System Administration Commands dig(1M)
NAME
dig - DNS lookup utility
SYNOPSIS
dig [@server] [-b address] [-c class] [-f filename]
[-k filename] [-m] [-p port#] [-t type] [-x addr]
[-y name:key] [-4] [-6] [name] [type] [class] [queryopt]...
dig [-h]
dig [global-queryopt...] [query...]
DESCRIPTION
The dig utility (domain information groper) is a flexible
tool for interrogating DNS name servers. It performs DNS
lookups and displays the answers that are returned from the
name server(s) that were queried. Most DNS administrators
use dig to troubleshoot DNS problems because of its flexi-
bility, ease of use and clarity of output. Other lookup
tools tend to have less functionality than dig.
Although dig is normally used with command-line arguments,
it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line
arguments and options is printed when the -h option is
specified. Unlike earlier versions, the BIND 9 implementa-
tion of dig allows multiple lookups to be issued from the
command line.
Unless it is told to query a specific name server, dig tries
each of the servers listed in /etc/resolv.conf.
When no command line arguments or options are given, dig
performs an NS query for "." (the root).
It is possible to set per-user defaults for dig with
${HOME}/.digrc. This file is read and any options in it are
applied before the command line arguments.
The IN and CH class names overlap with the IN and CH top
level domains names. Either use the -t and -c options to
specify the type and class, or use "IN." and "CH." when
looking up these top level domains.
SunOS 5.11 Last change: 24 Dec 2008 1
System Administration Commands dig(1M)
Simple Usage
The following is a typical invocation of dig:
dig @server name type
where:
server The name or IP address of the name server to
query. This can be an IPv4 address in dotted-
decimal notation or an IPv6 address in colon-
delimited notation. When the supplied server argu-
ment is a hostname, dig resolves that name before
querying that name server. If no server argument
is provided, dig consults /etc/resolv.conf and
queries the name servers listed there. The reply
from the name server that responds is displayed.
name The name of the resource record that is to be
looked up.
type Indicates what type of query is required (ANY, A,
MX, SIG, among others.) type can be any valid
query type. If no type argument is supplied, dig
performs a lookup for an A record.
OPTIONS
The following options are supported:
-4 Use only IPv4 transport. By default both IPv4
and IPv6 transports can be used. Options -4
and -6 are mutually exclusive.
-6 Use only IPv6 transport. By default both IPv4
and IPv6 transports can be used. Options -4
and -6 are mutually exclusive.
-b address Set the source IP address of the query to
address. This must be a valid address on one
of the host's network interfaces or 0.0.0.0
or ::. An optional port may be specified by
appending: #
SunOS 5.11 Last change: 24 Dec 2008 2
System Administration Commands dig(1M)
-c class Override the default query class (IN for
internet). The class argument is any valid
class, such as HS for Hesiod records or CH
for CHAOSNET records.
-f filename Operate in batch mode by reading a list of
lookup requests to process from the file
filename. The file contains a number of
queries, one per line. Each entry in the file
should be organized in the same way they
would be presented as queries to dig using
the command-line interface.
-h Print a brief summary of command-line argu-
ments and options.
-k filename Specify a transaction signature (TSIG) key
file to sign the DNS queries sent by dig and
their responses using TSIGs.
-m Enable memory usage debugging.
-p port# Query a non-standard port number. The port#
argument is the port number that dig sends
its queries instead of the standard DNS port
number 53. This option tests a name server
that has been configured to listen for
queries on a non-standard port number.
-t type Set the query type to type, which can be any
valid query type supported in BIND9. The
default query type "A", unless the -x option
is supplied to indicate a reverse lookup. A
zone transfer can be requested by specifying
a type of AXFR. When an incremental zone
transfer (IXFR) is required, type is set to
ixfr=N. The incremental zone transfer will
contain the changes made to the zone since
the serial number in the zone's SOA record
was N.
-x addr Simplify reverse lookups (mapping addresses
to names ). The addr argument is an IPv4
address in dotted-decimal notation, or a
colon-delimited IPv6 address. When this
SunOS 5.11 Last change: 24 Dec 2008 3
System Administration Commands dig(1M)
option is used, there is no need to provide
the name, class and type arguments. The dig
utility automatically performs a lookup for a
name like 11.12.13.10.in-addr.arpa and sets
the query type and class to PTR and IN,
respectively. By default, IPv6 addresses are
looked up using nibble format under the
IP6.ARPA domain. To use the older RFC1886
method using the IP6.INT domain, specify the
-i option. Bit string labels (RFC 2874) are
now experimental and are not attempted.
