recursive
720 queries. Recursion is automatically disabled when
721 the <parameter>+nssearch</parameter> or
722 <parameter>+trace</parameter> query options are used.
728 <term><option>+retry=T</option></term>
731 Sets the number of times to retry UDP queries to
732 server to <parameter>T</parameter> instead of the
733 default, 2. Unlike <parameter>+tries</parameter>,
734 this does not include the initial query.
740 <term><option>+[no]rrcomments</option></term>
743 Toggle the display of per-record comments in the
744 output (for example, human-readable key information
745 about DNSKEY records). The default is not to print
746 record comments unless multiline mode is active.
752 <term><option>+[no]search</option></term>
755 Use [do not use] the search list defined by the
756 searchlist or domain directive in
757 <filename>resolv.conf</filename> (if any). The search
758 list is not used by default.
761 'ndots' from <filename>resolv.conf</filename> (default 1)
762 which may be overridden by <parameter>+ndots</parameter>
763 determines if the name will be treated as relative
764 or not and hence whether a search is eventually
771 <term><option>+[no]short</option></term>
774 Provide a terse answer. The default is to print the
775 answer in a verbose form.
781 <term><option>+[no]showsearch</option></term>
784 Perform [do not perform] a search showing intermediate
791 <term><option>+[no]sigchase</option></term>
794 Chase DNSSEC signature chains. Requires dig be
795 compiled with -DDIG_SIGCHASE.
801 <term><option>+[no]sit<optional>=####</optional></option></term>
804 Send a Source Identity Token EDNS option, with optional
805 value. Replaying a SIT from a previous response will
806 allow the server to identify a previous client. The
807 default is <option>+nosit</option>. Currently using
808 experimental value 65001 for the option code.
814 <term><option>+split=W</option></term>
817 Split long hex- or base64-formatted fields in resource
818 records into chunks of <parameter>W</parameter>
819 characters (where <parameter>W</parameter> is rounded
820 up to the nearest multiple of 4).
821 <parameter>+nosplit</parameter> or
822 <parameter>+split=0</parameter> causes fields not to
823 be split at all. The default is 56 characters, or
824 44 characters when multiline mode is active.
830 <term><option>+[no]stats</option></term>
833 This query option toggles the printing of statistics:
834 when the query was made, the size of the reply and
835 so on. The default behavior is to print the query
842 <term><option>+[no]subnet=addr/prefix</option></term>
845 Send an EDNS Client Subnet option with the specified
846 IP address or network prefix.
852 <term><option>+[no]tcp</option></term>
855 Use [do not use] TCP when querying name servers. The
856 default behavior is to use UDP unless an
857 <literal>ixfr=N</literal> query is requested, in which
858 case the default is TCP. AXFR queries always use
865 <term><option>+time=T</option></term>
869 Sets the timeout for a query to
870 <parameter>T</parameter> seconds. The default
871 timeout is 5 seconds.
872 An attempt to set <parameter>T</parameter> to less
874 in a query timeout of 1 second being applied.
880 <term><option>+[no]topdown</option></term>
883 When chasing DNSSEC signature chains perform a top-down
884 validation. Requires dig be compiled with -DDIG_SIGCHASE.
890 <term><option>+[no]trace</option></term>
893 Toggle tracing of the delegation path from the root
894 name servers for the name being looked up. Tracing
895 is disabled by default. When tracing is enabled,
896 <command>dig</command> makes iterative queries to
897 resolve the name being looked up. It will follow
898 referrals from the root servers, showing the answer
899 from each server that was used to resolve the lookup.
901 <command>+dnssec</command> is also set when +trace
902 is set to better emulate the default queries from a
909 <term><option>+tries=T</option></term>
912 Sets the number of times to try UDP queries to server
913 to <parameter>T</parameter> instead of the default,
914 3. If <parameter>T</parameter> is less than or equal
915 to zero, the number of tries is silently rounded up
922 <term><option>+trusted-key=####</option></term>
925 Specifies a file containing trusted keys to be used
926 with <option>+sigchase</option>. Each DNSKEY record
927 must be on its own line.
929 If not specified, <command>dig</command> will look
930 for <filename>/etc/trusted-key.key</filename> then
931 <filename>trusted-key.key</filename> in the current
934 Requires dig be compiled with -DDIG_SIGCHASE.
940 <term><option>+[no]ttlid</option></term>
943 Display [do not display] the TTL when printing the
950 <term><option>+[no]vc</option></term>
953 Use [do not use] TCP when querying name servers. This
954 alternate syntax to <parameter>+[no]tcp</parameter>
955 is provided for backwards compatibility. The "vc"
956 stands for "virtual circuit".
967 <title>MULTIPLE QUERIES</title>
970 The BIND 9 implementation of <command>dig </command>
972 specifying multiple queries on the command line (in addition to
973 supporting the <option>-f</option> batch file option). Each of those
974 queries can be supplied with its own set of flags, options and query
979 In this case, each <parameter>query</parameter> argument
981 individual query in the command-line syntax described above. Each
982 consists of any of the standard options and flags, the name to be
983 looked up, an optional query type and class and any query options that
984 should be applied to that query.
988 A global set of query options, which should be applied to all queries,
989 can also be supplied. These global query options must precede the
990 first tuple of name, class, type, options, flags, and query options
991 supplied on the command line. Any global query options (except
992 the <option>+[no]cmd</option> option) can be
993 overridden by a query-specific set of query options. For example:
995 dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
997 shows how <command>dig</command> could be used from the
999 to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
1000 reverse lookup of 127.0.0.1 and a query for the NS records of
1001 <literal>isc.org</literal>.
1003 A global query option of <parameter>+qr</parameter> is
1005 that <command>dig</command> shows the initial query it made
1007 lookup. The final query has a local query option of
1008 <parameter>+noqr</parameter> which means that <command>dig</command>
1009 will not print the initial query when it looks up the NS records for
1010 <literal>isc.org</literal>.
1016 <title>IDN SUPPORT</title>
1018 If <command>dig</command> has been built with IDN (internationalized
1019 domain name) support, it can accept and display non-ASCII domain names.
1020 <command>dig</command> appropriately converts character encoding of
1021 domain name before sending a request to DNS server or displaying a
1022 reply from the server.
1023 If you'd like to turn off the IDN support for some reason, defines
1024 the <envar>IDN_DISABLE</envar> environment variable.
1025 The IDN support is disabled if the variable is set when
1026 <command>dig</command> runs.
1031 <title>FILES</title>
1032 <para><filename>/etc/resolv.conf</filename>
1034 <para><filename>${HOME}/.digrc</filename>
1039 <title>SEE ALSO</title>
1040 <para><citerefentry>
1041 <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
1044 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
1047 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
1049 <citetitle>RFC1035</citetitle>.
1056 There are probably too many query options.