
A quick primer on dig, Hacker News


Dig is a DNS lookup utility developed by BIND which helps a lot while troubleshooting DNS issues (which are more common than you probably think #hugops). I use dig fairly often and thought to write an introductory guide on how you can use dig with some practical examples that’ll help you dig through DNS issues faster (sorry for the lame pun, couldn’t resist).

Basics

The most basic and common usage for dig is to query the authoritative servers for a particular domain and retrieve the IP. If it’s IPv4, you should be looking at the A record, while if it’s IPv6, the AAAA record is your friend. Let’s see the DNS records for the site you’re currently on:

$ dig mrkaran.dev

; <<>> DiG 9.[…].6 <<>> mrkaran.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: […]
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: […]
;; QUESTION SECTION:
;mrkaran.dev.    IN    A

;; ANSWER SECTION:
mrkaran.dev.    […]    IN    A    […]

;; Query time: 6 msec
;; SERVER: […].0.0.1#[…]([…].0.0.1)
;; WHEN: Tue Oct […] IST […]
;; MSG SIZE  rcvd: […]

This is the most basic example for dig. Let’s explore some of the additional options.

Keep it short

dig +short keeps the information to a bare minimum and only displays the ANSWER.

$ dig +short mrkaran.dev
[…].128

Nameserver details

If you want to find the nameserver for your DNS records, you can use the query type ns.

$ dig mrkaran.dev ns +short
alec.ns.cloudflare.com.
cruz.ns.cloudflare.com.

ns is one of the many query types you can use to indicate which type of DNS record you want to fetch. The default is the A record, which returns the IPv4 address of the domain (unless it's a root domain, in which case the default query type is NS). Some other examples of query types are mx, AAAA, TXT etc.

Fun Fact: The ANY query type has become obsolete as per the new RFC, and DNS operators can choose to not respond to this query. The reason for this is that the response payload for an ANY query is quite large (since it has to return all types of DNS records), and this could affect the performance of authoritative servers in case of a DNS amplification attack.

Using different DNS server

Let's say you want to switch to a different resolver. You can use @ followed by the address of your DNS server.

$ dig mrkaran.dev @9.9.9.9

Reverse DNS Lookup

This one's actually pretty cool. dig -x lets you query the IP and retrieve the hostname details for that IP.

Multiple queries

You can put a list of domain names in a file and pass the file to dig with the -f argument.

$ cat digfile
mrkaran.dev
joinmastodon.org
zoho.com

To list all MX records for the domains in a file, you can use something like:

$ dig -f digfile +noall mx +answer
mrkaran.dev.        […]  IN  MX  […] mx.zoho.in.
mrkaran.dev.        […]  IN  MX  […] mx2.zoho.in.
mrkaran.dev.        […]  IN  MX  […] mx3.zoho.in.
joinmastodon.org.   […]  IN  MX  […] in1-smtp.messagingengine.com.
joinmastodon.org.   […]  IN  MX  […] in2-smtp.messagingengine.com.
zoho.com.           […]  IN  MX  […] smtpin.zoho.com.
zoho.com.           […]  IN  MX  […] smtpin2.zoho.com.
zoho.com.           […]  IN  MX  […] smtpin3.zoho.com.

Search List

I learnt this recently while debugging a DNS issue in one of the Kubernetes pods. Dig does not use search paths by default, so if you have a service, say redis, inside a namespace, dig won't fetch any result:

$ dig redis +short
# empty output, indicates no record found

This is because a service name in Kubernetes is of the form service.namespace.svc.cluster.local. So, we should actually be querying for redis.myns.svc.cluster.local and we’ll get our result. But isn’t that too long and painful (sorry for the pun) to type?

So, there's another option, +search, which can be used to find all domains matching the search path defined in the /etc/resolv.conf nameserver configuration.

$ cat /etc/resolv.conf
nameserver […].0.13
search myns.svc.cluster.local svc.cluster.local cluster.local

We can now query for redis with this search list:

$ dig redis +search +short
[…]
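The search-list expansion that +search turns on can be worked through offline. The following is an added example, not code from the original post: search_candidates is a hypothetical helper that prints the names tried for a short name, in order. It goes slightly beyond the article by also applying the resolver's ndots rule; the nameserver address and the "ndots:5" option are assumptions, only the search line comes from the article.

```shell
#!/bin/sh
# Constructed resolv.conf for a pod in namespace "myns". The search line is
# the one from the article; the nameserver address is a placeholder and
# "ndots:5" is the usual Kubernetes setting (assumptions, not on the page).
RESOLV_CONF='nameserver 192.0.2.10
search myns.svc.cluster.local svc.cluster.local cluster.local
options ndots:5'

# search_candidates NAME RESOLV_CONF_TEXT
# Prints, in order, the fully qualified names tried for NAME.
search_candidates() {
    name=$1
    conf=$2
    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;  # trailing dot: absolute name
    esac
    ndots=$(printf '%s\n' "$conf" |
        sed -n 's/^options.*ndots:\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    ndots=${ndots:-1}                            # resolver default is 1
    search=$(printf '%s\n' "$conf" |
        sed -n 's/^search[[:space:]][[:space:]]*//p' | tail -n 1)
    dots=$(awk -v n="$name" 'BEGIN { print gsub(/\./, "", n) }')
    # A name with at least ndots dots is tried as given before the suffixes.
    if [ "$dots" -ge "$ndots" ]; then printf '%s.\n' "$name"; fi
    for suffix in $search; do
        printf '%s.%s.\n' "$name" "${suffix%.}"
    done
    if [ "$dots" -lt "$ndots" ]; then printf '%s.\n' "$name"; fi
}

search_candidates redis "$RESOLV_CONF"        # cluster suffixes first, "redis." last
search_candidates example.com "$RESOLV_CONF"  # external name also gets suffixes first
```

With ndots:5, even an external name such as example.com is first tried under every cluster suffix, which is worth knowing when reading resolver logs from a pod.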

DNSSec Validation

dig even lets you validate the DNS records you received using DNSSEC validation.

$ dig mrkaran.dev +dnssec

; <<>> DiG 9.[…].6 <<>> mrkaran.dev +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: […]
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: […]
;; QUESTION SECTION:
;mrkaran.dev.    IN    A

;; ANSWER SECTION:
mrkaran.dev.    […]    IN    A        […]
mrkaran.dev.    […]    IN    RRSIG    A […] mrkaran.dev. […]

;; Query time: […] msec
;; SERVER: 1.1.1.1#[…](1.1.1.1)
;; WHEN: Mon Nov […] IST […]
;; MSG SIZE  rcvd: […]

The important bit to note here is the ad flag, which stands for Authenticated Data. The records will only be returned if the validation succeeds (unless you also specify +cd, which sets the Checking Disabled flag).

On a server which does not have DNSSEC enabled, you can see no records are returned with the +dnssec flag.

$ dig dnssec-failed.org +dnssec

; <<>> DiG 9.[…].6 <<>> dnssec-failed.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23292
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-failed.org.    IN    A

;; Query time: […] msec
;; SERVER: 1.1.1.1#[…](1.1.1.1)
;; WHEN: Mon Nov […] IST […]
;; MSG SIZE  rcvd: […]
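The header check described above (status plus the ad flag) can be scripted rather than read by eye. This is an added example, not code from the original post: classify_dnssec is a hypothetical helper that reads dig output on stdin, and the sample headers are constructed in dig's format.

```shell
# classify_dnssec: read dig output on stdin and report what the header says.
#   validated    NOERROR and the resolver set the "ad" flag
#   unvalidated  NOERROR without "ad" (answer returned, not authenticated)
#   servfail     resolver refused to answer, as for dnssec-failed.org
classify_dnssec() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # drop "; QUERY: 1, ..."
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")              print "unparsed"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "other:" status
            else if (ad)                   print "validated"
            else                           print "unvalidated"
        }'
}

# Constructed header lines in dig's format (ids are made up, except the
# SERVFAIL header, which is copied from the article's output).
sample_signed() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
        ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_unsigned() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_failed() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23292' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
}

sample_signed   | classify_dnssec   # validated
sample_unsigned | classify_dnssec   # unvalidated
sample_failed   | classify_dnssec   # servfail
# Live use: dig mrkaran.dev +dnssec | classify_dnssec
```

The ad flag is the resolver's assertion, so it only means something when the path to that resolver is trusted. A SERVFAIL that becomes an answer when the query is repeated with +cd points to a validation failure rather than an unreachable server.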



That pretty much broadly covers some practical examples with dig. I will soon write a detailed post on how DNSSEC validation works and why it needs to be mainstream.

Fin!