-y name:key Specify a transaction signature (TSIG) key on
the command line. This is done to sign the
DNS queries sent by dig, as well as their
responses. You can also specify the TSIG key
itself on the command line using the -y
option. The name argument is the name of the
TSIG key and the key argument is the actual
key. The key is a base-64 encoded string,
typically generated by dnssec-keygen(1M).
Caution should be taken when using the -y
option on multi-user systems, since the key
can be visible in the output from ps(1) or in
the shell's history file. When using TSIG
authentication with dig, the name server that
is queried needs to know the key and algo-
rithm that is being used. In BIND, this is
done by providing appropriate key and server
statements in named.conf.
QUERY OPTIONS
The dig utility provides a number of query options which
affect the way in which lookups are made and the results
displayed. Some of these set or reset flag bits in the query
header, some determine which sections of the answer get
printed, and others determine the timeout and retry stra-
tegies.
Each query option is identified by a keyword preceded by a
plus sign (]). Some keywords set or reset an option. These
may be preceded by the string no to negate the meaning of
that keyword. Other keywords assign values to options like
the timeout interval. They have the form ]keyword=value. The
query options are:
][no]tcp Use [do not use] TCP when querying name
servers. The default behaviour is to
use UDP unless an AXFR or IXFR query is
SunOS 5.11 Last change: 24 Dec 2008 4
System Administration Commands dig(1M)
requested, in which case a TCP connec-
tion is used.
][no]vc Use [do not use] TCP when querying name
servers. This alternate syntax to
][no]tcp is provided for backwards com-
patibility. The "vc" stands for "vir-
tual circuit".
][no]ignore Ignore truncation in UDP responses
instead of retrying with TCP. By
default, TCP retries are performed.
]domain=somename Set the search list to contain the sin-
gle domain somename, as if specified in
a domain directive in /etc/resolv.conf,
and enable search list processing as if
the ]search option were given.
][no]search Use [do not use] the search list
defined by the searchlist or domain
directive in resolv.conf (if any). The
search list is not used by default.
][no]defname Deprecated, treated as a synonym for
][no]search.
][no]aaonly Sets the aa flag in the query.
][no]aaflag A synonym for ][no]aaonly.
][no]adflag Set [do not set] the AD (authentic
data) bit in the query. The AD bit
currently has a standard meaning only
in responses, not in queries, but the
ability to set the bit in the query is
provided for completeness.
][no]cdflag Set [do not set] the CD (checking dis-
abled) bit in the query. This requests
the server to not perform DNSEC vali-
dation of responses.
SunOS 5.11 Last change: 24 Dec 2008 5
System Administration Commands dig(1M)
][no]cl Display [do not display] the CLAS when
printing the record.
][no]ttlid Display [do not display] the TL when
printing the record.
][no]recurse Toggle the setting of the RD (recursion
desired) bit in the query. This bit is
set by default, which means dig nor-
mally sends recursive queries. Recur-
sion is automatically disabled when the
]nssearch or ]trace query options are
used.
][no]nssearch When this option is set, dig attempts
to find the authoritative name servers
for the zone containing the name being
looked up and display the SOA record
that each name server has for the zone.
][no]trace Toggle tracing of the delegation path
from the root name servers for the name
being looked up. Tracing is disabled by
default. When tracing is enabled, dig
makes iterative queries to resolve the
name being looked up. It will follow
referrals from the root servers, show-
ing the answer from each server that
was used to resolve the lookup.
][no]cmd Toggle the printing of the initial com-
ment in the output identifying the ver-
sion of dig and the query options that
have been applied. This comment is
printed by default.
][no]short Provide a terse answer. The default is
to print the answer in a verbose form.
][no]identify Show [or do not show] the IP address
and port number that supplied the
answer when the ]short option is
enabled. If short form answers are
requested, the default is not to show
the source address and port number of
SunOS 5.11 Last change: 24 Dec 2008 6
System Administration Commands dig(1M)
the server that provided the answer.
][no]comments Toggle the display of comment lines in
the output. The default is to print
comments.
][no]stats Toggle the printing of statistics: when
the query was made, the size of the
reply and so on. The default behaviour
is to print the query statistics.
][no]qr Print [do not print] the query as it is
sent. By default, the query is not
printed.
