dig Command Cheat Sheet
dig (Domain Information Groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output.
Synopsis
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]
Basic Usage
Standard Lookup (A Record)
Performs a default lookup for the A record (IPv4 address).
dig google.com
Short Answer Only (+short)
Use +short to suppress verbose output and get just the answer. Perfect for scripts.
dig +short google.com
# Output: 142.250.185.78
Query Specific Record Types
MX (Mail Exchange)
Find mail servers for a domain.
dig google.com MX
NS (Name Server)
Find authoritative name servers.
dig google.com NS
TXT (Text Records / SPF / DKIM)
Often used for verification and email security.
dig google.com TXT
CNAME (Canonical Name)
Find the alias target.
dig www.google.com CNAME
AAAA (IPv6 Address)
dig google.com AAAA
SOA (Start of Authority)
dig google.com SOA
ANY (All Records)
Note: Many modern DNS servers block or limit ANY queries to prevent amplification attacks.
dig google.com ANY
Specify DNS Server (@server)
By default, dig uses the resolvers listed in /etc/resolv.conf. You can force it to query a specific server (e.g., Google 8.8.8.8 or Cloudflare 1.1.1.1).
dig @8.8.8.8 google.com
Reverse Lookup (-x)
Find the domain name associated with an IP address (PTR record).
dig -x 8.8.8.8
# Output should point to google-public-dns-a.google.com.
Output Control Options
dig output is verbose. You can tune it with + options.
Disable Comments (+nocomments)
Hides the header and footer comments.
dig google.com +nocomments
Disable Question Section (+noquestion)
dig google.com +noquestion
Disable Authority/Additional Sections (+noauthority +noadditional)
dig google.com +noauthority +noadditional
Cleanest Output (+noall +answer)
The most popular combination to see only the answer section with full details (TTL, class, record).
dig google.com +noall +answer
Trace DNS Path (+trace)
Traces the delegation path, starting from the root name servers (.) down to the TLD (.com) and finally the authoritative server for the domain. Great for debugging propagation issues.
dig google.com +trace
Bulk Queries (-f)
Read a list of domains from a file and query them one by one.
Contents of domains.txt:
google.com
example.com
github.com
Command:
dig -f domains.txt +short
Advanced Options
Specify Port (-p)
If the DNS server runs on a non-standard port (default is 53).
dig @127.0.0.1 -p 8053 google.com
TCP Mode (+tcp)
Force the query over TCP instead of UDP (the default). Useful when a response is truncated or large (like zone transfers).
dig +tcp google.com
DNSSEC Validation (+dnssec)
Request DNSSEC records (RRSIG, NSEC) along with the answer. dig only displays these records; it does not validate the signatures itself.
dig google.com +dnssec
Understanding Output
A typical dig output:
- Header: Version, flags (qr, rd, ra), status (NOERROR, NXDOMAIN, etc.).
- Question Section: What you asked for.
- Answer Section: The result.
- Authority Section: Who knows the answer (Name Servers).
- Additional Section: IP addresses of those Name Servers (Glue records).
Common Status Codes:
- NOERROR: Successful query.
- NXDOMAIN: Domain does not exist.
- SERVFAIL: Server failed to answer (misconfiguration or timeout).
- REFUSED: Server refused query (ACL restriction).
Practical Examples
Check if Website is Down or DNS is Broken
dig +short google.com
Verify Email Security (SPF)
dig +short txt google.com | grep spf
Compare Propagation (Local vs Global)
Check what your local ISP sees vs what Google DNS sees.
# Local
dig +short mysite.com
# Google
dig @8.8.8.8 +short mysite.com
dig vs nslookup vs host
| Tool | Usage | Output | Status |
|---|---|---|---|
| dig | Best for debugging | Verbose & detailed | Standard |
| nslookup | Deprecated (mostly) | Simple | Available on Windows too |
| host | Simple lookups | Minimal | Handy for quick checks |
Exit Status
| Code | Meaning |
|---|---|
| 0 | Success (Lookup completed, even if NXDOMAIN) |
| 9 | No reply from server |
| 10 | Network I/O error |
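
Because dig exits 0 even for NXDOMAIN, and +short output is empty for several different outcomes, a script that needs to tell them apart has to read the status from the header. The following is an added example, not part of the original cheat sheet: the function names (dig_status, dig_answer_count, classify, check_name) are hypothetical and the sample header text is constructed.

```shell
#!/bin/sh
# Added example: classify a lookup from dig's header instead of its exit code.
# Function names are hypothetical; the sample header text is constructed.

# Constructed sample of `dig +noall +comments` output for a missing name.
SAMPLE_NXDOMAIN=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Print the status (rcode) from the ->>HEADER<<- line read on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER count from the flags line read on stdin.
dig_answer_count() {
    sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# Map (dig exit code, header text) to a single verdict word.
classify() {
    rc=$1
    out=$2
    [ "$rc" -eq 9 ] && { echo NO_REPLY; return; }    # server never answered
    [ "$rc" -ne 0 ] && { echo DIG_ERROR; return; }   # any other dig failure
    status=$(printf '%s\n' "$out" | dig_status)
    count=$(printf '%s\n' "$out" | dig_answer_count)
    case $status in
        NOERROR)
            # NOERROR with zero answers: name exists, no record of this type.
            if [ "${count:-0}" -gt 0 ]; then echo RESOLVED; else echo NODATA; fi ;;
        NXDOMAIN|SERVFAIL|REFUSED) echo "$status" ;;
        *) echo UNKNOWN ;;
    esac
}

# Live wrapper (assumes dig is on PATH); defined here but not called.
# Example call: check_name @8.8.8.8 mysite.com
check_name() {
    out=$(dig +noall +comments "$@") && rc=0 || rc=$?
    classify "$rc" "$out"
}

classify 0 "$SAMPLE_NXDOMAIN"
```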
Tips
- Create a .digrc file in your home directory with default options like +noall +answer if you prefer cleaner output permanently.
- Use man dig to see the full list of +query options.