This is a draft cheat sheet. It is a work in progress and is not finished yet.
Syntax
dig [@server] name [type] [class] [options]
List specific resource record types
Base Syntax:
Authority Record:
IPv4 address(-es):
IPv6 address(-es):
Canonical Records:
Mail eXchangers:
Standard Reverse Lookup: dig 2.69.219.91.in-addr.arpa PTR
Simple Reverse Lookup:
Caveat: If you forget to configure MX records for an object, most mail servers will try to deliver messages to the A record associated with the host.
Who do we talk to?
Local v4 resolver:
Local v6 resolver:
Defined v4 resolver: dig -4 @<dnsserver> fhstp.ac.at
Defined v6 resolver: dig -6 @<dnsserver> fhstp.ac.at
<dnsserver> - either the name or the IP address of a resolver, or of the DNS server that is authoritative for the query
Output sections
HEADER: dig command version, options used, type of operation, status of the operation, message id.
QUESTION: This is your input - the query you sent to the DNS.
ANSWER: Column 2: TTL (cache time) in seconds; Column 3: Class (IN=Internet, CH=Chaos, HS=Hesiod); Column 4: Resource Record Type (A, NS, CNAME, MX, PTR...); Column 5: The content of the resource record (IP, Name, Text...).
AUTHORITY: The DNS servers that have the authority to answer the query (in the form of NS records).
ADDITIONAL: This section carries resource records that are attached to help you avoid additional queries or even bootstrap certain zones (Glue records).
Sneaky stuff
Request an AXFR zone transfer:
Request BIND version: dig @farnsworth.lab version.bind CHAOS TXT
Output modifiers
Example:
+dnssec: Also request associated DNSSEC records
+short: Only show the "pure" answer
+norecurse: Don't ask the resolver to recurse (a.k.a.: "iterative query")
+tcp / +notcp: Use / do not use TCP for this query
+multiline: Display longer records in a more human-readable fashion
Response Codes
0: No error :-)
1: Unable to understand query
2: Server problem
3: Domain does not exist
4: Query not implemented
5: Query not allowed
If the verification of a DNSSEC-signed answer fails, this also results in SERVFAIL.
Response Flags
Authoritative Answer
Truncated
Recursion Desired
Recursion Available
Authenticated Data (DNSSEC)
Checking Disabled
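Added example (not part of the original cheat sheet): POSIX shell functions that read dig output and extract the status from the HEADER, the response flags, and the TTL / type / content columns of the ANSWER section described above. The sample output, the example.test names and all function names are constructed for illustration; `ad` and `tc` are the abbreviations dig prints on its flags line for Authenticated Data and Truncated.

```shell
# Constructed dig output for a fictional name; not captured from a real server.
sample_output() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.test.      IN  A

;; ANSWER SECTION:
www.example.test.   300 IN  CNAME   host.example.test.
host.example.test.  60  IN  A       192.0.2.10
EOF
}

# Response code name from the HEADER line (NOERROR, SERVFAIL, NXDOMAIN, ...).
dig_status() {
    awk '/->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") {
        sub(/,$/, "", $(i + 1)); print $(i + 1) } }'
}

# Response flags from the ";; flags:" line, space separated.
dig_flags() {
    awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*/, ""); print }'
}

# Exit 0 if the named flag (aa, tc, rd, ra, ad, cd) is set in the response.
has_flag() {
    dig_flags | tr ' ' '\n' | grep -qx "$1"
}

# "TTL TYPE DATA" for every resource record in the ANSWER section.
answer_records() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/ || /^;;/          { in_ans = 0 }
         in_ans { data = $5; for (i = 6; i <= NF; i++) data = data " " $i
                  print $2, $4, data }'
}

# One-line reading of a response: status, DNSSEC validation state, truncation.
dig_verdict() {
    out=$(cat)
    dnssec=unvalidated; trunc=complete
    printf '%s\n' "$out" | has_flag ad && dnssec=validated
    printf '%s\n' "$out" | has_flag tc && trunc=truncated
    echo "$(printf '%s\n' "$out" | dig_status) $dnssec $trunc"
}

sample_output | dig_verdict
```

Pipe real output through the same functions, for example `dig +dnssec fhstp.ac.at | dig_verdict`; a `truncated` result is the cue to repeat the query with `+tcp`.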