][no]question Print [do not print] the question sec-
tion of a query when an answer is
returned. The default is to print the
question section as a comment.
][no]answer Display [do not display] the answer
section of a reply. The default is to
display it.
][no]authority Display [do not display] the authority
section of a reply. The default is to
display it.
][no]additional Display [do not display] the additional
section of a reply. The default is to
display it.
][no]all Set or clear all display flags.
]time=T Sets the timeout for a query to T
seconds. The default time out is 5
seconds. An attempt to set T to less
than 1 will result in a query timeout
of 1 second being applied.
]tries=T Sets the maximum number of UDP attempts
to T. The default number is 3 (1
SunOS 5.11 Last change: 24 Dec 2008 7
System Administration Commands dig(1M)
initial attempt followed by 2 retries).
If T is less than or equal to zero, the
number of retries is silently rounded
up to 1.
]retry=T Sets the number of UDP retries to T.
The default is 2.
]ndots=D Set the number of dots that have to
appear in name to D for it to be con-
sidered absolute. The default value is
that defined using the ndots statement
in /etc/resolv.conf, or 1 if no ndots
statement is present. Names with fewer
dots are interpreted as relative names
and will be searched for in the domains
listed in the search or domain direc-
tive in /etc/resolv.conf.
]bufsize=B Set the UDP message buffer size adver-
tised using EDNS0 to B bytes. The max-
imum and minimum sizes of this buffer
are 65535 and 0 respectively. Values
outside this range are rounded up or
down appropriately.
][no]multiline Print records like the SOA records in a
verbose multi-line format with human-
readable comments. The default is to
print each record on a single line, to
facilitate machine parsing of the dig
output.
][no]fail Do not try the next server if you
receive a SERVFAIL. The default is to
not try the next server which is the
reverse of normal stub resolver
behavior.
][no]besteffort Attempt to display the contents of mes-
sages which are malformed. The default
is to not display malformed answers.
][no]dnssec Request DNSEC records be sent by set-
ting the DNSEC OK bit (DO) in the OPT
SunOS 5.11 Last change: 24 Dec 2008 8
System Administration Commands dig(1M)
record in the additional section of the
query.
][no]sigchase Chase DNSEC signature chains. Requires
dig be compiled with -DIGSIGCHASE.
]trusted-key=#### Specifies a file containing trusted
keys to be used with ]sigchase. Each
DNSKEY record must be on its own line.
If not specified dig will look for
/etc/trusted-key.key then trusted-
key.key in the current directory.
Requires dig be compiled with
-DIGSIGCHASE.
][no]topdown When chasing DNSEC signature chains,
perform a top-down validation. Requires
dig be compiled with -DIGSIGCHASE.
MULTIPLE QUERIES
The BIND 9 implementation of dig supports specifying multi-
ple queries on the command line (in addition to supporting
the -f batch file option). Each of those queries can be sup-
plied with its own set of flags, options and query options.
In this case, each query argument represent an individual
query in the command-line syntax described above. Each con-
sists of any of the standard options and flags, the name to
be looked up, an optional query type, and class and any
query options that should be applied to that query.
A global set of query options, which should be applied to
all queries, can also be supplied. These global query
options must precede the first tuple of name, class, type,
options, flags, and query options supplied on the command
line. Any global query options (except the ][no]cmd option)
can be overridden by a query-specific set of query options.
For example:
dig ]qr www.isc.org any -x 127.0.0.1 isc.org ns ]noqr
SunOS 5.11 Last change: 24 Dec 2008 9
System Administration Commands dig(1M)
...shows how dig could be used from the command line to make
three lookups: an ANY query for www.isc.org, a reverse
lookup of 127.0.0.1 and a query for the NS records of
isc.org. A global query option of ]qr is applied, so that
dig shows the initial query it made for each lookup. The
final query has a local query option of ]noqr which means
that dig will not print the initial query when it looks up
the NS records for isc.org.
FILES
/etc/resolv.conf Resolver configuration file
${HOME}/.digrc User-defined configuration file
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWbind
Interface Stability External
SEE ALSO
dnssec-keygen(1M), host(1M), named(1M), nslookup(1M), attri-
butes(5)
RFC 1035
BUGS
There are probably too many query options.
NOTES
nslookup(1M) and dig now report "Not Implemented" as NOTIMP
rather than NOTIMPL. This will have impact on scripts that
are looking for NOTIMPL.
SunOS 5.11 Last change: 24 Dec 2008 10
|
